Tracking Botnets Just Got Harder
Security researchers often use honeypots, deliberately exposed computers that run monitoring software instead of anti-virus protection, to study botnets. The honeypot is allowed to become infected with bot malware, which enrolls it in the botnet. The machine is instrumented so that every command sent by the botnet's command-and-control (C2) server is recorded, but the honeypot does not actually carry those commands out: an operator who let it send spam or attack traffic would be harming third parties.
This technique, one of the most common used by research firms examining botnets, may quickly become obsolete. According to a team of computer scientists led by Cliff Zou at the University of Florida, criminals assembling and maintaining botnets can now detect and avoid honeypots. The team's findings were published in a recent article in the International Journal of Information and Computer Security.
A botmaster can watch which machines in the botnet fail to carry out an instruction, for example an order to send spam to an address the botmaster can check: a real bot complies, while a honeypot that suppresses outbound attack traffic never does. Once a honeypot is identified, the command-and-control servers can be programmed to bypass or disable it, depriving researchers of the data they came for. The team is now working on ways to make honeypots harder to spot.
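The check described above, written out as a small simulation. This is an added illustration, not code from the paper or from any real botnet: the bot IDs, the canary mailbox, and the `MailSink` class are all constructed for the example, and nothing leaves the process. The C2 orders every bot to mail an address the botmaster reads, flags any bot whose mail never arrives, and stops sending commands to flagged hosts. The honeypot records every command it receives but refuses to execute attack commands, which is exactly what gives it away.

```python
"""Simulated botnet C2 that detects honeypots by checking whether each bot
actually carries out an attack command (added illustration, not the paper's
code; all hosts and addresses are constructed).
"""
from dataclasses import dataclass, field


@dataclass
class MailSink:
    """Stand-in for a mailbox the botmaster controls (constructed for the
    example). Records (bot_id, recipient) pairs instead of sending mail."""
    received: list = field(default_factory=list)


class Bot:
    """A compromised host. A honeypot logs every command for the researcher
    but does not execute attack commands."""

    def __init__(self, bot_id: str, sink: MailSink, is_honeypot: bool = False):
        self.id = bot_id
        self.sink = sink
        self.is_honeypot = is_honeypot
        self.log: list[dict] = []          # what the researcher gets to see

    def handle(self, cmd: dict) -> None:
        self.log.append(cmd)
        if self.is_honeypot:
            return                          # monitor only; no outbound abuse
        if cmd["op"] == "spam":
            self.sink.received.append((self.id, cmd["to"]))


class C2:
    """Command-and-control logic: probe for honeypots, then exclude them."""

    def __init__(self, bots: list[Bot], sink: MailSink):
        self.bots = {b.id: b for b in bots}
        self.sink = sink
        self.suspected: set[str] = set()

    def broadcast(self, cmd: dict) -> None:
        for bot_id, bot in self.bots.items():
            if bot_id in self.suspected:
                continue                    # bypass hosts flagged as honeypots
            bot.handle(cmd)

    def probe(self, canary: str = "canary@botmaster.invalid") -> set[str]:
        """Order every bot to mail an address the botmaster reads. A real bot
        complies; a honeypot that suppresses attack traffic never shows up."""
        self.sink.received.clear()
        self.broadcast({"op": "spam", "to": canary})
        delivered = {bot_id for bot_id, to in self.sink.received if to == canary}
        newly_flagged = set(self.bots) - self.suspected - delivered
        self.suspected |= newly_flagged
        return newly_flagged


def simulate() -> dict:
    """Run one probe, then a real campaign, and report what the researcher's
    honeypot saw of the campaign."""
    sink = MailSink()
    bots = [Bot("bot-1", sink), Bot("bot-2", sink),
            Bot("hp-1", sink, is_honeypot=True)]
    c2 = C2(bots, sink)
    flagged = c2.probe()
    campaign = {"op": "spam", "to": "victim@example.test"}
    c2.broadcast(campaign)
    honeypot = c2.bots["hp-1"]
    return {
        "flagged": flagged,
        "honeypot_saw_campaign": campaign in honeypot.log,
        "real_bots_sent": sorted(b for b, to in sink.received
                                 if to == campaign["to"]),
    }


if __name__ == "__main__":
    print(simulate())
```

Running `simulate()` flags `hp-1` after the probe, and the honeypot's log then holds only the probe command: the real campaign is never sent to it, so the researcher loses exactly the data the honeypot was deployed to collect. The only way for the honeypot to pass the probe would be to actually deliver the mail, which is the behaviour its operator cannot allow.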
“Honeypot research and deployment still has significant value for the security community, but we hope this paper will remind honeypot researchers of the importance of studying ways to build covert honeypots, and the limitation in deploying honeypots in security defense,” Zou said, “but all that effort will be for naught if honeypots remain as easily detectable as they are presently.”
Honeypot technology is already outdated. There is new technology that tracks and reports in real time any/all logical attacks on either internal or external networks … signature or non-signature in nature. While honeypots are still a viable way of attracting signature-based attacks, they are of no use in detecting Metasploit or other memory-resident attacks. The new technology can detect and report the attacks in near real time.