Experts: Botnets add fault tolerance

Networks of zombie computers sport fault-tolerant architectures to withstand takedown attempts

Security experts contend that a growing number of operators of networks of compromised computers (or "botnets") are finding new ways to grow those networks and make them resistant to shutdown, including fault-tolerant designs intended to ensure that a network can't be wiped out in a single takedown.

As security companies and enterprise customers have gotten better at rooting out hijacked computers, the most savvy and advanced botnet herders have been busy growing and diversifying their operations. Today, those operators are fighting back against takedown attempts with everything from redundant command-and-control servers to peer-to-peer command structures, said Doug Camplejohn, chief executive of gateway security appliance maker Mi5 Networks.

"We're definitely seeing a degree of fault tolerance built into the most sophisticated botnets. These operators have too much time and effort invested in their networks to let someone take them down all at once; they've tried to make it such that if you cut off one command center, they can simply take control from another," Camplejohn said.

Using a new botnet monitoring tool, Mi5 found that roughly 25 percent of the networks of infected machines it has unearthed use some form of distributed control system.

Operators are also working to stay hidden from security researchers and anti-virus software: they move rapidly between different groups of infected machines and use bot programs that lie dormant for long periods to evade behavior-based monitoring.

"We see a lot more of these botnet programs that sit unused for a long period of time to stay hidden until someone wants to use them," Camplejohn said. "They're using every port they can to try to hide any communications taking place with outside command centers, and the communications themselves are cloaked or encrypted to hide their contents from filters."

Cutting-edge botnet operators are also moving rapidly to a peer-to-peer model for controlling their bots and spreading their code, one that does away with the large central command-and-control servers that are more easily found and more expensive to maintain, according to other botnet trackers.

While most of today's botnets still use a hierarchical design, an increasing number of the systems have smaller, more distributed controllers, said Guillaume Lovet, manager of the EMEA threat response team at security appliance maker Fortinet, also based in Sunnyvale.

Because of this shift from centralized to peer-to-peer control, Lovet said, the zombie networks are becoming steadily harder to pin down.

"Over the last six months, we've entered the second phase of the botnet era, especially with these P2P botnets, where you'd essentially have to shut down every single node in the network to stop it completely, and there might be tens of thousands of infected machines," Lovet said.
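The difference Lovet describes can be made concrete with a small simulation. The Python below is an added example, not code from the article, Mi5 or Fortinet; it uses a constructed toy model in which bots are graph nodes, an edge means commands can be relayed between two nodes, and the defender removes the most-connected nodes first (the visible "command centers"). The hierarchical model gives each bot a primary server plus fallbacks, which is the kind of redundancy Camplejohn describes; the P2P model is a random mesh in which the operator injects commands through a handful of peers it controls. The node counts, degrees and the number of fallback servers are assumptions chosen for illustration.

```python
"""Toy takedown simulation: hierarchical C2 with fallbacks vs. a P2P mesh.

Constructed model (added example, not from the article or any vendor tool):
nodes are bots or C2 servers, an edge means commands can be relayed between
the two. A bot counts as "still controllable" if it can reach a surviving
node through which the operator injects commands.
"""
import random
from collections import deque


def build_hierarchical(n_bots, n_c2, fallbacks):
    """Each bot knows `fallbacks` of the `n_c2` servers (primary + backups).
    Server ids follow the bot ids so the two populations stay distinct."""
    adj = {i: set() for i in range(n_bots + n_c2)}
    servers = list(range(n_bots, n_bots + n_c2))
    for bot in range(n_bots):
        for k in range(fallbacks):
            srv = servers[(bot + k) % n_c2]
            adj[bot].add(srv)
            adj[srv].add(bot)
    return adj, set(servers)


def build_p2p(n_bots, min_degree, seed=0):
    """Random mesh: every bot links to random peers until it has at least
    `min_degree` neighbours. A fixed seed keeps the run reproducible."""
    rng = random.Random(seed)
    adj = {i: set() for i in range(n_bots)}
    for bot in range(n_bots):
        while len(adj[bot]) < min_degree:
            peer = rng.randrange(n_bots)
            if peer != bot:
                adj[bot].add(peer)
                adj[peer].add(bot)
    return adj


def hub_takedown(adj, k):
    """Defender strategy: take down the k most-connected nodes (the
    visible 'command centres'); ties are broken by id for determinism."""
    return set(sorted(adj, key=lambda n: (-len(adj[n]), n))[:k])


def reachable(adj, sources, removed):
    """Breadth-first search from the surviving injection points."""
    seen = {s for s in sources if s not in removed}
    queue = deque(seen)
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in removed and v not in seen:
                seen.add(v)
                queue.append(v)
    return seen


def controllable_fraction(adj, bots, injection_points, removed):
    """Share of surviving bots the operator can still reach."""
    live = [b for b in bots if b not in removed]
    if not live:
        return 0.0
    alive = reachable(adj, injection_points, removed)
    return sum(1 for b in live if b in alive) / len(live)


def compare(k, n_bots=999, n_c2=3, fallbacks=2, p2p_degree=4, n_seeds=5):
    """Fraction of bots still controllable after removing the k most
    connected nodes, for the two architectures."""
    h_adj, servers = build_hierarchical(n_bots, n_c2, fallbacks)
    h_frac = controllable_fraction(h_adj, range(n_bots), servers,
                                   hub_takedown(h_adj, k))

    p_adj = build_p2p(n_bots, p2p_degree)
    # Assumption: the operator injects commands via a handful of peers
    # it controls; any surviving one is enough to reach the mesh.
    seeds = set(range(n_seeds))
    p_frac = controllable_fraction(p_adj, range(n_bots), seeds,
                                   hub_takedown(p_adj, k))
    return {"hierarchical": h_frac, "p2p": p_frac}


if __name__ == "__main__":
    for k in (1, 2, 3, 50):
        print(k, compare(k))
```

With three servers and two fallbacks per bot, losing one server costs the operator nothing, losing two strands the third of the bots whose two servers were exactly the pair removed, and losing all three ends the botnet: that is the redundancy Camplejohn describes, and it is still a finite list of targets. In the mesh there is no such list; removing the three, or even fifty, most-connected peers leaves almost every remaining bot reachable from any surviving seed, which is why Lovet says a P2P botnet effectively has to be cleaned node by node.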

Operators rapidly create botnets to fulfill specific duties such as seeding spam campaigns, funneling adware impressions or distributing malware, then move on to new sets of computers. That makes it harder to detect their presence at any time other than when they are actively using their hijacked PCs, Lovet contends.

"This type of attack is truly hard to stop as it moves along so quickly," he said. "If you have a botnet of ten thousand machines you can make a lot of money quickly, wipe it clean, and then move on to the next set. People are already doing this to generate regular income and they're making the systems robust as well as profitable."

Many of the activities carried out by the infected systems are likely the result of botnet rentals by other cyber-criminals, he said.

Lovet said he expects P2P botnets to become the predominant model over the next several years.

As they make their botnets more resilient to attacks, online criminals are also developing enterprising new ways to keep them healthy and growing, according to a recently published research paper titled "Combating the Botnet Scourge."

In the study, a team of graduate students at Ohio State University concluded that P2P botnet operators are already using online multimedia -- specifically adult video-sharing sites -- to increase the size of their zombie networks. As botnets adopt the rapid propagation mechanisms more commonly associated with worms, the threats will spread faster and may be harder to trace, the researchers said.

Incidents such as the denial-of-service attacks that took down the anti-spam service Blue Frog in mid-2006 illustrate just how large and powerful botnets can become when operators truly flex their hijacked computing muscle, said Adam Champion, one of the authors of the OSU paper.

"I'm not sure how this problem can be solved easily," he told InfoWorld. "The people who run these networks aren't stupid and they will continue to keep their identity cloaked... In the end not much will change unless popular operating system software becomes fundamentally more secure."
