SIGINT’10 took place between the 22nd and the 24th of May in Köln, Germany. The videos are also available, hosted by the CCC.

I just watched the presentation by Thorsten Holz called ‘Botnets in 2010 - Status Quo and Future Threats’.

As a quick summary, it gives a short introduction to botnets and their architecture, and then talks about Storm Worm and Waledac.

Storm Worm

  • No centralized C&C, thanks to P2P
  • Fast flux domains
  • Uses infected computers with public IP addresses as proxies that relay requests back to the backend, which hosts the content (spam pages or exploit packs). This makes the backend hard to track and gives it high availability.
  • The NATed machines are used to send spam and to launch DoS attacks.
  • Template-based spamming: the template is sent to the bots, which then send the spam.
  • Mitigation: join the network and disrupt the communication channel between the bots (Stormfucker, presented at 25C3)

Waledac

  • Successor of Storm Worm, perhaps created by the same group
  • Uses HTTP to tunnel traffic (a major change) between the NATed machines and the repeaters
  • Multi-tier architecture (‘hybrid’ P2P), like Storm Worm
  • Static backend servers that host the content
  • Fast flux domains for C&C
  • Template-based spamming
  • The mitigation effort was called ‘Operation b49’ and took down the botnet in February 2010.
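Fast flux, used by both botnets above to hide the backend behind infected proxies, is visible on the DNS side as a domain whose answers churn across many addresses in many networks with short TTLs. The following Python is an added example, not code from the talk or from this post: it scores a series of resolutions of one domain with illustrative thresholds (the cutoffs and the /16 prefix heuristic are assumptions), and the DNS snapshots are constructed from RFC 5737 documentation addresses.

```python
from collections import namedtuple

# One DNS lookup result for a domain: answer TTL in seconds and the A records returned.
Snapshot = namedtuple("Snapshot", "domain ttl ips")

def slash16(ip):
    """Return the /16 prefix of an IPv4 address; a cheap stand-in for network diversity
    when no ASN database is available (assumption: different /16 ~ different network)."""
    a, b, _, _ = ip.split(".")
    return f"{a}.{b}"

def flux_metrics(snapshots):
    """Summarise address churn across successive resolutions of the same domain."""
    seen = set()
    new_per_lookup = []
    for snap in snapshots:
        ips = set(snap.ips)
        new_per_lookup.append(len(ips - seen))
        seen |= ips
    later_answers = sum(len(s.ips) for s in snapshots[1:])
    return {
        "unique_ips": len(seen),
        "unique_prefixes": len({slash16(ip) for ip in seen}),
        "avg_ttl": sum(s.ttl for s in snapshots) / len(snapshots),
        # Share of answers after the first lookup that had never been returned before.
        "churn": sum(new_per_lookup[1:]) / max(1, later_answers),
    }

def is_fast_flux(snapshots, max_ttl=300, min_ips=5, min_prefixes=3, min_churn=0.5):
    """Flag a domain when low TTL, many addresses, many networks and high churn coincide.
    Requiring all four keeps ordinary round-robin or CDN records from matching."""
    m = flux_metrics(snapshots)
    return (m["avg_ttl"] <= max_ttl and m["unique_ips"] >= min_ips
            and m["unique_prefixes"] >= min_prefixes and m["churn"] >= min_churn)

# Constructed samples: a fluxing proxy domain and a stable web site resolved three times each.
FLUX = [
    Snapshot("proxy.example", 180, ["203.0.113.5", "198.51.100.7", "192.0.2.9"]),
    Snapshot("proxy.example", 180, ["203.0.113.21", "198.51.100.30", "192.0.2.44"]),
    Snapshot("proxy.example", 120, ["203.0.113.77", "198.51.100.8", "192.0.2.9"]),
]
STABLE = [Snapshot("www.example", 3600, ["192.0.2.10", "192.0.2.11"])] * 3

if __name__ == "__main__":
    for name, snaps in (("proxy.example", FLUX), ("www.example", STABLE)):
        print(name, flux_metrics(snaps), "fast flux" if is_fast_flux(snaps) else "normal")
```

In practice the snapshots would come from repeated passive-DNS or resolver logs, and the prefix heuristic would be replaced by an ASN lookup.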

The video can be found here.