Once upon a time, a “botnet” was a network of infected computers controlled from a central command and control (C&C) channel. This was a very clear, simple definition.
Cut to early 2007, after the release of Nuwar, a.k.a. the Storm Worm. Suddenly the term botnet had to account for things that were not controlled by a central C&C but managed by a hydra-headed control network. There was no longer a single head to be cut off to kill a botnet; now a network had several heads, which could be replaced as quickly as one was removed. The definition of botnet broadened to describe only the network of infected computers, exclusive of having a central C&C.
Now the term has broadened again, to include any functionality used by a botnet, including things such as password stealing and sending phishing emails or spam. The FBI warns that botnets “threaten online-shopper security,” but it seems to me they’re really warning against an increase in the prevalence and sophistication of Internet crime that is facilitated by botnets.
So I direct this discussion to you, dear reader: Has the definition of botnet become so watered down that it loses any meaning? If so, do we need to find some new term to replace what used to specify a distinct group of malware? Or do we need to broaden our warnings to include all crimeware–including botnets, password stealers, remote-access Trojans, phishing, and spam?

December 18th, 2007 at 1:41 am
The FBI is like an onion, loads of external flesh and a small strong core. The public face is the outer skin and must present what the public expect to hear and take the bruises. I’d not expect 100% terminology correctness 100% of the time from the public face.
Botnets acting as web servers and drop zones is probably beyond their scope for instance.
December 18th, 2007 at 7:34 am
If you broaden your warnings to include all manners of “crimeware”, you turn into Chicken Little and lose the ability to educate people on what the risks really are. Botnet, as a term, is sufficient when describing a network of machines acting as one network - regardless of the threat posed as those threats will ever evolve.
Think about it. When a physical crime occurs and the perpetrator is still on the loose, the news doesn’t report, “Folks, you’ll need to be on the lookout for a bad guy as we just had reports of a crime”. The warnings need to be contextualized.
In the example of the news alert above, it would be more appropriate (and is vetted through experience by flipping on your local news broadcast) to issue a warning such as, “A home invasion robbery occurred in Mytown, USA and the gunman is still on the loose. He is described as a 5′4″ Hispanic wearing blue jeans and a gray hoody. If you see him, call 911”.
Let’s not reinvent the wheel here.
December 19th, 2007 at 12:16 pm
At this point there really is no one culprit to tell people to be on the lookout for. That used to be the case, certainly. But now malware variants are coming at such a rapid pace, we can’t say “look out for the guy in the red hoodie with a large gun” because they’ll miss the guy in the blue t-shirt with a grenade or the gal in the green sweater with a cannon.