A brief history of the 'Botwar'

Symantec's Adrian Covich discusses trends and developments in the fight against botnets.

Back in 2003, security firms saw thousands of PCs infected with the Sobig mass-mailing virus. Later that year, Fizzer malware logged thousands of computers into internet chat rooms.

This was initially perceived only as a problem for IRC (Internet Relay Chat) administrators. In fact, the infected PCs had been joined to chat rooms by their human bot-masters and were waiting there for command and control (C&C) instructions. When MessageLabs Intelligence correlated the malware and spam traffic from each spam-sending IP address, the bigger picture was revealed.

Security firms monitored botnets in order to combat their escalating output of spam, but did not know how to tackle their C&C infrastructure. In 2008, the security community realised that the best way to disrupt botnets was to take down the ISPs that hosted them.

The first to go at the end of September 2008 was Intercage (aka Atrivo), linked to the infamous Russian Business Network. The most widely publicised shutdown was McColo, a California-based ISP which was found to deal almost exclusively with cyber gangs. McColo was host to a botnet called Srizbi controlling 1.3 million IP addresses, as well as the Mega-D, Rustock, Asprox, Bobax and Gheg botnets.

In November 2008, community action resulted in McColo's peering ISPs disconnecting it from the internet. Taking down McColo was a shock to botnet gangs. Spam levels dropped instantly by up to 80 per cent.

Srizbi was crippled, never to return, and other botnets were badly disrupted. Two months later spam recovered to previous levels, as the surviving botnets relocated their C&C channels and criminals spawned new botnets. Botnet operators were forced to re-evaluate how they functioned and put more protection in place to prevent a repeat of the huge disruption caused by taking down a single ISP.

When Srizbi disappeared, activity from the surviving botnets increased dramatically, seeking to fill the gap left behind. When the next major take-down of a dubious ISP occurred, it was clear cyber criminals had already learned from the strike against McColo.

This time the security community's target was an ISP called 3FN (aka APS Telecom and Pricewert). 3FN hosted C&C channels for Cutwail (aka Pandex). Cutwail, one of the oldest botnets, had been spewing out malware since January 2007 and by June 2009 swelled to over 1.5 million active IP addresses in an aggressive recruitment drive.

3FN was taken down on 5 June, 2009, and Cutwail went with it. But within a few days, Cutwail was back online with a vengeance.

Botnet gangs refined their creations following the McColo takedown. Now armed with more flexible and robust technology, botnet gangs could review the botnet status and return to business in a few days. Botnets now had a business continuity or disaster recovery plan of their own.

Botnet C&C mechanisms shifted from IRC to HTTP. Algorithms were now built into the bots so that they would look for random-looking domain names, generated afresh each day, which the botnet gang purchases daily and from which the bots receive their commands. This ensures that botnets are not reliant on a single ISP.

Mega-D (aka Ozdok) was one botnet that grew significantly in the wake of the McColo take-down. In November 2009, FireEye broke the algorithms behind the C&C mechanism used to issue the botnet with new instructions. This made it possible to predict which domain names the botnet was going to use next and to register them before the botnet controllers could, so the botnet's next move was known in advance.
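The passage above describes the two sides of a domain-generation scheme: bots compute a daily list of rendezvous domains, and an analyst who has recovered the algorithm can run it forward in time and claim those domains first. The following is an added illustration and not code from the article, from Symantec or from FireEye's Mega-D analysis; the hash-based generator, the `CAMPAIGN_SEED` constant, the three-domains-per-day schedule and the sample dates are all constructed for the example. It generalises the Mega-D case to any date-seeded generator: once `dga_domains` is known, `predict_domains` yields the list a defender would pre-register or sinkhole, and `sinkhole_coverage` checks that the bot's own lookup order lands on a defender-held name every day of the window.

```python
import hashlib
from datetime import date, timedelta
from typing import List, Optional, Set

# Constructed toy generator for illustration. It is NOT the Mega-D/Ozdok
# algorithm (the article does not give it); any deterministic function of
# the date that both bot and analyst can compute plays the same role.
CAMPAIGN_SEED = b"example-campaign-seed"   # assumption: a per-campaign constant baked into the bot
DOMAINS_PER_DAY = 3                        # assumption: bots try three names per day
TLDS = ("com", "net", "info")


def dga_domains(day_iso: str, seed: bytes = CAMPAIGN_SEED) -> List[str]:
    """Bot-side: the rendezvous domains a bot would try on the given ISO date."""
    day = date.fromisoformat(day_iso)
    names = []
    for idx in range(DOMAINS_PER_DAY):
        material = seed + day.isoformat().encode() + bytes([idx])
        digest = hashlib.sha256(material).digest()
        # Map digest bytes onto letters so the label looks like random text
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        names.append(f"{label}.{TLDS[idx % len(TLDS)]}")
    return names


def bot_rendezvous(day_iso: str, resolvable: Set[str]) -> Optional[str]:
    """Bot-side behaviour: walk today's candidates and use the first one that resolves."""
    for name in dga_domains(day_iso):
        if name in resolvable:
            return name
    return None


def predict_domains(start_iso: str, days_ahead: int) -> Set[str]:
    """Defender-side: run the recovered algorithm forward to get the names to pre-register."""
    start = date.fromisoformat(start_iso)
    predicted: Set[str] = set()
    for n in range(days_ahead):
        predicted.update(dga_domains((start + timedelta(days=n)).isoformat()))
    return predicted


def sinkhole_coverage(start_iso: str, days_ahead: int) -> bool:
    """True if pre-registering every predicted name captures the bot on each day of the window."""
    sinkholed = predict_domains(start_iso, days_ahead)
    start = date.fromisoformat(start_iso)
    for n in range(days_ahead):
        chosen = bot_rendezvous((start + timedelta(days=n)).isoformat(), sinkholed)
        if chosen is None or chosen not in sinkholed:
            return False
    return True


if __name__ == "__main__":
    # Sample window: constructed dates, not tied to the real Mega-D takedown schedule
    for name in sorted(predict_domains("2009-11-01", 7)):
        print("pre-register:", name)
    print("bot captured every day:", sinkhole_coverage("2009-11-01", 7))
```

The defender's advantage is purely one of time: the bot cannot switch to a different generator without an update, so whoever registers the predicted names first decides where the bots report. The article's next paragraph shows the limit of this approach, since a controller with a dormant backup botnet or a second C&C channel is not bound to the generator the analyst recovered.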

Mega-D appeared to be crippled. However, a few days later MessageLabs Intelligence identified large volumes of Mega-D spam being distributed from IP addresses that had not been used to send spam previously. This suggested that the botnet controllers had enacted their business continuity plans, seemingly with inactive sleeper bots or a whole parallel backup botnet.

Disaster recovery isn't the only business methodology botnet controllers utilise. They also use a technique called 'fast-flux' hosting, which dynamically distributes resources across a number of continually changing IP addresses using a 'round-robin' style DNS. In the hands of a botnet controller, fast-flux can hide the true location of websites used to host malware, spam and phishing content by hiding them behind the IP addresses of compromised, botnet-controlled computers, each acting as a web server or proxy.
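The fast-flux description above gives a defender three observable signals: a large and continually changing set of IP addresses behind one hostname, round-robin style answers, and addresses scattered across unrelated networks of compromised home and business machines. The snippet below is an added example, not code from the article or from Symantec; it scores a hostname from a series of constructed DNS lookups using exactly those signals. The thresholds (`max_ttl`, `min_ips`, `min_prefixes`, `min_churn`) are assumptions chosen for the sample, and the /16 prefix is used as a crude stand-in for network ownership because the example runs offline; a production detector would map each address to its ASN instead.

```python
from ipaddress import IPv4Address
from typing import Dict, List, Set, Tuple

Lookup = Tuple[str, int, List[str]]   # (hostname, TTL in seconds, A records returned)

# Constructed sample lookups (documentation/benchmark address ranges, not real hosts).
# "shop.example" behaves like an ordinary load-balanced site: the same three
# addresses rotate in round-robin order. "flux.example" returns a fresh set of
# addresses from five unrelated /16s on every query, with a short TTL.
SAMPLE_LOOKUPS: List[Lookup] = [
    ("shop.example", 300, ["203.0.113.10", "203.0.113.11", "203.0.113.12"]),
    ("shop.example", 300, ["203.0.113.11", "203.0.113.12", "203.0.113.10"]),
    ("shop.example", 300, ["203.0.113.12", "203.0.113.10", "203.0.113.11"]),
    ("flux.example", 120, ["198.51.100.7", "192.0.2.44", "203.0.113.200", "198.18.5.9", "100.64.3.3"]),
    ("flux.example", 120, ["192.0.2.91", "198.51.100.70", "203.0.113.17", "100.64.9.1", "198.18.77.2"]),
    ("flux.example", 120, ["198.51.100.140", "192.0.2.3", "203.0.113.99", "100.64.200.5", "198.18.1.1"]),
]


def summarise(lookups: List[Lookup]) -> Dict[str, dict]:
    """Aggregate per-hostname statistics across all observed lookups."""
    stats: Dict[str, dict] = {}
    for host, ttl, answers in lookups:
        s = stats.setdefault(host, {"ips": set(), "prefixes": set(), "ttls": [], "answers": 0})
        s["ttls"].append(ttl)
        for addr in answers:
            ip = IPv4Address(addr)            # raises on malformed input
            s["answers"] += 1
            s["ips"].add(str(ip))
            # /16 prefix as an offline proxy for "different network"; use ASN in practice
            s["prefixes"].add(".".join(addr.split(".")[:2]))
    return stats


def churn(s: dict) -> float:
    """Fraction of returned answers that were addresses not seen before for this host."""
    return len(s["ips"]) / s["answers"] if s["answers"] else 0.0


def is_fast_flux(s: dict, max_ttl: int = 300, min_ips: int = 8,
                 min_prefixes: int = 3, min_churn: float = 0.5) -> bool:
    """Flag a host only when all signals agree, so a low-TTL CDN with a stable pool is not flagged."""
    return (max(s["ttls"]) <= max_ttl
            and len(s["ips"]) >= min_ips
            and len(s["prefixes"]) >= min_prefixes
            and churn(s) >= min_churn)


def classify(lookups: List[Lookup]) -> Dict[str, bool]:
    """Map each hostname in the lookups to a fast-flux verdict."""
    return {host: is_fast_flux(s) for host, s in summarise(lookups).items()}


if __name__ == "__main__":
    for host, s in summarise(SAMPLE_LOOKUPS).items():
        print(f"{host}: {len(s['ips'])} IPs, {len(s['prefixes'])} prefixes, "
              f"ttl<={max(s['ttls'])}, churn={churn(s):.2f}, fast-flux={is_fast_flux(s)}")
```

The important caveat is that a short TTL on its own proves nothing: content delivery networks also use low TTLs and round-robin answers. What separates the flux host in the sample is the combination of address churn and network diversity, which is why the verdict requires every signal rather than any one of them.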

Another technique used to hide botnets from security firms is to expose only a small proportion of their zombies at any one time, cycling their use over a period of several days and limiting the amount of spam sent from each to minimise the risk of them appearing in blacklists of known spam-sending IP addresses.

Until recently, botnet controllers had to recruit one PC at a time. But with the advent of 'generic droppers' like Bredolab, larger botnets can be assembled for a spam campaign or something more sinister.

Cyber criminals can purchase the control of thousands of already-compromised PCs, recruited en masse for their botnet. This moves botnet recruitment from a random, scattergun approach to a more commoditised recruitment campaign. The only limitation to the size of the botnet is how much the criminals are prepared to spend.

MessageLabs Intelligence estimates there are about five million bots or zombie PCs around the globe actively producing exorbitant amounts of spam. It takes only hundreds, not thousands, of zombie PCs to launch a successful DDoS attack against a typical web server, and cyber criminals often prefer to spread the workload across several thousand computers to better avoid detection.

The zombie PCs that make up botnets are recruited largely from inadequately-protected domestic PCs, but there are also a plethora of compromised business networks. Conventional firewalls that don't inspect HTTP streams - the preferred C&C mechanism for many contemporary botnets - are usually inadequate, as is conventional antivirus software on its own.

Businesses should minimise the risk of becoming part of a botnet by ensuring that they are protected, by filtering internet traffic for spam and other malicious or harmful content before it reaches their corporate network.

All eyes are now on the cloud, whether private or public, to fight the 'Botwar'. Traditional desktop appliances are no longer flexible or strong enough to keep defences running around the clock.

With all the will in the world it will be almost impossible to eradicate the problem using technology alone. The most effective way to stop botnets is by turning the internet against them, using the fabric of the cloud as a catalyst to kill the botnets.

Adrian Covich is a principal systems engineer at Symantec Hosted Services.
