Gallery

Bashin' the bots

Posted on 9 Apr 2008 at 12:05

Davey Winder steps into the murky world of botnets and gets some disturbing results from a routine online health check.

Now and then a statistic lands in my inbox that makes me sit bolt upright, take a deep breath and read it again. Like this one from the Marshal TRACE team, a specialist email security vendor: the distribution of no less than 85% of all global spam is controlled by just six botnets. That is truly shocking, and the first question out of your mouth should probably be: "If just six botnets are responsible for all our spam, why don't the law officers in the countries they operate from just close the buggers down and do us all a favour?"

To which I'd reply: "If only it were that easy." The first problem lies in the very nature of botnets, especially those of the 20,000-zombie-PC variety that spread over very wide areas - they're truly global, containing compromised computers from across the whole planet. It's their control servers that need to be pulled, but the criminal gangs that run them are working towards distributed P2P-powered control servers that can be sacrificed and reinstated somewhere else with increasing ease. That means they can cross national jurisdictions, and any lawyer will tell you that's a huge problem when trying to prosecute internet-based crime. That leads on to the second big reason why banishing botnets isn't easy: it's now a big-money business being operated by large, well-organised criminal enterprises. These guys know how to play the system, know which palms to grease and which countries to base themselves in for the best possible protection against the long arm of the law.

There is some good news, though, and it comes from my friends at security vendor Sophos, who inform me that recently there have been a few high-profile successes in cracking down on botnet bosses. In one such case, a Canadian-based botnet was found to contain no fewer than a million zombie PCs, located in 100 different countries. Seventeen people were arrested in connection with the operation of this "superbotnet" - for want of a better word - which delivered a real stab to the heart of one organised cyber-crime gang. In New Zealand, meanwhile, an 18-year-old programmer was arrested recently on suspicion of being the boss of a gang that's infected some 1.3 million computers to create botnets. These are moves in the right direction, but the harsh truth is that such arrests merely make a dent in the botnet fabric, and other gangs will soon move up to take their place.

I'm more enthused by the work being done by researchers at the Georgia Institute of Technology into a system that can detect botnet command and control channels, and which has been given the charming name of "BotSniffer". Once you've recovered from your attack of schoolboy sniggers, let me explain the serious technology being discussed here, as it might just have what it takes to stamp out spam for good. According to the Georgia Tech paper "BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic", which describes in detail how the technology works, the whole approach is based upon the observation that "because of the pre-programmed activities related to C&C, bots within the same botnet will likely demonstrate spatial-temporal correlation and similarity. For example, they engage in coordinated communication, propagation, and attack and fraudulent activities. Our prototype system, BotSniffer, can capture this spatial-temporal correlation in network traffic and utilise statistical algorithms to detect botnets with theoretical bounds on the false positive and false negative rates".

Download a year of Davey Winder's Online Security columns by heading to our Free Downloads site