Botnets are being split into smaller ‘swarms’ to evade detection, analysis from two security vendors has suggested.
Last week, F-Secure’s Mika Stahlberg was reported as saying that the company had noticed the emergence of smaller botnets, a trend that ran counter to the previous tendency to run huge numbers of hijacked machines as single entities.
Israeli company Finjan this week echoed with the Finnish company’s findings, noting that the phenomenon of the mini-botnet was an evolutionary defence against better detection systems.
The findings don’t mean that total effective size of a particular botnet is getting smaller, simply than botnetters are building their spam-sending creations from smaller subsets of hijacked computers.
"By escaping detection in this way, criminals can effectively fly their rented botnets in under the security radar, and ensure the swarm hits the relevant Web sites with devastating results,” said Finjan CTO Yuval Ben-Itzhak.
“This is a potentially serious evolution in the world of botnets. The change in the web security status has proven to be a difficult task to tackle for traditional security companies. The best way to detect modern malicious code is to be able to understand in real-time what the code intends to do, before it does", he claimed.
It is an open question as to what security pressure is causing this change. Both companies sell software that blocks or detects the attacks through which botnets strike at desktops by monitoring traffic to and from the network gateway and PC. It is unlikely that smaller botnets would make any difference to this detection method.
A more likely explanation is that smaller swarms are an attempt to confound ISP and Internet-based detection systems set up to resolve connection attempts to IP addresses, blocking those that look to be suspiciously active. Experts have long contended that such technology, and the development of reputation services, is the only long-term answer to the botnet problem.
Now take part in our