The Botnet Trackers

Thursday, February 16, 2006; 3:12 PM

Many information security experts say the mainstream Internet security companies have inadvertently yet drastically understated the seriousness of the threat posed by the global bot epidemic.

"So far, information security companies and researchers have focused on discrete infections: a particular virus or worm, or the outbreak of the week," said David Dagon, a Ph.D. student at Georgia Tech who is working with researchers at the Honeynet Alliance, an international volunteer group whose members are conducting some of the most detailed research into the modern botnet craze.

Dagon argues that combating the worm du jour is necessary in the short term, but that many of the Internet's most pressing security problems -- from spam to online financial scams to denial-of-service attacks like those launched against Changeip.com -- have a root cause in botnets.

"We should pursue a root-cause solution, instead of treating the latest symptom," Dagon said.

In its latest annual Internet threat report, Cupertino, Calif.-based security giant Symantec Corp. reported that the average botnet size was around 10,500 machines.

But Dagon's estimates are far higher. Throughout 2005, Dagon tracked more than 12 million distinct bots on the global Internet. Dulles, Va.-based America Online had the largest share of botted PCs at roughly ? million.

Dagon's research puts the median botnet size around 45,000 compromised machines, with 20,000 being the average size. The median size is pushed so much higher than the average, he said, because the group has tracked at least a dozen distinct botnets that contain more than 100,000 infected machines. Dagon cautioned, however, that it is quite common for a poorly secured PC to be infected with multiple bots.

But controlling the activities of more than 40,000 hacked PCs requires an enormous amount of computer-processing power and Internet-access bandwidth. As such, botmasters have adapted their command-and-control networks to accommodate much larger botnets.

One popular way to control large numbers of compromised machines is through delegation. For example, if a botmaster has compromised 100,000 PCs but only has the capacity or bandwidth to control 10,000, the attacker can organize the victim PCs into hundreds of much smaller groups, with a "lieutenant" bot in each group that orchestrates communication between other members of the platoon and the bot herder's main control channel.

In such a scenario, the individual bots are democratic. Should a lieutenant machine suddenly be unplugged from the Web or scoured of its controlling spyware, the platoon's remaining bots are programmed to hold a virtual "election" to see which computer should take command. In most cases, the PC with the fastest and/or most reliable Internet connection gets elected.

There is one factor in controlling vast numbers of bots that can mask the true size of any given botnet, Dagon said. To reduce the command-and-control burden, many bots are configured to remain disconnected from the herd most of the time and to merely "phone home" periodically to check for updates or new instructions. The downside -- from the botmaster's standpoint -- is that only a fraction of a botnet's member PCs are connected at any given time, which means that the botmaster's instructions may not reach the entire herd for several hours.

Earlier this year, Dagon and others tracked a botnet of more than 350,000 compromised PCs scattered across dozens of countries on five continents. But due to the diurnal pattern of the individual bots -- which are turned on and off by their unsuspecting users according to the time of day -- only about 120,000 bot connections were visible at any one time.
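To make that measurement point concrete, here is an added Python example (not from the article or from Dagon's group) that reads a constructed sinkhole check-in log and compares the peak hourly count, which is what a snapshot shows, with the distinct bot identifiers seen across the day; the log format, bot IDs and timestamps are assumptions.

```python
"""Botnet population from a sinkhole check-in log (constructed example).
Bots that phone home only periodically are visible a fraction of the time, so a
peak concurrent count understates the herd; distinct IDs over a day do better."""
from collections import defaultdict
from datetime import datetime
# Constructed sample log, not real data: "<ISO timestamp> <bot_id>".
SAMPLE_LOG = """\
2006-02-01T01:05:00 bot-01
2006-02-01T01:40:00 bot-02
2006-02-01T02:10:00 bot-03
2006-02-01T13:15:00 bot-04
2006-02-01T14:05:00 bot-05
2006-02-01T14:30:00 bot-04
2006-02-01T14:45:00 bot-02
2006-02-01T20:00:00 bot-06
"""

def parse_log(text):
    """Return [(datetime, bot_id), ...] sorted by time, skipping bad lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        try:
            records.append((datetime.fromisoformat(parts[0]), parts[1]))
        except (IndexError, ValueError):
            continue  # malformed line: skip it rather than abort
    return sorted(records)

def visible_per_hour(records):
    """Map each hour bucket, e.g. '2006-02-01T14', to the bot IDs seen in it."""
    buckets = defaultdict(set)
    for ts, bot_id in records:
        buckets[ts.strftime("%Y-%m-%dT%H")].add(bot_id)
    return dict(buckets)

def peak_concurrent(records):
    """Most bots visible in any one hour: what a single snapshot would show."""
    return max((len(b) for b in visible_per_hour(records).values()), default=0)

def distinct_population(records):
    """Distinct bot IDs over the whole window: a lower bound on herd size."""
    return len({bot_id for _, bot_id in records})

def hour_reaching_coverage(records, fraction):
    """First hour by which cumulative distinct IDs reach `fraction` of the total."""
    target = fraction * distinct_population(records)
    seen = set()
    for hour, bots in sorted(visible_per_hour(records).items()):
        seen |= bots
        if len(seen) >= target:
            return hour  # falls through to None for an empty log
```

On the sample log the peak hour shows 3 bots while 6 distinct IDs appear over the day, and 80% of the population is only seen by the afternoon bucket, which is why a tracker has to watch across the full diurnal cycle before estimating size.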

Dagon and his team are currently at work on compiling a family tree of bots based on their code origin, since so many bot designers borrow computer programming instructions from one another. Some bots even come with their own "open source code license" that exhorts contributors to freely share their innovations.

"Although there are hundreds of bots in the zoo, there's a lot of inbreeding," Dagon said. "And unlike nature, this creates healthier offspring."

So far, it's proving to be a full-time job just keeping up with the new variants. Dagon estimates that at least four or five new, distinct bot programs are created each day.


© 2006 The Washington Post Company