Hi malware fighters,
The number of botnets that use HTTP to communicate with infected machines has doubled during the last six months. Traditionally botnets were commanded through Internet Relay Chat (IRC), but that development has stopped. The number of IRC-based botnets stopped growing at approx. 400, while HTTP-based botnets grew from 800 to 1600. That growth has to do with the low cost of HTTP-bot-building toolkits, according to Team Cymru, a non-profit anti-cybercrime organisation.
Toolkits
These toolkits are getting more and more functional, and the ease of use of the HTTP interface means that botherders have massively left the IRC platform as a communication channel. HTTP botnets are more and more used for Distributed Denial of Service (DDoS) attacks. "There are different ways to make money from this kind of attack, while other alternative uses of botnets are to be preferred with less risk."
Most Command & Control servers, both for IRC and HTTP, are located in the United States of America. Northern Europe, with the Netherlands, also plays an important role. Despite the fact that IRC-based botnets showed no growth, their number did not go down either. That is why Team Cymru predicts this kind of bot will play a further role, but the future lies with the HTTP-based bots. Link:
http://www.team-cymru.org/ReadingRoom/Whitepapers/2010/developing-botnets.pdf
polonus
P.S. Another fact is that HTTP-based bots can easily be relocated... and webadmins have monitored port 6667, while HTTP goes further under the detection radar. Default and standard IPS/IDS systems will just filter for "/join" through DPI... and then bye-bye botnet. HTTP is more difficult, because it looks like legit traffic.
Damian
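To illustrate the detection gap raised in the P.S., here is an added example (my own code, not from the post or the Team Cymru paper) that runs two checks over constructed traffic records: a DPI-style match on IRC commands that works on any port, not just 6667, and a timing check that flags HTTP clients polling one URL at near-constant intervals, since the request text alone looks like legitimate browsing. The record layout, IP addresses, URL path and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records: (time_s, src_ip, dst_ip, dst_port, payload).
RECORDS = [
    (0,   "10.0.0.5", "203.0.113.7",  6667, "NICK bot4471\r\nUSER b b b :b\r\n"),
    (1,   "10.0.0.5", "203.0.113.7",  6667, "JOIN #c\r\n"),
    (2,   "10.0.0.6", "203.0.113.9",  8080, "JOIN #c\r\n"),   # IRC on a non-standard port
    (0,   "10.0.0.8", "198.51.100.3", 80,   "GET /poll?id=7 HTTP/1.1\r\nHost: x\r\n"),
    (60,  "10.0.0.8", "198.51.100.3", 80,   "GET /poll?id=7 HTTP/1.1\r\nHost: x\r\n"),
    (120, "10.0.0.8", "198.51.100.3", 80,   "GET /poll?id=7 HTTP/1.1\r\nHost: x\r\n"),
    (180, "10.0.0.8", "198.51.100.3", 80,   "GET /poll?id=7 HTTP/1.1\r\nHost: x\r\n"),
    (5,   "10.0.0.9", "198.51.100.4", 80,   "GET /news HTTP/1.1\r\nHost: y\r\n"),
    (47,  "10.0.0.9", "198.51.100.4", 80,   "GET /news HTTP/1.1\r\nHost: y\r\n"),
    (130, "10.0.0.9", "198.51.100.4", 80,   "GET /news HTTP/1.1\r\nHost: y\r\n"),
    (131, "10.0.0.9", "198.51.100.4", 80,   "GET /news HTTP/1.1\r\nHost: y\r\n"),
]

IRC_CMD = re.compile(r"^(NICK|USER|JOIN|PRIVMSG|PING|PONG)\b", re.M)
HTTP_REQ = re.compile(r"^(GET|POST) (\S+) HTTP/1\.[01]\r?$", re.M)


def irc_hits(records):
    """DPI-style check: flag IRC commands in the payload regardless of port."""
    return [(src, dst, port) for _, src, dst, port, p in records if IRC_CMD.search(p)]


def http_beacons(records, min_requests=4, max_cv=0.1):
    """Flag (client, server, path) triples polled at near-constant intervals.
    A string match cannot separate C2 polling from browsing, so use the
    coefficient of variation (stdev / mean) of the gaps between requests."""
    series = defaultdict(list)
    for t, src, dst, _port, p in records:
        m = HTTP_REQ.search(p)
        if m:
            series[(src, dst, m.group(2))].append(t)
    flagged = []
    for key, times in series.items():
        times.sort()
        if len(times) < min_requests:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            flagged.append(key)
    return flagged


if __name__ == "__main__":
    print("IRC:", irc_hits(RECORDS))
    print("HTTP beacons:", http_beacons(RECORDS))
```

The irregular "/news" client is not flagged, while the evenly spaced "/poll" client is; real deployments would tune `min_requests` and `max_cv` against baseline traffic.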