The good news is that the public and private sectors are getting better at these global botnet takedowns. The bad news is that the bad guys are already planning for it.
That's one of the takeaways from a new Fortinet report looking at five perils and opportunities to expect in the coming year. In an interview with CSO, Fortinet Cybersecurity and Threat Research Project Manager Derek Manky shared the following details:1. Global collaborative takedowns will increase. This year, Fortinet has seen examples of countries working together on efforts, such as such as Operation Bot Roast (FBI initiative), Conficker Working Group and the recent Mariposa/Pushdo/Zeus/Bredolab busts, to bring syndicates down. But these takedown operations are only focused on the most visible violators and sometimes only cause a temporary impact. For example, while authorities took down the massive Koobface botnet in November, the servers were reconfigured and back up and running at full capacity a week later. Next year, Fortinet sees authorities consolidating global collaborative efforts and teaming up with security task forces to shut down the growing number of malware ops. This year's Zeus takedown, which led to charges by authorities in the U.S. and Britain, is an example of the collaborations to come.2. The bad guys will get territorial and raise prices on each other for insidious services."Today, were seeing a territorial concern for criminals building their malware empire(s), since control over managed infections can lead to longer up times and greater cash flow," the report said. "Features advertised as bot killers are being implemented into new bots to generically kill other threats that may lurk on the same system." For example, he said, Fortinet studied one bot that enumerated process memory to look for commands used by resident IRC bots. Once the processes using these commands are found, it will kill them since they are seen as a territorial threat. As attackers infect machines in 2011, the value of already infected machines will increase. As a result, Manky expects to see a price increase for criminal services like bot rentals and malware that includes machine maintenance to maximize an infected machine's uptime. "To keep infections discrete, malware operators may turn to quality assurance services that would, say, refuse to load software that may crash a machine or otherwise impact their business," he said, quoting from the report. "As part of the package, malware operators may also include leasing infection process time. When the lease is up, the malware would clean up after itself, reducing the amount of load/threats on a single machine."3. There will be more 32-to-64-bit infections. Manky said technologies like address space layout randomization (ASLR), data execution prevention (DEP), virtualization, PatchGuard/kernel driver signing and sandboxing are becoming more routine along with the 64-bit machines running them. This has restricted malware's reach, and that will drive demand in 2011 for things like 64-bit rootkits such as Alureon, which got around PatchGuard and signing checks by infecting the master boot record to stage the attack. "Expect more 64-bit rootkits to follow in the quest to gain a foothold on newer machines and further, innovative attacks that circumvent defenses like ASLR/DEP and sandboxing," he said.
MORE ON THE BOTNET WAR4. Cybercriminals will hang up the "help wanted" sign. As money mules are taken offline in the coming year, the bad guys will be seeking immediate replacements. This will lead to an increase in underground work for developers to create custom packers and platforms, hosting services for data and drop-zones, CAPTCHA breakers, quality assurance (anti-detection) and distributors (affiliates). As demand grows, criminal operations will expand head counts. New affiliate programs will likely create the most head count by hiring people who sign up to distribute malware. Botnet operators have typically grown their botnets themselves, but, Fortinet suspects more operators will begin delegating this task to commissioned middle men in 2011. "The Alureon and Hiloti botnets are two examples that have already grasped this concept by establishing affiliate programs for their own botnets; paying anyone who can help infect systems on the operator's behalf," the report said.5. Recycled source code will spread. In 2011, Fortinet predicts more cyber criminals will try to make money using recycled source code. This will create more threat names and variants as it circulates in the wild, which will only create further confusion and dilute the meaning of these names. "While public source code will continue to create problems on the security landscape, private source code will increase in value as will jobs for adept developers," the report said. "We also expect to see new cases of leaked private source that are employed by new up-and-comers, thus continuing the vicious cycle."