Security Experts:

The Rise of the Small Botnet

Smaller botnets are cheaper and easier to build out and operate, and criminals have already realized that large-scale botnets attract unwanted attention

Cybercriminals Increasingly using Smaller Botnets

In September, law enforcement agencies in the US and Europe announced that they had cracked a major ZeuS botnet operation allegedly responsible for the theft of over $70 million. Operation Trident Breach saw US agencies including the FBI, as well as police in the UK, Netherlands and Ukraine, charge or arrest the alleged gang ringleaders, along with over 100 people said to be the "money mules" responsible for electronically receiving and passing on the stolen cash. The sophisticated criminal operation was said to have compromised computers in at least 390 small and medium-sized businesses in the US alone, along with individuals and other organizations, in order to attempt to steal at least $220 million from bank accounts.

Reports of such law enforcement crackdowns are increasingly common, but they represent merely the tip of the iceberg in addressing the real underlying problem. Botnets controlled by criminal enterprises all over the world continue to multiply at a steep rate, and it is now arguably the smaller, harder-to-trace operations that organizations should be the most worried about. Not only are smaller botnets cheaper and easier to build out and operate, but criminals have already realized that large-scale botnet activity attracts unwanted attention, and not just of law enforcement. Late last year, an ad hoc coalition of security researchers seized the command and control servers at the center of the Mariposa botnet, essentially killing the beast by cutting off its head. By February this year the alleged mastermind behind the network had been arrested and charged, tracked down after his repeated attempts to regain control of his bots. While in control of the Mariposa C&C servers, the researchers discovered that over 12 million unique IP addresses, all compromised PCs, were attempting to connect, a startling illustration of just how large botnets have become these days.

Botnet management is an increasingly commoditized, automated and sophisticated activity that can put worryingly powerful technological weapons into the hands of criminals with little technical knowledge, and at a price point that won't hurt their wallet. Botnets smaller than those of the scale of Mariposa hide under the radar of major law enforcement efforts, and are becoming numerous enough to cause real concern.

Cybercrime Using BotnetsThe development of the black market for botnet technology and services mirrors legitimate Internet industries. Today, would-be criminals can choose to buy the latest version of kits such as ZeuS, or even ready-made botnets, for as little as $2,500, which is not a large sum when you consider that the potential rewards could quickly add up to tens or even hundreds of thousands of dollars. Cracked versions of such tools are sometimes made available for free, which has caused some toolkit developers to add DRM protections to their software. Indeed, this industry has even taken advantage of the ease and scalability of cloud-based business models allowing customers to “rent” their fully hosted botnet solutions for as little as $60 a day. A one-hour DDoS attack can be rented for the price of a couple of cups of coffee, especially if you are a repeat customer who yields a recurring revenue stream for the botnet merchant. Botnet rental can even come with service-level agreements and customized control panels; the black market is almost as sophisticated as many legitimate online marketplaces.

Even if an enterprise is successful in preventing its endpoints being added to a botnet, it remains exposed to the external threat of other botnet-related attacks, such as DDoS, which are much harder to mitigate. While high-profile DDoS-related outages at highly trafficked sites such as Facebook and Twitter make headlines on a regular basis, thousands of similar attacks against targets small and large are recorded every week. As the number of botnets increase, so too does the amount of bandwidth available to the attackers controlling them. The largest single reported DDoS attack this year weighed in at a hefty 49 Gbps, more than enough to take all but the best-provisioned handful of sites in the world offline and to cause serious problems at core infrastructure bottlenecks.

So what can your business do to defend yourself from the threats that botnets pose to your daily business? First, smaller enterprises can find refuge in the Cloud. Relocating some critical functions to highly capable, redundantly provisioned cloud application providers can offer a "safety in numbers" defense against DDoS that would be prohibitively expensive if managed in-house. Larger organizations need to assess the capabilities of their data centers or hosting providers and ensure that critical infrastructure services such as DNS are not overlooked and do not become single points of failure.

Botnets are the Swiss army knife of attack tools. Once a computer has been compromised with bot software, malicious hackers can leverage its bandwidth to send spam, host illegal content or execute distributed denial of service attacks. As Operation Trident Breach showed, they can also be used more covertly, to secretly record keystrokes, stealing banking passwords in order to transfer large sums to the criminals. ZeuS, currently the post popular botnet creation and control tool, is specifically designed to steal passwords and other sensitive data. Remarkably, less than half of ZeuS-based bot variants are detected, on average, by commercial anti-virus software. The 2008-era Conficker botnet is like an active volcano, ready to erupt at any time. This means that any organization, regardless of size, has a responsibility to educate its employees on external risks and proper behavior to mitigate infection and improve the security of the enterprise network.

Criminals no longer need large botnets comprising hundreds of thousands of compromised machines in order to shut down enterprises, or even important pieces of the Internet. Smaller botnets are more than enough to take down significant core pieces of national or corporate infrastructure. The ability of defenders to thwart these attacks by over-provisioning their networks does not increase proportionally with the disruptive power of botnet-driven DDoS attacks, which will grow as more Internet users come online in developing nations and fast broadband connections become available more cheaply to home users that are less educated in proper security behavior. This growing Provisioning Gap should be one of the biggest security concerns for enterprises today, as it has the potential to make the small botnets of tomorrow every bit as scary as the large botnets of today.

Subscribe to SecurityWeek

Ram Mohan is the Executive Vice President and Chief Technology Officer at Afilias, a global provider of Internet infrastructure services including domain name registry and DNS solutions. Ram also serves as the Security & Stability Advisory Committee's liaison to ICANN’s Board of Directors and has helped direct and write numerous policies effecting domain name registration and DNS security.