Security Watch | Matt Hines

November 13, 2007

Building a botnet taxonomy

Botnets have become so varied that at least one researcher is attempting to address the problem by building a taxonomy: a classification scheme that labels the different iterations of the attacks, to help in the fight against the threats.

Jose Nazario, senior security engineer at infrastructure security specialist Arbor Networks, said in a recent phone interview that he hopes the effort will help his company and other security researchers predict and counteract emerging changes in botnet herders' tactics.

"We should be able to see earlier if a new technology is being used or there is some major shift in activity," Nazario said. "We're actually tracking more botnets than ever before at this point, as many as 1800-2000 each day, but the good news is that reaction rates from the security community are improving and people are generally more aware of the problem and taking care of the attacks faster."

The botnet taxonomy, which will be broken down into several sub-categories based on observed botnet activity and technological makeup, starts with the network structure of each botnet, meaning how the compromised hosts receive their commands.

Some botnets remain centralized, taking orders from specific command-and-control servers, while others have moved to more distributed models, as with the P2P zombie network behind the Storm Worm/Trojan.

Looking at whether individual botnets are IRC-based, Web-based, DNS-based or operating under some other strategy will eventually help network operators block the attacks, the researcher claims.

For instance, if a botnet is IRC- or Web-based, admins can simply block the involved communications to internal servers, whereas with DNS-based botnets people must block the involved DNS entries themselves, he said.
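The point above, that the C&C class of a botnet decides which network control applies, can be made concrete with a small classifier. The following is an added example, not Arbor's taxonomy or any code from the article: it runs a few heuristics over constructed flow records (IRC commands on tcp/6667, an HTTP request repeated at a fixed interval, TXT lookups for high-entropy labels under one parent domain, and one UDP port talking to many distinct peers), assigns each infected host a coarse class, and maps that class to the kind of blocking it admits. Ports, domains, addresses and thresholds are all assumptions chosen for illustration.

```python
"""Coarse botnet C&C classification from flow records, mapped to the control each class admits.

Added example: hypothetical heuristics, not the taxonomy described in the article.
All flow records below are constructed for the demonstration.
"""
from collections import defaultdict
from math import log2
from statistics import mean, pstdev

# Constructed flows: (timestamp_s, src, dst, dport, proto, detail).
# detail is the IRC command, the HTTP request line, "QTYPE qname" for DNS, or a length for UDP blobs.
FLOWS = [
    # IRC bot: one C&C server, chat-style commands on tcp/6667
    (0,   "10.0.0.5", "198.51.100.7",  6667, "tcp", "NICK [USA|XP]123456"),
    (1,   "10.0.0.5", "198.51.100.7",  6667, "tcp", "JOIN #cmd"),
    # HTTP bot: same request to one host every ~300 s
    (0,   "10.0.0.6", "203.0.113.9",   80,   "tcp", "GET /gate.php?id=1"),
    (301, "10.0.0.6", "203.0.113.9",   80,   "tcp", "GET /gate.php?id=1"),
    (599, "10.0.0.6", "203.0.113.9",   80,   "tcp", "GET /gate.php?id=1"),
    (902, "10.0.0.6", "203.0.113.9",   80,   "tcp", "GET /gate.php?id=1"),
    # Ordinary browsing and DNS from a clean host: irregular, varied requests
    (0,    "10.0.0.7", "203.0.113.20", 80,   "tcp", "GET /index.html"),
    (17,   "10.0.0.7", "203.0.113.20", 80,   "tcp", "GET /news"),
    (250,  "10.0.0.7", "203.0.113.20", 80,   "tcp", "GET /img/logo.png"),
    (1003, "10.0.0.7", "203.0.113.20", 80,   "tcp", "GET /about"),
    (5,    "10.0.0.7", "192.0.2.53",   53,   "udp", "A www.example.com"),
    # DNS-based bot: TXT queries for random-looking labels under one parent domain
    (0,   "10.0.0.8", "192.0.2.53",    53,   "udp", "TXT 7f3a9c2e1b.cmd.example.net"),
    (60,  "10.0.0.8", "192.0.2.53",    53,   "udp", "TXT a81d04ee7c.cmd.example.net"),
    (120, "10.0.0.8", "192.0.2.53",    53,   "udp", "TXT 0c9b5e2f43.cmd.example.net"),
    # P2P bot: one high UDP port, many distinct peers (no single server to block)
    (0,  "10.0.0.9", "198.51.100.11", 7871, "udp", "len=64"),
    (3,  "10.0.0.9", "198.51.100.12", 7871, "udp", "len=64"),
    (7,  "10.0.0.9", "198.51.100.13", 7871, "udp", "len=64"),
    (9,  "10.0.0.9", "198.51.100.14", 7871, "udp", "len=64"),
    (14, "10.0.0.9", "198.51.100.15", 7871, "udp", "len=64"),
]

IRC_VERBS = ("NICK ", "USER ", "JOIN ", "PRIVMSG ")

# What each class lets a network operator do; the P2P class has no choke point.
CONTROLS = {
    "centralized/irc":  "block the C&C host:port at the perimeter",
    "centralized/http": "block the C&C host/URL at the proxy or perimeter",
    "dns-based":        "sinkhole the parent domain in the recursive resolver",
    "distributed/p2p":  "no single choke point; remediate the host and rate-limit the port",
}


def shannon_entropy(s):
    """Bits per character; random hex labels score well above dictionary words."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * log2(c / n) for c in counts.values())


def is_periodic(timestamps, min_hits=4, max_cv=0.1):
    """True when inter-arrival gaps are nearly constant (coefficient of variation <= max_cv)."""
    if len(timestamps) < min_hits:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return m > 0 and pstdev(gaps) / m <= max_cv


def classify(flows):
    """Return {src: (class, evidence)} for hosts whose traffic matches one C&C pattern."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f[1]].append(f)
    results = {}
    for src, fs in by_src.items():
        irc = [f for f in fs if f[3] == 6667 or f[5].startswith(IRC_VERBS)]
        if irc:
            results[src] = ("centralized/irc", f"{irc[0][2]}:{irc[0][3]}")
            continue
        http = defaultdict(list)  # (dst, request line) -> timestamps
        for f in fs:
            if f[4] == "tcp" and f[3] in (80, 443):
                http[(f[2], f[5])].append(f[0])
        beacon = next((k for k, ts in http.items() if is_periodic(ts)), None)
        if beacon:
            results[src] = ("centralized/http", f"{beacon[0]} {beacon[1]}")
            continue
        dns = defaultdict(list)  # parent domain -> leftmost labels of TXT queries
        for f in fs:
            if f[3] == 53 and f[5].startswith("TXT "):
                label, _, parent = f[5].split()[1].partition(".")
                dns[parent].append(label)
        for parent, labels in dns.items():
            if len(labels) >= 3 and mean(shannon_entropy(l) for l in labels) > 3.0:
                results[src] = ("dns-based", parent)
                break
        if src in results:
            continue
        peers = defaultdict(set)  # UDP port -> distinct remote addresses
        for f in fs:
            if f[4] == "udp" and f[3] > 1024:
                peers[f[3]].add(f[2])
        for port, ps in peers.items():
            if len(ps) >= 5:
                results[src] = ("distributed/p2p", f"udp/{port} to {len(ps)} peers")
                break
    return results


def recommend(flows):
    """Pair each classified host with the control its C&C class admits."""
    return {src: (cls, CONTROLS[cls], ev) for src, (cls, ev) in classify(flows).items()}


if __name__ == "__main__":
    for src, (cls, control, ev) in sorted(recommend(FLOWS).items()):
        print(f"{src}: {cls:17} evidence={ev!r:45} -> {control}")
```

The clean host 10.0.0.7 produces no finding because its requests are neither periodic nor repeated, which is the check that keeps the HTTP heuristic from flagging ordinary browsing. The output for the P2P host carries no blockable address, which is the taxonomy's practical lesson: once a botnet moves off a central server, the network alone cannot cut it off and remediation has to happen on the host.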

"There's huge fragmentation among the different technologies being used by the individual botnets, part of that is for differentiation, to evade detection, or to respond to the defenses built into security products," said Nazario. "We hope to detect and highlight new trends whenever we can, and point them out to our friends in AV; the network is important for fighting this stuff, but so is the host, and if AV can't keep up there will always be issues for end users."

The taxonomy will primarily give researchers a window into where botnet herders will go next, and will attempt to abstract various features of the threats for use by fellow academics and anti-malware experts, the researcher said.

Getting the project off the ground was relatively easy, but figuring out all of the implications of his findings and taking those observations to a deeper level to use in a predictive role is proving more challenging, according to Nazario.

However, if the effort works out as he hopes, the researcher contends that it may allow law enforcement and research experts to track the actual players running the schemes.

Overall, Nazario said that most carriers and large enterprises do seem to be handling the botnet scourge better than in previous years, but that they still tend to be "a day late" when it comes to blocking the threats.

"It's a reactionary game, but there are a lot of new products to help," he said. "Essentially it remains a race of tools and endurance, and there is no shortage of pressure on the people on either side of the fight."

As botnets have risen in prominence, so has competition between the operators of these armies of zombie PCs, according to the researcher. This has led to infighting among botnet operators and faster technical advancement by those trying to stay ahead in their side of the market.

"There's a lot of competition at the lower levels in particular, as with the huge number of operators they are all under pressure to differentiate and go places where their rivals haven't been," said Nazario. "The big guys are constantly looking for the next blue water opportunity; they're becoming stealthier at infecting, updating their malware code on a faster basis, and using more rootkits to hide from AV systems."

"To a certain extent the botnet operators are becoming victims of their own success, but that's what happens when you find something that works, and then tools emerge that make it easier to pull off," he said. "That's how you end up with the scenario we see today -- which includes smaller numbers of people working on the next new techniques, while you also have a large number of novices at the helm of thousands of nodes that they've compromised relatively easily."

Posted by Matt Hines on November 13, 2007 12:28 PM