Report: Bad guys will seek reinforcements, recycle code

A new report from Fortinet predicts the bad guys will hire reinforcements to stay ahead of botnet takedowns. They will also turn on each other over territory and recycle malicious code, which will in turn lead to more confusion.

By , Senior Editor

December 15, 2010 | CSO

The good news is that the public and private sectors are getting better at these global botnet takedowns. The bad news is that the bad guys are already planning for it.

That's one of the takeaways from a new Fortinet report looking at five perils and opportunities to expect in the coming year. In an interview with CSO, Fortinet Cybersecurity and Threat Research Project Manager Derek Manky shared the following details:

  • 1. Global collaborative takedowns will increase. This year, Fortinet has seen examples of countries working together on efforts, such as Operation Bot Roast (FBI initiative), Conficker Working Group and the recent Mariposa/Pushdo/Zeus/Bredolab busts, to bring syndicates down. But these takedown operations are only focused on the most visible violators and sometimes only cause a temporary impact. For example, while authorities took down the massive Koobface botnet in November, the servers were reconfigured and back up and running at full capacity a week later. Next year, Fortinet sees authorities consolidating global collaborative efforts and teaming up with security task forces to shut down the growing number of malware ops. This year's Zeus takedown, which led to charges by authorities in the U.S. and Britain, is an example of the collaborations to come.
  • 2. The bad guys will get territorial and raise prices on each other for insidious services. "Today, we're seeing a territorial concern for criminals building their malware empire(s), since control over managed infections can lead to longer up times and greater cash flow," the report said. "Features advertised as bot killers are being implemented into new bots to generically kill other threats that may lurk on the same system." For example, Manky said, Fortinet studied one bot that enumerated process memory to look for commands used by resident IRC bots. Once the processes using these commands are found, it will kill them since they are seen as a territorial threat. As attackers infect machines in 2011, the value of already infected machines will increase. As a result, Manky expects to see a price increase for criminal services like bot rentals and malware that includes machine maintenance to maximize an infected machine's uptime. "To keep infections discreet, malware operators may turn to quality assurance services that would, say, refuse to load software that may crash a machine or otherwise impact their business," he said, quoting from the report. "As part of the package, malware operators may also include leasing infection process time. When the lease is up, the malware would clean up after itself, reducing the amount of load/threats on a single machine."