Monday, October 22, 2007

BotNet - one day in the life.

The membership of a bot network fluctuates: the number of bots waxes and wanes over time. I base this understanding on my regular observation of modern botnets and the observations of my peers (please see pg. 41 of ISTR Volume X). Older IRC protocol-based botnets had an Achilles' heel: if the single central server used to control the network was taken down, the network, left without a controller, fell apart.

The miscreants who build and control these bot networks responded by developing methods to bolster their resilience. Fast-flux DNS tactics were employed to provide redundancy, so that the networks became more difficult to take down. Trojan.Peacomm (also known as "Storm Worm") went further and employed the Overnet protocol, a robust, decentralized peer-to-peer network based on the Kademlia distributed hash table algorithm, so there is no single control server to seize.

However, none of these advancements in bot network technology make the network bulletproof. They do not protect the botnet from bot losses that occur because a bot-infected computer is taken offline or the infection is detected by antivirus software and cleaned. There is little question that Trojan.Peacomm is a sophisticated peer-to-peer bot network that is difficult to disable completely, but it is not immune to fluctuations in membership. Perhaps this is why some of the static numbers for the Peacomm network size are so difficult to digest. MessageLabs puts the count at 2 million bots, and is quoted as saying that at 2 million bots the network is operating at only 10% of capacity, implying a true size of 20 million bots; the same article goes on to report observations of 50 million Peacomm bots. A botnet of 20 million bots was also reported on zdnet.com. Are these metrics based on actively bot-infected computers, or on a cumulative total observed since Peacomm was first detected?

Personally, I believe in applying Occam's Razor when estimating the size of a given botnet. It is better to assume nothing about the current size of the network and instead gauge it based only on the number of active bots that can be observed during a period in which the network size is least likely to fluctuate. According to the recently published Symantec Internet Security Threat Report (pg. 47), "The average lifespan of a bot-infected computer during the first six months of 2007 was four days, up from three days in the second half of 2006." This means that even if every bot joined the network at exactly the same moment, a count taken at that moment would at very best remain accurate for only about four days. In reality the bot network fluctuates constantly, so metrics for longer periods should at least be graphed as a series of points over time to represent this fluctuation.

The "snapshot" approach, where activity is observed for a reasonably short period of time, should deliver a more accurate picture of the known and verifiable state of the botnet at that point in time, but only at that point. It will likely be a partial image, but it is based on accurate and verifiable activity. If many such snapshots are taken and graphed, they can give a more accurate impression of the bot network as it changes. For a dynamic network that can radically change in size from week to week, estimating its size from a cumulative count of the IPs observed over a long period is likely to overstate the number of bots active at any one time, because that count also includes machines that have since been disinfected or taken offline.

Other researchers are reporting lower metrics for the Peacomm network size than the 20 million node figure. For example, Secure Science Corp report an average of just over 53,000 active Peacomm bots as of 7:00 a.m. ET, October 1, 2007. Secure Science Corp used the "snapshot" approach to graph metrics for the Peacomm network over the period of a week, and the undulating metric is fascinating.

Microsoft's anti-malware team also reported lower metrics. In a recent blog post they note that Peacomm ranks only third in total malware cleaned by their tools. They also report that a component of Peacomm was detected on 274,372 computers as of September 18, 2007, at 2:00 p.m. PDT.

Symantec's DeepSight Threat Analyst Team decided to use this "snapshot" approach in order to gather a geographical picture of a 24-hour period of Peacomm spam activity. Based on spam messages captured over a 24-hour period by Symantec antispam sensors on August 18 and again on September 18, 2007, we observed 4,375 unique Peacomm IPs on August 18; 2,131 of these IPs were acting as Peacomm SMTP servers and 2,244 were acting as Peacomm HTTP servers (the servers that serve exploits and Peacomm binaries to innocent victims, as well as Peacomm propagation spam). Contrast that with 6,081 unique IPs on September 18, 2007, of which 3,408 were SMTP IPs and 2,673 were HTTP IPs. Only 1,610 IPs appear in both sample sets, roughly 37% of the August set. So, in just a month's time we observed substantial turnover in Peacomm IP metrics, reinforcing the understanding that the Peacomm network is consistently in a state of fluctuation.
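To make the difference between a day's snapshot and a cumulative unique-IP count concrete, here is an added Python example (not code from the original post or from Symantec). It parses constructed sensor records, builds per-day snapshots of unique IPs split by SMTP and HTTP role, measures the overlap between two snapshots the way the intersection above was measured, and contrasts a cumulative unique-IP count with the flat daily active count under a simple steady-state churn model. The record format, the addresses (RFC 5737 documentation ranges) and the churn model are assumptions made for illustration.

```python
"""Snapshot vs. cumulative counting of bot IPs (added illustration).

The sensor log format and all addresses below are constructed; the churn
model is a deliberately simple steady-state assumption, not measured data.
"""
from collections import defaultdict
from datetime import date

# Constructed sensor records: "<YYYY-MM-DD> <source IP> <role>".
# Duplicate lines stand in for an IP seen several times in one day.
SAMPLE_LOG = """\
2007-08-18 192.0.2.10 smtp
2007-08-18 192.0.2.10 smtp
2007-08-18 192.0.2.11 smtp
2007-08-18 192.0.2.12 http
2007-08-18 198.51.100.5 http
2007-08-18 198.51.100.6 smtp
2007-09-18 192.0.2.10 smtp
2007-09-18 192.0.2.12 http
2007-09-18 203.0.113.20 smtp
2007-09-18 203.0.113.21 http
2007-09-18 203.0.113.22 http
2007-09-18 203.0.113.22 http
2007-09-18 203.0.113.23 smtp
"""


def parse_observations(text):
    """Return (day, ip, role) tuples; malformed lines are skipped."""
    obs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        obs.append((date.fromisoformat(parts[0]), parts[1], parts[2].lower()))
    return obs


def daily_snapshots(obs):
    """Map each day to sets of unique IPs: all, smtp-role, http-role."""
    snaps = defaultdict(lambda: {"all": set(), "smtp": set(), "http": set()})
    for day, ip, role in obs:
        snaps[day]["all"].add(ip)
        if role in ("smtp", "http"):
            snaps[day][role].add(ip)
    return dict(snaps)


def snapshot_counts(snaps, day):
    """Counts for one day's snapshot, e.g. {'all': 5, 'smtp': 3, 'http': 2}."""
    return {role: len(ips) for role, ips in snaps[day].items()}


def overlap(snaps, day_a, day_b):
    """IPs present in both snapshots (the 'intersect' figure in the post)."""
    return snaps[day_a]["all"] & snaps[day_b]["all"]


def cumulative_unique(obs):
    """Every IP ever seen in the window, the figure that inflates over time."""
    return len({ip for _, ip, _ in obs})


def churn_model(active, lifespan_days, window_days):
    """Steady-state model: each day 1/lifespan of the active bots are cleaned
    and replaced by fresh infections. The active count stays flat while the
    cumulative unique count grows by the replacement rate every day."""
    replaced_per_day = active // lifespan_days
    cumulative = active + replaced_per_day * (window_days - 1)
    return active, cumulative


if __name__ == "__main__":
    obs = parse_observations(SAMPLE_LOG)
    snaps = daily_snapshots(obs)
    days = sorted(snaps)
    for day in days:
        print(day, snapshot_counts(snaps, day))
    print("overlap:", len(overlap(snaps, days[0], days[-1])))
    print("cumulative unique:", cumulative_unique(obs))
    # With a four-day average lifespan, a 30-day cumulative count of a
    # constant 1,000 active bots reports 8,250 unique IPs.
    print("churn model (active, cumulative):", churn_model(1000, 4, 30))
```

The churn model is the point of the exercise: with the four-day average lifespan quoted above, a constant population of 1,000 active bots yields 8,250 distinct IPs over a 30-day window, so a cumulative figure overstates the live network by more than eight times while every daily snapshot still reads 1,000. Real sensors also see dynamic-IP reassignment and NAT, which push the per-IP count in both directions, so treat IP counts as a proxy for bots, not a census.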

This Peacomm snapshot was mapped based on the geo-location of the involved IP addresses, and an interesting image developed: English-speaking countries appeared to be the most affected by the Peacomm activity. One conjecture is that this is because the majority of Peacomm spam is delivered in English, but this has not been verified and other factors are certainly involved. (Note: the markers on the map below represent groups of IP addresses that are geographically clustered.)

I am sure that the debate about the Peacomm network size will rage on for some time, but I feel that we have to maintain some degree of sensibility before hysteria-inducing claims, such as "Storm worm more powerful than top supercomputers", can be proclaimed. Given the nature of Peacomm, an exact size metric is difficult to derive, important though such a figure would be. Peacomm presents an interesting enigma with regard to the size of the network. On one hand, many researchers (including myself) agree that it is indeed a large network given the sophistication of Peacomm. On the other hand, the Peacomm network suffers daily bot losses as computers are disinfected or taken offline. My initial research suggests that the network is smaller than some think, leading me to believe that, at least currently, the Peacomm network size is closer to the more conservative estimates that are being published.
