Chapter 1 / Empty Cup Mind
father of the TCP/IP standard, up to 150 million of the 600 million computers
connected to the Internet belong to a botnet.[20] During a single incident in
September 2003, police in the Netherlands uncovered a botnet consisting of
1.5 million zombies.[21]
Enter: Conficker
Although a commercial outfit like Google can boast a computing cloud of
500,000 systems, it turns out that the largest computing cloud on the planet
belongs to a group of unknown criminals.[22] According to estimates, the botnet
produced by variations of the Conficker worm at one point included as many
as 10 million infected hosts.[23] The contagion became so prolific that Microsoft
offered a $250,000 reward for information that resulted in the arrest and
conviction of the hackers who created and launched the worm. However, the
truly surprising aspect of Conficker is not necessarily the scale of its host
base as much as the fact that the resulting botnet really didn't do that much.[24]
According to George Ledin, a professor at Sonoma State University who
also works with researchers at SRI, what really interests many researchers in
the Department of Defense (DoD) is the worm's sheer ability to propagate.
From an offensive standpoint, this is a useful feature because as an attacker,
what you'd like to do is quietly establish a pervasive foothold that spans the
infrastructure of your opponent: one big massive sleeper cell waiting for the
command to activate. Furthermore, you need to set this up before hostilities
begin. You need to dig your well before you're thirsty so that when the time
comes, all you need to do is issue a few commands. Like a termite infestation,
once the infestation becomes obvious, it's already too late.
Malware Versus Rootkits
Many of the malware variants that we've seen have facets of their operation
that might get them confused with rootkits. Spyware, for example, will often
conceal itself while collecting data from the user's machine. Botnets imple-
20. Tim Weber, "Criminals may overwhelm the web," BBC News, January 25, 2007.
21. Gregg Keizer, "Dutch Botnet Suspects Ran 1.5 Million Machines," TechWeb, October 21, 2005.
22. Robert Mullins, "The biggest cloud on the planet is owned by ... the crooks," NetworkWorld, March 22, 2010.
23. http://mtc.sri.com/Conficker/.
24. John Sutter, "What Ever Happened to The Conficker Worm," CNN, July 27, 2009.