ThiemeWorks - The Missing Link

http://www.theregister.co.uk/2008/02/13/new_botnet_advances/

Not your father's botnet
By Dan Goodin in San Francisco
Published Wednesday 13th February 2008 23:42 GMT

Researchers have unearthed two previously undetected botnets that exhibit sophisticated new capabilities that could significantly advance the dark art of cyber crime.

One of them, dubbed MayDay by security firm Damballa, uses new ways to send and receive instructions to infected machines. One communication method uses standard HTTP that is sent through an organization's web proxy. That allows the malware to circumvent a common security measure employed by many large companies.

Indeed, Tripp Cox, vice president of engineering and operations at Damballa, says he's observed MayDay running inside some of the world's most elite organizations, including Fortune 50 companies, educational institutions and ISPs. (He declines to identify them by name.)

"Most malware doesn't go through the trouble of trying to discover a computer's web proxy settings and use that as a method for getting onto the internet," he says.

The botnet also uses two separate peer-to-peer technologies so zombies can stay in touch with each other, presumably as a back-up measure in case the central channel is disconnected. One protocol communicates using the internet control message protocol (ICMP) and the other uses the transmission control protocol. The ICMP traffic is obfuscated so it's indecipherable to the human eye. Damballa researchers are still working to figure out exactly what kind of information is being transported over the channel.

Up until now, the zombie army popularly known as Storm has been the 800-pound gorilla of the botnet underground. Having recently marked it's one-year birthday, it is believed to comprise about 85,000 infected machines. It was responsible for about 20 percent of the world's spam over the past six months, according to MessageLabs, which provides email and web filtering services to more than 16,000 business customers.

By comparison, MayDay and another newly discovered botnet called Mega-D have far fewer nodes, but they are worth watching for a couple reasons. For one, they are likely to get bigger over time. And for another, their increasing sophistication is a good indicator of the direction professional bot herders are headed.

MayDay has also done a good job of flying under the radar. Infected machines have a limited amount of time to connect to the command and control channel. If the time stamp is more than a few hours old, the server returns an error message, making it hard for white-hat researchers and rival bot masters to perform reconnaissance. And according Cox, the vast majority of the anti-virus products fail to detect at least some of the samples obtained by Damballa researchers. (Symantec and Sophos, in postings here and here, question Damballa on this issue.)

There's another reason why MayDay has managed to remain under cover until now: it is still relatively small. At any given time, there are only "several thousand victims" infected, according to Cox.

The other recent arrival on the botnet scene is Mega-D. It was discovered by security firm Marshall, which last week said it had dethroned Storm as the top source of spam.

Some of Marshall's peers in the research community aren't so sure about that, including Joe Stewart of SecureWorks. He says Mega-D consists of about 35,000 bots, less than half the size of Storm. Mega-D isn't propagating as fast or efficiently is Storm has, either. Finally, he suspects spam from Storm is being under-counted.

Referring to Mega-D he says: "This is a very strong botnet, but hardly a challenger to Storm."

Nonetheless, Mega-D boasts some advances that Stewart says aren't common in botnets. One of them allows it to avoid being "greylisted," a technique used by email servers to prevent spam by instructing unrecognized senders to retransmit the email later. Whereas most spam bots give up, Mega-D bots don't.

"This is the first time I've seen any bot have any type of code in it dealing with greylisting," Stewart says. "This is actually at the bot level."

Stewart says Mega-D is the work of Russian hackers and has its genesis in a little-known family of malware known as "Ozkok." It is detected by most anti-virus products, but usually is only flagged with generic labels such as "Pakes" or "Agent," which may partly explain why Mega-D has been able to grow into such a large army with seemingly no one noticing.

While the newcomers aren't as big as Storm and, depending on who's asked, aren't believed to be as big of a nuisance, they are a reminder that the development of malware is a growing business that places a high value on innovation. MayDay's ability to communicate within heavily fortified businesses shouldn't be taken lightly. Neither is Mega-D's anti-greylisting capability.

In its first year, Storm showed a preternatural ability to stop on a dime, morph and take on new capabilities. Here's wondering how soon its developers adopt some of these latest bells and whistles? ®

And Hobbit's response:

*Hobbit*

Breathless articles like this just piss me off. It isn't about whose botnet is bigger or more secretive or what its C2 protocol is. It's
really about the fact that they're permitted to exist at all, let alone successfully send huge volumes of spam.

If the ISPs would actually grow a pair one of these days and curtail
untrusted customer netblocks full of known-infested machines from
sending ANY direct SMTP traffic to anywhere but the ISP's own authorized and well-controlled egress relay, there would be no point in spam botnets. I wrote at length about this over two years ago and suggested some local [and arguably somewhat lame] mitigation strategies, in

http://www.usenix.org/publications/login/2005-10/openpdfs/hobbit.pdf

but how many people actually read Usenix papers, anyways. The point
here is that the ISPs are a very large percentage AT FAULT for the
continued existence and appeal of botnets. If you work for an ISP, go ahead, be as angry as you want at me for saying that, but you know how true it is. Have you ever spent *4 hours* on the phone with reps in the Phillipines for Verizon or Comcast [to pick on the big boys] trying to find someone who can even spell SMTP, let alone do anything to solve a problem or track spam? GFL.

How hard is it to add some anti-forgery header rules to the egress
dropoff mailservers that ALREADY exist, special-case a few people who
actually know what they're doing, and then hop on the edge routers and clamp down on any other TCP 25 noise emerging from subscriber clouds?

HOW HARD IS IT?? Don't give me that lame "common carrier, can't do it" excuse -- you wouldn't be blocking ingress CIFS and the like either if that held any water. If you're an ISP and continuing to let botnets work under your noses, you are an overt threat to the security of many nations at once. Get busy.

Oh, and you could try answering your abuse@ mailboxes once in a while.

_H*