Feeds

IRC botnets dying off

Web-based zombies dominate

High performance access to file storage

Web-controlled botnets now outnumber those controlled by the traditional method of IRC channel by a factor of five, according to the latest research from Team Cymru.

IRC channels used to be the only way to control networks of compromised PCs back in the day but the approach has fallen out of favour over the years as more script-kiddie-friendly approaches have begun to predominate.

IRC botnets are dying off, and would be dead and buried already but for weak corporate security policies that have allowed them to stick around, according to Steve Santorelli, former Scotland Yard Detective and now director of global outreach at Team Cymru.

Santorelli explained that many organisations do not filter port 6667, which is used for IRC channels and nothing else, allow infected PCs in corporate networks to receive instructions that would otherwise be blocked at the firewall.

"Infected machines that are part of IRC botnets often have persistent, continuous connections to their C&C, compared to HTTP based botnets which have their infected machines frequently 'check in' at pre-determined times," Santorelli explained. "These connections can be tell-tale symptoms if you know where to look."

IP blacklists and anti-virus software can also help combat comparatively unsophisticated botnet agents. "There is no excuse for allowing these relatively basic threats into your networks," Santorelli concluded.

HTTP-controlled botnets are easier than the IRC-controlled bots for miscreants to set up and run while being harder to detect, so it's no big surprise that they have become the preferred approach for the command and control systems of zombie networks. Web-based botnets are doubling in number every 18 months.

"HTTP based botnets often use ports (eg port 80 of course) that are unblocked on most networks and also hard to filter and easy to hide in a sea of noise," Santorelli told El Reg. "There is no persistent, constant connection to spot.

"They are very easy to configure and deploy - you need zero coding knowledge to run a web based botnet."

A short video explaining the changes in botnet control technology, published on Monday, can be found on Team Cymru's YouTube channel here. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
Experian subsidiary faces MEGA-PROBE for 'selling consumer data to fraudster'
US attorneys general roll up sleeves, snap on gloves
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.