Binary Intelligence

...thoughts and news on digital forensics, pentesting, electronic investigations, and the computer underground.

A year ago, I did a write-up about the potential for botnets migrating to non-traditional computing platforms. My conclusion was that seventh-generation video game systems had the most potential as a botnet platform, based on a model I defined in that write-up.

Here we are a year later, and as it turns out, nope, no botnet on any video game system. So on that point, I have to hang my head and admit I am no better than any random caller to Art Bell. On the other hand, I do stand by my conclusion that video game platforms would make a good platform for the creation of a botnet. However, the model I created needs work. There was a variable I did not account for.

I previously defined my model as "Attractiveness of target = Size of install base x Uniformity of platform x Ease of exploitation x Utility of system". To quote myself, each term was defined as:

Size of install base - A platform must have an install base large enough to justify the development effort. This is one of the reasons Microsoft Windows has historically been the most targeted platform. Recently, malware has been released for Apple's OS X that could lead to a zombie infection, leading many to speculate this was a trial run testing OS X as a zombie platform. It is no accident that this coincides with the platform's recent gains in market share.

Uniformity of platform - There has to be a reasonable expectation that the install base will have similarly configured systems and/or installed applications. Often this means default applications or configurations that popular services expect to be present. Windows Media Player, Microsoft Office, web browsers and common browser plugins (Flash, Adobe Acrobat, etc.) are often targeted in this manner. Widespread applications and configurations give botnet creators a known environment to target.

Ease of exploitation - The infection process must be simple enough that errors do not occur during infection. A complex infection process has more points at which something can go wrong, reducing the number of infected hosts that will be harvested. In recent history, this has led to social engineering being heavily involved in most malware infections. What this translates into is that the system is only as secure as the user is clever enough not to be tricked into taking actions adverse to their own interests.

Utility of system - There has to be a degree of usefulness of the system to an attacker after infection. This may be computing power for distributed computing efforts, sensitive data stored on the infected host, bandwidth for distributed denial of service attacks, or the ability to infect other more attractive systems.

The problem with the model, however, is that I left out a variable. An obvious mistake in hindsight, which I will take this opportunity to correct. So, my new model is:

Attractiveness of target = (Size of install base x Uniformity of platform x Ease of exploitation x Utility of system/service) - Attractiveness of alternative targets

With the new variable defined as:

Attractiveness of alternative targets - The overall result of the positive factors must be reduced by the attractiveness of alternative targets. A platform will not be targeted for attack as long as alternative platforms exist with the same relative utility and higher values for the other variables.

And a modification to a previous variable to define it as:

Utility of system/service - There has to be a degree of usefulness of the system or service to an attacker after exploitation. This may be computing power for distributed computing efforts, sensitive data stored on the infected host, bandwidth for distributed denial of service attacks, the privilege level of the service, or the ability to infect other more attractive systems.

I think this current model reflects the real world much better than the previous one; however, I am still open to input if anyone sees any flaws. This model should be enough to judge most platforms and applications as to the likelihood of their being targeted in the future. That can be valuable when doing risk assessments, or during penetration testing when selecting where to focus your efforts. I think we all do this to some degree, but having a formalized way of defining it is helpful.
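As an added example (not part of the original post), the scoring below applies the revised model to a handful of candidate platforms and ranks them. The factor ratings are constructed illustrative values on a 1 to 10 scale, not measurements, and "attractiveness of alternative targets" is taken here to be the best raw score among the other candidates, which is one reading of the definition above rather than something the post pins down.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Added example implementing the post's revised model:
#   Attractiveness = (Install base x Uniformity x Ease x Utility)
#                    - Attractiveness of alternative targets
# Factor values are constructed ratings on a 1..10 scale, not measurements.
# Treating "alternatives" as the single best *other* candidate is an
# assumption made for this example; the post does not define it that precisely.


@dataclass(frozen=True)
class Platform:
    name: str
    install_base: float  # size of install base, 1..10
    uniformity: float    # how alike deployed systems are, 1..10
    ease: float          # ease of exploitation, 1..10
    utility: float       # post-exploitation value: bandwidth, data, privilege, 1..10

    def raw_attractiveness(self) -> float:
        """The multiplicative core of the model (the bracketed term).

        All four factors must be on the same 1..10 scale; otherwise the
        subtraction of one platform's score from another's is meaningless.
        """
        for v in (self.install_base, self.uniformity, self.ease, self.utility):
            if not 1 <= v <= 10:
                raise ValueError(f"{self.name}: factor {v} outside 1..10")
        return self.install_base * self.uniformity * self.ease * self.utility


def rank(platforms: List[Platform]) -> List[Tuple[str, float, float]]:
    """Return (name, raw, relative) tuples, most attractive first.

    relative = raw - max(raw of every other platform in the list)
    Because alternatives are the single best competitor, at most one
    platform scores >= 0: the one an attacker with these ratings would pick.
    """
    raws = {p.name: p.raw_attractiveness() for p in platforms}
    results = []
    for p in platforms:
        others = [r for n, r in raws.items() if n != p.name]
        alternatives = max(others) if others else 0.0
        results.append((p.name, raws[p.name], raws[p.name] - alternatives))
    return sorted(results, key=lambda t: t[2], reverse=True)


# Constructed sample ratings for illustration only.
SAMPLE_PLATFORMS = [
    Platform("Windows desktop", install_base=10, uniformity=7, ease=7, utility=7),
    Platform("Game console",    install_base=5,  uniformity=10, ease=4, utility=6),
    Platform("OS X desktop",    install_base=3,  uniformity=8, ease=6, utility=6),
    Platform("Linux server",    install_base=4,  uniformity=3, ease=4, utility=9),
]


def demo() -> List[Tuple[str, float, float]]:
    """Rank the sample set, then show what happens when the leader disappears."""
    full = rank(SAMPLE_PLATFORMS)
    for name, raw, rel in full:
        print(f"{name:16s} raw={raw:7.0f} relative={rel:8.0f}")
    # Remove the leading alternative: the runner-up becomes the target.
    without_leader = rank([p for p in SAMPLE_PLATFORMS if p.name != full[0][0]])
    print(f"without {full[0][0]}: {without_leader[0][0]} now scores "
          f"{without_leader[0][2]:.0f}")
    return full


if __name__ == "__main__":
    demo()
```

With alternatives defined as the best competitor, exactly one platform comes out at or above zero, which matches the post's claim that a platform is left alone while a better one exists; dropping the leader from the list flips the runner-up positive. The check in raw_attractiveness matters more than it looks: the product term grows much faster than any single factor, so mixing scales between platforms would let one rating dominate the subtraction.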

Any input to this model is welcome.

Comments:

Anonymous said...

Likelihood of discovery/removal may be a worthy factor.
