
Rise of the Small Botnet

wiredmikey writes "Botnets controlled by criminal enterprises all over the world continue to multiply at a steep rate, and it is now arguably the smaller, harder-to-trace operations that organizations should be the most worried about. Not only are smaller botnets cheaper and easier to build out and operate, but criminals have already realized that large-scale botnet activity attracts unwanted attention, and not just of law enforcement."
  • Size matters (Score:3, Interesting)

    by gmuslera ( 3436 ) on Tuesday October 26, 2010 @09:53AM (#34024148) Homepage Journal
    For some of the botnet activities, size matters. If you want to steal cc numbers or passwords, being in more places means more chances to get something useful. Another common use of botnets is sending spam, where more machines=better (harder to block because of the numbers, and fewer chances to fill the bandwidth of those computers, and be noticed because of that, if you want to send a lot of spam).

    Instead of just going small, there are 2 tactics that could be used by botnets: try being more stealthy (i.e. sending out information only when the user does), or resizing by quality of the machines they run on (i.e. stay active only in machines where actually they are putting credit card info, or their spam is not being bounced, or having better bandwidth).
  • Re:Small botnet? (Score:1, Interesting)

    by Anonymous Coward on Tuesday October 26, 2010 @09:54AM (#34024156)

    You simply create another small botnet to manage the small botnets.

  • by ThePromenader ( 878501 ) on Tuesday October 26, 2010 @10:01AM (#34024238) Homepage Journal

    The whole point of a cronjob log-combing program is to detect multiple failed login attempts across ~any~ protocol (I have open). When I do find a failed attempt, I do note it, but it is only the ~repeated~ attempts that I track down.
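
The kind of cron-driven log comber described in the comment above, as an added example that is not the commenter's own program: it notes every failed login across several services but flags only sources that repeat within a time window. The log lines are constructed samples in a simplified syslog style, and the patterns, threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified syslog style (not from the thread).
SAMPLE_LOG = """\
2010-10-26T09:00:01 sshd[811]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2
2010-10-26T09:00:09 sshd[811]: Failed password for root from 203.0.113.5 port 4243 ssh2
2010-10-26T09:01:30 dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<bob>, rip=203.0.113.5
2010-10-26T09:02:00 vsftpd[90]: FAIL LOGIN: Client "198.51.100.7"
2010-10-26T09:03:00 sshd[812]: Accepted password for alice from 192.0.2.10 port 5000 ssh2
2010-10-26T11:30:00 sshd[813]: Failed password for root from 198.51.100.7 port 6000 ssh2
"""

# One failure pattern per service (assumed formats); each captures the source as "ip".
PATTERNS = {
    "ssh": re.compile(r"sshd\[\d+\]: Failed password for .* from (?P<ip>\S+) port"),
    "imap": re.compile(r"imap-login: .*auth failed.*rip=(?P<ip>[0-9a-fA-F.:]+)"),
    "ftp": re.compile(r'vsftpd\[\d+\]: FAIL LOGIN: Client "(?P<ip>[^"]+)"'),
}

def failed_logins(text):
    """Yield (timestamp, service, ip) for every failed-login line, whatever the protocol."""
    for line in text.splitlines():
        stamp, _, rest = line.partition(" ")
        for service, pattern in PATTERNS.items():
            match = pattern.search(rest)
            if match:
                yield datetime.fromisoformat(stamp), service, match.group("ip")
                break

def repeat_offenders(text, threshold=3, window=timedelta(minutes=10)):
    """Return {ip: services seen} for sources with >= threshold failures inside one window."""
    by_ip = defaultdict(list)
    for when, service, ip in failed_logins(text):
        by_ip[ip].append((when, service))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        # Slide over consecutive failures; flag once any run of `threshold` fits the window.
        for i in range(len(events) - threshold + 1):
            if events[i + threshold - 1][0] - events[i][0] <= window:
                flagged[ip] = sorted({service for _, service in events})
                break
    return flagged

if __name__ == "__main__":
    print(list(failed_logins(SAMPLE_LOG)))  # every failure is noted
    print(repeat_offenders(SAMPLE_LOG))     # only repeated sources are tracked down
```

A per-source counter like this misses the case the article is about, where each host in a small botnet tries only once or twice; catching that means also grouping the same failures by targeted account or by time bucket.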

  • Fighting chance (Score:2, Interesting)

    by hesaigo999ca ( 786966 ) on Tuesday October 26, 2010 @10:38AM (#34024644) Homepage Journal

    I had a heated debate once with a colleague, about how botnets operate, and he was under the impression they were all script kiddies with no morals, and just wanted to thrash all websites and infect everyone.... I tried to let him know, they were people (higher ups) with organization skills of real companies, with real business sense, using techniques to covertly avoid detection. I even heard of one botnet that would send out a few emails from each computer a minute, not more....to avoid sending up flags that 1 million emails in an hour would set off....and then there was that one that would cycle between computers in the botnet to send off mail, so that the IP address changed each time based on where the email was coming from....so you could get 300 emails all from diff. addresses not to send off a flag, so that one company with 300 employees would all get spammed.

    These guys are nasty tacticians, and really only want the best way to stay in the game, even if it means uninstalling themselves for a few days, with a script that will send the computer back to a website with a payload to redownload and reinfect. This one no one believes, but I saw it....with my own eyes, and could not believe that 3 days later it was back, although it had not uninstalled itself because of me, it must have been a command from a CC.

  • by Shark ( 78448 ) on Tuesday October 26, 2010 @11:00AM (#34024956)

    As an ISP, we actively track and warn customers that are infected. It was a bit of a hurdle at first but merely making our customers aware of the possibility has drastically decreased the number of infections despite the steady increase in number of customers.
