Security IT

Botnet on Botnet Action

Dausha writes "The Tech Web news site reports a story about Botnet turf wars. Botnets have been around for a while, and are increasing in severity. The latest innovation finds Bots capturing and securing host computers from other bots. Security includes installing software patches, shutting down ports, etc."
  • by Opportunist ( 166417 ) on Friday April 20, 2007 @10:16AM (#18811271)
    The time when there was still a market to grow into with botnets is over. The big surge of new, clueless morons filling the net is slowly coming to an end, and even the morons now start using firewalls and AV tools (still no brains, but hey, I'm already happy with small steps).

    So the maximum amount of machines to have is pretty much reached. Now the battle for the precious dimwits started. Well, it started some time ago, but we now get a lot of bot malware that actually tries to kick out the competition.

    What for, one may ask. Why the overhead? I mean, what's wrong with 2 competing botnetters controlling a computer?

    Bandwidth. You can only pump so much spam out of a machine with a given bandwidth. If two try that at the same time, they have to share. And sharing is not really a trait of a botnetter.

    So, let the games for the herd begin. If anyone's looking for me, I'm in the lobby getting popcorn.
  • by gurps_npc ( 621217 ) on Friday April 20, 2007 @10:26AM (#18811363) Homepage
    hunts down pop-up advertisement programs and either destroys them or tags them (so that pop-up blockers will automatically shut them down).

    With all the punk 1eet programmers out there, you would think that someone would spend time writing this instead of silly viruses.

    I am tired of having pop-up advertisements beat my pop-up blocker.

  • Meme Wars (Score:1, Interesting)

    by Anonymous Coward on Friday April 20, 2007 @10:49AM (#18811633)
    This sort of reminds me of John Barnes' "Meme Wars" [amazon.com] books. Except that the botnets are fighting over our computers instead of our minds. I'm wondering if it will get to the point where people will actively choose to infect their computer with one particular botnet or another if they find that that particular one interferes the least with their particular usage. At least you would know what your computer is infected with and that will keep the other garbage out.
  • Re:Note to Editors (Score:5, Interesting)

    by qwijibo ( 101731 ) on Friday April 20, 2007 @10:56AM (#18811723)
    Because good has to be much more diligent, and that is orders of magnitude harder.

    When you're working for evil, you don't have to worry about collateral damage. If you cause one system out of 100 to stop working completely, or just have some incompatibility that makes it less useful to the user, you don't care. If they didn't want to be infected, they'd have better security. Propagating evil viruses, trojans and worms is easy because you can be careless and expect the rest of the world to reboot if you have a bug.

    This is also why large organizations have people to test that patches don't break the necessary functionality in their supported applications. If something breaks, they have to support it, so they make sure it's not going to come back to bite them. This takes a fair amount of time, people, and all of the supported configurations to ensure that things are safe. It's a real pain in the neck (or other body part) to do a good job at this.

    The most secure machine is one that is turned off, unplugged and locked in a room that has an armed security guard with standing orders to shoot everyone. That's not the computer usage model that any of the companies listed want to encourage. They want the user to be insecure to different degrees.
  • by Opportunist ( 166417 ) on Friday April 20, 2007 @11:02AM (#18811827)
    Ain't that easy.

    Windows is the primary target simply because it has a market share of roughly 90% in the consumer area. You may safely assume that a business server is administrated by someone who has at least half a clue and uses security features, no matter how lenient, so the consumer is the core target group for botnetters.

    Since most modern attack schemes rely not on system weaknesses but on user stupidity, this would work in every environment.

    What it really has to do with is users clicking on everything and allowing everything their (rarely but still sometimes existing) security tools ask them to allow.
  • by Mostly a lurker ( 634878 ) on Friday April 20, 2007 @11:05AM (#18811859)
    The use of AV, anti-spyware and personal firewall products is increasingly ineffective in preventing infection. If these products are fully up to date, the good ones will currently stop about 80% of the malware thrown at them, and the situation is becoming worse. The trend towards broadband routers with embedded NAT firewalls helps, but infections through email attachments and visiting malicious websites are not going to decrease: they are going to continue to increase. As the botnets become oriented primarily towards identity theft, industrial espionage and other kinds of high profit operations, you are also going to see these nets become more stealthy and harder to detect. By next year, they are going to be prevalent in corporate networks and often present for long periods without detection.

