
Wednesday, August 4, 2010

Kraken and Storm Redux: Rebirth of Botnets

By Rob Jamison, Manager, Network Intelligence, Managed Security Solutions Group, BT Global Services

Last month, we posted an article on the return of the Kraken botnet.  In addition to Kraken, the Storm botnets have also made a slight comeback on hosts once belonging to the recently decimated Mariposa Botnet.  Over the next several days, we will examine the technical issues surrounding the return of these botnets, with a focus on the following areas:

  • The reuse of malware by persons of less technical sophistication than the original authors [lowering barriers to field entry]
  • That botnet “breaking” is effectively a zero-sum gain, as most nodes previously rendered benign by DNS sinkholing have rejoined some other botnet [host recidivism]
  • Pirated software is making the problem all the worse [piracy proportional to botnet size]

In this commentary, we’re covering the first area since there is plenty of evidence to support the claim that people of less technical sophistication than the original authors are reusing the malware.  Consider the attestation of Panda Security’s Pedro Bustamante:

“Our preliminary analysis indicates that the botmasters did not have advanced hacking skills.  This is very alarming because it proves how sophisticated and effective malware distribution software has become, empowering relatively unskilled cyber criminals to inflict major damage and financial loss.”

If Mariposa had been a low-tier botnet (say, only 100,000 nodes), perhaps it could be explained away that script-kiddie botmasters got lucky for a while.  They inherited well, or knew the “right people” in lieu of the “right stuff.”  However, this was not the case.  Mariposa was a 10^8 node botnet, and that, by any estimation, is a really big number.

That the botmasters are N stages removed from the original authors supports the argument that a botnet is, in itself, simply a commodity to be bought and sold.  To compare, the entities that hold the most barrels of petroleum at any given time are neither producing nor consuming petroleum.  They are “possessing it,” assuming the risk (and hence the profit) that comes from stewardship between the time it is made available and the time it is consumed by a refinery.  They need to know the details of neither the production nor the distillation of the product, and they have no special skills (or at least display none) in either area.  This is why these botmasters don’t need the same technical abilities that the authors of the original code exhibited.  Would a court even hear a case in which the writer of Trojan software sued a botmaster for financial loss or defamation?

It would be difficult to defend this position if Mariposa were not the single biggest documented botnet in the world back in January.  As skeptical as we are about the actual numbers of nodes reported as participating in a single botnet, even if the actual number was only 1/100 of the touted number (which would be one hundred thousand), it would still be greater than the total number of computers in each of half the world’s countries.  Just consider that several people lacking technical sophistication, unaligned with any foreign government, were harnessing the power of a 3-gigawatt-per-hour computing center.*

   *  Calculations for emphasis only; assume 300W PSUs, 10 Million hosts online at a single time.

To read the full paper on Kraken, click here.

2 Responses to “Kraken and Storm Redux: Rebirth of Botnets”

  1. [...] yesterday’s post, we discussed the reuse of malware. In today’s article, I want to focus on how botnet [...]

  2. [...] the previous two posts, we discussed the reuse of malware and host recidivism.  In this article, we will focus on how pirated software is making the problem [...]
