Smarter 'Headless' Botnets
Botnets, which are large clusters of compromised computers that can be controlled centrally from a remote location, have become the delivery mechanism of choice for cybercrooks that want to distribute spam and other sorts of malicious code. Though such networks have been very efficient at distributing malware they have become relative easy to neutralize by tracking and taking down the command and control servers that control them.
"Bot masters have been relatively stupid so far," said Mustaque Ahamad, director of the GTISC. "There are a variety of interesting ways to detect bot activities fairly quickly," he said. That's already changing, however, as cybercriminals put more effort into hiding bot activity by, among other things, disguising bot traffic as normal traffic, he said.
Another technique gaining favor in the botnet world is the use of so-called fast-flux networks, said Jon Ramsey, chief technology officer at Atlanta-based security vendor SecureWorks Inc. and also a report contributor. Such networks allow compromised systems in a botnet to be controlled by multiple command and control servers instead of just one system as is the case today. These "headless" botnets are going to be a lot harder to shut down than today's typical hierarchical models, Ramsey predicted.
Botnet operators have also started using HTTP protocols for communications between the compromised machines and the command and control servers. As a result, it will become a lot harder to distinguish botnet activity from normal traffic going forward, Ramsey said.
Cybermilitias and Cyberwarfare
Russia's military invasion of Georgia earlier this year was preceded by a meticulously planned cyberattacks against media and government communication infrastructure targets in the Georgian city of Gore.
A post-mortem by Secure Works shows that the attacks were coordinated among known hacking groups and military operators. The attacks included DDoS and cache-poisoning attempts targeting DNS servers for major Georgian networks. The attacks were launched from Russia's state-operated Rostelecom and Moscow-based COMSTAR networks, using the same tools and infrastructures that are being use by organized cybergangs to steal data and send spam.
At its peak, the amount of traffic directed at the targeted servers during the DoS attacks touched an astounding 80GB per second, Ramsey said. "That is the shock and awe version of cyberwarfare," he said. The huge success of the attacks is sure to serve as a model for similar attacks by nation states using cybermilitias, he said.
Ad Choices
Comments