Monday, April 26, 2010

Opt-in Botnets

As businesses and governments have moved their presence online, protesting and other public forms of disaffection against them have followed. Growing numbers of people have been motivated to take up the cyber-equivalents of protest placards, highway sit-downs and Molotov cocktails.

The last few years have shown a steady increase in the sophistication of the tools and tactics the disaffected use online. Social networking applications, Web 2.0 technologies and the general availability of what can best be described as “military grade” cyber attack tools make it a trivial task for protestors to launch crippling attacks from anywhere around the world.

The massive adoption of social networking portals and micro-blogging services in turn created a new generation of centralized Command-and-Control (CnC) capabilities that quickly and easily organize protests for international participants from all walks of life. The simplicity with which these technologies can be leveraged for attack coordination against governments and commercial organizations should not be underestimated.

A second generation of cyber-protesting tools has emerged, encompassing a disturbing blend of criminal technology and activist enthusiasm. A growing number of movements are asking their members to deliberately install bot software on their hosts and within their networks in order to participate in more sophisticated and effective cyber-protests.

Botnets have always been considered a severe threat that removes PCs and servers from IT control. However, botnet compromises have always come from the accidental and unknowing installation of bot malware. The purposeful and intentional acceptance of bot malware, however laudable the cause, presents a dangerous challenge to any organization concerned about maintaining control over network assets and demonstrating proper fiduciary responsibility.

In short, the introduction of social networking CnC and an increasingly diverse range of motivations and common-cause group memberships is opening the doors to new cyber-protesting possibilities – and to criminal misappropriation of hacktivist botnets. This whitepaper examines the evolutionary path of opt-in botnets, including how tactics have changed, why anyone would willingly choose to join a botnet, and what activist botnets mean to organizations that find themselves both victims and enablers of a botnet-driven attack.

1 comment:

  1. i'm hesitant to label tools that people knowingly install as bot software, even if a degree of aggregated remote control is provided by it. it becomes difficult to distinguish them from seti@home, or the blue frog client from the now defunct blue security anti-spam company. parallels could probably also be drawn with p2p software, among other things.

    client tools for distributing workload are increasing in number, regardless of whether that workload be for a legitimate purpose, an illegal enterprise, or something in between. if we aren't careful we could wind up throwing out the baby with the bath water.

    there's a category of malware that rarely gets much attention and i suspect many people might not even realize qualifies as malware (even though it's clearly malicious software). that category is the attack software that, rather than running on a compromised victim's machine (which is what we typically think of for malware), actually runs on machines legitimately owned by the attacker(s). opt-in hacktivist tools seem like they would belong in this category. unfortunately this category is so seldom discussed there is probably a paucity of malware classifications under it which could be applied to such opt-in hacktivist tools.