1) They understand what they are doing
Herding a botnet isn’t easy these days. The people doing it understand that it is decidedly illegal to run malicious software on computers that are owned by others. They are professionals; where there’s money, there is dedicated will. Over the years, we have observed that the business of malware has gone from creating nuisance software (almost accidental attacks) to stealthy, sophisticated networks of compromised systems.
2) Criminal business is business
This concept is one that every tech-savvy person understands. Every one of us was young and full of game-changing ideas (at least we thought so). It may be that where a talented technologist lands has more to do with opportunity and environment than with some sort of moral compass.
Talented coders code to make compelling, advanced things. They demonstrate, and advance, their skill by getting jobs done, meaning the immediate jobs in front of them. Whichever side of the security divide (to abuse a phrase) you are on, you will recognize that there is a common goal: deliver quality code that gets the job done.
The people in charge of the wider strategy of the scheme are clearly criminals who take advantage of technical talent. They are in the business of crime.
Many factors (geography, talent, relationships, timing and luck) shape opportunity. Consider that all of us, at some point, did the equivalent of holding a sign that read, "Have talent, will use it for money".
3) Accept that ‘good’ and ‘bad’ are technology
There are two cutting-edges; those who defend, and those who attack. While we all enjoy labelling the things people do as “good” or “bad”, it does get convoluted in technology.
A brilliant idea is a brilliant idea. Though I have spent my entire career helping organizations secure their systems, I recognize the creativity, sometimes surprising creativity, of people on the 'other side'.
Consider that every technology idea that advances security is potentially a weapon for attackers. Equally, every method of attack is another chance for security to advance. In a way, it is about advancing technology in increments; some increments are designed to profit criminals, some serve governments or security firms, but they are all advances.
The latest and most interesting attack mechanisms are opportunities for organizations and security firms to learn. Rootkits prodded people to think about ring 0 (kernel/root level).
The talent that drives security, in a strange way, works alongside the talent that drives attacks. It is tempting to call it a race or a game, but the temptation evaporates when people find empty bank accounts or maxed-out credit cards.
4) Owning endpoints is only the first step
From the perspective of a botnet herder, the world is full of possibilities:
• Code injection, memory trickery, privilege escalation: tried and true.
• Finding a buffer overflow in a process has been achieved many times, and it will be done many more times.
• Getting end-users to run an attachment is proven time and time again.
No matter where you live on this planet (for the most part), this activity is illegal. Maintaining control of the compromised endpoints through an anonymous channel is therefore key. If law enforcement or security companies can trace activity to the person or group responsible for compromising systems, things will likely not go well for the botnet herders. In some cases, there can be criminal charges.
In other cases, control of the botnet itself is compromised, and the botnet herder finds their means of generating revenue equally compromised.
To read more about how botnet herders are maintaining Command and Control, read this Security Business review: