Damballa recently released a report entitled The Command Structure of the Aurora Botnet. It’s a good whitepaper. I like this section:
… Botnet operators also increasingly trade or sell segments of the botnets they build. Once sold, the owner of the botnet typically deploys a new suite of malware onto compromised systems. The CnC provides the link between various campaigns run by the botnet operators and the multiple malware iterations. Since Damballa focuses on malicious, remote-controlled crimeware that depends on CnC to function, we were able to determine the evolution and sophistication of the Aurora botnet and its operators with greater detail and accuracy than other reports to date. In general, Aurora is “just another botnet” and typifies the advanced nature of the threat and the criminal ecosystem that supports it. It is important to note, however, that botnets linked to the criminal operators behind Aurora may have been sold or traded to other botnet operators, either in sections or on an individual victim basis. This kind of transaction is increasingly popular.
This isn’t really new; it has been known for some time that both kits and botnets are sold and rented on the black market. Admittedly, it is pretty dastardly to have a potential adversary utilizing this market, further obfuscating both who they are and what their goal is.
According to the perspective of the organized military, the problem with a bazaar is that it lacks a center of gravity — a centralized command center that can be destroyed or a single set of motivations that can be undermined through psychological or political operations. It is virtually immune to these approaches. […] Finally, OSW networks are extremely innovative. The bazaar atmosphere makes it easy for innovations to develop and percolate among the members. They don’t need a single operational genius, just a large number of average members working together.
The disturbing undertone of the Damballa report is not the “old-school” nature of the botnet, or the seeming reliance on the black market, but the rapidity of advancement through sharing and innovation. Targeted threats are prospering and growing in the chaos of the Bazaar, certainly when compared to the order and structure of the Cathedral. The Cathedral, in this case, is us, the CND operators. We innovate, but we are impaired by constraints that limit the speed of innovation, and we instinctually hoard vital information instead of sharing it.
This threat is inside our OODA loop.