Botnets: Computer Crime's Service ProvidersBotnets: Computer Crime's Service Providers

3:55 PM -- Back in the '80s, the telecom industry underwent a revolution in the United States, as a newly deregulated field of service providers built out their networks, fought for customers, and scrambled to occupy niches that hadn't yet been captured.

Today's botnets -- the service providers of tomorrow's mass hacks and computer crimes -- currently are undergoing a similar revolution.

Yes, I know. It's hard to look dispassionately at botnets as a business, especially when they cause so much trouble for enterprises, end users, and security managers. But if you want to understand where botnets are going -- in order to defend against them -- then you need to understand how the botnets' "business" is evolving, and how market forces drive them. And that evolution, from what we can tell so far, is remarkably similar to the evolution of the service provider market of the 1980s.

If we look at the last year (obviously, there were botnets before that, but they weren't quite so commercial), we saw the rise of Storm, the largest and most innovative of the botnets we know about. Storm isn't quite as ubiquitous as the AT&T of 1984, but for a time, it was clearly the main game in town. If you wanted to do a pump-and-dump scam to millions of users, Storm was clearly the best answer, unless you wanted to build your own botnet. (See 'Storm' Trojan Hits 1.6 Million PCs; Vista May Be Vulnerable.)

Recently, however, we've begun to see significant competition in the botnet space. Researchers say Nugache, a rival botnet, is now undercutting Storm's prices, offering to carry a million spam messages for just $100. Like the MCI of 1985, Nugache offers a service that might not be quite as good, but is a lot cheaper. (See Competition May Be Driving Surge in Botnets, Spam.)

Other emerging botnets, such as Rbot and Bobax, offer slightly different "services" and technologies, and have the potential for big growth over time. Let's call them the Sprint and Dialcom of 1986. (See The World's Biggest Botnets .)

And increasingly, we're seeing the emergence of smaller, specialized botnets that are designed for a specific purpose, such as spam or denial-of-service attacks. Earlier this week, researchers offered some insights on so-called "DDOS botnets," such as Machbot, Barracuda, and BlackEnergy, which have carved out functional or regional "niches" of the botnet market. In our '80s analogy, these might be the specialized email networks (Easylink) or the regional service providers (LDDS) that emerged shortly after deregulation. (See DDOS Botnets Thriving, Threatening.)

And, like the AT&T of the late 1980s, Storm is responding to the competition. According to researchers, it is expanding its footprint and taking steps to keep the zombies it already has. It's possible that Storm's operators may have lowered their prices, leading to the recent increase in Storm-borne spam. And Storm's architects are finding new applications for the infrastructure, including a new series of phishing attacks. (See Storm Botnet Turned Toward Phishing Attacks.)

Clearly, we're not just seeing the rise of a new security threat here, but the emergence of an entire competitive market. We're seeing price competition, product differentiation, and the creation of niche markets. And, as it helped customers and businesses in the 1980s, this competition is giving spammers and computer criminals more choices, lower prices, and more ways to use the infrastructure.

If law enforcement and IT security people hope to stop botnets -- or at least curb their evolution -- they had better stop looking at them as individual exploits and start looking at the whole market for botnet services. That's the place to interrupt the botnet revolution. If they don't, they'll soon be like Hercules fighting Hydra -- cutting off one head only to see two more grow up in its place.

— Tim Wilson, Site Editor, Dark Reading