1
Criminals in the Cloud: Past, Present, and Future
Jim Lippard Sr. Product Manager, IT Security EarthLink Business
2
Agenda
- What is a botnet?
- Bot Lifecycle
- Botnet Ecosphere
- Botnet History & Evolution
- Defense
- Offense
- Future
- Q&A
This talk is botnet-focused; other types of malware and criminal activity are not covered or only touched upon, such as the use of exploit packs, the details of carding and phishing, and actions by hacktivists and state-supported actors.
3
What is a botnet?
- “Lippard dubs bot software ‘the Swiss army knife of crime on the Internet.’” Joaquim P. Menezes, NetworkWorld, July 26, 2007 (quoted from a May 2006 interview on the Security Catalyst podcast).
- “Networks of compromised computers controlled by a central server, better known as botnets, are a Swiss Army knife of tools for online criminals.” Robert Lemos, “Breaking the Botnet Code,” Technology Review, November 11, 2009.
- “’Botnets are the Swiss Army knife of attack tools,’ said Marc Fossi, manager of research and development for Symantec Corp.'s security response team.” Gregg Keizer, “Botnets ‘the Swiss Army knife of attack tools’”, Computerworld, April 7, 2010.
- “Botnets are the Swiss Army Knife of Internet criminals, according to Minister of Economic Affairs Maxime Verhagen.” Dutch Daily News, Jan. 14, 2011.
- “‘Botnets are the Swiss Army knife of our criminals’, Picko said.” June 24, 2011.
Photo credit: public domain photo of a Victorinox Swiss Army knife (Mountaineer model), taken in Sweden on 12 June 2005 by Jonas Bergsten using a Canon PowerShot G3.
4
What is a botnet? [Diagrams: Traditional C&C vs. P2P C&C]
Images used with permission from Ben Woelk, “Avoiding the Botnet Snare,” Rochester Institute of Technology’s ITS eNews, 2007.
5
What is a botnet? Two general purposes of using botnets:
1. Provide layers of separation/insulation between criminal actors and criminal acts.
2. Provide a cloud computing platform for a wide variety of functions.
Neither requires that there be anything of interest on victim computers.
6
Bot Lifecycle
- Infection
- Control
- Commands
- Detection
- Notification
- Removal (repeat)
Image from Wikipedia, by user Tom-b, available under a Creative Commons Attribution-Share Alike 3.0 Unported license. It shows: 1. Infection (a trojan horse in this case), 2. Control, 3. A third-party spammer purchases service (part of the social network to be discussed next), 4. Spam is sent out by the bots.
There are many options at each stage:
Infection: Trojan horse, drive-by download, worm, social engineering, etc. Primarily web or worm delivery; web delivery is often driven by email, IM, social networking, search results, etc. Lots of room for creativity.
Control: Most common channels: HTTP, HTTPS, IRC.
Commands: Again, virtually no limits, but driven by goals: spam, click fraud, DDoS, identity/financial theft, extortion, encrypting files, etc. Common functions include keystroke logging, proxying spam or other types of connections, collecting credentials, engaging in DDoS, and propagating further.
7
Botnet Ecosphere
Social context: Botnets are created by human agents to achieve some purpose. Usually:
1. Create botnet.
2. ???
3. Profit!
What’s step 2? Do all of these steps need to be done by the same people? Who are these people?
Step 2 depends in part on the organizational structure of the social network behind the botnet, and on whether the botnet is rented out, sold, or used in house. Similarly, step 1 is often divided amongst different players; slide 5’s components can be done by different players, and even more steps can be added.
Step 2 options:
- Open proxies, sell for spam.
- Build own spam service and sell it.
- Lease the bots.
- Sell the botnet.
- Encrypt end-user files and demand ransom for their return.
- Install keyloggers, intercept traffic to financial sites, sell credentials and financial information.
- Install scareware, sell bogus AV software.
- Generate clicks to web advertising sites that pay affiliate fees.
- DDoS competitors.
Step 3 can be other things, of course: status, revenge, distraction, lulz, which then motivate other step 2s like rigging online polls, adjusting the popularity of links and websites, and stealing and publishing information online.
Who are these people? 83% of breaches in the Verizon DBIR 2012 are by organized criminal groups (p. 20). Larger enterprises also tend to see apparent state-sponsored or -supported breaches (APT, which likely steer away from botnets); smaller ones are often targets of opportunity, apparently due to weaker controls (e.g., more breaches from default credentials on remote access).
8
Botnet Ecosphere
Some roles for division of criminal labor:
- Exploit/exploit pack developer
- Botherder/admin (manages botnet)
- Seller (drives traffic to exploit sites, paid per infection)
- Spammer (sender)
- Sponsor (spam ad buyer)
- Phisher
- Carder (trades in card data/makes counterfeits)
- Casher (takes out cash)
- Reshippers (stolen goods/cash laundering; WFH/GTJ)
Exploit packs are an interesting topic in their own right; see Team Cymru, “A Criminal Perspective on Exploit Packs,” 2011.
Criminal network roles are also discussed in Phil Williams, “Transnational Criminal Networks,” in John Arquilla and David Ronfeldt, Networks and Netwars: The Future of Terror, Crime, and Militancy, RAND, 2001. Williams identifies Organizers, Insulators, Communicators, Guardians, Extenders, Monitors, and Crossovers.
Example cash mule/launderer: Ronnie Cutshall.
9
Botnet Evolution: Overview
The convergence of DDoS tools, IRC bots, P2P software, worms, and SaaS = modern botnets.
- Early 1990s: IRC channel bots (e.g., eggdrop, mIRC scripts, ComBot, etc.).
- Late 1990s: Denial of service tools (e.g., Trinoo, Tribe Flood Network, Stacheldraht, Shaft, etc.). Peer-to-peer file sharing tools.
- 2000: Merger of DDoS tools, worms, and rootkits (e.g., Stacheldraht + t0rnkit + Ramen worm; Lion worm + TFN2K).
- 2002: IRC-controlled bots implementing DDoS attacks.
- 2003: IRC-controlled bots spread with worms and viruses, fully implementing DDoS, spyware, and malware distribution activity. First P2P bots (Sinit, WASTE). (Dave Dittrich, “Invasion Force,” Information Security, March 2005, p. 30)
- 2003-present: Botnets used as a criminal tool for extortion, fraud, identity theft, computer crime, spam, and phishing.
This slide is little changed from earlier talks. The main changes since then are more P2P, Macs as bots, and arrests and takedowns.
Sources: Dave Dittrich, “Evolution: Rise of the bots,” Information Security, March 2005, p. 30. Julian B. Grizzard, Vikram Sharma, Chris Nunnery, Brent ByungHoon Kang, and David Dagon, "Peer-to-Peer Botnets: Overview and Case Study,“ HotBots '07: Proceedings of the First Conference on Hot Topics in Understanding Botnets.
10
Botnet Evolution: History
- Dec. 1993: Eggdrop bot - Non-malicious, occasionally abused (supported linking multiple bots by 1999)
- April 1998: GTbot variants - Based on mIRC; malicious bots
- 1999: Sub7 trojan, Pretty Park worm - IRC listeners
- May 1999: Napster - Non-malicious file sharing, hybrid P2P and client-server
- March 2000: Gnutella - Non-malicious file sharing, decentralized P2P
- April 2002: SDbot variants - Malicious bot with IRC client; code made widely available
Most of these are derived from Grizzard et al., op. cit., up through Storm/Peacomm in 2007. Rik Ferguson points to Sub7 and Pretty Park as progenitors of IRC bots and puts GTbots later than Grizzard does.
11
Botnet Evolution: History
- Aug 2002-Sep 2003: Sobig variants - Botnet used by Ruslan Ibragimov’s Send-Safe spam operation (see the Sobig/Ibragimov/Send-Safe ROKSO record).
12
Botnet Evolution: History
- Oct 2002: Agobot variants - 500+ by 2008; malicious bot with modular design
- Apr 2003: SpyBot variants - Derived from Agobot
- May 2003: Nullsoft WASTE - Encrypted P2P network; removed from distribution by AOL
- Sep 2003: Sinit - P2P trojan; found peers via crafted DNS packets to random IPs, exchanged peer lists when found
- Nov 2003: Kademlia - P2P distributed hash table
Sources: Dittrich (op. cit.). Agobot variant count: Kleber Cariello de Oliveira, “Botconomics: Mastering the Underground Economy of Botnets,” LACNIC, May. WASTE’s name is a reference to Thomas Pynchon’s The Crying of Lot 49. Kademlia’s distributed hash table algorithm was later used by LimeWire to augment Gnutella and by BitTorrent; it is subject to Sybil attacks/pseudospoofing.
13
Botnet Evolution: History
- Feb 14, 2004: FBI takedown of Foonet and the “DDoS Mafia.” DDoS tool of choice: Agobot. Creator: Axel “Ago” Gembe of Germany, indicted in 2008.
Saad “Jay” Echouafni, CEO of Orbit Communication Corp., hired Paul Ashley, owner of Foonet, to DDoS his main business rivals in satellite TV resale for $1,000, and skipped the country on $750K bail. He has never been caught. The rivals, WeaKnees.com and RapidSatellite.com, were taken down by SYN flood attacks. Paul Ashley of Foonet turned informer to get Echouafni on tape. This takedown was part of the FBI’s “Operation Cyberslam.”
Sources: Kevin Poulsen, “FBI busts alleged DDoS Mafia,” SecurityFocus, August 26, 2004. Kevin Poulsen, “Hackers Admit to Waves of Attacks,” Wired, September 8, 2005. Gembe indicted: Lucian Constantin, “European Botnet Runners Indicted in the Foonet DDoS Case,” Softpedia, October 4, 2008.
14
Botnet Evolution: History
- Mar 2004: Phatbot - P2P bot using WASTE. Command list (from LURHQ, now part of SecureWorks):
bot.command: runs a command with system()
bot.unsecure: enable shares / enable DCOM
bot.secure: delete shares / disable DCOM
bot.flushdns: flushes the bot’s DNS cache
bot.quit: quits the bot
bot.longuptime: if uptime > 7 days then the bot will respond
bot.sysinfo: displays the system info
bot.status: gives status
bot.rndnick: makes the bot generate a new random nick
bot.removeallbut: removes the bot if id does not match
bot.remove: removes the bot
bot.open: opens a file (whatever)
bot.nick: changes the nickname of the bot
bot.id: displays the id of the current code
bot.execute: makes the bot execute a .exe
bot.dns: resolves ip/hostname by DNS
bot.die: terminates the bot
bot.about: displays the info the author wants you to see
shell.disable: disable shell handler
shell.enable: enable shell handler
shell.handler: fallback handler for shell
commands.list: lists all available commands
plugin.unload: unloads a plugin (not supported yet)
plugin.load: loads a plugin
cvar.saveconfig: saves config to a file
cvar.loadconfig: loads config from a file
cvar.set: sets the content of a cvar
cvar.get: gets the content of a cvar
cvar.list: prints a list of all cvars
inst.svcdel: deletes a service from the SCM
inst.svcadd: adds a service to the SCM
inst.asdel: deletes an autostart entry
inst.asadd: adds an autostart entry
logic.ifuptime: exec command if uptime is bigger than specified
mac.login: logs the user in
mac.logout: logs the user out
ftp.update: updates the bot from an ftp url
ftp.execute: executes a file from an ftp url
ftp.download: downloads a file from ftp
http.visit: visits an url with a specified referrer
http.update: updates the bot from an http url
http.execute: executes a file from an http url
http.download: downloads a file from http
rsl.logoff: logs the user off
rsl.shutdown: shuts the computer down
rsl.reboot: reboots the computer
pctrl.kill: kills a process
pctrl.list: lists all processes
scan.stop: signal stop to child threads
scan.start: signal start to child threads
scan.disable: disables a scanner module
scan.enable: enables a scanner module
scan.clearnetranges: clears all netranges registered with the scanner
scan.resetnetranges: resets netranges to the localhost
scan.listnetranges: lists all netranges registered with the scanner
scan.delnetrange: deletes a netrange from the scanner
scan.addnetrange: adds a netrange to the scanner
ddos.phatwonk: starts phatwonk flood
ddos.phaticmp: starts phaticmp flood
ddos.phatsyn: starts phatsyn flood
ddos.stop: stops all floods
ddos.httpflood: starts an HTTP flood
ddos.synflood: starts a SYN flood
ddos.udpflood: starts a UDP flood
redirect.stop: stops all running redirects
redirect.socks: starts a socks4 proxy
redirect.https: starts an https proxy
redirect.http: starts an http proxy
redirect.gre: starts a gre redirect
redirect.tcp: starts a tcp port redirect
harvest.aol: makes the bot get AOL stuff
harvest.cdkeys: makes the bot get a list of cdkeys
harvest.emailshttp: makes the bot get a list of emails via http
harvest.emails: makes the bot get a list of emails
waste.server: changes the server the bot connects to
waste.reconnect: reconnects to the server
waste.raw: sends a raw message to the waste server
waste.quit
waste.privmsg: sends a privmsg
waste.part: makes the bot part a channel
waste.netinfo: prints netinfo
waste.mode: lets the bot perform a mode change
waste.join: makes the bot join a channel
waste.gethost: prints netinfo when host matches
waste.getedu: prints netinfo when the bot is .edu
waste.action: lets the bot perform an action
waste.disconnect: disconnects the bot from waste
15
Botnet Evolution: History
- 2003: Rbot - Uses encryption to evade detection
- 2004: Polybot - Adds polymorphism
- Mar 2006: SpamThru - P2P bot
- Apr 2006: Nugache - P2P bot, distributed via trojaned downloads on freeware sites. Author arrested Sep 2007.
- Rustock - Major spammer. Atrivo takedown Sep 2008, McColo takedown Nov 11, 2008.
- Jan 2007-late 2008: Storm/Peacomm trojan - P2P; massive spammer. RBN connection? 20% of spam in 2008.
- 2007: Srizbi - Used MPack and Reactor Mailer; bypassed the host firewall. Similar to Rustock. Was the largest botnet for a time. McColo.
Sources: Polybot, Rbot: Ferguson, “History of the Botnet, Part I,” op. cit. Nugache: David Dittrich and Sven Dietrich, “P2P as botnet command and control: a deeper insight,” Proceedings of the 3rd International Conference on Malicious and Unwanted Software (Malware), October 2008. Nugache/Storm: Sam Stover, Dave Dittrich, John Hernandez, and Sven Dietrich, “Analysis of the Storm and Nugache Trojans,” USENIX ;login: v. 32, no. 6, December 2007. Atrivo and McColo probably had Esthost connections as well (see Nov 8, 2011). McColo was shut down Nov. 11, 2008 by Global Crossing and Hurricane Electric, reducing global spam by 75% (temporarily). On the Russian Business Network, see Joseph Menn, Fatal System Error, 2010, PublicAffairs.
16
Botnet Evolution: History
- 2007: Cutwail trojan - Rootkit, DDoS and spam bot. 1.5M-2M bots. C&C taken down when ISP 3FN was taken down by the FTC on June 4, 2009.
- Zeus - Financial info stealer; variants of the software sold for $500-$15K. Still prevalent. Configs stored in AWS EC2; use of Google, Twitter, Facebook.
- Torpig/Anserin - Financial info stealer. Includes the Mebroot rootkit. UCSB researchers temporarily controlled it for 10 days in 2009.
- Nov. 2008: Conficker worm - Variants A-E; the end action of A-D was to update to the subsequent version; disabled Windows Update and AV. Variant E (Apr 2009) installed the Waledac spambot and SpyProtect scareware. Massive propagation (10.5M+). On May 3, 2009, variant E deleted itself and left C.
Sources: Cutwail: Ferguson, “History of the Botnet, Part II.” Takedown: Brian Krebs, “The Fallout from the 3FN Takedown,” June 9, 2009. Zeus: use of Amazon Web Services Elastic Compute Cloud, Google, Facebook, and Twitter: Ferguson, “History of the Botnet, Part III.” Operation Trident Breach, initial Zeus takedown Sep 30, 2010: Dan Goodin, “5 botnet kingpins busted in $70m fraud ring,” 1 Oct 2010; 5 arrests in Ukraine.
17
Botnet Evolution: History
- Dec 2008: Koobface - Social network C&C; had a Mac version. Click fraud, scareware sales. Gang exposed in the New York Times.
The Koobface gang was tracked down to St. Petersburg, Russia, and exposed in the New York Times after an investigation by Jan Drömer, independent researcher, and Dirk Kollberg, SophosLabs, in “The Koobface malware gang - exposed!” “Web Gang Operating in the Open,” New York Times, 17 January 2012: “Anton Korotchenko, who uses the online nickname “KrotReal”; Stanislav Avdeyko, known as “leDed”; Svyatoslav E. Polichuck, who goes by “PsViat” and “PsycoMan”; Roman P. Koturbach, who uses the online moniker “PoMuc”; and Alexander Koltyshev, or “Floppy.””
18
Botnet Evolution: History
- 2009: Grum/Tedroo - Spammer; generated 26% of spam in March 2010.
- Mar 2009: Coreflood - Info stealer; taken down Apr 2011 (FBI w/ISC).
- Apr 2009: Waledac - Spammer; 1% of spam volume. Microsoft takedown of C&C domains Feb. 2010, spam domains Sep 2010.
- May 2009: Bredolab trojan - Botnet. 30M bots; 143 C&C servers seized by Dutch police Oct. 25, 2010; Armenian suspect arrested.
- 2009: Aurora - Google attacked.
- 2009: Mariposa (Spain) - Info stealer, spam, DDoS. Taken down by Spanish police (w/Panda Security), Dec. 23, 2009.
- Apr 2010: Storm 2 - Minus P2P.
Sources: Coreflood takedown; Waledac takedown, Operation b49; Aurora; Mariposa takedown, December 23, 2009; Bredolab takedown, October 25, 2010.
19
Botnet Evolution: History
- 2011: DNSChanger - Esthost/Rove Digital; redirected 6 million people to malicious websites; 4M bots. Nov 8: 100 servers seized in the U.S., 6 Estonians arrested. [Image from Operation Ghost Click]
20
Botnet Evolution: History
- 2011: Kelihos/Hlux/Waledac 2.0 - P2P botnet similar to Waledac. 3-tier design: controllers, routers, workers. Spam, MacDefender scareware. Taken down Sep 26, 2011 by Microsoft.
Controllers host nginx web servers and don’t show up in the peer lists on workers. Routers add an insulation layer to protect the controllers and include proxy capability.
21
Botnet Evolution: Present Day
- Darkshell - DDoS botnet and buyable kit, with an official website. “Darkshell DDoS Botnet Evolves with Variants,” April 5, 2012, McAfee Labs.
22
Botnet Evolution: Present Day
- Feb 2012: Flashback trojan - Exploits a Java flaw. Mac botnet 655K+ strong. Deletes itself if ClamXav is installed. Rich Mogull, “What you need to know about the Flashback trojan,” April 6, 2012, Macworld. Estimated number of infections as of 10 April 2012: 655,700.
23
Defense: Patch.
Most breaches are still from a small number of vulnerabilities, including older ones. 30% of breaches use stolen login credentials (Verizon DBIR 2012, p. 26). People are getting better about Windows patching, but don’t forget applications, especially Adobe and Java.
24
Defense: Mac users, it’s time for AV.
ClamXav, which uses the ClamAV engine from Sourcefire, is free. See also the available Mac security/hardening guides.
25
Defense: Filter
- Outbound traffic
- Web content filtering
- Application control
- Identity awareness
- Intrusion prevention
- Data leak prevention
- Web application firewall
Next-generation firewall, anyone? It gets you most of the above in one package (WAF sold separately).
26
Defense: Monitor
- Signs of bots often show up in web and DNS requests.
- Monitor user login activity; 30% of breaches use stolen credentials.
- Log and alert/review.
- You need an incident response plan.
Monitoring and incident response plan: There are two kinds of companies, those which know that they’ve been breached and those that don’t. You will be breached if you haven’t been already, and most companies only hear about it after the fact from a third party. Better to be in the former category and be able to recognize a breach when it occurs and respond.
Log & review: How about doing some crowdsourcing on login misuse, by sending login notifications to the mobile device of the user?
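The signals this slide points at (bot traces in DNS and web requests, and misuse of stolen logins) can be checked mechanically. What follows is an added example for this page, not code from the talk or from EarthLink: it runs four bot-indicator checks over constructed DNS, web-proxy and login log samples. The log layout (ISO-8601 time, client, name/URL/user, status), the thresholds and every sample line are assumptions made for the illustration. The checks are: clients with a high NXDOMAIN ratio (a bot hunting for generated or sinkholed C&C names), queried names whose registrable label looks machine-generated (long and high-entropy), hosts polled at near-constant intervals (C&C beaconing), and accounts logging in from more distinct addresses than expected (the stolen-credential case the slide cites).

```python
"""Toy bot-indicator hunt over constructed DNS, proxy and login logs.

Added illustration for the 'Monitor' slide; not code from the talk.
Log formats, thresholds and sample lines are all assumptions.
"""
import math
import statistics
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample logs (not real captures). Assumed layout:
# "<ISO-8601 time> <client> <qname | url | user> <status>"
DNS_LOG = """\
2012-04-10T09:00:00 10.0.0.5 www.example.com NOERROR
2012-04-10T09:00:01 10.0.0.5 mail.example.com NOERROR
2012-04-10T09:00:00 10.0.0.9 xk3qz9vplw2a.info NXDOMAIN
2012-04-10T09:00:00 10.0.0.9 qwerlzpmv7g1.biz NXDOMAIN
2012-04-10T09:00:00 10.0.0.9 p9rztxlqkmv2.org NXDOMAIN
2012-04-10T09:00:00 10.0.0.9 bmxw7kq2zpl3.net NOERROR
2012-04-10T09:00:01 10.0.0.9 www.example.com NOERROR
"""
PROXY_LOG = """\
2012-04-10T09:00:00 10.0.0.9 http://bmxw7kq2zpl3.net/gate.php 200
2012-04-10T09:05:00 10.0.0.9 http://bmxw7kq2zpl3.net/gate.php 200
2012-04-10T09:10:00 10.0.0.9 http://bmxw7kq2zpl3.net/gate.php 200
2012-04-10T09:15:00 10.0.0.9 http://bmxw7kq2zpl3.net/gate.php 200
2012-04-10T09:00:12 10.0.0.5 http://www.example.com/ 200
2012-04-10T09:03:40 10.0.0.5 http://www.example.com/news 200
"""
LOGIN_LOG = """\
2012-04-10T09:01:00 alice 10.0.0.5 OK
2012-04-10T09:02:00 bob 203.0.113.7 OK
2012-04-10T09:02:30 bob 198.51.100.20 OK
2012-04-10T09:03:00 bob 192.0.2.44 OK
"""


def _rows(log):
    """Split a log blob into whitespace-separated fields, skipping blank lines."""
    return [line.split() for line in log.splitlines() if line.strip()]


def shannon_entropy(text):
    """Bits of entropy per character; random labels score near log2(alphabet)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def second_level_label(qname):
    """The label left of the TLD, e.g. 'example' for 'www.example.com'."""
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def nxdomain_ratio(dns_log):
    """Per client, the fraction of queries answered NXDOMAIN."""
    total, failed = Counter(), Counter()
    for _, client, _, rcode in _rows(dns_log):
        total[client] += 1
        if rcode == "NXDOMAIN":
            failed[client] += 1
    return {c: failed[c] / total[c] for c in total}


def dga_like_names(dns_log, min_len=10, min_entropy=3.0):
    """Queried names whose registrable label is long and high-entropy."""
    hits = set()
    for _, _, qname, _ in _rows(dns_log):
        label = second_level_label(qname)
        if len(label) >= min_len and shannon_entropy(label) >= min_entropy:
            hits.add(qname)
    return hits


def beacons(proxy_log, min_hits=4, max_jitter=0.1):
    """(client, host, mean gap) for hosts fetched at near-constant intervals."""
    stamps = defaultdict(list)
    for ts, client, url, _ in _rows(proxy_log):
        stamps[(client, urlsplit(url).hostname)].append(datetime.fromisoformat(ts))
    found = []
    for (client, host), times in stamps.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            found.append((client, host, mean))
    return found


def shared_credentials(login_log, max_sources=2):
    """Accounts that logged in successfully from more than max_sources addresses."""
    sources = defaultdict(set)
    for _, user, src, result in _rows(login_log):
        if result == "OK":
            sources[user].add(src)
    return {u: len(s) for u, s in sources.items() if len(s) > max_sources}


def hunt(dns_log=DNS_LOG, proxy_log=PROXY_LOG, login_log=LOGIN_LOG, nx_threshold=0.5):
    """Run all four checks and return the findings as one dict."""
    ratios = nxdomain_ratio(dns_log)
    return {
        "high_nxdomain_clients": sorted(c for c, r in ratios.items() if r >= nx_threshold),
        "dga_like_names": sorted(dga_like_names(dns_log)),
        "beacons": beacons(proxy_log),
        "shared_credentials": shared_credentials(login_log),
    }


if __name__ == "__main__":
    for key, value in hunt().items():
        print(f"{key}: {value}")
```

Run directly, it prints the four findings for the constructed samples. Against real traffic the thresholds need tuning to a baseline of the site's own activity: CDNs and ad networks also produce random-looking labels, a user on a VPN or a mobile carrier will legitimately appear from several addresses, and software update checks beacon as regularly as any bot, so each finding is a lead for the incident response plan the slide asks for, not a verdict.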
27
Defense: Report. Collaborate.
Report to the FBI, USSS, or ic3.gov.
Collaborate: Share as much information as possible about breaches, at least within secure settings (e.g., industry Information Sharing and Analysis Centers (ISACs)). SEC guidance now requires breach disclosure if such incidents are “among the most significant factors that make an investment in the company speculative or risky,” and companies with mature security programs are disclosing in detail (e.g., Verisign, RSA). It’s time to build a culture where we’re open about security breaches and those who disclose are not stigmatized for the disclosure (as opposed to for having terrible security). Failure to disclose and very late disclosure should be seen as a negative sign, while timely disclosure should be seen as a positive sign. And these things can lead to....
28
Offense: Track, Takeover, Takedown, Arrest & Prosecute
FBI operations:
- May 22, 2001: Operation Cyber Loss - 62 arrests
- May 16, 2002: Operation E-Con - 50 arrests
- Nov 20, 2003: Operation Cyber Sweep - 125 arrests
- Feb 14, 2004: Operation Cyber Slam - Foonet DDoS
- May 20, 2004: Operation SLAM-Spam - 50 targets
- Jun 13, 2007: Operation Bot Roast - 3 arrests
- Nov 29, 2007: Operation Bot Roast II - 3 indictments
- Sep 30, 2010: Operation Trident Breach - 5 Ukraine arrests, Zeus partial takedown
- Apr 2011: Coreflood takedown (w/ISC)
- Nov 8, 2011: Operation Ghost Click - 6 Estonians arrested for DNSChanger (w/Trend Micro)
The law finally catching up: Roger A. Grimes, “If you do the cyber crime, expect to do the time,” InfoWorld, April 3, 2012.
Tracking: Brian Krebs, various security researchers, Microsoft Digital Crimes Unit, Team Cymru, SecureWorks, Damballa, Sophos, Symantec, CrowdStrike.
Takeover, takedown: Microsoft, CrowdStrike.
Arrest & prosecute: FBI, USSS, national police agencies, Interpol.
FBI operation details:
- Operation Cyber Loss, May 22, 2001: 62 fraudsters arrested.
- Operation E-Con, May 16, 2002: 50 arrested, 48 charged, 12 guilty pleas.
- Operation Cyber Sweep, November 20, 2003: 125 arrests.
- Operation SLAM-Spam, May 20, 2004 (IC3/industry): identified 100 spammers, targeted 50.
- Operation Bot Roast, June 13, 2007: Robert Alan Soloway, James C. Brewer, Jason Michael Downey.
- Operation Bot Roast II, November 29, 2007: 3 indictments.
- Operation Ghost Click, November 9, 2011: six Estonians arrested.
Private operations:
- Microsoft/Shadowserver/Symantec Operation b49, Waledac C&C takedown, February 22, 2010.
- Microsoft Waledac spam takedown, October 27, 2010.
- Microsoft/FireEye Rustock takedown, Operation b107, March 16, 2011: 1.1M-1.7M infected machines; hardcoded IPs for C&C.
- Microsoft/Kaspersky Kelihos (Waledac 2.0) takedown, September 26, 2011: civil suit accusing Dominique Alexander Piatti, dotFREE Group SRO and John Does 1-22 of owning the domain cz.cc and using it to register subdomains such as lewgdooi.cz.cc to operate and control the Kelihos botnet. 41,000 computers.
- Microsoft/F-Secure, etc. Zeus takedown, Operation b71, under the RICO statutes, March 23, 2012: 13 million Zeus infections, 3 million in the U.S. Zeus sold for $700 to $15K for the latest version; source code leaked May 2011 (see Wikipedia).
- CrowdStrike/Honeynet Project/SecureWorks/Kaspersky Kelihos v2 takedown, March 29, 2012.
Microsoft Digital Crimes Unit:
- Feb 22, 2010: Operation b49, Waledac C&C takedown (w/Shadowserver, Symantec)
- Oct 27, 2010: Operation b49, Waledac spam takedown
- Mar 16, 2011: Operation b107, Rustock takedown (w/FireEye)
- Sep 26, 2011: Operation b79, Kelihos/Waledac 2.0 takedown; civil suit vs. Dominique Alexander Piatti
- Mar 23, 2012: Operation b71, Zeus takedown (w/F-Secure)
CrowdStrike:
- Mar 29, 2012: Kelihos v2 takedown (w/SecureWorks, Honeynet Project, Kaspersky)
29
Future
- Macs as targets
- Social networks as delivery mechanism
- Mobile as target
- More indirect attacks (CAs, RSA, Sophos)
- Competing legal agendas: Global Online Freedom Act (GOFA), HR 3605; Cyber Intelligence Sharing and Protection Act (CISPA), HR 3523
- A decline in the use of large botnets except as “stepping stones”
Social networks as delivery mechanism: Twitter sues top 5 spammers.
Indirect attacks: CAs: Comodo hacked Mar. 2011; DigiNotar hacked Sep. 2011; GlobalSign hacked Sep. 2011. RSA hacked March 2011. Sophos partner portal hacked Apr 6, 2012.
GOFA opposes the use of surveillance and content filtering by governments, to promote “Internet freedom.” CISPA has been criticized on civil liberties grounds, for allowing disclosure of information to the NSA or DOD Cyber Command. The U.S. is a bit conflicted about what “Internet freedom” means or requires (see, e.g., Evgeny Morozov, The Net Delusion: The Dark Side of Internet Freedom, 2011, PublicAffairs). As the Arizona legislature passes a bill (HB 2549) to expand telephone harassment and stalking statutes to cover online speech, the federal government is condemning censorship by authoritarian governments, but also seeking to expand its own ability to monitor. As botnets become a target for takedown, and if targets of opportunity show any progress in becoming more secure, the methods of choice for state-sponsored actors will filter down to other groups (and surely already have to some extent).
30
Q&A Any questions? Jim Lippard Sr. Product Manager, Security EarthLink Business