Message-ID: <Pine.LNX.4.21.0612222158290.23229-100000@linuxbox.org>
Date: Fri, 22 Dec 2006 21:59:28 -0600 (CST)
From: Gadi Evron <ge@...uxbox.org>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Botnets: a retrospective to 2006, and where we are headed in 2007
A few months back I released a post on where I think anti-botnets
technology is heading ( http://blogs.securiteam.com/index.php/archives/697 ).
Now it's time for what happened in 2006, and what we can expect from here
on.
I am not a strong believer in such retrospective looks, as often, they are
completely biased and based on what we have seen and what we want to
see. This is why I will try and limit myself to what we know happens and
is likely to get attention, as well as what we have seen tried by bad
guys, which is working for them enough to take to the next level.
What changed with botnets in 2006:
1. Botnets reached a level where it is unclear today what parts of the
Internet are not compromised to an extent. Count by clean rather than
infected.
2. Botnets have become the most significant platform from which virtually
any type of online attack and crime are launched. Botnets equal an online
infrastructure for abusive or criminal activity online.
3. In the past year, botnets have become mainstream. From a nonexistent
field even in the professional realm up to a few years ago, where attacks
were happening constantly regardless, it has turned into the main buzzword
and occupation of the security industry today, directly and indirectly.
4. Websites have returned to being one of the most significant forms of
infection for building botnets, which hadn't been the case since the late
90s.
5. Botnets have become the moving force behind organized crime online,
with a low-risk high-profit calculation.
6. New technologies are finally being introduced, moving the botnet
controllers from using just (or mainly) IRC to more advanced C&C (command
and control) channels such as P2P, or multi-layered, such as DNS and IRC
on the OSI model.
7. Botnets used to be a game of quantity. Today, when quantity is assured,
quality is becoming a high concern for botnet controllers, both in type of
bot as well as in abilities.
What's going to happen with botnets in 2007:
Botnets won't change. All will remain the same as it has been for
years. Awareness however, will increase making the problem appear larger
and larger, perhaps approaching its real scale. The bad guys would utilize
their infrastructure to get more out of the bots (quality once quantity is
here) and be able to do more than just steal cash. Maximizing their
revenue.
Further, more and more attackers unrelated to the botnet controllers will
make use of already compromised systems and existing botnets to gain
access to networks, to facilitate anything from corporate espionage and
intelligence gathering, to shameless and open shows of strength to those
who oppose them (think Blue Security), in the real world as well as the
cyber one (which to the mob is one and the same, it's the income that
speaks).
Meaning, the existing botnet infrastructure will be utilized both in an
open fashion, due to the fact that online miscreants (real-world mob) face
virtually no risk, as well as in quiet and secretive uses for third-party
intelligence operations.
Gadi Evron.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/