Botnets are getting larger and smarter

February 19th, 2006

Brian Krebs’ Security Fix blog has additional material that didn’t make it into his Washington Post Magazine article on botmasters and malware. I found his discussion of botnet research to be very intriguing. Botnets are using protocols and algorithms developed over the past decade in the distributed systems and software agents research communities. Some botnets, for example, can contain hundreds of thousands of PCs making central control infeasible:

“But controlling the activities of tens of thousands of hacked PCs can take an enormous amount of computer processing power and Internet-access bandwidth. As such, botmasters have adapted their command-and-control networks to accommodate much larger botnets. One popular way to control large numbers of compromised machines is through delegation. For example, if a botmaster has compromised 100,000 PCs, but only has the capacity or bandwidth to control 10 percent of those computers, the attacker can organize the victim PCs into hundreds of much smaller groups, with a “lieutenant” bot in each group that orchestrates connections and communications between other members of the platoon and the bot herder’s main channel.

In such a scenario, the individual bots are democratic. Should a lieutenant suddenly be unplugged from the Web or discovered and cleaned up by a security professional, the remaining bots in the platoon are programmed to hold a virtual “election” to see which computers should replace it. In most cases, the PC with the fastest and/or most reliable Internet connection becomes the new lieutenant.

There is one factor in controlling vast numbers of bots that can mask the true size of any given botnet, Dagon said. To reduce the load that a massive botnet would place on a command-and-control network, many bots are configured to remain mostly disconnected from the herd, “phoning home” periodically to check for updates or new instructions.”

This makes me wonder if sploggers are using botnets. Setting up a splog on an infected machine would be more complicated for a bot since it would require a minimal HTTP server and also riskier since it entails both outgoing and incoming connections. We have a very large collection of sites identified as hosting one or more splogs. An analysis of the distribution of their IP addresses might be interesting.
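One way to run the IP-distribution analysis suggested above, as an added example rather than anything from the post or its author's splog collection: splogs parked on a few hosting providers cluster into a handful of /16 networks, while splogs served from a botnet of compromised home PCs scatter across many unrelated networks. The address lists, the /16 grouping and the 0.75 threshold are constructed assumptions for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample data drawn from reserved/documentation ranges, not real hosts.
# Set A: splogs sitting on two hosting-provider ranges.
HOSTED_SPLOGS = [f"203.0.113.{i}" for i in range(10, 20)] + ["198.51.100.7", "198.51.100.8"]
# Set B: the same number of splogs scattered across twelve unrelated /16s,
# the pattern a botnet of residential PCs would produce.
DISPERSED_SPLOGS = [f"172.{16 + i}.{(7 * i) % 250 + 1}.{(13 * i) % 250 + 1}" for i in range(12)]


def prefix_counts(ips, prefix_len=16):
    """Number of hosts in each /prefix_len network (IPv4 addresses as strings)."""
    counts = Counter()
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        counts[str(net)] += 1
    return counts


def dispersion(ips, prefix_len=16):
    """Summarise how spread out a set of addresses is.

    distinct_ratio:  distinct prefixes / hosts (1.0 = every host in its own network)
    top_share:       fraction of hosts in the single most-populated prefix
    singleton_share: fraction of hosts whose prefix contains no other host
    """
    counts = prefix_counts(ips, prefix_len)
    n = len(ips)
    if n == 0:
        return {"hosts": 0, "distinct_ratio": 0.0, "top_share": 0.0, "singleton_share": 0.0}
    singletons = sum(1 for c in counts.values() if c == 1)
    return {
        "hosts": n,
        "distinct_ratio": len(counts) / n,
        "top_share": max(counts.values()) / n,
        "singleton_share": singletons / n,
    }


def looks_botnet_hosted(ips, prefix_len=16, threshold=0.75):
    """Heuristic (assumed threshold): a set whose hosts mostly sit alone in their
    /16 is far more consistent with compromised end-user PCs than with a few
    hosting providers. Treat a hit as a lead for further checks, not a verdict."""
    return dispersion(ips, prefix_len)["singleton_share"] >= threshold


if __name__ == "__main__":
    for name, ips in (("hosted", HOSTED_SPLOGS), ("dispersed", DISPERSED_SPLOGS)):
        print(name, dispersion(ips), looks_botnet_hosted(ips))
```

Real data would add a check against known hosting or cable/DSL netblocks, since a single large ISP can also account for many singleton /16s.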