From Botnet to Malnet
Posted by Gunter Ollmann on December 14, 2006 at 12:54 PM EST.

I get pinged about botnets on an almost daily basis, and most of the queries are related to how big the botnet problem really is. It's an interesting question, but ultimately a very difficult one to answer.

My best, most reliable source of information is ISS' managed security services (MSS) global threat operations center (GTOC). However, it's a catch-22 situation, in that to build up those statistics ISS customers would need to have bot agents installed on their hosts - which would mean that MSS hadn't done its job in protecting them. Consequently, from a statistical perspective, botnet infections are 0%.

However, X-Force does have a number of other significant sources for botnet information - such as our massive webcrawlers (2 million new sites per day), spam/phishing monitoring services, honeynets, IRC/IM monitors, etc. - which means that (at the very least) we acquire approximately 50,000 new (unique) malware samples per month.

In our analysis of these samples, it's pretty clear that the classic 'bot' agent no longer really exists. The current 'bots' are about as close to the old bots (of botnet fame) as a medieval knight is to James Bond. To continue to call these distributed malware networks 'botnets' is to underestimate their contemporary abilities - let's call them what they really are: Malnets.

While botnets were about noisy DDoS and spam relaying, Malnets focus on staying under the radar. This was an expected evolutionary step. As operating systems have become more secure, and as 3rd-party security products have further reduced the likelihood of compromise, malnet owners have become more focused on retaining control of their infected host empire - the cost of infecting hosts is getting higher - so the nature of how they use their malnets has changed.

So, the question for many malnet owners is "if I own a 10,000-bot malnet, how can I make money without getting discovered?" There are of course several 'business strategies', but it is pretty clear that, with a little thought, malnet owners can actually build a recurring revenue stream by going down the personal-profiling route rather than identity theft or DDoS agents for hire.

In case you're interested in finding out more about this interesting spin on malnets, check out the December X-Force newsletter - released today.

Copyright 2001-2007 © Gunter Ollmann