Botnets shrinking in size, harder to trace

Security experts say botnets are increasingly becoming more difficult to trace as criminal hackers have developed clever means to hide them.

Botnets are networks of computers infected with code that allows hackers to control them. Once grouped together, a botnet is illegally used to send spam, propagate viruses, and carry out DDOS (distributed denial of service) attacks aimed at causing a Web site to crash. The highest profile attack of late is continuing against The Million Dollar Home Page, a creative advertising idea by a British college student that involved the sale of individual pixels.

According to the Times Online, the owner of the site, 21-year-old Alex Tew, has received threatening e-mails in broken English demanding ransom in exchange for a halt to the DDOS assault.

Extortion schemes have emerged backed by the muscle of botnets, and hackers are also renting the use of armadas of computers for illegal purposes through advertisements on the Web, said Kevin Hogan, senior manager for Symantec Security Response, part of Symantec.

Almost all botnets use IRC (Internet Relay Chat) servers because of the common commands used by IRC software, Hogan said. The first legitimate bot, called Eggdrop, was written in 1993 by Robey Pointer and had a feature that allowed more control over IRC networks, according to a Symantec paper written by John Canavan.

In 1999, a worm called PrettyPark emerged that made use of IRC to control other computers, Canavan wrote. Three or four years ago, it was easier to connect to botnets and estimate the size of one by noting the number of IP (Internet Protocol) addresses on the network, he said.

As legislation emerged cracking down on spammers, it appeared those who ran botnets started pursuing more clandestine ways to continue their operations. Rather than deter "hard-core spammers, it just drove them further underground," said Mark Sunner, chief technical officer for MessageLabs.

Increasingly botnet administrators have customized IRC commands, and many well-known commands that allowed for the remote querying of machines have been disabled, Hogan said. "We simply cannot see the extent of the botnet in most cases," he said.

Botnets have an ebb and flow similar to biological behavior, Sunner said. Viruses on an infected on a computer may download new variants in an attempt to evade antivirus sweeps.

Even more extreme is dueling malware. Over a year ago, two viruses -- Netsky and Bagle -- battled it out, uninstalling and replacing each other on users' computers, Sunner said.

Typically, the malware can be removed by antivirus programs, but security vendors need a sample of a virus in order to issue updates to their programs to remove it from a computer. Many kinds of malware try to disable antivirus software.

Law enforcement authorities have become more adept at putting together task forces to track down botnet administrators running malicious networks that cross international borders, Sunner said. As a result, botnet administrators have countered by not commandeering as many computers, sticking to smaller groups of around 20,000 machines that are less likely to be detected as quickly, Sunner said.

In October 2005, Dutch police arrested three people believed to have controlled up to 100,000 computers for malicious purposes, according to MessageLabs Intelligence 2005 Annual Security Report.

"I think the bad guys have been making hay while the sun is shining but things are definitely starting to turn," Sunner said.