On Sat, 24 Dec 2005, Rob Thomas wrote:
Hi, NANOGers.
We've seen these PHP-built botnets for about two years now. They have recently become more popular. This is due to the fact that a very few of these bots can send out far more packet love than a large collection of broadband (generally Windows) bots. Return on investment and all that.
And that due to traditions and fascination with killing C&C's rathr than facing the problem itself the Bad Guys keep having to learn and evolve. And indeed, wonder of wonders, we see for years now the /technological/ AND /opertional/ capabilities of the offenders, both kiddies and organized crime (being the main two players, evolving in their capabilities... from the malware development to employing real operatives in meat-space). ROI is indeed the deal here, as you said. I always am happy about your presence and understanding of these issues.. even if I often find the language problem to be a special difficulty for communication between us. There are not millions of dollars involved, but rather billions. Phishing alone shows us aprox half a billion dollars lost through only the first half of 2005. PHP botnets have been around for a long time, as were web-knockers before them. Like IRC they are still around, and like IRC they are used both for contol and propagation. As long as we remain short-sighted, NSP-SEC style, we will continue to fight fires rather than preventing them and fighting the actual problems. There is NO BETTER OR GREATER force for the betterment of the Internet than NSP-SEC, but it is my belief that currently it does more harm than good, in the long run. I take it back, it is not my belief - I know so. It is difficult to hear something important that one invested much in is doing harm, but that is the only conclusion I and others can come up with after years of study, and NSP-SEC, as amazing as it has been, has been of a negative impact other than to cause a community to form and act together. Which is amazing by itself and which is why I believe it can do so much more.. even if it is relatively young it has proven itself time and time again... I am straying from the subject here.
Most bots don't attack "forever." The typical bot commands give an attack duration in either packets or time. I suspect that'll be the case with this botnet, so the attack may not last for months. In other words, it would be wise to check those flows sooner rather than later.
Word for word. I am happy there are at least a few people out there who really understand, like yourself.
Folks shouldn't focus solely on PHP, though that is the rage du jour. Even the venerable PhatBot family, generally used to compromise hosts running Windows, had a Linux spreader in it. Increasingly Unix systems and Cisco routers are the primary targets.
Bots in this meaning originated on *nix machines and there are quite a few groups out there that emloy them still quite regularly. Networking folks here should not forget this is not just a networking problems and that there are many people working on this in the anti spam, anti virus, anti whatever industries as well as in academic life and Government.
Keep in mind that botnets are but one facet of the threat. There are > a plethora of just-in-time DoSnets built off of the same vulnerabilities. In this case there is no central command and control making mitigation even more challenging. It's fairly easy to run a command on a vulnerable host through the same exploit that will permit one to install a bot. Just-in-time DoSnets are readily built and used in amplification attacks as well.
DoS is fine, but as critical as it is, it is indeed the short-sighted concern. Milions of bots... following financial transactions on every one and corelating information, impacting world economy and... I don't need to go on, you know of some of these things far better than me.
Bots have never been solely a Windows problem.
And they have never been the real problem. They are but a sympthom of the real problem. Online cooperation, liability and vulnerability are... and the Bad Guys being "funded" by millions and billions in R&D from ROI doesn't help much. It's time to move to the next stage.
Thanks, Rob. -- Rob Thomas Team Cymru http://www.cymru.com/ ASSERT(coffee != empty);
Gadi.