
Report predicts rise of self-defending botnets

I spam therefore I am.

The world is not only losing the war against spam, the situation might be about to get a whole lot worse with the emergence of a new type of automatic botnet able to thrive without direct human control, Symantec's MessageLabs division has warned.

Ironically, according to the company's 2009 Security Report, the emergence of what might be termed the 'autobot' has been driven by attempts to tackle the current generation of botnets by shuttering ISPs associated with the global flow of spam.

The best example of that was the closing of ISP-gone-bad, McColo, towards the end of 2008, which dramatically and instantly reduced spam levels in a way that nobody thought was possible. During 2009, further ISPs have been shut, including Real Host last summer, but the effect has been much less pronounced.

MessageLabs reckons this is a sign that today's botnets have been modified to adapt more quickly to the loss of particular nodes, transferring traffic through different channels in a matter of days or even hours. The speed of response necessary requires self-healing behaviour, including the use of encrypted channels for control based on P2P principles.

"You don't have to have a person looking after it, the botnets can now look after themselves," says MessageLabs' Paul Wood, who notes that the McColo shutdown had affected spam levels for up to seven weeks, a hiatus that would be extremely unlikely now.

Wood predicts that during the coming year, botnets will migrate to a design based on "inbuilt self-sufficient code" able to adapt to anti-botnet activities and so improve their survival chances. The company has detected 5 million PCs that are now working on behalf of the botnets.

Elsewhere in the spam ecosystem, 2009 has seen defences such as CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) being eroded to the point of near uselessness. Previously considered a way of foiling the mass creation of email accounts to channel spam and get around reputation services based on trusting a whitelist of domains, CAPTCHA was now being defeated by individuals in sweat shops paid small sums to manually create accounts.

MessageLabs predicts that this will see CAPTCHA replaced by more complex systems based on recognising images, which will at least increase the amount of time it takes for a paid CAPTCHA-beater to create a bogus account.

Other Internet crime hotspots for the year have included a range of smaller innovations such as social engineering attacks exploiting the trust relationships implicit in social networking, and specific attacks such as the hijacking of short URLs to hit people with malware.

So what do reports such as this tell us that we might not have known a year ago? An important underlying theme is that criminality has now burrowed deep into the fabric of the Internet in ways that make tackling problems such as spam almost impossible.

As the takedown of various ISPs has shown, service providers are now being set up specifically to distribute malware and spam right under the noses of the authorities in countries such as the US. Similarly, the de-regulation of the domain registration system has allowed crooked registrars to spring up which exist solely to bend that system to criminal needs. Telling these apart from legitimate Internet businesses is often difficult.

Wood is unconvinced that there is an easy solution to this problem. Simply striking at these ISPs and registrars could actually hamper police investigations that rely on the accumulation of evidence trails and deeper associations over longer periods, he said.

The full report (a 10MB PDF file) can be downloaded from MessageLabs' website.





