Mega-D Botnet or Mega-Confusion?
by Danny McPherson
I read this Slashdot article over the weekend and was a bit surprised that I hadn’t heard of this Mega-D botnet before. So, I reached out to a few colleagues of mine and asked if they’d heard anything of it - beyond the press release and a slew of obviously derivative works, all to no avail.
Apparently, this all originated with the folks at Marshal, and their TRACE team, and this press release, err…, or was it this press release, or an interview, or…? Anyway, the sexy bit for me wasn’t necessarily that they believe this Mega-D botnet now accounts for 32% of ALL spam, or even that Storm currently accounts for only 2% of spam — although I do consider these impressive and interest-invoking findings. Rather, most interesting were their assertions that the Storm botnet “seems to be passing”, and interviews speaking of “the Storm worm’s demise”, while an upstart Mega-D has already far surpassed even Storm’s peak spam-generating efforts.
So, the one reply I received from colleagues suggested that perhaps what they’re seeing is actually a partition of Storm, hence the common characteristics.
Note: A botnet partition is essentially a virtualized subset of botnet resources allocated to a ‘customer’ who then makes use of these resources for DDoS, spam, phishing, etc. We can think of a botnet partition as somewhat similar to an MVNO in the mobile phone world - essentially, a ‘branded’ operator who’s making use of another carrier’s underlying network infrastructure. So, at first blush, it appears that Mega-D may well be a Botnet Virtual Network Operator - or BVNO - a term coined by Roland Dobbins a short while ago.
This is yet another example of how the online criminal underground have adopted many of the business models and best practices of legitimate enterprises. If that’s the case, then this whole thing is more like saying the lettuce on the sandwich is larger than the lettuce AND the rest of the sandwich.

I did reach out to the folks at TRACE; I’m hoping they can share some additional information on their findings. As much as I’d like to see clear skies and the demise of Storm, I suspect it’s not keeling over any time soon. And, as even the TRACE folks suggest, if Storm were indeed ready to pass, there are a slew of anxious beta bots ready to take the alpha helm.
Hello there
The company I work with had a problem with a DDoS attack. The above link is the site; please check and let me know what the problem is and get back to me as soon as possible because it's urgent.
Here is where the attacks are coming from:
This is really a problem, help.