Messaging News - October 2008 - (Page 24) BOTNETS

the resiliency of their infrastructure and the computer network bandwidth available to them, because that is money to them. Their goal is to be resilient and widespread.” Lin adds, “You can almost treat it like a virtual campaign—they are trying to increase their prospects—maybe they will turn them on and maybe they won’t. They do subsets of very valuable PCs that they keep closer to the vest, which they use for data mining.” Lin notes that the expendable consumer-type PCs are more often used as spam engines or for DDoS attacks, “things that might reveal the existence of your botnet. You have sophistication built into the design.”

Solving the Botnet Problem

Because of the complexity of the underground economy, is the problem as complex to fix? “This is a problem capable of being solved,” says O’Reirdan. “This is very much a public-private joint initiative. You have got to look at it from a number of contexts.”

O’Reirdan likens the botnet to the racketeering of the 1930s, which started out small and grew exponentially as organized crime took an interest. “Very similar here,” he says. “There has been a lot of organized crime involved based out of Europe and a number of other places with good broadband connectivity and weaker legal systems. That is where a lot of the coding is done. The bots themselves are deployed where there is strong broadband connectivity, like in the U.S., U.K. and other parts of Europe.”

This economy makes this a multi-faceted problem. “This is a legal issue. All sorts of issues on territorial jurisdiction; you must have cooperation between a number of law enforcement.” All in all, O’Reirdan believes they are doing a good job of cooperating on an international basis. O’Reirdan also says that it is an educational issue, with the industry needing to help educate about good online hygiene.

At FireEye, researchers recently made an interesting observation.
“As you know the botnet can be commanded and controlled to do various activities, such as to send spam, or install a keylogger. We read about these infrastructures—like Storm or Rustock—but what is less well known is the linkages that are emerging in these dynamic malware infrastructures. Due to a lot of good work being done by our malware research team, we have found linkages in terms of common malware families being deployed across these different botnet platforms. Sometimes in the press it sounds like they are rivals and they are fighting for control or turf, but we find that in the back they are the same puppeteer commandeering these different infrastructures.” While it is unclear to what extent they are related, it is fairly certain there is a relationship between them.

Defending Against the Armies

Nearly all agree that combating the armies will take a community effort. Boyd cites cooperative communications among security vendors, law enforcement and advertising networks as a crucial piece of solving the botnet problem. “It requires a community effort and a technology effort,” believes Bjorklund. “Botnets are used to pump out volumes of spam, DDoS attacks, and other types of distributed initiatives. Spamhaus helps with the mitigation of the spam resulting from these botnet armies.”

Two of the three lists maintained by Spamhaus address botnets: the PBL (Policy Block List), which contains IP addresses that should not deliver unauthenticated SMTP email, and the XBL (Exploits Block List), which contains IP addresses of virus-compromised computers that are sending spam. “People look to Spamhaus as a trusted third party to help track the known sources of spam and botnets. Spamhaus currently protects over 1.4 billion user mailboxes and responds to over 100,000 individual queries every second.” Bjorklund recommends the target be the command and control centers. “Think of it as an octopus,” he says.
“If you can cut off the head, you make the tentacles worthless or die. There are six to eight million compromised zombies that generate about 85 percent of all the spam on the Internet today,” concludes Bjorklund. “Using the PBL and the XBL can immediately reject up to 90 percent of that volume. Reducing the overall amount greatly.”

FireEye is offering a new technology approach. “Everyone talks about malware coming in, but the distinguishing feature of a botnet is the call back channel into the command and control infrastructure,” explains Aziz. “Our technology is designed to not just look at it coming in—like an anti-virus device might—but also going back out because that is, in the end, what you have to do to catch this blended threat. It may have come in from multiple mechanisms, but knowing what the command and control infrastructure coordinates are and the call back channel certainly is a very important aspect of detecting this class of activity.”

The blended threat that makes up today’s botnet army is redefining how we look at system infections. “We need to get away from the word ‘virus’ and really re-focus on malware,” contends O’Reirdan. “Earlier viruses were meant to destroy a machine. Today, it is meant to be quiet and unnoticeable. It is meant to not bother the user. Botnets aren’t just a technology problem; it also involves legal, educational and cultural issues. People tend to view the Internet as a safe environment, but they need to be made aware of some of these concerns. Technologists can’t solve this problem on their own. Everyone has a role to play.” SJ/TMP

FOR YOUR REFERENCE

FireEye, Inc. www.fireeye.com
FaceTime Communications, Inc. www.facetime.com
Messaging Anti-Abuse Working Group www.MAAWG.org
MXTools www.mxtools.com
Team Cymru www.team-cymru.org

EDITOR’S NOTE: MAAWG Methods for Sharing Dynamic IP Address Space Information with Others and MAAWG Recommendations: Email Forwarding Best Practices are both available at no cost on the MAAWG Web site, www.maawg.org.
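The PBL/XBL rejection Bjorklund describes, written out as the connection-time check a receiving mail server would run. This is an added example, not code from the article, Spamhaus or FireEye; the zen.spamhaus.org zone name and the 127.0.0.x return-code ranges are assumptions taken from Spamhaus' public DNSBL documentation and should be verified before use, and the DNS answers at the bottom are constructed so the example runs offline.

```python
import ipaddress
import socket
from typing import Callable, List

# Zone name and return-code ranges are assumptions from Spamhaus' public
# DNSBL documentation, not from the article; verify them before deploying.
ZEN_ZONE = "zen.spamhaus.org"
XBL_CODES = {4, 5, 6, 7}  # 127.0.0.4-7: XBL, exploited / botnet-infected host
PBL_CODES = {10, 11}      # 127.0.0.10-11: PBL, space that should not send direct SMTP

def dnsbl_query_name(ip: str, zone: str = ZEN_ZONE) -> str:
    """Reverse the octets and append the zone: 198.51.100.7 -> 7.100.51.198.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # ValueError on malformed input
    return ".".join(reversed(octets)) + "." + zone

def live_resolver(name: str) -> List[str]:
    """Real DNS lookup; NXDOMAIN (address not listed) becomes an empty list."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

def smtp_policy(ip: str, authenticated: bool,
                resolver: Callable[[str], List[str]] = live_resolver) -> str:
    """Return "reject-xbl", "reject-pbl", "listed-other" or "accept" for a connection from ip.

    The PBL applies only to unauthenticated SMTP: an authenticated submission from a
    home broadband address is exactly the traffic the PBL considers normal for that space.
    """
    codes = set()
    for answer in resolver(dnsbl_query_name(ip)):
        parts = answer.split(".")
        if len(parts) == 4 and parts[:3] == ["127", "0", "0"]:
            codes.add(int(parts[3]))
    if codes & XBL_CODES:  # compromised host: reject whether or not it authenticated
        return "reject-xbl"
    if codes & PBL_CODES and not authenticated:
        return "reject-pbl"
    if codes - PBL_CODES:  # listed elsewhere (e.g. SBL); that policy is out of scope here
        return "listed-other"
    return "accept"

# Constructed DNS answers standing in for real zone responses, so the example runs offline.
FAKE_ANSWERS = {
    dnsbl_query_name("198.51.100.7"): ["127.0.0.4"],   # XBL-listed zombie
    dnsbl_query_name("203.0.113.9"): ["127.0.0.11"],   # PBL dynamic / end-user range
    dnsbl_query_name("192.0.2.5"): ["127.0.0.2"],      # SBL only
}

def fake_resolver(name: str) -> List[str]:
    return FAKE_ANSWERS.get(name, [])
```

Call `smtp_policy(ip, authenticated)` without a resolver argument to query the live zone; the XBL verdict is applied before the authentication check because a compromised host stays compromised regardless of the credentials it presents.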