LIMASSOL, CYPRUS–The operators of large-scale botnets such as Gumblar and others for years have relied upon stealth, creativity and guile to hide their creations from researchers and authorities for as long as possible. This has been especially vital for botnets with centralized command-and-control mechanisms. But the recent success of sophisticated, resilient peer-to-peer botnets has shown that level of effort isn’t necessary anymore.
As major botnet operators have moved from top-down C&C infrastructures, like those employed throughout the 1990s and most of the last decade, to more flexible peer-to-peer designs, they also have found it much easier to keep their networks up and running once they’re discovered. When an attacker had just one, or at most two, C&C servers doling out commands to compromised machines, evading detection and keeping the command server online were vitally important.
But that’s all changed now. With many botnet operators maintaining dozens or sometimes hundreds of C&C servers around the world at any one time, the effect of taking a handful of them offline is negligible, experts say, making takedown operations increasingly complicated and time-consuming.
It’s security through ubiquity.
Security researchers say this change, which has been occurring gradually in the last couple of years, has made life much more difficult for them. While it’s a simpler task to find a C&C server when it’s one of a hundred or so, taking that server offline is much less effective than it used to be. Researchers in recent months have identified and cleaned hundreds of domains being used by the Gumblar botnet, but that’s had little effect on the botnet’s overall operation.
Recent research has shown that the botnet still has thousands of compromised servers in its network. And, Gumblar has the advantage of having both client machines and servers at its command, giving it tremendous flexibility and firepower. In a presentation at the Kaspersky Lab Security Analyst Summit here, Vitaly Kamluk, a security researcher in Kaspersky’s Tokyo office, who has been following Gumblar since its appearance, discussed the intricacies of the botnet, its infection mechanism and resistance to analysis.
Gumblar relies heavily on encryption and obfuscation, and researchers have found it difficult to track down the group behind the botnet. What they’ve found, though, are indications that the team behind Gumblar is not only monitoring the activities of researchers who are keeping tabs on the botnet, but also changing its tactics over time to stay a step ahead of the game.
As researchers have continued to identify infected Gumblar servers and help remove them, attackers have stepped up their assaults, reinfecting the same machines multiple times and finding thousands of new servers vulnerable to attack. The Gumblar creators, as well as the operators of other recent botnets, take pains to encrypt portions of their malware and heavily obfuscate the code used to infect Web sites, but they’re not that worried about one of their infected servers or clients being discovered.
They’ll simply launch another mass infection campaign the next day. In fact, many servers that are identified and disinfected are compromised again within a day or two, researchers say. More infected servers means a more distributed infrastructure and less chance of a full takedown or disruption of the botnet.
It’s all in the game.