June 07, 2007

Experts: Botnets add fault tolerance

Networks of zombie computers sport fault-tolerant architectures to withstand takedown attempts

Security experts contend that a growing number of operators of compromised computer networks (or "botnets") are finding new ways to grow their networks and make them immune to potential shutdowns, including sophisticated fault-tolerance planning to help ensure that their networks can't be easily wiped out.

As security companies and enterprise customers have gotten better at rooting out hijacked computers, the savviest and most advanced botnet herders have been busy growing and diversifying their operations. Today, those botnet operators are fighting back against takedown attempts using everything from multiple command-and-control centers to moving to peer-to-peer-style botnet attacks, said Doug Camplejohn, chief executive of gateway security appliance maker Mi5 Networks, based in Sunnyvale, Calif.

"We're definitely seeing a degree of fault tolerance built into the most sophisticated botnets. These operators have too much time and effort invested in their networks to let someone take it down all at once; they've tried to make it such that if you cut off one command center, they can simply take control from another," Camplejohn said.

Using a new botnet monitoring tool, Mi5 found that roughly 25 percent of the networks of infected machines it has unearthed use some form of distributed control system.

For example, in order to prevent security researchers and anti-virus applications from detecting their presence, botnet operators are moving rapidly between different banks of infected machines and leveraging programs that lie dormant for longer periods of time to evade behavior monitoring tools.

"We see a lot more of these botnet programs that sit unused for a long period of time to stay hidden until someone wants to use them," Camplejohn said. "They're using every port they can to try to hide any communications taking place with outside command centers, and the communications themselves are cloaked or encrypted to hide their contents from filters."

Cutting-edge botnet attackers are also moving rapidly to adopt a peer-to-peer model for spreading their code that eliminates large central command-and-control centers that are more easily found and more expensive to maintain, according to other botnet trackers.

While most of today's botnets still use a hierarchical design, an increasing number of the systems have smaller, more distributed controllers, said Guillaume Lovet, manager of the EMEA threat-response team at security appliance maker Fortinet, also based in Sunnyvale.

Because control is exercised through peer-to-peer communication rather than a single central point, the zombie networks are becoming steadily harder to pin down, Lovet said.

"Over the last six months, we've entered the second phase of the botnet era, especially with these P2P botnets, where you'd essentially have to shut down every single node in the network to stop it completely, and there might be tens of thousands of infected machines," Lovet said.

Operators rapidly create botnets to fulfill specific duties such as seeding spam campaigns, funneling adware impressions, or distributing malware, then move on to new sets of computers. That makes it harder to detect their presence at any time other than when they are actively using their hijacked PCs, Lovet contends.


©1994-2009 Infoworld, Inc.