Carl Weinschenk spoke with Ashar Aziz, CEO of FireEye.com.
Weinschenk: The growth of bots such as Storm, Celebrity and Nugache is not isolated or without antecedents. What's the back story?
Aziz: This whole area has been undergoing a steady phase of evolution over the last few years. Internet-scale worms have disappeared off the Net. The old ones still are out there. Slammer is out there and is still active. But new ones are not being produced at the same rate because malware has adapted much of the technology of worms and added new dimensions to create Storm and Nugache and a deluge of malware. These innovations in malware are a result of the underground economy.
Weinschenk: So what precisely is happening?
Aziz: In the past, random scanning worms had no business model. Now they can monetize infected machines. The key here is the remote control infrastructure. People have taken worm technology and added IRC command and control technology. Now they are able to go into pockets and take them under remote control. That was the first step, to go beyond worms with remote control. To us, that's what distinguishes bots from the previous era of random scanning worms. A lot of corporations don't allow IRC, so these guys became much more creative and came out with two innovations.
Weinschenk: What is the first?
Aziz: One is to go out and come in through the Web. They send infections through the Web and send control out through an HTTP connection. They can take advantage of browsers' vulnerabilities to download the initial attack and go out through an HTTP connection to another site to get command and control instructions. That's one big vector IT has to be concerned about. There is a false sense of security because they have a firewall and software to avoid obviously malevolent sites. The bad guys have commandeered legitimate Web sites. Here's the interesting thing: This class of malware doesn't scan at all for victims, it waits for victims to come to it. That is one of the key things.
Weinschenk: What is the other innovation?
Aziz: Storm does not use IRC-based channels for command and control. Storm has a peer-to-peer network. It makes it more dangerous because it doesn't make it obvious where the head is that you have to cut off. That means Storm is very active right now even though everyone has written about it.
Weinschenk: Are there big technical differences between Celebrity, Storm and Nugache?
Aziz: They're using similar concepts. They are competing. One of the models is to lease out capacity. They all do this. Nugache is competing with Storm on price. That is an element of competition in the underground economy. They try to inoculate systems so that others can't take it over subsequently. This will continue to evolve over the next few years because they have figured out that it is a very profitable business. This is what is driving them and what led to the elimination of scanning worms. They had no business model.