Saturday, January 06, 2007


This article talks about botnets becoming more stealthy.

Stealth is not a technical issue. We have technology that can deal with even stealthy connections, such as the Arbor Networks product mentioned in the above article (which is a very, very good product). The real issue is that with stealth comes disbelief. The sad thing in the cyber-security industry is that CIOs and middle-managers only believe in things they can see. Firewalls, AV, and IPS are successful not because that's where the threat is, but because that's where the visibility is. They won't invest in products like Arbor's because they can't easily see the threat.
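To make the point concrete: the "stealthy" part of a bot is usually only its volume, not its behaviour. A bot that phones home every few minutes with a few hundred bytes is invisible to a firewall log and to AV, but it is a clockwork pattern in flow data, which is exactly what flow-analysis products key on. The following is an added example written for this post, not code from the post or from any Arbor product; the flow records are constructed, and the thresholds (five flows, 10% timing jitter, 20% size jitter) are assumed illustrative values, not anyone's tuned settings.

```python
"""Beacon detection over flow records.

Added example, not from the original post or from any vendor product.
SAMPLE_FLOWS is constructed: one host (10.0.0.5) phones home to a single
address every ~300 seconds with near-identical small payloads, while
another host (10.0.0.9) shows ordinary, irregular web browsing.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (timestamp_seconds, src, dst, dport, bytes)
SAMPLE_FLOWS = [
    (0,    "10.0.0.5", "203.0.113.7", 443, 420),
    (301,  "10.0.0.5", "203.0.113.7", 443, 418),
    (598,  "10.0.0.5", "203.0.113.7", 443, 425),
    (902,  "10.0.0.5", "203.0.113.7", 443, 421),
    (1199, "10.0.0.5", "203.0.113.7", 443, 419),
    (1503, "10.0.0.5", "203.0.113.7", 443, 422),
    (12,   "10.0.0.9", "198.51.100.20", 80, 15032),
    (47,   "10.0.0.9", "198.51.100.20", 80, 2210),
    (410,  "10.0.0.9", "198.51.100.21", 443, 88000),
    (415,  "10.0.0.9", "198.51.100.21", 443, 1200),
    (1300, "10.0.0.9", "198.51.100.20", 80, 30500),
    (1310, "10.0.0.9", "198.51.100.22", 443, 4100),
]


def group_by_pair(flows):
    """Bucket flows by (src, dst, dport); each bucket holds (timestamp, bytes)."""
    pairs = defaultdict(list)
    for ts, src, dst, dport, nbytes in flows:
        pairs[(src, dst, dport)].append((ts, nbytes))
    return pairs


def beacon_score(timestamps):
    """Coefficient of variation of inter-arrival gaps.

    Near 0 means the connections arrive like clockwork; human-driven
    traffic is bursty and scores far higher. Returns None when there are
    too few gaps to say anything.
    """
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None
    avg = mean(gaps)
    if avg == 0:
        return None
    return pstdev(gaps) / avg


def find_beacons(flows, min_flows=5, max_timing_cv=0.1, max_size_cv=0.2):
    """Return (src, dst, dport, interval_seconds) for every pair whose
    timing AND payload size are both suspiciously regular.

    Thresholds are assumed illustrative values for this example.
    """
    hits = []
    for (src, dst, dport), recs in group_by_pair(flows).items():
        if len(recs) < min_flows:
            continue                      # not enough evidence either way
        timestamps = sorted(r[0] for r in recs)
        sizes = [r[1] for r in recs]
        timing_cv = beacon_score(timestamps)
        if timing_cv is None or timing_cv > max_timing_cv:
            continue                      # irregular timing: looks human
        if pstdev(sizes) / mean(sizes) > max_size_cv:
            continue                      # irregular sizes: real content, not a heartbeat
        gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
        hits.append((src, dst, dport, round(mean(gaps))))
    return hits


if __name__ == "__main__":
    for src, dst, dport, interval in find_beacons(SAMPLE_FLOWS):
        print(f"possible beacon: {src} -> {dst}:{dport} every ~{interval}s")
```

Run on the sample data this flags only 10.0.0.5 talking to 203.0.113.7:443 roughly every 301 seconds; the browsing host never has enough flows to one destination, and what it does have is irregular in both timing and size. The obvious caveat is that a bot author who randomises the sleep interval and pads the payload pushes both coefficients above these thresholds, which is why real flow-analysis products look at more than two statistics; the point of the example is that the evidence is present in data most networks already collect, not that this particular check is hard to evade.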

Most large corporations and government agencies aren't thinking about botnets, and among those, I'd guess that roughly half have a live infection. Many of the botnets came in along with noisy worms, but since they didn't themselves propagate noisily, they were never cleaned. The others came from browser/document vulnerabilities, which infect silently because the malware is "pulled" down to the victim rather than noisily "pushed" at it.

The stealth of botnets and rootkits is a social-engineering problem rather than a technical one. It's like how the ninjas of old Japan convinced people they could magically "walk through walls" because they repaired the walls after breaking through them. I guess we've entered the age of the Ninja-Hacker.

"The greatest trick the Devil ever pulled was convincing the world he didn't exist" -- Baudelaire (as translated by Verbal Kint)
