TippingPoint Digital Vaccine Laboratories

Delving into the Gyring World of Botnets

The following lines from William Butler Yeats's poem "The Second Coming" struck me as an apropos introduction to a post on researching botnets:


"Turning and turning in the widening gyre
The falcon cannot hear the falconer;
Things fall apart; the centre cannot hold;
Mere anarchy is loosed upon the world,
The blood-dimmed tide is loosed, and everywhere
The ceremony of innocence is drowned;
The best lack all convictions, while the worst
Are full of passionate intensity"


The term botnet, in its negative connotation, refers to a collection of compromised machines that are under common control and are being used as a collective for nefarious purposes. Perhaps the most important part of the botnet lifecycle is the ability to propagate and add more machines to the pool. New victims are added by luring unsuspecting users into invoking malicious code or by actively attacking systems with viruses, worms and exploit tools. Once these machines are infected, they report back to a centralized machine that is under the attacker's control, often referred to as the command and control server. It is via this established communications channel that the attacker, or bot herder, sends instructions to the collective of compromised machines to undertake his or her bidding.

Here at DVLabs we are developing and applying a number of algorithms to mine our extensive collection of logs and global sensor data. These algorithms model each of the above stages in the lifecycle of a botnet. Using this information, we can map out how the victim was compromised, whether it in turn infected more machines, and the ultimate action that the particular machine was called upon to perform by the bot herder.

Below is a time-line of one such event that we are currently tracking:

2007-07-10 18:55:56 We see a client make an HTTP request to a machine located at a Ukrainian web hosting company. This fires TippingPoint filter 5374, HTTP: Suspicious ActiveX Instantiation, which looks for a malicious, obfuscated ActiveX control being run inside a client's web browser.

2007-07-13 14:55:56 We now start to see IRC traffic from the above client to an IP located at an ISP in China. This trips one of our current beta filters, which looks for IRC traffic that is indicative of botnets. This type of traffic is usually a very lean subset of the IRC protocol, and all of the chat and commands are usually encrypted or obfuscated.

2007-07-17 17:52:01 We are still seeing IRC traffic between the above hosts, but have not yet seen the infected host be called upon to perform a nefarious task. I imagine it is just a matter of time.
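The beta filter described in the 2007-07-13 entry keys on two properties of bot C2 traffic: the session uses only a lean subset of IRC commands, and the PRIVMSG payloads look obfuscated rather than like human chat. The following Python is an added example written for this post, not the DVLabs filter itself; it scores two constructed IRC sessions (the nicks, channels and payloads are made up) on exactly those two properties, with the lean command vocabulary and the entropy threshold being assumptions chosen for illustration.

```python
import math
from collections import Counter

# Constructed sample sessions (not real captures); client-side lines only.
BOT_SESSION = [
    "NICK [USA|XP]-83921",
    "USER xkq 0 0 :xkq",
    "JOIN #zx9 k3y",
    "PRIVMSG #zx9 :.x4Gm9a0ZpQ7wL2vT8rKd1Yb",
    "PRIVMSG #zx9 :pZ0yT3v8Kq1RfL5mX2aW9dN",
    "PING :irc.example",
    "PONG :irc.example",
]

HUMAN_SESSION = [
    "NICK alice",
    "USER alice 0 * :Alice",
    "JOIN #python",
    "PRIVMSG #python :hi all, anyone know how to parse dates with strptime?",
    "PRIVMSG #python :thanks, that worked",
    "WHOIS bob",
    "MODE #python",
    "TOPIC #python",
    "PRIVMSG bob :see you tomorrow",
    "QUIT :bye",
]

# Assumed "lean" vocabulary: the minimum a bot needs to connect, join and
# receive commands. A human client quickly wanders outside this set.
LEAN_SUBSET = {"NICK", "USER", "JOIN", "PRIVMSG", "PING", "PONG"}
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed, tuned on the samples


def shannon_entropy(s):
    """Bits of entropy per character of s."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_line(line):
    """Split an IRC line into (COMMAND, rest), dropping any ':prefix'."""
    if line.startswith(":"):
        line = line.split(" ", 1)[1]
    cmd, _, rest = line.partition(" ")
    return cmd.upper(), rest


def message_text(rest):
    """Extract the trailing text of 'PRIVMSG <target> :<text>'."""
    _, _, text = rest.partition(" :")
    return text


def looks_obfuscated(text):
    """Heuristic: short, space-free, mixed-case/digit, high-entropy payload."""
    if not text:
        return False
    if len(text.split()) > 3:          # real chat has many words
        return False
    alnum = sum(ch.isalnum() for ch in text)
    mixed = any(ch.isupper() for ch in text) and any(ch.isdigit() for ch in text)
    return (shannon_entropy(text) > ENTROPY_THRESHOLD
            and mixed and alnum / len(text) > 0.9)


def score_session(lines):
    """Return the command vocabulary, leanness, obfuscation ratio and verdict."""
    cmds, msgs = set(), []
    for line in lines:
        cmd, rest = parse_line(line)
        cmds.add(cmd)
        if cmd == "PRIVMSG":
            msgs.append(message_text(rest))
    lean = cmds <= LEAN_SUBSET
    obf_ratio = (sum(looks_obfuscated(m) for m in msgs) / len(msgs)) if msgs else 0.0
    return {
        "commands": sorted(cmds),
        "lean_protocol": lean,
        "obfuscated_ratio": obf_ratio,
        "suspicious": lean and obf_ratio >= 0.5,
    }


if __name__ == "__main__":
    for name, session in (("bot", BOT_SESSION), ("human", HUMAN_SESSION)):
        print(name, score_session(session))
```

Neither property alone is a good signal: a scripted status bot also has a lean vocabulary, and a human pasting a hash produces one high-entropy message, which is why the verdict requires both.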

So, what other filters are we seeing in conjunction with botnets? How are hosts getting compromised in the first place? Well, the list below is a veritable who's who of the current hot attacks, all of which are being actively used to increase the power of botnets:

3210 HTTP: Malicious Animated Cursor Download

3377 HTTP: Shellcode Found in Javascript

3629 HTTP: Suspicious Double-Unescaped Javascript Code

4244 HTTP: Microsoft Data Access Components ActiveX Control Vulnerability

5087 HTTP: ADODB.STREAM ActiveX Malicious Invocation

5374 HTTP: Suspicious ActiveX Instantiation
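The correlation described earlier, mapping how a victim was compromised, whether it went on to infect others, and when it checked in to its controller, can be expressed as a small state machine over filter hits keyed by host. The Python below is an added example, not DVLabs' own mining code: it classifies hits from the six filter IDs listed above as the compromise stage and tags the unnumbered IRC beta filter with the placeholder label BETA-IRC, then replays a constructed log (made-up addresses, timestamps modelled on the timeline above) to produce a per-host stage sequence. The record format, the label and the rule that a compromised host later serving an exploit filter counts as propagation are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Filter IDs from the post that indicate a client-side compromise.
INFECTION_FILTERS = {3210, 3377, 3629, 4244, 5087, 5374}
# Placeholder label for the post's unnumbered IRC botnet beta filter.
IRC_BOTNET_FILTER = "BETA-IRC"

# Constructed sample log: "<date> <time> <client> <server> <filter>".
# 'client' is the host whose browser or bot made the request; 'server' is the peer.
LOG = [
    "2007-07-10 18:55:56 10.0.0.5 203.0.113.10 5374",
    "2007-07-13 14:55:56 10.0.0.5 198.51.100.7 BETA-IRC",
    "2007-07-15 09:12:00 10.0.0.9 10.0.0.5 3210",      # 10.0.0.5 now serves exploits
    "2007-07-15 09:12:03 10.0.0.9 10.0.0.5 3377",
    "2007-07-16 11:00:00 10.0.0.9 198.51.100.7 BETA-IRC",
    "2007-07-17 17:52:01 10.0.0.5 198.51.100.7 BETA-IRC",
    "2007-07-12 08:00:00 10.0.0.22 203.0.113.10 5374",  # compromised, no C2 seen yet
]


def parse(line):
    """Parse one record into (timestamp, client, server, filter)."""
    date, time, client, server, filt = line.split()
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return ts, client, server, (int(filt) if filt.isdigit() else filt)


def build_timelines(lines):
    """Replay records in time order and attach lifecycle events to each host."""
    events = sorted((parse(l) for l in lines), key=lambda e: e[0])
    timelines = defaultdict(list)
    compromised_at = {}  # host -> time of first infection-filter hit
    for ts, client, server, filt in events:
        if filt in INFECTION_FILTERS:
            timelines[client].append((ts, "compromised", f"filter {filt} via {server}"))
            compromised_at.setdefault(client, ts)
            # Assumed propagation rule: an already-compromised host acting as the
            # exploit server is spreading the infection onward.
            if server in compromised_at and compromised_at[server] <= ts:
                timelines[server].append((ts, "propagated", f"filter {filt} to {client}"))
        elif filt == IRC_BOTNET_FILTER:
            # C2 without a prior compromise hit is worth its own label: either the
            # infection happened off-sensor or the beta filter needs tuning.
            stage = "c2" if client in compromised_at else "c2-unexplained"
            timelines[client].append((ts, stage, f"IRC to {server}"))
    return timelines


def stage_sequence(timelines, host):
    """Collapse a host's events into the ordered list of distinct stages."""
    seq = []
    for _, stage, _ in sorted(timelines.get(host, []), key=lambda e: e[0]):
        if not seq or seq[-1] != stage:
            seq.append(stage)
    return seq


def hosts_with_c2(timelines):
    """Hosts that have both been compromised and talked to a controller."""
    return sorted(h for h in timelines if "c2" in stage_sequence(timelines, h))


if __name__ == "__main__":
    tl = build_timelines(LOG)
    for host in sorted(tl):
        print(host, stage_sequence(tl, host))
    print("active bots:", hosts_with_c2(tl))
```

Run on the sample log, 10.0.0.5 follows the full compromise, check-in, propagation, check-in pattern, 10.0.0.9 is its downstream victim, and 10.0.0.22 is a host worth watching for the IRC filter to fire next.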

Like Yeats's gyres, the various stages that a machine undergoes as part of a botnet form a complex relationship among the past, the present and the future. Here at DVLabs we are looking to discover relationships between seemingly disparate filter occurrences that are the hallmark of today's cutting-edge, multistage attacks.

Tags: botnet
Published On: 2007-07-17 17:51:34
