Len Sassaman <rabbi@abditum.com> writes:
On Sat, 12 Jan 2008, Peter Gutmann wrote:
(Alternatively, "because they can". They're not paying for the overhead, so it doesn't really make much sense not to encrypt everything.)
I don't agree -- they *are* paying for the overhead. Not in dollars, but in CPU cycles (and a minor programming overhead). If you increase the performance degradation on the hosts in the botnet, you're going to lose some of those hosts due to the owners cleaning up the system so that they can use it.
If you ever find users who do this, could you send them my way? :-). There may be some reference user somewhere in a display case who does this, but in practice unless the computer explodes in front of them no-one ever reacts to infection. I've seen users whose laptop fans are running continuously because the CPU is pegged at 100% by malware not have any idea that this isn't a normal state of affairs. I've seen users who patiently wait something like 30 seconds for an Explorer window to open because that's just how long Windows takes. I've seen users whose PCs page themselves to death every time they start an app, and that's quite normal. I've seen attack ships on fire off the shoulder of Orion... More importantly, the sort of people who are likely to have machines riddled with malware are the same ones who aren't likely to have any idea that anything's wrong. Bill Cheswick has a neat talk "Windows OK" in which he describes his dad patiently using his malware-infested PC that nicely illustrates this.
Adding in additional computational overhead to the operation of the botnet diminishes its overall capacity, either in the number of nodes, or in the amount of work you can steal from the nodes without losing hosts, or both.
So you reduce it from 1M nodes to 900,000 nodes; that's not much of a loss. The benefit you get from making it hard(er) to intercept and disrupt more than covers it.

Peter.