Slashdot: News for Nerds

Rise of the Small Botnet

CmdrTaco posted more than 3 years ago | from the we-are-legion dept.


wiredmikey writes "Botnets controlled by criminal enterprises all over the world continue to multiply at a steep rate, and it is now arguably the smaller, harder-to-trace operations that organizations should be the most worried about. Not only are smaller botnets cheaper and easier to build out and operate, but criminals have already realized that large-scale botnet activity attracts unwanted attention, and not just of law enforcement."


61 comments

Beware the new Nano-Terminator! (0)

Anonymous Coward | more than 3 years ago | (#34023824)

It's just like Arnold, except with a high squeaky voice. Sort of like Urkel.

Re:Beware the new Nano-Terminator! (1)

Tr3vin (1220548) | more than 3 years ago | (#34024162)

Will I be baaaack?

Spread of intrusion? (0)

ThePromenader (878501) | more than 3 years ago | (#34023896)

Um - detectable depending on what they want to access. I've deployed a daily login attempt/file access logarithm that will alert me to any intrusion attempt - it doesn't really matter to me how many other servers the intruder attempts to intrude; in fact, I don't even look.

Re:Spread of intrusion? (1)

pinkeen (1804300) | more than 3 years ago | (#34023948)

Your users have to solve logarithms in order to access their files? No surprise that no botnet is interested in them either.

Re:Spread of intrusion? (1, Informative)

ThePromenader (878501) | more than 3 years ago | (#34024084)

LOL - logarithm == internal cronjob. Anomaly detection/alerts.

Re:Spread of intrusion? (1)

pinkeen (1804300) | more than 3 years ago | (#34024670)

I googled for cronjob and logarithm. The only relevant entry found is your comment (and the first that pops out).

Re:Spread of intrusion? (1)

rcuhljr (1132713) | more than 3 years ago | (#34025518)

He means Algorithm, I hope.

conjob algorithms (1)

h00manist (800926) | more than 3 years ago | (#34028040)

Where is the latest pastebin for conjob algorithms?

Dude, you need to break out your dictionary (2, Informative)

sean.peters (568334) | more than 3 years ago | (#34026830)

The word you're looking for is "algorithm". A "logarithm" is a number that you get by taking the exponent of a number from a certain base. For example the "common" (base 10) logarithm of 1000 is 3. What your machine is doing has nothing to do with this.

Re:Dude, you need to break out your dictionary (1)

ThePromenader (878501) | more than 3 years ago | (#34035046)

Right you are. I was... um, drunk ; P

Re:Dude, you need to break out your dictionary (1)

sean.peters (568334) | more than 3 years ago | (#34044866)

lol, been there...

Re:Spread of intrusion? (3, Informative)

MyLongNickName (822545) | more than 3 years ago | (#34024100)

I'm posting from ThePromenader's unmonitored servers.

Re:Spread of intrusion? (1)

ThePromenader (878501) | more than 3 years ago | (#34024170)

If I had mod points, I would mod you 'funny' ; )

Re:Spread of intrusion? (1)

NeverVotedBush (1041088) | more than 3 years ago | (#34024104)

As long as the intruder tries to use logins or file access...

Re:Spread of intrusion? (1)

lavagolemking (1352431) | more than 3 years ago | (#34024144)

Um - detectable depending on what they want to access. I've deployed a daily login attempt/file access logarithm that will alert me to any intrusion attempt

What exactly do you consider an "intrusion attempt"? A failed SSH login? A suspicious script running on a website one of your users loaded? A phishing/trojan e-mail? An alert from the anti-virus (if you're running Windows)? How on earth do you browse through all those alerts, most of which can be ignored? Also, if you're working in IT, then you do care if they get into something. Obviously you would prefer it not be something like your main file server or something that stores sensitive financial/FERPA/HIPAA/whatever records, but you probably still care if one of your users' desktops is hosting malware/pr0n, pumping spam, logging keystrokes, or launching DoS attacks.

it doesn't really matter to me how many other servers the intruder attempts to intrude; in fact, I don't even look.

Aren't you desensitizing yourself to important alerts from the logs? There are certainly noteworthy things in the logs - coming from somebody who reads logs on his servers - but if you try to manually read and acknowledge every failed root login and every request with a bunch of - signs and quotation marks, you're going to be tempted to just ignore everything no matter how important.

Re:Spread of intrusion? (2, Interesting)

ThePromenader (878501) | more than 3 years ago | (#34024238)

The whole point of a cronjob log-combing program is to detect multiple failed login attempts across ~any~ protocol (I have open). When I do find a failed attempt, I do note it, but it is only the ~repeated~ attempts that I track down.
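The kind of cron-driven log comb described above, written here as an added example rather than ThePromenader's own script: it counts failed logins per source address across several services and reports only sources that crossed a threshold, so single stray failures never raise an alert. The log lines in sample_report are constructed; the three line formats matched (OpenSSH, vsftpd, Apache combined log) are real, but the choice of services and the threshold are this example's assumptions.

```shell
#!/bin/sh
# Added example, not ThePromenader's own script: a log comb meant to run from
# cron. It tallies failed logins per source across sshd, vsftpd and an Apache
# access log and prints only sources at or above THRESHOLD, most active first.
# Sample lines in sample_report are constructed, not real logs.

# count_repeated_failures THRESHOLD   (log lines on stdin)
# Output: "failures<TAB>source" per source with >= THRESHOLD failures.
count_repeated_failures() {
    awk -v threshold="$1" '
        # OpenSSH: "... sshd[1234]: Failed password for root from 203.0.113.9 port 4711 ssh2"
        /sshd\[/ && /Failed password for/ {
            for (i = 1; i < NF; i++) if ($i == "from") fails[$(i + 1)]++
            next
        }
        # vsftpd: "... vsftpd[222]: [anonymous] FAIL LOGIN: Client "203.0.113.9""
        /vsftpd\[/ && /FAIL LOGIN: Client/ {
            ip = $NF; gsub(/"/, "", ip); fails[ip]++
            next
        }
        # Apache combined log: client address is field 1, HTTP status is field 9
        $9 == 401 { fails[$1]++; next }
        END {
            for (ip in fails)
                if (fails[ip] >= threshold) printf "%d\t%s\n", fails[ip], ip
        }' | sort -rn
}

# sample_report: the comb over constructed lines with threshold 5.
# 203.0.113.9 fails six times across three services, 198.51.100.7 once,
# so only the first is reported.
sample_report() {
    printf '%s\n' \
        'Oct 24 03:14:15 srv sshd[1234]: Failed password for root from 203.0.113.9 port 4711 ssh2' \
        'Oct 24 03:14:18 srv sshd[1234]: Failed password for root from 203.0.113.9 port 4711 ssh2' \
        'Oct 24 03:14:21 srv sshd[1235]: Failed password for invalid user admin from 203.0.113.9 port 4712 ssh2' \
        'Oct 24 03:15:02 srv sshd[1240]: Failed password for alice from 198.51.100.7 port 5020 ssh2' \
        'Oct 24 03:15:09 srv sshd[1241]: Accepted password for alice from 198.51.100.7 port 5021 ssh2' \
        'Oct 24 03:16:00 srv vsftpd[222]: [anonymous] FAIL LOGIN: Client "203.0.113.9"' \
        'Oct 24 03:16:05 srv vsftpd[223]: [anonymous] FAIL LOGIN: Client "203.0.113.9"' \
        '203.0.113.9 - - [24/Oct/2010:03:17:00 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "curl/7.21"' \
        '203.0.113.9 - - [24/Oct/2010:03:17:30 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.21"' |
        count_repeated_failures 5
}

# Usage from cron, e.g. once a day:
#   cat /var/log/auth.log /var/log/apache2/access.log | sh logcomb.sh 5 | mail -s 'repeated login failures' root
case "${1:-}" in
    --demo) sample_report ;;
    [0-9]*) count_repeated_failures "$1" ;;
esac
```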

Industry Buzzwords (0)

Anonymous Coward | more than 3 years ago | (#34023984)

Why invest in cloud computing when you can get a botnet for free?

Step 1. bot net - Step 2. Profit! (1)

digitaldc (879047) | more than 3 years ago | (#34023988)

"The ability of defenders to thwart these attacks by over-provisioning their networks does not increase proportionally with the disruptive power of botnet-driven DDoS attacks, which will grow as more Internet users come online in developing nations and fast broadband connections become available more cheaply to home users that are less educated in proper security behavior."

It seems that by now, people should be MORE educated about security and not less...but oh well.

Re:Step 1. bot net - Step 2. Profit! (4, Interesting)

Shark (78448) | more than 3 years ago | (#34024956)

As an ISP, we actively track and warn customers that are infected. It was a bit of a hurdle at first but merely making our customers aware of the possibility has drastically decreased the number of infections despite the steady increase in number of customers.

Small botnet? (1)

pinkeen (1804300) | more than 3 years ago | (#34024016)

If a botnet is small doesn't it contradict the very idea of a botnet? I mean it seriously limits its uses.

From other story: I wonder how many unidentified large botnets remain out there.

Re:Small botnet? (3, Insightful)

wiredmikey (1824622) | more than 3 years ago | (#34024048)

Yes, but the larger the botnet, the more of a target it becomes for takedown. Running smaller botnets under the radar for a longer period of time can be more effective with less of a chance of being caught.

Re:Small botnet? (1)

ThePromenader (878501) | more than 3 years ago | (#34024096)

How do you define 'under the radar'?

Re:Small botnet? (2)

MyLongNickName (822545) | more than 3 years ago | (#34024124)

He means what "under the radar" usually means: unnoticed by the authorities or those with the ability to stop you.

Re:Small botnet? (1)

ThePromenader (878501) | more than 3 years ago | (#34024250)

Does that include laziness?

Re:Small botnet? (1)

MyLongNickName (822545) | more than 3 years ago | (#34024444)

No, what I meant was that 1) The authorities who might prosecute you are going after the bigger players and 2) Antivirus is less likely to detect threats that only affect a small number of machines.

Re:Small botnet? (1)

ThePromenader (878501) | more than 3 years ago | (#34024638)

Sorry, I wasn't imagining myself as the 'bot-sender' ; ) For the time being, I'm alerted to any multiple failed connection attempt (no matter what protocol, even http) - ...should I give the results of my foresighted vigilance to the antivirus/trojan/fear company (none to whom I subscribe) that I pay every month (that I do not)?

The most effective anti-intrusion application I have seen out there is Cloudmark... never mind the MS platform. They've got the right idea, their idea can work for even for trojan/virus/botnet software.

Re:Small botnet? (1)

ascari (1400977) | more than 3 years ago | (#34024212)

For a moment ignoring coordinate dependent things, how about "Not above or at the same level as the radar"?

Re:Small botnet? (1, Interesting)

Anonymous Coward | more than 3 years ago | (#34024156)

You simply create another small botnet to manage the small botnets...

Re:Small botnet? (1)

suiminbusoku (1888128) | more than 3 years ago | (#34032926)

Yo dawg, I heard you like botnets...

Re:Small botnet? (0)

Anonymous Coward | more than 3 years ago | (#34024164)

Perhaps a better question is, what can you do with many small unrelated botnets that you can't do with a large botnet?

A botnet of botnets if you will?

Re:Small botnet? (1)

drcheap (1897540) | more than 3 years ago | (#34028600)

Perhaps a better question is, what can you do with many small unrelated botnets that you can't do with a large botnet?

A botnet of botnets if you will?

But you'll need a network of networks for them to run on. Good luck finding that! /lamejoke

Where is the Microsoft or Windows tag? (3, Insightful)

erroneus (253617) | more than 3 years ago | (#34024056)

I know for a fact that Linux boxes, especially servers on the net, get compromised and used by criminals from unknown locations on the planet. But botnets are made almost entirely of PCs running Microsoft Windows. Whether it is the OS or the apps running on it or both are the ultimate cause, it all has MS Windows in common.

All this botnet crap going on all over the planet could be halted in very short order if Microsoft would "man up" and do something about it. With every new release of an OS, it makes a choice and every time it has chosen to maintain the old ways instead of fixing the problems. Perhaps my perspective on this is a little wrong. I have not yet, for example, seen a compromised Windows 7 machine. (That's not because they can't be, it's simply because I haven't seen one yet and a lot of people don't want to use Windows 7.)

If I was in control of a beef company and the bovine products I was distributing was tied to global illness and crap like that, there would be no end to the complaints and measures taken against me. But somehow, the world hasn't managed to point enough fingers at Microsoft demanding that they do something about the problem. The only finger pointers are pretty much the IT crowd and no one listens to us. It is fascinating to me because the problems with compromised Windows machines has massive economic effect which, as we all know, is far more important than global health and general public safety.

Re:Where is the Microsoft or Windows tag? (1)

ka9dgx (72702) | more than 3 years ago | (#34024136)

It's not about Microsoft having to "man up"... it's more about a structural flaw in the basic paradigm we all know and love... the idea of running everything a default permissive environment. Until capability based security is put into common use, this problem will NEVER go away.

Re:Where is the Microsoft or Windows tag? (1)

erroneus (253617) | more than 3 years ago | (#34024492)

Agreed. Microsoft needs to essentially dump the Windows API. For obvious reasons, they don't want to just dump it. But this sort of move would not be unprecedented. Apple did it when it came out with Mac OS X. Sure they wrote a "Classic" support layer and it was buggy as hell. People complained to hell and back about it. But in the end, that only served to fuel the migration from "classic" apps to OSX apps. If Microsoft were to do that, we would see a much more energetic migration from Windows XP to Windows# that would carry out much more rapidly.

Presently, no software (generally) requires Vista or Windows 7. Sure, some devices no longer have WinXP drivers and stuff like that, but so far, there is nothing that makes the new OSes a necessity.

So yeah, Microsoft needs to do what Apple did. Dump the old, force the new and get it over with.

Re:Where is the Microsoft or Windows tag? (1)

0123456 (636235) | more than 3 years ago | (#34024758)

So yeah, Microsoft needs to do what Apple did. Dump the old, force the new and get it over with.

Who would buy Windows if it didn't run Windows apps?

Re:Where is the Microsoft or Windows tag? (1)

delinear (991444) | more than 3 years ago | (#34025468)

Who is to say it wouldn't run Windows apps - what's wrong with including some kind of virtual machine running a previous version for backwards compatibility? I can already run Windows apps on Mac/Linux using this method, I'm sure MS could include a free license. They could even make it a business opportunity if they made it a limited time functionality to ease the transition (i.e. we'll support this for X years, then you have to buy new apps or your own old Windows license).

Re:Where is the Microsoft or Windows tag? (1)

xenapan (1012909) | more than 3 years ago | (#34032338)

You mean like XP mode on Windows 7 machines? Doesn't that exist already?

Re:Where is the Microsoft or Windows tag? (2, Insightful)

c6gunner (950153) | more than 3 years ago | (#34024730)

it's more about a structural flaw in the basic paradigm we all know and love... the idea of running everything a default permissive environment

Even that's largely irrelevant. Back when I had a botnet or two of my own, I didn't really give a damn what kind of permissions they had as long as they were capable of accessing the net. Firewalls set up to stop programs from dialing out didn't seem to be much of an issue - the average user would just click "allow", anyway. The biggest problem has always been - and will continue to be - ignorant or uncaring users.

Where is the BOFH tag? (0)

Anonymous Coward | more than 3 years ago | (#34025798)

The biggest problem has always been - and will continue to be - ignorant or uncaring users.

Isn't that why the BOFH rules with an iron fist?

Re:Where is the Microsoft or Windows tag? (5, Insightful)

Spad (470073) | more than 3 years ago | (#34024302)

The vast majority of current exploits are targeted at applications, rather than OSs; primarily Acrobat Reader and Java at the moment.

Regardless, no OS can overcome the problem of permitting users to carry out administrative tasks without allowing them to execute malicious code when they really, really want to see the dancing bunnies.

Re:Where is the Microsoft or Windows tag? (0)

Anonymous Coward | more than 3 years ago | (#34026782)

This is a very, very stupid comment. An exploit "targeted at an application" cannot do j*ck sh!t. The real problem is that Windows is so full of privilege-escalation holes that any "application exploit" on Windows means that an OS TARGETED LOCAL EXPLOIT can escalate privilege and give you "admin" power on your Windows machine. And that is why these gigantic botnets are all Windows botnets and not "Mac botnets" (mind you, there are millions and millions of Macs out there and now millions and millions of Linux / Android cellphones, which is a market dwarfing Windows desktops).

Also, your last knee-jerk comment "no OS can overcome..." bla bla bla is the usual MS astroturfing fanboi logical fallacy: so do you in all intellectual honesty (which you don't seem to have much) believe that all OS are created equal when it comes to security?

Bullsh!t. Rubbish bullsh!t and modded +4 insightful, sad.

W7 can be easily infected (0)

Anonymous Coward | more than 3 years ago | (#34027920)

I repair (primarily remove infections these days) computers at our family run business. About ten percent of the Windows boxes we get in are Windows 7 infected with one or more rogue programs. No Windows version is immune to infection. No OS is immune for that matter.

Tempnet (1)

Joebert (946227) | more than 3 years ago | (#34024064)

If you think that's bad, just wait until the self-aware temporary infection botnets come out.

Nothing Like a Large Botnet (4, Funny)

MyLongNickName (822545) | more than 3 years ago | (#34024080)

To really do damage to a webserver, you need a large botnet [slashdot.org].

Re:Nothing Like a Large Botnet (3, Funny)

MyLongNickName (822545) | more than 3 years ago | (#34024352)

Heh, Flamebait :) Some mod is having fun modding me down today. Here's another one to waste your points on :)

Re:Nothing Like a Large Botnet (1)

Joebert (946227) | more than 3 years ago | (#34025234)

Slash dot dot org bot net.

How does this make sense? (3, Insightful)

exentropy (1822632) | more than 3 years ago | (#34024120)

Organizations shouldn't be worried about small botnets simply because they haven't attracted the attention of law enforcement -- they should be afraid because their antivirus won't have a signature for the malware being propagated by small botnets. And what's the point of advising organizations to be worried about small botnets? Fear doesn't increase security.

Re:How does this make sense? (1)

ascari (1400977) | more than 3 years ago | (#34024272)

Fear doesn't increase security.

Agreed! And besides, those tiny little botnets are so damn cute they don't scare anybody!

Re:How does this make sense? (4, Insightful)

captainpanic (1173915) | more than 3 years ago | (#34024298)

Fear actually does increase security... well... in a way.

Consultants call this fear "awareness". And if you want a general group to implement any measures, you have to "create awareness". It's a well-known fact.
So, because of the awareness, security measures are taken.

Not only the cyber security, but also physical security (security companies and weapons industry) thrive because of the awareness of all kinds of problems (security leaks, terrorism, etc).
The real question is: is the threat as big as it is portrayed?

Re:How does this make sense? (1)

Spad (470073) | more than 3 years ago | (#34024316)

No, it increases sales.

Size matters (2, Interesting)

gmuslera (3436) | more than 3 years ago | (#34024148)

For some of the botnet activities, size matters. If you want to steal cc numbers or passwords, being in more places means more chances to get something useful. Another common use of botnets is sending spam, where more machines = better (harder to block because of the numbers, and less chance of filling the bandwidth of those computers and being noticed because of that, if you want to send a lot of spam).

Instead of just going small, there are 2 tactics that could be used by botnets: try being more stealthy (i.e. sending out information only when the user does), or resizing by quality of the machines they run on (i.e. stay active only in machines where they are actually putting in credit card info, or their spam is not being bounced, or that have better bandwidth)

Re:Size matters (1)

ThePromenader (878501) | more than 3 years ago | (#34024346)

The problem with this is that botnets have to come from ~somewhere~ - and that somewhere can be detected. It's what they're trying to ~do~ - and how often - that is important. I suppose the whole point of the article is that bots are becoming less 'intensive' - we have to spread our intrusion detection defenses to detect attempts spread over a longer period of time, that's all.

Re:Size matters (0)

Anonymous Coward | more than 3 years ago | (#34024508)

Thanks for the tips?

Re:Size matters (1)

CAIMLAS (41445) | more than 3 years ago | (#34026130)

It's not so much the size, I think, but the density.

If every house in a neighborhood has a small ant colony, they are all more likely to go unnoticed than if one or several houses has a large and obvious colony. Likewise, if only half the houses in the town have small colonies, they're more likely to be OK than if all houses had an infestation.

There are quite a few ways to be 'stealthy'. Some would be method/mode and 'intelligence' to infection of hosts. (E.g. semi-random, selective within subnets, distributive parent/daughter logic, secured intercommunications, etc.)

Fighting chance (2, Interesting)

hesaigo999ca (786966) | more than 3 years ago | (#34024644)

I had a heated debate once with a colleague, about how botnets operate, and he was under the impression they were all script kiddies with no morals, and just wanted to thrash all websites and infect everyone.... I tried to let him know, they were people (higher ups) with organization skills of real companies, with real business sense, using techniques to covertly avoid detection. I even heard of one botnet that would send out a few emails from each computer a minute, not more....to avoid sending up flags that 1 million emails in an hour would set off....and then there was that one that would cycle between computers in the botnet to send off mail, so that the ip address changed each time based on where the email was coming from....so you could get 300 emails all from diff. addresses not to send off a flag, so that one company with 300 employees would all get spammed.

These guys are nasty tacticians, and really only want the best way to stay in the game, even if it means uninstalling themselves for a few days, with a script that will send the computer back to a website with a payload to redownload and reinfect. This one no one believes, but I saw it....with my own eyes, and could not believe that 3 days later it was back, although it had not uninstalled itself because of me, it must have been a command from a CC.

Depends on the intended function (1)

PPH (736903) | more than 3 years ago | (#34025498)

If the botnet is for churning out large volumes of spam then a large, distributed net is better. Traffic will be lower at any one node for the same total volume. If the botnet is to be used for targeting specific installations or types of installations (ala Stuxnet) then smaller is better. The more infected nodes you operate, the greater the likelihood of detection.

Maybe they're really bigger? (1)

kiehlster (844523) | more than 3 years ago | (#34027822)

How do we know the criminals haven't just gone bigger scale? Why settle for a giant botnet when you can run a botnet full of tiny botnets? Is the attention attracted from seeing the same code on thousands of machines, or from seeing the same attack from thousands of machines? Why run DDoS attacks when you can run multiple exploit attacks instead on multiple networks to throw off any sign of a large coordinated attack?

Botnet Blacklisting with denyhosts & iptables (1)

Freshly Exhumed (105597) | more than 3 years ago | (#34028094)

Instructions for Linux, but can be modified to suit *BSD, some other OSes. Remember, with firewalls fascism is good.

1. install and configure denyhosts http://denyhosts.sourceforge.net/ [sourceforge.net]
2. use the reporting/updating feature of denyhosts to coordinate and sync botnet-dropping with other denyhosts users
3. write a script or daemon that checks for updates to denyhost's hosts-restricted file and then tells your iptables firewall to drop all packets to and from those hosts

Example of iptables firewall config file with blacklists:

# Blacklisted IP addresses: uses output of denyhosts daemon
# (each hosts-restricted line is "IP:count:timestamp"; keep only the IP)
#
IPTABLES=${IPTABLES:-/sbin/iptables}
RESERVED_HOST=$(cat /var/lib/denyhosts/hosts-restricted|awk -F ":" '{print $1}')
#
# Blacklisted subnets: place banned subnets here (space-separated CIDR list)
#
RESERVED_NET=""
#
# Prevent packets sent to unassignable and blacklisted subnets from
# leaving the firewall (see Blacklist above)
#
$IPTABLES -N SRC_EGRESS
$IPTABLES -F SRC_EGRESS
$IPTABLES -A SRC_EGRESS -s 10.0.0.0/8 -j DROP
$IPTABLES -A SRC_EGRESS -s 172.16.0.0/12 -j DROP
$IPTABLES -A SRC_EGRESS -s 192.168.0.0/16 -j DROP
$IPTABLES -A SRC_EGRESS -s 224.0.0.0/4 -j DROP
$IPTABLES -A SRC_EGRESS -s 240.0.0.0/5 -j DROP

for NET in $RESERVED_NET
do
    $IPTABLES -A SRC_EGRESS -s $NET -j DROP
done

$IPTABLES -N DST_EGRESS
$IPTABLES -F DST_EGRESS
$IPTABLES -A DST_EGRESS -d 10.0.0.0/8 -j DROP
$IPTABLES -A DST_EGRESS -d 172.16.0.0/12 -j DROP
$IPTABLES -A DST_EGRESS -d 192.168.0.0/16 -j DROP
$IPTABLES -A DST_EGRESS -d 224.0.0.0/4 -j DROP
$IPTABLES -A DST_EGRESS -d 240.0.0.0/5 -j DROP

for NET in $RESERVED_NET
do
    $IPTABLES -A DST_EGRESS -d $NET -j DROP
done

# Prevent packets sent to or from blacklisted hosts from
# entering or leaving the firewall (see Blacklist above)
#
for HOST in $RESERVED_HOST
do
    $IPTABLES -I INPUT -s $HOST -j DROP
    $IPTABLES -A SRC_EGRESS -s $HOST -j DROP
    $IPTABLES -A DST_EGRESS -d $HOST -j DROP
done
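Step 3 of the recipe above (a script that watches denyhosts' hosts-restricted file and feeds iptables), written here as an added example rather than Freshly Exhumed's own script. It assumes the "IP:count:timestamp" line format that the poster's awk -F ":" '{print $1}' relies on, accepts only well-formed IPv4 entries so that a hostname or injected garbage in the file never becomes an iptables argument, and rebuilds a dedicated chain on each change instead of piling rules onto INPUT; the chain name, stamp file path and IPv4-only limitation are this example's choices, not denyhosts'.

```shell
#!/bin/sh
# Added example, not Freshly Exhumed's own code: cron-driven sync from
# denyhosts' hosts-restricted file into a dedicated iptables chain.
# Assumptions (this example's, not denyhosts'): one "IP:count:timestamp"
# line per blocked host, IPv4 only, chain/stamp names below.

IPTABLES="${IPTABLES:-/sbin/iptables}"
CHAIN="${CHAIN:-DENYHOSTS_BLOCK}"
RESTRICTED="${RESTRICTED:-/var/lib/denyhosts/hosts-restricted}"
STAMP="${STAMP:-/var/run/denyhosts-iptables.cksum}"

# extract_hosts FILE: print each distinct valid dotted-quad found before the
# first colon, in file order. Anything else is silently dropped, so a bad
# line in the file cannot reach iptables as an argument.
extract_hosts() {
    awk -F ':' '
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            n = split($1, o, "."); ok = 1
            for (i = 1; i <= n; i++)
                if (length(o[i]) > 3 || o[i] + 0 > 255) ok = 0
            if (ok && !seen[$1]++) print $1
        }' "$1"
}

# rules_for_hosts CHAIN: read addresses on stdin, print the iptables commands
# that rebuild CHAIN from scratch and hook it at the top of INPUT/OUTPUT/FORWARD.
rules_for_hosts() {
    chain="$1"
    echo "$IPTABLES -N $chain 2>/dev/null"   # fails harmlessly if it exists
    echo "$IPTABLES -F $chain"
    while read -r ip; do
        echo "$IPTABLES -A $chain -s $ip -j DROP"
        echo "$IPTABLES -A $chain -d $ip -j DROP"
    done
    for hook in INPUT OUTPUT FORWARD; do
        # delete-then-insert keeps the jump idempotent across repeated runs
        echo "$IPTABLES -D $hook -j $chain 2>/dev/null; $IPTABLES -I $hook -j $chain"
    done
}

# sync_blacklist: no-op unless hosts-restricted changed since the last run
# (so cron can call it every few minutes), otherwise regenerate the chain.
# DRY_RUN=1 prints the commands instead of executing them.
sync_blacklist() {
    [ -r "$RESTRICTED" ] || { echo "cannot read $RESTRICTED" >&2; return 1; }
    sum=$(cksum < "$RESTRICTED")
    if [ -r "$STAMP" ] && [ "$(cat "$STAMP")" = "$sum" ]; then return 0; fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        extract_hosts "$RESTRICTED" | rules_for_hosts "$CHAIN"
    else
        extract_hosts "$RESTRICTED" | rules_for_hosts "$CHAIN" | sh
    fi
    echo "$sum" > "$STAMP"
}

# write_sample_file PATH: a constructed hosts-restricted file for testing,
# with a hostname, an out-of-range octet and a duplicate that must be ignored.
write_sample_file() {
    printf '%s\n' \
        '203.0.113.9:5:2010-10-24 03:14:15' \
        '198.51.100.7:12:2010-10-24 04:00:00' \
        'evil.example:3:2010-10-24 05:00:00' \
        '203.0.113.9:7:2010-10-24 06:00:00' \
        '999.1.1.1:2:2010-10-24 07:00:00' > "$1"
}

# Usage: "sh denyhosts-sync.sh" from cron; "--demo" shows a dry run on the sample.
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp); write_sample_file "$f"
    RESTRICTED=$f; STAMP=$f.sum; DRY_RUN=1
    sync_blacklist
    rm -f "$f" "$f.sum"
fi
```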

Re:Botnet Blacklisting with denyhosts & iptabl (1)

Freshly Exhumed (105597) | more than 3 years ago | (#34028192)

Of course this assumes that the botnet attack is a standard SSH-based one. Also the # RESERVED_HOST=$(cat /var/lib/denyhosts/hosts-restricted|awk -F ":" '{print $1}') line needs to be uncommented.

Re:Botnet Blacklisting with denyhosts & iptabl (1)

kefa (640985) | more than 3 years ago | (#34030452)

Does anyone know where the download is for Denyhosts v2.7? This is listed in the changelog for Deny Hosts, but SourceForge only has v2.6 available for download, which I believe still has a minor log injection DoS exploit.

Splitting a botnet. (1)

mail2345 (1201389) | more than 3 years ago | (#34034948)

Couldn't it be possible to have a botnet upgrade into different versions, allowing it to split?

Clarification:
Virus writer releases virus A and sets up control server A.
Botnet A gets large, and the writer is worried about authorities, so he sets up servers B and C, as well as writing two updates.
Botnet A gets update B or update C from control server A.
The update installs the new virus and removes the old one.
Botnet B gets large, virus writer sets up servers D and F.
Process continues.

If it's split before the AVs pay any considerable attention (or if you split enough to confuse them), a writer could write a fast spreading botnet, without having to worry about it getting too large.

I would imagine that setting up new servers and updates might be a hassle though.
