Bots slim down to get tough

Malicious makers of bots are finding big is not always better when it comes to avoiding detection, according to a security expert.

Over the past two years, the average network of bots, or compromised PCs commandeered by remote attackers, has dropped from more than 100,000 to an average of 20,000, Mark Sunner, MessageLabs's chief technology officer, said during Tuesday's annual Security Roundtable Webcast.

A botnet is comprised of thousands of computers that have been surreptitiously transformed into zombie PCs without their owners' knowledge. The move to pint-size botnets helps malicious attackers have more success in delaying detection of their illicit zombie networks, Sunner said.

"When a larger botnet is spreading a virus, it lights up the switchboard of (antivirus) vendors, and they'll respond in a few hours with a signature to contain the outbreak," Sunner said.

"With a smaller botnet, it may take a day or so before it's discovered and a signature is written," he said.

Maksym Schipka, a senior antivirus researcher at MessageLabs, noted that two other issues have also contributed to the shrinking size of botnets.

First, an increase in the numbers of hackers hoping to put together networks has made the task of securing zombie computers more competitive, so it is harder for the "bot herder" to amass a larger number of drone computers.

Second, home users with high-bandwith connections, the primary targets of hackers, are taking more steps to secure their computers.

Often, hijacked bots have been infected with software that will connect to an Internet Relay Chat and await instructions from the malicious attacker. Botnets are used to send out e-mail messages for spam and phishing attacks. They can also be used to send out a flood of data to bring down a system in a denial-of-service attack.

When a malicious writer launches a phishing scam, antivirus companies will write so-called signatures that identify the attack for their protective products. These signatures are like taking fingerprints of malicious software. Each time the attack touches the doorknob to enter a system, the door locks.

The more quickly antivirus vendors distribute a signature for a virus and customers deploy it, the less effective that particular botnet can be, Sunner said.

"As botnets get used up, they are blacklisted and less useful for spamming or phishing attacks," Sunner said. "But they get mopped up and are used for DOS attacks."

As DOS attacks don't directly use e-mail or viruses, they won't be caught by blacklists or signature-based antivirus products. Last year, Sunner said his company began noticing old, wornout spambots were being resold as potential DOS bots on various sites and forums used by malicious attackers.

"People would advertise bots with 'fresh' machines, or ones that were mopped up," Sunner said.