    With profits already dwarfing that of the global drug business, there is every incentive for these tech savvy mafias to continue their heavy investment in improving their infrastructure. Most people in IT do not even yet realise the scope of the threat we are facing.

  • by Opportunist ( 166417 ) on Friday April 20, 2007 @11:35AM (#18812269)
    What part of it is not true?

    Corporate networks are largely uninteresting. Few people store their personal information on their corporate machines, simply because it would be against their working contract in most places to use the machine for personal business. At best such networks would be interesting for their bandwidth, but they are usually a lot more closely monitored than private machines and nets.

    Yes, the stealthiness will increase. It already does. 2 years ago the average malware was an easily detectable process, now it is a thread in a running process and will evolve into a full-blown rootkit in no time. I give us about 6 months tops before rootkits become a real problem. The trials are already out and running.

    AV tools are improving, too. But there is no replacement for brains and common sense. Unfortunately, a lot of machines are lacking in the user department. And what's worse, they're not upgradable.
  • by plover ( 150551 ) * on Friday April 20, 2007 @11:46AM (#18812395) Homepage Journal
    And if you use your bot to retrieve a competing bot, you can reverse engineer your opponent's command and control structure. Why fight for one advantage at a time when you can 0wn his entire botnet? Game, set and match.
  • Re:Note to Editors (Score:5, Interesting)

    by plover ( 150551 ) * on Friday April 20, 2007 @12:01PM (#18812605) Homepage Journal
    I'm not so sure about this. Why does good have to be diligent and honest? Why can't this be done by vigilante groups who are not officially sanctioned, but nobody complains about them?

    The internet is still pretty much wide open, with no single governing body. A vigilante group could operate out of any number of less-than-cooperative countries. And this vigilante group does NOT have to be 100% good or careful. These zombies exist because their owners don't know or care enough to keep their machines safe, and now they're out attacking the rest of us. I have about zero tolerance for dangerously ignorant people or their hardware when it's threatening mine.

    In medical terms, these zombies would be defined as malignant cancerous cells, and botnets as tumors. And to carry the medical analogy further, the treatment is to kill the rogue cells. We don't contact them, and ask "hey, Mr. Cancerous cell, you're hurting the rest of us, would you please stop?" No, we use chemo and radiation and surgery and remove and destroy the tumors so they don't spread further.

    I really don't see why a vigilante group can't send out "good-faith" efforts to patch bad machines. If those machines die as a result of a bad patch, well, perhaps it's because they deserved to die. I certainly wouldn't complain if someone started actively dismantling these networks.

  • Map? (Score:3, Interesting)

    by andrewd18 ( 989408 ) on Friday April 20, 2007 @12:03PM (#18812633)
    What I'd like to see is a map of IP addresses, perhaps by provider, with the "turf" colored by type of infection. That would be awesome.
  • Re:Note to Editors (Score:5, Interesting)

    by karmatic ( 776420 ) on Friday April 20, 2007 @12:23PM (#18812887)

    I certainly wouldn't complain if someone started actively dismantling these networks.

    Some of us try.

    A while ago, I got a spam message, trying to infect me and connect me to a botnet - the software was a hacked up mIRC client with some DLL plugins. The client would automatically open a second connection, connect to a random network and channel, and proceed to spam people with virus messages on join. ("Type //some evil command to get op!, etc.")

    After talking to the admins, we banned the owners (only certain nicknames were allowed to control the bots), and replaced them with an eggdrop that had the infected people download and install an automatic cleaner. Thousands of infected computers were cleaned overnight, and hundreds more over the next few weeks. Is it possible that the cleaner broke a machine or two in the process? Possible, but unlikely (would be most likely due to a variant of the bot). Oh well - it made the IRC servers I used a lot more useful.
