Botnets: a retrospective to 2006, and where we are headed in 2007

a few months back i released a post on where i think anti-botnet technology is heading. now it’s time for what happened in 2006, and what we can expect from here on.

i am not a believer in such retrospective looks, as they are often completely biased, based on what we have seen and on what we want to see. this is why i will try to limit myself to what we know is happening and is likely to get attention, as well as what we have seen the bad guys try that is working well enough for them to take it to the next level.

what changed with botnets in 2006:

1. botnets have reached a level where it is unclear today which parts of the internet are not compromised to some extent. it is easier to count the clean hosts than the infected ones.
2. botnets have become the most significant platform from which virtually any type of online attack and crime is launched. botnets are the online infrastructure for abusive or criminal activity.
3. in the past year, botnets have become mainstream. from a non-existent field, even in the professional realm, up to a few years ago (while attacks were happening constantly regardless), they have become the main buzzword and occupation of the security industry today, directly and indirectly.
4. websites have returned to being one of the most significant infection vectors for building botnets, which hadn’t been the case since the late 90s.
5. botnets have become the driving force behind organized crime online, with a low-risk, high-profit calculation.
6. new technologies are finally being introduced, moving botnet controllers from using just (or mainly) irc to more advanced c&c (command and control) channels such as p2p, or multi-layered ones, such as dns and irc used together at different layers.
7. botnets used to be a game of quantity. today, with quantity assured, quality is becoming a high concern for botnet controllers, both in the type of bot and in its abilities.

what’s going to happen with botnets in 2007:

botnets won’t change. all will remain the same as it has been for years. awareness, however, will increase, making the problem appear larger and larger, perhaps approaching its real scale. the bad guys will utilize their infrastructure to get more out of the bots (quality, now that quantity is here) and be able to do more than just steal cash, maximizing their revenue.

further, more and more attackers unrelated to the botnet controllers will make use of already compromised systems and existing botnets to gain access to networks, to facilitate anything from corporate espionage and intelligence gathering to shameless and open shows of strength against those who oppose them (think blue security), in the real world as well as the cyber one (which to the mob are one and the same; it’s the income that speaks).

meaning, the existing botnet infrastructure will be utilized both openly, since online miscreants (the real-world mob) face virtually no risk, and quietly and secretively for third-party intelligence operations.

gadi evron,


Internet Security Operations and Intelligence II

isoi 2 is finalized. the schedule and agenda can be found here:

i am going to do my best to release some of these presentations publicly after the event (if the authors agree), but it is not likely.

some public feedback will be relayed from the workshop.

gadi evron,


ISOI II – a DA Workshop (announcement and CFP)

the second internet security operations and intelligence (isoi) da workshop will take place on the 25th and 26th of january, 2007. it will be hosted by the microsoft corporation in redmond, wa. an after-party dinner will be hosted by trend micro.

this workshop’s main topic is botmaster operational tactics – the use of vulnerabilities and 0day exploits in the wild by spyware, phishing and botnet operations for their businesses.
secondary subjects include ddos, phishing and general botnet subjects.


The anti botnet market for ISPs and corporate networks

is here. several companies are rehashing their old products and rebranding them with buzzwords for ddos mitigation or botnets, but not trend micro.

trend micro released a brand new product, implemented with the novel idea of utilizing dns to detect bots on an isp or corporate network.

the signals are there in the resolver logs: massive numbers of requests for a c&c hostname (bots phoning home), massive numbers of mx lookups from a single host (spam bots delivering direct to mx), negative caching (nxdomain answers being cached because bots keep requesting a c&c name that has not been set up yet), and beyond.
it works. i don’t know if that’s exactly what trend micro is doing, but it’s one step in the right direction to better botnet detection and mitigation.
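the three signals above, written out as a worked example. this is illustrative code added for this page, not trend micro’s product or anyone else’s. it assumes a hypothetical resolver log format with one query per line (epoch, client ip, query type, name, response code), and the sample traffic it runs over is constructed, not real data.

```python
"""Added example: three dns-side heuristics for spotting bots in a resolver's
query log. Illustrative code written for this page, not trend micro's product
or anyone else's. It assumes a hypothetical log format, one query per line:
    <epoch> <client-ip> <qtype> <qname> <rcode>
"""
from collections import Counter, defaultdict


def parse_log(text):
    """Parse the hypothetical log format; blank lines and '#' comments are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, qtype, qname, rcode = line.split()
        records.append({"ts": int(ts), "client": client, "qtype": qtype.upper(),
                        "qname": qname.lower().rstrip("."), "rcode": rcode.upper()})
    return records


def mx_heavy_clients(records, min_mx=20):
    """Spam-bot signal: a workstation almost never asks for mx records, a bot
    delivering direct-to-mx asks for one per victim domain."""
    mx = Counter(r["client"] for r in records if r["qtype"] == "MX")
    return {c: n for c, n in mx.items() if n >= min_mx}


def nxdomain_pollers(records, min_repeats=5):
    """Negative-caching signal: clients that keep asking for the same name and
    keep getting nxdomain, as bots do while the c&c name is not set up yet."""
    per_client = defaultdict(Counter)
    for r in records:
        if r["rcode"] == "NXDOMAIN":
            per_client[r["client"]][r["qname"]] += 1
    return {c: sorted(n for n, k in names.items() if k >= min_repeats)
            for c, names in per_client.items()
            if any(k >= min_repeats for k in names.values())}


def phone_home_names(records, min_clients=3, min_repeats=5):
    """Phone-home signal: a name that several distinct clients each query
    repeatedly (beaconing), not a popular site each client fetches once."""
    per_name = defaultdict(Counter)
    for r in records:
        if r["qtype"] in ("A", "AAAA"):
            per_name[r["qname"]][r["client"]] += 1
    out = {}
    for name, clients in per_name.items():
        repeaters = sorted(c for c, n in clients.items() if n >= min_repeats)
        if len(repeaters) >= min_clients:
            out[name] = repeaters
    return out


def build_sample_log():
    """Constructed sample traffic, not real data: two clean hosts, three bots
    polling an unregistered c&c name once a minute, one of them also spamming."""
    lines, t = [], 1167600000
    for client in ("10.0.0.10", "10.0.0.11"):
        for name in ("www.example.com", "mail.example.com", "news.example.org"):
            lines.append(f"{t} {client} A {name} NOERROR")
            t += 1
    for client in ("10.0.0.5", "10.0.0.6", "10.0.0.7"):
        for _ in range(6):
            lines.append(f"{t} {client} A cc.botnet-example.test NXDOMAIN")
            t += 60
        lines.append(f"{t} {client} A www.example.com NOERROR")
        t += 1
    for i in range(25):
        lines.append(f"{t} 10.0.0.5 MX victim{i}.example.net NOERROR")
        t += 1
    return "\n".join(lines)


SAMPLE_RECORDS = parse_log(build_sample_log())


def report(records=SAMPLE_RECORDS):
    """Run all three heuristics; each returns {} when nothing stands out."""
    return {"mx_heavy": mx_heavy_clients(records),
            "nxdomain_pollers": nxdomain_pollers(records),
            "phone_home": phone_home_names(records)}


if __name__ == "__main__":
    for signal, hits in report().items():
        print(signal, hits)
```

the thresholds are the whole game: a mail server legitimately does thousands of mx lookups and a popular site with a short ttl is re-queried constantly, so in practice the mx and phone-home checks need an allowlist of your own mail relays and a popularity baseline before they are worth paging anyone over. the nxdomain poller is the cleanest of the three, which is exactly why watching negative answers is the interesting part of the idea.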


SpamHaus’ Steve Linford Joe Job

many abuse desks at numerous isps have been getting a fake email message purporting to be from steve linford, warning of retribution if the spamhaus service is used, with false information about the court ruling against spamhaus.

you can find more information on this joe job here:


The World of Botnets – a Virus Bulletin Article

in the latest edition of the virus bulletin magazine (september 2006), a featured article on botnets called “the world of botnets” by dr. alan solomon and myself was published.

all copyright to this article belongs to virus bulletin. virus bulletin is an ad-free professional magazine mostly read in the anti-virus world.

we are allowed to share the article with you on our blogs or company websites, providing the above reference to the vb journal is added with a copyright notice.

you can find the article here.

we would love to hear comments and input! :)

gadi evron,


What can be done with botnet C&C’s?

following up to my last post on this subject, i emailed this to nanog today:

in my last email message i addressed some of the issues related to botnet
c&c’s and their mitigation. as mentioned, i waited to see what others had
experienced, as well as to glimpse the opinions of others here.

in this message i will try and address some of the questions asked, but
once again limiting myself mostly to just networking rather than the whole
realm of botnet fighting.

“i work on this [c&c] for 30 days, only to find out one of you took it
down.” — us federal agent, two days ago, isoi (da workshop).

and still, sticking to networking issues, as obviously we cannot yet
depend on law enforcement to protect our networks for us, how do we handle

when we kill them (and by “kill” i naturally mean “report our suspicion
to the responsible authority so they can investigate, confirm and proceed
according to their aup”) we kill them, but only to our knowledge. they
immediately move elsewhere we do not know about, in our space or someone
else’s, maybe misplacing an extremely small percentage of their
population while they are at it.

okay, say i am right… what *can* we do?

we can take advantage:

1. qos and traffic limiting tools.
many tools created in recent years, and used extensively by many isps,
regardless of any net neutrality legislation, are at our disposal and
already implemented on our networks.

much like, for business reasons, many of us would limit p2p, how about
limiting the traffic to compromised users?

how, what and when is up to you.

you can know who your compromised users are by watching flows to c&c’s.

2. blocking communication to c&c’s.

watch the flows, block the users from communicating out to them. watch
these users and see where else they are communicating in comparison to
other users, en-masse.

it’s a matter of doing the same thing, for a different purpose.

3. walled garden and tech support costs.

obviously, if any of these users call you (and they very often do), you
lose money on them for a long time to come, and they will call again.

a combination of quarantine, complete or partial, might work.

combine that with what some already do, such as sell users anti virus
products, and you get a nice deal. add to that a support company to lend
help to users, unrelated to tech support, by subscription, and you may
just have more business avenues to explore.

4. stop internal network infections. it is unbelievable how the networks
with the most bots are the networks that allow internal users to connect
wherever they want within the network.

all these come to show that although responsiveness to c&c’s is important
(rather than shutting them down), on the scale of the internet, what
will actually help the internet is if you take care of it on your own

you don’t have to do any of these, or all of these. just wake up to the
fact that killing c&c’s will mostly not help anyone, and if anything, will
do harm. using them to deal with problematic users, even if only to block
them from accessing that c&c, is more to the point.

you can choose how to handle these issues, but if you want to stop harming
the internet, stop your users from participating, ddosing,
etc. while not harming your business (no one can handle that tech
support load). monitor the c&c’s running on your network – contact law
enforcement. these are compromises that will keep happening, you are aware
of, and cause millions of dollars in damages.

“so, are we supposed to leave these compromised boxes up?”

my answer is this, if you fail to remove a spy, as another would just take
his place, wouldn’t you rather know where that spy is and work to take
him down for good?

the answer to that is no, as most of us won’t and can’t. that said, if you
must kill the c&c, be aware, it is nothing more than sweeping the
problem, locally on your network, as well as on your friends’, under the

do you know who your local fed is? see if he can help; he most likely
can’t, and if he could, without much wider cooperation between everybody,
he or she would be extremely limited by looking just at your c&c’s. that
said, i doubt you would want that fed’s attention.

you can limit p2p traffic yet you won’t limit scanning traffic? outgoing
email traffic on port 25 from dynamic hosts? bandwidth to
compromised users? port 80, or any, traffic not through your proxy?

consider what other tools are in your arsenal. my ideas may be completely
wrong for you, yet that does not change the fact that killing the c&c will
just mean you are kept in the dark.

some large carriers do many of these already, run honey-nets, and what
not. do you?

i would like to hear some opinions on what networks can do, economically,
from people here. please stick to network operations issues.

gadi evron,
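the four items in the message above (limit compromised users, block and watch their flows, quarantine, stop internal spread) as one worked example over flow records. this is illustrative code added for this page, not any isp’s tooling and not something the message describes in code. it assumes a hypothetical flow export with one flow per line (source ip, destination ip, protocol, destination port, packet count), a constructed list of known c&c endpoints on rfc 5737 documentation addresses, and constructed sample traffic.

```python
"""Added example: working the four items above from flow data. Illustrative
code written for this page, not any isp's tooling. It assumes a hypothetical
flow export with one flow per line:
    <src-ip> <dst-ip> <proto> <dst-port> <packets>
and a constructed list of known c&c endpoints (rfc 5737 documentation addresses).
"""
from collections import defaultdict

# Known c&c endpoints as (ip, tcp port). Constructed for the example.
KNOWN_CC = {("198.51.100.7", 6667), ("203.0.113.9", 6667)}


def parse_flows(text):
    """Parse the hypothetical flow export; blanks and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport, pkts = line.split()
        flows.append({"src": src, "dst": dst, "proto": proto.lower(),
                      "dport": int(dport), "pkts": int(pkts)})
    return flows


def compromised_hosts(flows, known_cc=KNOWN_CC):
    """Items 1 and 2: any local host with a flow to a known c&c is compromised."""
    return {f["src"] for f in flows if (f["dst"], f["dport"]) in known_cc}


def suspicious_destinations(flows, compromised, known_cc=KNOWN_CC,
                            min_infected=2, max_clean_share=0.2):
    """Item 2: destinations the compromised hosts reach en masse but the clean
    population barely touches; candidates for the next c&c or a dropper."""
    infected, clean = defaultdict(set), defaultdict(set)
    for f in flows:
        key = (f["dst"], f["dport"])
        (infected if f["src"] in compromised else clean)[key].add(f["src"])
    n_clean = len({f["src"] for f in flows} - compromised)
    out = {}
    for key, hosts in infected.items():
        if key in known_cc or len(hosts) < min_infected:
            continue
        clean_share = len(clean.get(key, set())) / n_clean if n_clean else 0.0
        if clean_share <= max_clean_share:
            out[key] = sorted(hosts)
    return out


def internal_scanners(flows, internal_prefix="10.0.", min_targets=20, max_pkts=2):
    """Item 4: hosts sweeping many internal addresses with tiny (syn-only) flows."""
    targets = defaultdict(set)
    for f in flows:
        if f["dst"].startswith(internal_prefix) and f["pkts"] <= max_pkts:
            targets[f["src"]].add(f["dst"])
    return {h for h, t in targets.items() if len(t) >= min_targets}


def policy(flows, known_cc=KNOWN_CC):
    """Items 1 to 3: block c&c flows for every compromised host, rate-limit the
    rest of its traffic, and push internal scanners into a walled garden."""
    bad = compromised_hosts(flows, known_cc)
    scanners = internal_scanners(flows)
    watch = suspicious_destinations(flows, bad, known_cc)
    actions = {h: ("quarantine" if h in scanners else "rate-limit") for h in bad}
    block = sorted(set(known_cc) | set(watch))
    # iptables rule syntax; assumes tcp c&c and a FORWARD path through the operator.
    rules = [f"-A FORWARD -s {h} -d {ip} -p tcp --dport {port} -j DROP"
             for h in sorted(bad) for ip, port in block]
    return {"compromised": sorted(bad), "actions": actions,
            "watch": watch, "rules": rules}


def build_sample_flows():
    """Constructed sample export, not real traffic: three bots, five clean hosts."""
    bots = ["10.0.0.5", "10.0.0.6", "10.0.0.7"]
    clean = [f"10.0.0.{i}" for i in range(10, 15)]
    lines = ["10.0.0.5 198.51.100.7 tcp 6667 40",
             "10.0.0.6 198.51.100.7 tcp 6667 35",
             "10.0.0.7 203.0.113.9 tcp 6667 50"]
    for h in bots + clean:                      # a popular site everyone visits
        lines.append(f"{h} 192.0.2.10 tcp 80 20")
    for h in bots + ["10.0.0.10"]:              # dropper fetched by the bots
        lines.append(f"{h} 192.0.2.44 tcp 80 12")
    for i in range(1, 31):                      # one bot sweeps the internal net
        lines.append(f"10.0.0.7 10.0.1.{i} tcp 445 1")
    return "\n".join(lines)


SAMPLE_FLOWS = parse_flows(build_sample_flows())

if __name__ == "__main__":
    for k, v in policy(SAMPLE_FLOWS).items():
        print(k, v)
```

the point of `suspicious_destinations` is the “watch these users and see where else they are communicating in comparison to other users” step: the popular web server is excluded because the clean population uses it just as much, while the dropper host stands out because only the infected hosts (and one clean one) ever touch it. the returned rules only block the known and suspected c&c endpoints; the rate-limit and quarantine actions are left as labels because the mechanism (qos class, walled-garden vlan, captive portal) is whatever your network already has.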


Mitigating botnet C&Cs has become useless

here is a recent email message i sent to the botnets mailing list and nanog:

the few hundred *new* irc-based c&cs a month (and change) have been
around and (somewhat) static for a while now, at a steady rate of change which
maintains the status quo, plus a bit of new blood.

in this post i ask the community about what you see, against what we have
observed, and try and test my conclusions and numbers against your

the subject line “why mitigating botnet c&cs has become useless” is
misleading. it has been useless for a long time, but someone
had to hold back the tide, which several online mitigation communities
have been doing.

today it has become (close to) completely useless. i will present the case
on why that is in my opinion, in a few bullets, and we can discuss what
alternatives we have, or if perhaps i am misreading what’s going on.

*. when a botnet c&c is mitigated, it is immediately re-created on
another host on the same isp or another.
*. most botnet c&cs are a part of a larger group, such as an irc network
or another, possibly hidden “behind the scenes” network. lusers are being
redirected on the spot or reconnect to another host.
*. most botnet c&cs are a compartmentalized group out of the whole,
possibly a sub-group several tiers down. much like a terrorism cell.
*. if the above measures and features fail, most botnets have a secondary
control channel with which an immense number of hosts can be re-directed. this
was already seen a few years ago.
*. many botnet c&cs now use fast-flux technology, moving ip addresses
quite often.
*. when the c&c is taken down, the bot may not jump to a new host, a new
one may simply be installed.
*. coordinated take-down of entire networks is extremely difficult, relies
on incomplete intelligence and only takes care of the problem for an
extremely short period of time until re-assembly.

the name of the game is the spbc: simple primitive botnet control (c&c).

simple – as it is simple, vs. a complex dynamic control channel.
primitive – old and quite unimpressive.
botnet – d’oh
c&c – command and control

it’s simple, we can see most of them with our tools. primitive, hey, they
have been using these for a long long time. it works.

as what we mainly did is concentrate on taking the c&c down, as well as
academically study how to detect or quantify it, what we achieved was
teaching the bad guys their business. that is yesterday’s news.

they are a well-oiled machine. we don’t hurt them any more. botnets have
become mainstream. they are part of sales pitches now.

spbc for the botnet controllers these days relies on proven and tested
techniques, concentrating on and backing themselves with:
reliability – efficient and stable.
robust – easily replaced.
diverse – varying control channels, from dns, other irc servers and direct
connect to a downloader ready to download a new bot or re-infect a known
bad network.
distributed – need i speak of that one?

what does taking down c&c’s achieve?
1. coordination on security issues between isps, continued and
peer-pressure based. slowly but surely becoming more and more law enforcement-,
regulation- and vendor-run in comparison to what it used to be.

2. responsiveness to abuse – gauging isp response is interesting and shows
how interested they are.

3. feeling good – cleaning the back yard and moving the problem to someone
else (another isp). hmm, yeah.. not really. in most cases the same isps
have the same problems month after month. they just make the c&c’s
“unknown” vs. “yes, we know where they are”.

we are now past the point where killing c&cs has been harmful. it
was. these days the only real use a c&c can have for an organization with
a network, is to check for infected clients connecting in.

when it was harmful, creating the current situation, we were comfortable
with it as it helped hold back the immediate problem – which was important
by itself.

that’s my educated opinion, following this since 1996, and gathering
statistics for several years, some of which are seen by this community
every month.

please, i would love to hear your opinions, disputes and how you find the
operational intell on botnet c&cs useful to this day on networks for
mitigation purposes.

then i would like to try and check my facts against your findings as well,
and see if my conclusions hold up or if i miscalculated.

please try and limit your answers on this thread (unless you start
another) to network mitigation issues.

thank you all for your input. oh, and i wasn’t very accurate. killing c&cs
these days is still harmful, just that now it doesn’t even hold back the


note: this is also being sent to the public botnets mailing list.

gadi evron,
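the fast-flux bullet in the message above is the one c&c resilience technique that shows up directly in dns data, so here is a worked example of telling a fluxing name from a normal one by looking at several successive resolutions. this is illustrative code added for this page, not any vendor’s tool; it assumes the answers have already been collected as (name, ttl, list of a-record ips) tuples, and the sample answers are constructed, with the flux name on a reserved .test domain.

```python
"""Added example: telling a fast-flux c&c name apart from a normal one by
looking at several successive resolutions. Illustrative code written for this
page, not any vendor's tool. It assumes answers already collected as
(name, ttl, [a-record ips]) tuples; the sample data below is constructed.
"""
import ipaddress
from collections import defaultdict


def slash16(ip):
    """Coarse proxy for 'a different network': the /16 an address falls in."""
    return str(ipaddress.ip_network(f"{ip}/16", strict=False))


def flux_profile(answers):
    """Per name: distinct ips seen, distinct /16s, lowest ttl, number of lookups."""
    ips, nets, ttls = defaultdict(set), defaultdict(set), defaultdict(list)
    for name, ttl, addrs in answers:
        ttls[name].append(ttl)
        for ip in addrs:
            ips[name].add(ip)
            nets[name].add(slash16(ip))
    return {n: {"ips": len(ips[n]), "nets": len(nets[n]),
                "min_ttl": min(ttls[n]), "lookups": len(ttls[n])} for n in ttls}


def is_fast_flux(profile, min_ips=10, min_nets=5, max_ttl=300):
    """Many addresses, spread over many networks, with short ttls: flux.
    A cdn has the first and the last but usually sits in a few networks."""
    return (profile["ips"] >= min_ips and profile["nets"] >= min_nets
            and profile["min_ttl"] <= max_ttl)


def classify(answers, **thresholds):
    """Name -> True/False verdict for every name in the collected answers."""
    return {n: is_fast_flux(p, **thresholds) for n, p in flux_profile(answers).items()}


def build_sample_answers():
    """Constructed: a static site, a cdn name, and a fluxing c&c name."""
    answers = []
    for _ in range(4):                         # static: same two ips, long ttl
        answers.append(("www.example.com", 3600, ["192.0.2.1", "192.0.2.2"]))
    pool = ([f"198.51.100.{k}" for k in range(1, 5)]
            + [f"203.0.113.{k}" for k in range(1, 5)])
    for i in range(4):                         # cdn: short ttl, rotates in two /16s
        rotated = pool[i:] + pool[:i]
        answers.append(("cdn.example.net", 20, rotated[:4]))
    for i in range(4):                         # flux: five fresh ips, each in a new /16
        answers.append(("flux.botnet-example.test", 60,
                        [f"10.{5 * i + j}.{j + 1}.{i + 2}" for j in range(5)]))
    return answers


SAMPLE_ANSWERS = build_sample_answers()

if __name__ == "__main__":
    for name, verdict in classify(SAMPLE_ANSWERS).items():
        print(name, flux_profile(SAMPLE_ANSWERS)[name], "FLUX" if verdict else "ok")
```

the caveat is the cdn line: content delivery networks also hand out many addresses with short ttls, and with loose thresholds (`min_ips=5, min_nets=2`) the cdn name in the sample trips the check too. the network-spread count is what separates the two in practice, and a real deployment would replace the /16 proxy with asn lookups and a baseline of known cdn names.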