On August 10, a group of information security professionals, vendors, and
law enforcement gathered at Cisco Headquarters in San Jose. With little
notice, the “Internet Security Operations and Intelligence Workshop”
attracted around 200 attendees. Led by the enigmatic Gadi Evron (security
evangelist for Beyond Security and chief editor of the security portal
SecuriTeam), speaker after speaker painted a bleak and complex picture. Many
lamented the increasing ineffectiveness of the prevailing strategy, which
focused on identifying and taking out C&C servers. This is the “kill the
head of the snake” approach. Bots have begun to evolve beyond this weakness
now. Some now have multiple C&C servers, and, like a Hydra, if you cut off
one C&C server, two more pop up. Some used protocols that lend themselves to
a more decentralized organization. Some are using “Fast Flux” DNS technology
(see Chapter 3) to play an electronic version of the shell game with the C&C
server. There was much wailing and gnashing of teeth by the security and
network professionals. However, amidst the lamentations, some very
interesting and innovative ideas were presented. These ideas involve
different methods of detecting botnets, aggregating this information, and
sharing it for the benefit of all. Some ideas were so tempting that
participants began trying out aspects of the idea during the presentation.
When all was said and done, 200 minds knew what only a handful knew before.
Further, a “call to action” had been issued. Come out of our shell, share
what we know, organize our responses.
Botnets: A Call to Action • Chapter 1
Summary
Botnet technology is the next killer Web application. It is a tremendous
force multiplier for organized crime. The money from organized crime has
created a fertile technology incubator for the darkside hacker. The problem
they have created is huge, global in scope. Their primary victims targeted to
become clients are the innocents, the elderly, the young, and the
non-computer literate. Many of the botherder schemes also target this
defenseless group. The appetite for power doesn’t stop there. In the DDoS
attack, bots have grown big enough to be a threat to major corporations and
even nations.
Bot technology has evolved from simple agents that played games with users
to mercenary robotic armies without morals, ready to carry out designer
crimes on demand. From “Hunt the Wumpus” we now have botnets that collect
information about customers of a specific bank, then target those customers
with special botclients that contain features designed to defeat or bypass
that bank’s security. Today’s bots are easy to customize, modular, adaptive,
targetable, and stealthy. They are moving to a more decentralized approach
and diversifying their C&C techniques.
Law enforcement has begun to catch and arrest some botnet developers and
operators. The Microsoft bounty fund has proven useful in improving law
enforcement opportunities to find the bad guys. Unfortunately, the court
system is in serious need of change. Investigations take months for crimes
that are over in seconds. Cases drag out for years, so much so that the
affected businesses cannot afford to support prosecution efforts. The
penalties being given are rarely more than a slap on the wrist, if anything
at all is done. In many cases the arrested individual trades information for
little or no punishment. The public reporting of light sentences and fines
sends the message that crime does indeed pay and that you will likely never
have to pay the piper.
In May of 2006, news articles were trumpeting the success of efforts by
security and network professionals in taking down C&C servers around the
world. By August, the headlines had changed to claims that we’ve already lost
the botnet war. The hacker community responded to the security strategy of
taking down C&C servers by reducing their dependence on a single C&C server.
They’ve shifted their approach by creating multiple C&C servers and by
employing “fast flux” DNS. By changing their architecture, they decimated the