The Future of Botnets

A lot of people in the security industry are paid to think like attackers: pen testers, security consultants, software security experts. But some of these people have never met an actual black hat, so much of their work is necessarily based on what they think attackers might do in a given situation.


Considering the stakes in today’s security game, gleaning intelligence from professional attackers is an invaluable experience for researchers on the other side of the ball. Robert Hansen, a security researcher and CEO of SecTheory, has been doing just that in recent months, having a series of off-the-record conversations with spammers and malicious hackers in an effort to gain insight into their tactics, mindset and motivation.

In a blog post describing one such conversation, Hansen says that the attacker was lamenting the difficulty of executing targeted attacks against machines in high-value networks. Security systems are doing a fairly good job of making life difficult for him.

He’s not the type to hack randomly, he’s only interested in targeted attacks with big payouts. Sure, if you really work at it for days or weeks you’ll get in, almost always, but it’s not like it used to be where you’d just run a handful of basic tests and you were guaranteed to break in. The risk is that now when he sends his mules to go cash out, there’s a chance they’ll get nailed. Well, the more I thought about it the more I thought that this is a very solvable problem for bad guys. There are already other types of bad guys who do things like spam, steal credentials and DDoS. For that to work they need a botnet with thousands or millions of machines. The chances of a million machine botnet having compromised at least one machine within a target of interest is relatively high.

Hansen’s solution to the hacker’s problem provides a glimpse into a business model we might see in the not-too-distant future. It’s an evolutionary version of the botnet-for-hire or malware-as-a-service model that’s taken off in recent years. In Hansen’s model, an attacker looking to infiltrate a specific network would not spend weeks throwing resources against machines in that network, looking for a weak spot and potentially raising the suspicion of the company’s security team.

Instead, he would contact a botmaster and give him a laundry list of the machines or IP addresses he’s interested in compromising. If the botmaster already has his hooks into the network, the customer could then buy access directly into the network rather than spending his own time and resources trying to get in.

This tactic reminds me a little of the movie Wall Street. You have a failing company (in this case a botnet that will probably only last a year or two). If the company continues on its course it’ll make a pretty good amount of money, but nowhere near as much as if the owners break up the company into pieces and sell them off one by one to the interested parties. Kind of an interesting/scary thought, but it could easily be used to avoid the cost and danger of individual exploitation against a company for a hacker interested in targeted attacks. Rather, a brokerage for commodities (bots that come from interesting IPs/domains) could be created and used to sell off the individual nodes.

This model makes sense on a number of levels and may well have been implemented already. The value of a large botnet for executing DDoS attacks or extracting valuable data from the compromised machines could be multiplied hundreds or thousands of times using this model.

Discussion

  • Lance Miller on

    You do not need 1000's of machines to steal credentials and DDoS, unfortunately.

  • Dennis Fisher on

    That's a good point. But the more worrying thing is that these guys *do* have thousands of machines under control, some of them in very high value networks and if they decided to make this move--and there's no reason to think they won't or haven't already--it's not going to be good.

  • Roland Dobbins on

    This has been going on for the better part of a decade - see this preso:

    http://files.me.com/roland.dobbins/y4ykq0

  • Anonymous409 on

    Please reply on this blog or directly......a question you've never ever been asked!......Has Kaspersky ....you guessed it......ever been hacked or duplicated by hackers?

  • Anonymous on

    I have Windows Vista and it's hard wired to my computer, someone (who knew my email & password) signed into it and emailed someone looking like it came from me. How can they do that? Plus, we found our phone box crashed open. Is that possible, because we know we didn't do it. Thank you. PS: The person we think that did it knows a lot about computers as well, we don't.

  • Ralph on

    It seems we need a fundamental paradigm change in this field. Right now we routinely allow a wide variety of code to execute on our computers. Most of that code is acting in concert with our interests, but some of it is malicious. In our personal lives, most of us would be unlikely to let a posse of lightly vetted strangers wander around in our house at all hours of the day and night. Yet that's what we're doing with all this executable code. It only takes one malicious visitor to compromise a lot of information or do some serious damage.

    In our homes, the answer to such concerns is to not let random people, or people recommended only by a friend of a friend of an acquaintance, into the house. And when we do let someone in, we watch him or her. With a computer, things are too complex, and happen too fast for us to effectively watch visiting code. Furthermore, even if we could watch closely, we will not always be able to tell which visitors are dangerous. Actions that appear innocuous at one time may be used to help set up a later misdeed.

    The only long-term way to deal with this problem is to restrict who we let into the house. That implies a very different way of looking at and working with our computers and other devices. The eventual change will require a painful transition, during which we will have to accept significant limitations on what we allow our electronics to do, both for us and against us.

  • Monte on

    Ralph is suggesting something called Application Whitelisting. But that is not the silver bullet. Quite honestly, one for computer security does not exist. Kaspersky has some of this built into their protection. The truth is it takes many layers of procedures, products and security solutions, so think in layers. Suites are good for home users, integration is good for businesses. More on layered security and software here:

    http://www.softwaresecuritysolutions.com/layered-security-solutions.html

  • Dan M. on

    Monte is right, but only to a point. All we will need to make the plan work is 5x our current computing power, oh wait, that brings more code, complexity and more problems... this is the old snowball rolling down hill.

    I don't know of a solution, but let's start with firing squads for hackers... Just a thought, cheap easy and a big detractor to crime...

  • Joe F. on

    I think Dan M. is on to something, but we don't need a firing squad. Two solutions come to mind, both from the middle ages: 1. Cut off the hand that offends. A few handless hackers would send a powerful message. 2. Have a legal punishment that simply declares the convicted hacker an outlaw. This is far more powerful than it sounds. It means the convicted one has no protection from the law. So anybody could do what they wanted to him and he could not appeal for protection from the law; his assailants could not be charged with any crime....outlaw!

    A more practical solution is to find a way to make it easier to catch and convict these criminals and make the jail sentences long and not open to parole...

  • Manny on

    where is the captcha?

  • Anonymous on

    The amount of obvious spam, containing probably malicious links, in the talkbacks of an article on computer security is... amusing.

  • Anonymous on

    That is true: considering the stakes in today's security game, gleaning intelligence from professional attackers is an invaluable experience for researchers on the other side of the ball.
