ҹ1000

Why timing is crucial in the botnet wars

Unlike their biological counterparts, computer worms don't come out at night, and taking this into account could help computer security firms

UNLIKE their biological counterparts, computer worms don’t come out at night. Taking this into account could help computer security firms calculate when outbreaks are likely to pose the greatest risk, allowing them to set the installation of patches and filters to times when they will be most effective.

Most models of worm activity don’t allow for variation in the time zones in which computers become infected. “If a worm is released at different times, then the worm’s propagation dynamics will be different,” says Cliff Zou of the University of Central Florida in Orlando.

Zou and collaborators David Dagon and Wenke Lee at the Georgia Institute of Technology in Atlanta have shown that time zones are a particularly important consideration for the most vicious type of worm. This spreads from computer to computer over the internet, creating a botnet – a network of infected or “zombie” machines that hackers can control remotely for their own nefarious ends, such as password theft.

Zou’s team infiltrated a dozen botnets by persuading the domain name service provider to send communications from identified bots to the team’s computer rather than the hacker. They were then able to monitor whether the bots were in North America, Asia or Europe, what vulnerability the worm had exploited to infect the computers, and at what times they were active in each region. They noticed that activity generally peaked at around noon local time and died down to almost nothing between 3 am and 6 am. “Most compromised computers belong to home users. When they go to sleep, they shut down,” says Zou.

To see if this data could be used to predict how a botnet would spread, the team programmed the daily cycles for each region into a model containing the geographical locations of the computers in one of the monitored botnets and the time of day the worm first appeared. The model’s prediction correlated very closely to the actual botnet growth.

The model could be used to predict when an attack might quickly get out of control. If, for example, a worm is designed to exploit a vulnerability peculiar to US computers, and it is nearing the beginning of the working day there, it could explode as soon as people begin to switch on their computers.

Topics: Computer crime