Storm, Nugache lead dangerous new botnet barrage

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sat Jan 12 19:54:56 PST 2008


Len Sassaman <rabbi at abditum.com> writes:
>On Sat, 12 Jan 2008, Peter Gutmann wrote:
>> (Alternatively, "because they can".  They're not paying for the overhead, it
>> doesn't really make much sense not to encrypt everything).
>
>I don't agree -- they *are* paying for the overhead. Not in dollars, but in
>CPU cycles (and a minor programming overhead.) If you increase the
>performance degradation on the hosts in the botnet, you're going to lose some
>of those hosts due to the owners cleaning up the system so that they can use
>it

If you ever find users who do this, could you send them my way? :-).

There may be some reference user somewhere in a display case who does this,
but in practice unless the computer explodes in front of them no-one ever
reacts to infection.  I've seen users whose laptop fans are running
continuously because the CPU is pegged at 100% by malware not have any idea
that this isn't a normal state of affairs.  I've seen users who patiently wait
something like 30 seconds for an Explorer window to open because that's just
how long Windows takes.  I've seen users whose PCs page themselves to death
every time they start an app, and that's quite normal.  I've seen attack ships
on fire off the shoulder of Orion...

More importantly, the sort of people who are likely to have machines riddled
with malware are the same ones who aren't likely to have any idea that
anything's wrong.  Bill Cheswick has a neat talk "Windows OK" in which he
describes his dad patiently using his malware-infested PC that nicely
illustrates this.

>Adding in additional computational overhead to the operation of the botnet
>diminishes its overall capacity, either in the number of nodes, or in the
>amount of work you can steal from the nodes without losing hosts, or both.

So you reduce it from 1M nodes to 900,000 nodes, that's not much of a loss.
The benefit you get from making it hard(er) to intercept and disrupt more than
covers it.

Peter.

More information about the cypherpunks-legacy mailing list