Know Thy Enemy
p2pnet.net News:- Threats posed by botnets (zombie computer systems) are probably worse than originally believed, says a new report from the Honeynet Project, set up to use networks of computers to act as “honey pots” meant to attract hacker-hijackers and garner information about how they work.
“Even if we are very optimistic and estimate that we track a significant percentage of all botnets and all of our tracked botnet IRC servers are not modified to hide JOINs or obfuscate the joining clients' IPs, this would mean that more than one million hosts are compromised and can be controlled by malicious attackers,” it says in Know your Enemy: Tracking Botnets.
“We know there are more botnet clients since the attackers sometimes use modified IRC servers that do not give us any information about joining users.”
Know your Enemy is based on research by the German Honeynet Project, which works closely with the Laboratory for Dependable Distributed Systems at RWTH-Aachen University to learn what botnets are, how they work and who is behind them, and it presents several new tools for tracking them.
“Our research shows that some attackers are highly skilled and organized, potentially belonging to well organized crime structures,” says the paper.
Akamai, a ‘high value target’
“Leveraging the power of several thousand bots, it is viable to take down almost any website or network instantly. Even in unskilled hands, it should be obvious that botnets are a loaded and powerful weapon. Since botnets pose such a powerful threat, we need a variety of mechanisms to counter it.”
Decentralized providers such as Akamai can offer a certain amount of redundancy, “but very large botnets can also pose a severe threat even against this redundancy”. Because taking down Akamai would impact very large organizations and companies, it’s presumably a high value target for certain organizations or individuals, say the researchers, going on:
“We are currently not aware of any botnet usage to harm military or government institutions, but time will tell if this persists.”
The Honeynet Project hopes in the future to develop more advanced hijacker traps, such as client honeypots that actively participate in networks (e.g., by crawling the web, idling in IRC channels, or using P2P networks), or to modify honeypots so they capture malware and send it to anti-virus vendors for further analysis.
“Since our current approach focuses on bots that use IRC for C&C, we focused in the paper on IRC-based bots,” it says, adding:
“We have also observed other bots, but these are rare and currently under development. In a few months/years more and more bots will use non-IRC C&C, potentially decentralized p2p-communication.
“So more research in this area is needed, attackers don’t sleep. As these threats continue to adapt and change, so too must the security community.”
============
See:-
Honeynet Project - Know your Enemy, March 13, 2005





March 18th, 2005 at 1:03 pm
Blame Microsoft and all the stupid people who open unexpected attachments despite years of warnings.