Information Security Magazine

So Long Script Kiddies
by Lenny Zeltser
Issue: May 2007

Botnet Market
Selling or renting botnets for DDoS and other attacks can be a lucrative business

Attackers may directly compromise computers to build a botnet by finding and infecting vulnerable computers. However, it is often more cost-effective to purchase a botnet assembled by someone else, or simply rent it for a few days to accomplish a particular task.

In 2004, one bot herder made $3,000 in three months selling and renting botnets. The stakes have increased since then. The Shadowserver Foundation, which tracks bot activities, estimates that it costs approximately $1,000 to rent a botnet for a single spam event that spans one to two days. Renting a sizable network of 10,000 bots for a DDoS attack may cost $500 to $1,000 per event.

The price to purchase an average botnet outright typically falls in the range of $5,000 to $7,400, according to Shadowserver. The SANS Internet Storm Center received a report indicating that purchase prices on botnets have been falling recently, due in part to groups from Russia willing to sell them for as little as 25 cents per bot.

--LENNY ZELTSER

Stealthy and Self-Preserving
The increasing profitability of targeted attacks has fueled investment in the development of malicious software that helps make them possible. Such efforts produce malware with capabilities that stretch our defensive abilities.

  • Using protected tunnels and peer-to-peer protocols for malicious traffic is becoming increasingly common. There are bot specimens that employ SSL to encrypt their command and control (C&C) channels. Another approach has been employed by some Phatbot and SDBot variants, whose use of peer-to-peer protocols makes it particularly challenging to disrupt their C&C communications. A keylogger recently demonstrated another technique, in which it obfuscated its messages to the attacker and embedded them in Internet Control Message Protocol packets. Malware may also use the ubiquitous HTTP protocol when calling home, which helps it pass through firewalls and travel unnoticed in other Web traffic.


  • Rootkits are appearing more frequently and are getting better at concealing the presence of malware on the infected system. The recently released Rustock and Unreal rootkits are highly effective at shielding themselves from common rootkit scanners that look for discrepancies in the infected system's configuration. Proof-of-concept rootkits such as SubVirt, Blue Pill and Vitriol are able to treat the infected system as a virtualized one, making their detection very challenging. Another emerging category of rootkits focuses on concealment within applications. For instance, the Argeniss rootkit for Oracle can hide the attacker's database of choice--anything from collections of pornography to stolen credit card data--after the intrusion.


  • The complexity of anti-analysis techniques employed by malware is continuing to evolve. Protecting malware from reverse engineering conceals the authors' plans and protects the C&C channel. Protective measures often involve detecting the presence of virtualization and debugging software commonly used by analysts. Rather than including such functionality directly in the malicious code, malware authors often rely on packers--programs that can add anti-analysis mechanisms to almost any executable. For example, Themida is a commercial packer highly effective at complicating malware analysis.
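
A defender's view of the ICMP technique mentioned in the first bullet, as an added example that is not from the original article: this Python code flags echo messages whose payload does not match the fill patterns that stock ping tools generate. The baseline patterns, the 64-byte size limit, the function names and the sample payloads are assumptions made for illustration.

```python
import struct

# Payload sent by the stock Windows ping utility (32 bytes).
WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"
ECHO_REPLY, ECHO_REQUEST = 0, 8

def parse_icmp(message: bytes):
    """Split a raw ICMP message (IP header already removed) into type, code, payload."""
    if len(message) < 8:
        raise ValueError("an ICMP echo header is 8 bytes")
    icmp_type, code, _checksum, _ident, _seq = struct.unpack("!BBHHH", message[:8])
    return icmp_type, code, message[8:]

def looks_like_stock_ping(payload: bytes) -> bool:
    """True for payload shapes common ping tools generate (assumed baseline)."""
    if payload == WINDOWS_PING or len(set(payload)) <= 1:
        return True  # Windows default, or an empty / single fill-byte payload
    # iputils-style: a timestamp (8 or 16 bytes) followed by incrementing bytes.
    for skip in (8, 16):
        tail = payload[skip:]
        if len(tail) >= 8 and all((b - a) % 256 == 1 for a, b in zip(tail, tail[1:])):
            return True
    return False

def review_echo(message: bytes, max_payload: int = 64):
    """Return the reasons an echo request/reply deserves analyst review."""
    icmp_type, _code, payload = parse_icmp(message)
    if icmp_type not in (ECHO_REQUEST, ECHO_REPLY):
        return []
    reasons = []
    if len(payload) > max_payload:
        reasons.append("oversized payload")
    if not looks_like_stock_ping(payload):
        reasons.append("payload does not match a known ping pattern")
    return reasons

def build_echo(payload: bytes, icmp_type: int = ECHO_REQUEST) -> bytes:
    """Build a sample echo message (checksum left at zero; it is not checked here)."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + payload

# Constructed samples: Windows fill, Linux-style fill, free text in the data field.
if __name__ == "__main__":
    linux_style = bytes(16) + bytes(range(16, 56))
    for p in (WINDOWS_PING, linux_style, b"constructed: text hidden in a ping"):
        print(len(p), review_echo(build_echo(p)))
```

A pattern check like this only covers traffic that still travels as echo messages; the baseline has to be extended with the fill patterns of any monitoring tools in use.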
