P2P worms get their turn

Security experts warn of dangerous new threats arising from new botnet techniques and the consolidation of fraudulent organizations

Massive networks of infected computers controlled by attackers worldwide will serve as a powerful engine for the new breed of so-called P2P worm that is currently echoing across cyberspace.

Security experts have predicted over the last several years that botnets of hijacked PCs would pose one of the staunchest challenges faced by the IT community as criminals discovered new ways to use them to deliver attacks.

The rapid takeoff of the so-called Storm worm -- which many researchers have said is more accurately identified as a Trojan threat based on the fact that it uses botnet commands to spread itself instead of doing so independently -- likely represents the beginning of a new wave of activity supported by the captive infrastructure, according to researchers.

The attacks have more recently gained the additional P2P identification for their ability to contact external control servers using private peer-to-peer networks.

The confluence of more sophisticated botnet technologies and a wider audience of customers seeking to capitalize on the compromised computers has created a burgeoning economy that will make the threats harder to stamp out quickly, said Jose Nazario, senior software engineer at network security specialist Arbor Networks.

As malware writers, adware distributors, and fraudsters pool access to botnets and look for new ways to cash in on the systems, large-scale attacks like Storm, which mimics more traditional worm activity with its rapid-rate of propagation via spam, will rise to the top, according to the expert.

"The ease-of-use of the botnet technologies is increasing rapidly because the people building the botnets are reaching out for more customers, and they have to make their systems simpler to use," Nazario said. "They've also figured out ways to sell their botnets for a lot of different purposes, and as we're seeing a flood of botnets on the market, there also appears to be consolidation with several dominant organizations taking over."

Nazario attended an invitation-only conference in Boston last week dubbed HotBots where he said that researchers concluded that larger botnet operators are getting more aggressive as criminal groups with advanced money laundering capabilities are getting involved and fueling the illegal economy.

With spammers and adware vendors getting into the mix for their own purposes, outbreaks like Storm, which has flooded the Web with a massive amount of traffic since April 12 after periodic outbreaks since late 2006, will likely become more frequent.

"Everyone wants to make their money, and you have a lot of new people coming in, and some of these people are better skilled at the fraud end of the business," Nazario said. "Combined with a lot more people using botnets to drive fraudulent advertising revenue and a lot of next-generation spammers tapping into these botnets, there's a lot of greed, and you see the results."

One problem facing researchers in tracking botnet operators is their ability to infiltrate the community without subjecting themselves to potential arrest, a topic that was also hotly discussed at the HotBots event, according to Nazario.

Another challenge remains the international nature of the botnet industry as many of the parties involved hail from Eastern Europe and China.

When Storm first began setting off alarms in Dec. 2006 with a flood of related spam activity, it was a relatively simple Trojan program. However, latest variant of the attack has evolved into something far more sinister, distributing copies of itself inside a password protected ZIP file to circumvent anti-virus systems and install a root kit on infected systems.

The increasing professionalism being displayed by those creating the attacks is another hallmark of the growing maturity of the botnet economy, researchers said. Another sign are the growing number of botnets being used only once by each group of attackers, before being abandoned.

Some of the activity is the result of smarter attackers, while some credit for the trend should be accounted to improved defenses, said Dave Marcus, security research and communications manager with McAfee's Avert Labs.

"We're seeing a lot more bots that are single-purpose, which will make them harder to catch but changes the overall impact," Marcus said. "Previously you'd see most of them being used for denial-of-service, spam, adware, and spyware, but more and more appear to be built for a single purpose; clearly the attackers are focusing on whatever it is that is making them the most money, and the smarter ones are trying to stay on step ahead of pursuit."

Much as traditional self-replicating worms were the format of choice for attackers between 2001 and 2004, researchers contend that the IT security community should be ready for the new botnet-driven variety to become a popular platform for mass attacks until they are stymied.

Smaller, targeted threats carried out against select groups of people may reap the greatest financial spoils for malware writers and cyber-criminals, but the emerging virus format that has pounded the Internet over the last week may prove a more readily-noticeable nuisance, experts maintain.

"We've long seen the e-mail-based worms, but really the Web-based side of it has been underutilized, so it shouldn't be a surprise," said Dmitri Alperovitch, principal research scientist at software maker Secure Computing, San Jose. "Storm is just one of the first major attacks to capitalize on this opportunity, but there's every reason to believe that with the size of the botnet problem we'll probably see quite a few more."