Hi, NANOGers.
We've seen these PHP-built botnets for about two years now. They have
recently become more popular. This is due to the fact that a very few
of these bots can send out far more packet love than a large collection
of broadband (generally Windows) bots. Return on investment and all
that.
And that due to traditions and fascination with killing C&C's rathr than
facing the problem itself the Bad Guys keep having to learn and evolve.
And indeed, wonder of wonders, we see for years now the /technological/
AND /opertional/ capabilities of the offenders, both kiddies and organized
crime (being the main two players, evolving in their capabilities... from
the malware development to employing real operatives in meat-space).
ROI is indeed the deal here, as you said. I always am happy about your
presence and understanding of these issues.. even if I often find the
language problem to be a special difficulty for communication between us.
There are not millions of dollars involved, but rather billions. Phishing
alone shows us aprox half a billion dollars lost through only the first
half of 2005.
PHP botnets have been around for a long time, as were web-knockers before
them. Like IRC they are still around, and like IRC they are used both for
contol and propagation.
As long as we remain short-sighted, NSP-SEC style, we will continue to
fight fires rather than preventing them and fighting the actual problems.
There is NO BETTER OR GREATER force for the betterment of the Internet
than NSP-SEC, but it is my belief that currently it does more harm than
good, in the long run.
I take it back, it is not my belief - I know so.
It is difficult to hear something important that one invested much in is
doing harm, but that is the only conclusion I and others can come up with
after years of study, and NSP-SEC, as amazing as it has been, has been of
a negative impact other than to cause a community to form and act
together. Which is amazing by itself and which is why I believe it
can do so much more.. even if it is relatively young it has proven
itself time and time again... I am straying from the subject here.
Most bots don't attack "forever." The typical bot commands give an
attack duration in either packets or time. I suspect that'll be the
case with this botnet, so the attack may not last for months. In other
words, it would be wise to check those flows sooner rather than later.
Word for word. I am happy there are at least a few people out there who
really understand, like yourself.
Folks shouldn't focus solely on PHP, though that is the rage du jour.
Even the venerable PhatBot family, generally used to compromise hosts
running Windows, had a Linux spreader in it. Increasingly Unix
systems and Cisco routers are the primary targets.
Bots in this meaning originated on *nix machines and there are quite a
few groups out there that emloy them still quite regularly.
Networking folks here should not forget this is not just a networking
problems and that there are many people working on this in the anti spam,
anti virus, anti whatever industries as well as in academic life and
Government.
Keep in mind that botnets are but one facet of the threat. There
are > a plethora of just-in-time DoSnets built off of the same
vulnerabilities. In this case there is no central command and control
making mitigation even more challenging. It's fairly easy to run a
command on a vulnerable host through the same exploit that will permit
one to install a bot. Just-in-time DoSnets are readily built and used
in amplification attacks as well.
DoS is fine, but as critical as it is, it is indeed the short-sighted
concern.
Milions of bots... following financial transactions on every one and
corelating information, impacting world economy and... I don't need to go
on, you know of some of these things far better than me.
Bots have never been solely a Windows problem.
And they have never been the real problem. They are but a sympthom of the
real problem.
Online cooperation, liability and vulnerability are... and the Bad Guys
being "funded" by millions and billions in R&D from ROI doesn't help much.
It's time to move to the next stage.
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
Gadi.
