This week, Arbor Networks reported that, at least for respondents to its third annual Worldwide Infrastructure Security Report, botnets have surpassed distributed denial of service (DDoS) attacks as the chief security concern. Of course, botnets and DDoS are deeply related -- one is used to launch the other -- but the identification of botnets as the key threat suggests that the botnet itself, rather than any single attack launched from it, has become the worry: it is now seen as far more than a DDoS enabler.
The fight against botnets is never ending and, almost certainly, frustrating. An emerging trend, according to this interesting Dark Reading piece, is anti-botnet managed security services such as AT&T's Internet Protect and Verizon Business's DoS Defense. The report notes that these services do not offer to clean infected machines: the cleanup is resource intensive and, so far, nobody has found a business model that pays for it. In other words, the services shield the paying customer from the botnet's traffic without shrinking the botnet.
We hope the good guys have other powerful anti-botnet recipes brewing. The power of the latest version of Storm, which has been percolating for the last few months, is scary. For anyone not convinced, consider this quote in InformationWeek from Matt Sergeant, an antispam specialist at MessageLabs:
If you add up all 500 of the top supercomputers, it blows them all away with just 2 million of its machines. It's very frightening that criminals have access to that much computing power, but there's not much we can do about it.
Bottom line: Those who aren't worried should rethink their position. Another expert in the story estimates that the botnet has between 1 million and 2 million compromised machines and concurs that it can "easily overpower" a supercomputer. Sergeant says that a strength of 50 million machines -- a truly chilling number -- is possible. The botnet clearly is already causing problems, but it may simply be marking time before a far more extravagant display.
We generally don't throw around adjectives like "frightening" and "scary" so freely, but in this case they are appropriate. There are three reasons for alarm. The first, of course, is simply the raw power of Storm. The second is that there is no way to gauge accurately how big the threat is; it looms out there, ill-defined, like an epidemic or a terrorist group. The third is that reports suggest the bot herders have configured their network like a grid or fabric and dole out small portions of its capacity on an as-needed basis, which means that what defenders observe in any one attack is only a fraction of what the herders hold in reserve. Criminal sophistication of this kind is already evident in crimeware (crooks now get automatic updates), so there is no reason to think bot herders aren't operating at the same level.
One sign of that sophistication is evident in this Campus Technology story, which says that the Storm worm is beginning to attack computers that scan for network vulnerabilities or malware. In other words, Storm is beginning to defend itself against the researchers who probe it, and the practical implication for anyone running such scans is that the scanning host itself becomes a target. If this were a sci-fi movie, the next step would be artificial intelligence. The story describes a warning issued last month to its 200 members by REN-ISAC, a consortium of higher-education security researchers based at Indiana University.