Zombies try to blend in with the crowd

By Joris Evers, CNET News.com
Friday, October 20, 2006 02:34 PM

As a result, protection mechanisms, such as blocking IRC traffic, will fail. This could mean that zombies, which so far have mostly been broadband-connected home computers, will be created using systems on business networks.

"The trend to Web-based command and control is really about protecting the command-and-control center and hiding traffic from network administrators," said Randy Abrams, director of technical education at Eset, a security software company. "Web traffic is ubiquitous. IRC channels are well-known and relatively easily located and shut down."

Nazario agreed. "Part of the motivation is the idea of deeper penetration into juicier networks that allow Web-based traffic relatively unfiltered, but don't allow IRC," he said.

At the same time, zombie fighters lose an important capability to identify and spy on botmasters. Security professionals have been able to track hackers by crafting software tools mimicking a bot, and by signing in to IRC networks used to control botnets. On those same networks, the miscreants often also talk to co-conspirators.

"It is like talking to your friends over instant message," Nazario said.

Additionally, botnet operators can sometimes be identified by their Internet Protocol, or IP, address when they sign on to their own IRC server, he said. In the past year or so, law enforcement agencies have been able to arrest several botmasters.

The morphed threat requires work on the part of security people, Nazario said. "We have to speak a whole different language now," he said. "We have to learn new command instructions and new communication mechanisms that each of these bot families uses."

Security providers have found some ways to find and fight the new-style zombies. ISPs and businesses could block the individual Web addresses used by the malicious programs. In the near future, blacklists of such addresses will likely be compiled, experts said.

"You certainly can't just block all outbound Web traffic," Nazario said. "But if you have identified a certain Web server and it is not used for something else, you can go and block just that IP address."

Honeypot lures
To track the activity of botmasters, security professionals have to rely more on their honeypots, which are computers set up for the purpose of being infected, Fleischman said. This gives them the malicious code to dissect and identify the control servers, he said.

Also, a honeypot computer might be used as a control server, which means the attacker can be monitored and possibly identified when logging in, Fleischman said. "Botmasters hate the honeypot technique. They have a thousand bots, and they don't know which one is owned by a good guy," he said.

Individual organizations could invest in technology to more closely monitor Web traffic and spot traffic patterns that indicate bot activity. "But a lot of people don't want to look through that haystack," Fleischman said. "There might be more of a financial investment to scan that. The infrastructure cost is going to be higher."
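As an added illustration of the two defensive measures the article describes (blocking the address of a control server once it has been identified, and looking through the "haystack" of web traffic for patterns that indicate bot activity), the following Python script is not from the article or from any of the companies quoted in it. It runs over a small, constructed set of proxy log lines; the hostnames, addresses, log layout and detection thresholds are all assumptions chosen for the example. The pattern it looks for is a client polling one web server at a near-constant interval, which is how a bot checking in for commands over HTTP tends to look in a proxy log.

```python
"""Beacon detection and blocklist matching over constructed proxy log lines."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: "timestamp client method host path". The hosts and
# addresses are documentation/test names, not real servers.
SAMPLE_LOG = """\
2006-10-20T09:00:00 10.0.0.5 GET intranet.example.internal /news
2006-10-20T09:00:12 10.0.0.7 GET update.example-cnc.test /cmd.php
2006-10-20T09:01:03 10.0.0.5 GET www.example.com /index.html
2006-10-20T09:05:12 10.0.0.7 GET update.example-cnc.test /cmd.php
2006-10-20T09:10:11 10.0.0.7 GET update.example-cnc.test /cmd.php
2006-10-20T09:12:40 10.0.0.5 GET www.example.com /about.html
2006-10-20T09:15:13 10.0.0.7 GET update.example-cnc.test /cmd.php
2006-10-20T09:20:12 10.0.0.7 GET update.example-cnc.test /cmd.php
2006-10-20T09:22:05 10.0.0.9 GET 192.0.2.10 /
"""

# Constructed: one address already identified as a control server and not
# used for anything else, the case in which the article says you can block it.
BLOCKLIST = {"192.0.2.10"}

LOG_FORMAT = "%Y-%m-%dT%H:%M:%S"


def parse_log(text):
    """Parse the constructed log layout into (timestamp, client, host, path) records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, host, path = line.split()
        records.append((datetime.strptime(ts, LOG_FORMAT), client, host, path))
    return records


def find_beacons(records, min_hits=4, max_cv=0.1):
    """Flag (client, host) pairs contacted at a near-constant interval.

    A client that fetches the same server every few minutes with little
    jitter is the pattern a bot polling for commands leaves behind. Both
    thresholds (minimum hits, maximum coefficient of variation of the gaps)
    are assumptions that would be tuned against a real network's baseline.
    Returns a sorted list of (client, host, mean_gap_seconds).
    """
    by_pair = defaultdict(list)
    for ts, client, host, _path in records:
        by_pair[(client, host)].append(ts)
    beacons = []
    for (client, host), times in sorted(by_pair.items()):
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons.append((client, host, avg))
    return beacons


def blocklist_hits(records, blocklist):
    """Report which clients contacted a host already identified as a control server."""
    return sorted({(client, host) for _ts, client, host, _path in records
                   if host in blocklist})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for client, host, avg in find_beacons(recs):
        print(f"beacon: {client} -> {host} every {avg:.0f}s")
    for client, host in blocklist_hits(recs, BLOCKLIST):
        print(f"blocklisted: {client} -> {host}")
```

In the constructed sample only 10.0.0.7 shows the regular five-minute cadence; the ordinary browsing by 10.0.0.5 is too sparse and irregular to be flagged, which is the point of keying on interval regularity rather than on volume alone. The blocklist check is the cheap complement: it catches known control servers immediately, while the beacon check is what surfaces ones nobody has listed yet.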

Arbor identifies about 600 new botnets each day. Only a small number of botnets today, less than 1 percent, according to Arbor, use Web-based command and control. However, that number is likely to increase, as developers for the underground perfect the technique.

While the zombie fighters have to adjust to the new tactics of their adversaries, the battle has not been lost.

"The first variants of Web bots may have thrown people for a loop," said Adam Meyers, a security expert at consulting firm SRA International. "As new command-and-control mediums emerge, the good guys will adapt their containment and investigatory techniques."

The defense industry is always reacting to the bad guys, Nazario agreed. "They always make the first move and we counteract," he said. "That said, the good guys control the infrastructure, so we ultimately have the last word. If we don't like what they're doing, we can shut them down."
