Slashdot Mirror


Rise of the Small Botnet

wiredmikey writes "Botnets controlled by criminal enterprises all over the world continue to multiply at a steep rate, and it is now arguably the smaller, harder-to-trace operations that organizations should be the most worried about. Not only are smaller botnets cheaper and easier to build out and operate, but criminals have already realized that large-scale botnet activity attracts unwanted attention, and not just that of law enforcement."

15 of 61 comments

  1. Re:Small botnet? by wiredmikey · · Score: 3, Insightful

    Yes, but the larger the botnet, the more of a target it becomes for takedown. Running smaller botnets under the radar for a longer period of time can be more effective, with less of a chance of being caught.

  2. Where is the Microsoft or Windows tag? by erroneus · · Score: 3, Insightful

    I know for a fact that Linux boxes, especially servers on the net, get compromised and used by criminals from unknown locations on the planet. But botnets are made almost entirely of PCs running Microsoft Windows. Whether it is the OS, the apps running on it, or both that are the ultimate cause, it all has MS Windows in common.

    All this botnet crap going on all over the planet could be halted in very short order if Microsoft would "man up" and do something about it. With every new release of an OS, it makes a choice and every time it has chosen to maintain the old ways instead of fixing the problems. Perhaps my perspective on this is a little wrong. I have not yet, for example, seen a compromised Windows 7 machine. (That's not because they can't be, it's simply because I haven't seen one yet and a lot of people don't want to use Windows 7.)

    If I was in control of a beef company and the bovine products I was distributing were tied to global illness and crap like that, there would be no end to the complaints and measures taken against me. But somehow, the world hasn't managed to point enough fingers at Microsoft demanding that they do something about the problem. The only finger pointers are pretty much the IT crowd, and no one listens to us. It is fascinating to me because the problems with compromised Windows machines have a massive economic effect which, as we all know, is far more important than global health and general public safety.

    1. Re:Where is the Microsoft or Windows tag? by Spad · · Score: 5, Insightful

      The vast majority of current exploits are targeted at applications, rather than OSs; primarily Acrobat Reader and Java at the moment.

      Regardless, no OS can overcome the problem of permitting users to carry out administrative tasks without allowing them to execute malicious code when they really, really want to see the dancing bunnies.

    2. Re:Where is the Microsoft or Windows tag? by c6gunner · · Score: 2, Insightful

      it's more about a structural flaw in the basic paradigm we all know and love... the idea of running everything in a default permissive environment

      Even that's largely irrelevant. Back when I had a botnet or two of my own, I didn't really give a damn what kind of permissions they had as long as they were capable of accessing the net. Firewalls set up to stop programs from dialing out didn't seem to be much of an issue - the average user would just click "allow", anyway. The biggest problem has always been - and will continue to be - ignorant or uncaring users.

  3. Nothing Like a Large Botnet by MyLongNickName · · Score: 4, Funny

    To really do damage to a webserver, you need a large botnet.

    --
    See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year

    1. Re:Nothing Like a Large Botnet by MyLongNickName · · Score: 3, Funny

      Heh, Flamebait :) Some mod is having fun modding me down today. Here's another one to waste your points on :)

      --
      See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year

  4. Re:Spread of intrusion? by MyLongNickName · · Score: 3, Informative

    I'm posting from ThePromenader's unmonitored servers.

    --
    See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year

  5. How does this make sense? by exentropy · · Score: 2, Insightful

    Organizations shouldn't be worried about small botnets simply because they haven't attracted the attention of law enforcement -- they should be afraid because their antivirus won't have a signature for the malware being propagated by small botnets. And what's the point of advising organizations to be worried about small botnets? Fear doesn't increase security.

    1. Re:How does this make sense? by captainpanic · · Score: 4, Insightful

      Fear actually does increase security... well... in a way.

      Consultants call this fear "awareness". And if you want a general group to implement any measures, you have to "create awareness". It's a well-known fact.
      So, because of the awareness, security measures are taken.

      Not only cyber security but also physical security (security companies and the weapons industry) thrives because of the awareness of all kinds of problems (security leaks, terrorism, etc).
      The real question is: is the threat as big as it is portrayed?

  6. Re:Small botnet? by MyLongNickName · · Score: 2

    He means what "under the radar" usually means: unnoticed by the authorities or those with the ability to stop you.

    --
    See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year

  7. Size matters by gmuslera · · Score: 2, Interesting

    For some of the botnet activities, size matters. If you want to steal cc numbers or passwords, being in more places means more chances to get something useful. Another common use of botnets is sending spam, where more machines = better (harder to block because of the numbers, and less chance of filling the bandwidth of those computers and being noticed because of that, if you want to send a lot of spam).

    Instead of just going small, there are 2 tactics that could be used by botnets: try being more stealthy (i.e. sending out information only when the user does), or resizing by quality of the machines they run on (i.e. stay active only on machines where they actually put in credit card info, or their spam is not being bounced, or which have better bandwidth).

  8. Re:Spread of intrusion? by ThePromenader · · Score: 2, Interesting

    The whole point of a cronjob log-combing program is to detect multiple failed login attempts across ~any~ protocol (I have open). When I do find a failed attempt, I do note it, but it is only the ~repeated~ attempts that I track down.

    --

    No, no sig. Really.

    ThePromenader

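A minimal version of the cross-protocol log-combing check ThePromenader describes above, added here as an example (it is not the poster's program): the syslog-style lines, the three failure regexes and the repeat threshold are all constructed assumptions, and the addresses come from documentation ranges.

```python
import re
from collections import defaultdict

# Constructed sample lines in syslog style (documentation IP ranges, not real hosts).
SAMPLE_LOG = """\
Jan 12 03:14:07 host sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jan 12 03:14:09 host sshd[1234]: Failed password for root from 203.0.113.7 port 51030 ssh2
Jan 12 03:15:01 host vsftpd[2200]: [anonymous] FAIL LOGIN: Client "203.0.113.7"
Jan 12 03:16:44 host sshd[1301]: Failed password for alice from 198.51.100.9 port 40010 ssh2
Jan 12 03:17:00 host sshd[1302]: Accepted password for alice from 198.51.100.9 port 40011 ssh2
Jan 12 03:18:12 host dovecot: imap-login: Disconnected (auth failed, 1 attempts in 5 secs): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
"""

# One assumed pattern per protocol; each captures the client address as group "ip".
FAILURE_PATTERNS = {
    "ssh": re.compile(r"sshd\[\d+\]: Failed password for .* from (?P<ip>[\d.]+)"),
    "ftp": re.compile(r'vsftpd\[\d+\]: .*FAIL LOGIN: Client "(?P<ip>[\d.]+)"'),
    "imap": re.compile(r"imap-login: .*auth failed.*rip=(?P<ip>[\d.]+)"),
}


def failed_logins(lines):
    """Map each source IP to a per-protocol count of failed logins."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        for proto, pat in FAILURE_PATTERNS.items():
            m = pat.search(line)
            if m:
                counts[m.group("ip")][proto] += 1
                break  # each line belongs to exactly one protocol
    return counts


def repeat_offenders(lines, threshold=3):
    """Return (ip, total_failures, protocols) for every source at or above the
    threshold. Failures are summed across protocols, so a source that spreads a
    few attempts over ssh, ftp and imap still shows up as one repeat offender."""
    hits = []
    for ip, per_proto in failed_logins(lines).items():
        total = sum(per_proto.values())
        if total >= threshold:
            hits.append((ip, total, sorted(per_proto)))
    return sorted(hits, key=lambda h: -h[1])


if __name__ == "__main__":
    # Single failures are noted by failed_logins(); only repeats are reported here.
    for ip, total, protos in repeat_offenders(SAMPLE_LOG.splitlines()):
        print(f"{ip}: {total} failed logins via {', '.join(protos)}")
```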
  9. Fighting chance by hesaigo999ca · · Score: 2, Interesting

    I had a heated debate once with a colleague about how botnets operate, and he was under the impression they were all script kiddies with no morals who just wanted to thrash all websites and infect everyone.... I tried to let him know they were people (higher ups) with the organization skills of real companies, with real business sense, using techniques to covertly avoid detection. I even heard of one botnet that would send out a few emails from each computer a minute, not more....to avoid sending up the flags that 1 million emails in an hour would set off....and then there was that one that would cycle between computers in the botnet to send off mail, so that the ip address changed each time based on where the email was coming from....so you could get 300 emails all from diff. addresses not to send off a flag, so that one company with 300 employees would all get spammed.

    These guys are nasty tacticians, and really only want the best way to stay in the game, even if it means uninstalling themselves for a few days, with a script that will send the computer back to a website with a payload to redownload and reinfect. This one no one believes, but I saw it....with my own eyes, and could not believe that 3 days later it was back; although it had not uninstalled itself because of me, it must have been a command from a CC.

  10. Re:Step 1. bot net - Step 2. Profit! by Shark · · Score: 4, Interesting

    As an ISP, we actively track and warn customers that are infected. It was a bit of a hurdle at first but merely making our customers aware of the possibility has drastically decreased the number of infections despite the steady increase in number of customers.

    --
    Mind the frickin' laser...

  11. Dude, you need to break out your dictionary by sean.peters · · Score: 2, Informative

    The word you're looking for is "algorithm". A "logarithm" is a number that you get by taking the exponent of a number from a certain base. For example the "common" (base 10) logarithm of 1000 is 3. What your machine is doing has nothing to do with this.