At TED this year Bonnie Bassler gave a very interesting talk on bacteria. Bonnie and her team discovered that bacteria, despite being single-celled organisms, have a sophisticated communication method that uses chemical 'words' to activate group behaviors. This communication is called Quorum Sensing and is vital for many purposes, but the one most interesting to me is bacteria launching an attack against the host. If a single bacterium, such as E. coli or Salmonella, were to release toxins in your body, it would have no effect. Instead the bacteria wait and multiply until billions are in the host and can launch a coordinated attack. They do this with receptors that look for the chemical 'words' floating around. With enough of these 'words' in the environment, the behavior is activated.
The concepts in Quorum Sensing can be applied to the IT world in positive ventures such as self-organizing networks or autonomous robot swarms, but as a security guy I immediately see this as very relevant to today's malware. Typical botnets use a command and control (C&C) channel to activate a given behavior (usually IRC or HTTP). In the past, botnets were deactivated simply by compromising the command and control. Conficker is much more sophisticated in its latest incarnation and uses a system of rotating random domain names, but there is still an opportunity to cut it off. These botnets can be deactivated by going after the source, or by preventing communication with the source. Newer P2P botnets avoid the normal client/server C&C channel but still often have detectable and preventable communications (based, for instance, on signature or protocol type).
If we applied Quorum Sensing to botnets we could have truly autonomous bots, spread by worms, trojans or backdoors, that activate when they reach a critical mass, with no C&C or master bot needed. Of course, to do this we can't rely on anything detectable being passed between computers, or it would be just as preventable as those with C&C.
Quorum Sensing requires a form of communication using 'words' in the blood stream. If you looked at computers as cells and the Internet as a body, I would argue that the blood is a mixture of IM, email, and other commonly used P2P traffic. The malware, however, couldn't simply add custom headers to these communications, or they would be detected and prevented from communicating. The malware could, however, make subtle changes to the communication that couldn't be detected or prevented. By applying a form of steganography to the message body itself, the malware could sense each other's presence. For example, the malware could make subtle alterations such as taking out a space from common word patterns like 'of the', making it 'ofthe'. The receiver would see this as a simple typo, and you as the sender would be unaware the alteration was even made. These types of subtle modifications could be changed or evolved as each node senses more unique peers with the infection. The presence of the malware could be signaled by altering white space, contractions, capitalization, word order and other changes indistinguishable from user error or writing style. Each instance would wait for a critical mass, at which point other specific alterations could accelerate other peer attacks.
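From the defender's side, the claim that a dropped space reads as an ordinary typo can be tested by measuring rather than eyeballing: a single 'ofthe' is noise, but a sender whose messages fuse common function-word pairs at a much higher rate than everyone else stands out. The scanner below is an added example written for this post, not code from the original; the message log, the list of word pairs and the 0.5 threshold are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample message log: (sender, text). Alice's messages carry the
# fused-pair pattern the post describes; Bob's and Carol's are ordinary text.
SAMPLE_MESSAGES = [
    ("alice", "I think ofthe meeting we had, it went well."),
    ("alice", "Can you send me the notes forthe project?"),
    ("alice", "See you atthe office tomorrow."),
    ("bob", "Thanks for the update, see you tomorrow."),
    ("bob", "Can you send me the notes for the project?"),
    ("carol", "Not sure ofthe time, will check."),
    ("carol", "Lunch at the usual place?"),
    ("carol", "Fine with me."),
]

# Common function-word pairs (a constructed list); the fused form with the
# space removed is the hypothetical signal we are looking for.
WORD_PAIRS = [("of", "the"), ("in", "the"), ("for", "the"),
              ("at", "the"), ("to", "the"), ("on", "the")]

FUSED = {a + b: (a, b) for a, b in WORD_PAIRS}
# Word boundaries keep "ofthe" from matching inside unrelated longer words.
FUSED_RE = re.compile(
    r"\b(" + "|".join(re.escape(k) for k in FUSED) + r")\b", re.IGNORECASE)


def count_fused(text):
    """Number of fused function-word pairs in one message."""
    return len(FUSED_RE.findall(text))


def per_sender_rates(messages):
    """Map sender -> (fused_count, message_count, fused per message)."""
    counts = defaultdict(lambda: [0, 0])
    for sender, text in messages:
        counts[sender][0] += count_fused(text)
        counts[sender][1] += 1
    return {s: (f, n, f / n) for s, (f, n) in counts.items()}


def flag_senders(messages, threshold=0.5):
    """Senders whose fused-pair rate per message exceeds the threshold.

    The threshold is a constructed value; in practice it would be derived
    from the observed baseline of the population rather than fixed.
    """
    rates = per_sender_rates(messages)
    return sorted(s for s, (_, _, rate) in rates.items() if rate > threshold)


if __name__ == "__main__":
    for sender, (fused, total, rate) in per_sender_rates(SAMPLE_MESSAGES).items():
        print(f"{sender}: {fused} fused in {total} messages (rate {rate:.2f})")
    print("flagged:", flag_senders(SAMPLE_MESSAGES))
```

The point of the per-sender rate is that the signal the post proposes is only invisible one message at a time; over a window of traffic a fixed alteration shows up as a stable deviation from the sender's own baseline, which is exactly what the post's suggestion of evolving the alterations is trying to avoid. A real deployment would learn the baseline per sender and per word pair instead of using one constant.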
The challenge with this, of course, is that the attack would be fixed in nature. If it was a DDoS payload, the addresses would have to be pre-programmed into the malware. This is unlike botnets with C&C, which can change the mission as needed. Still, there are many opportunities even with the static nature. The malware could launch click-fraud, provide SMTP relay or steal personal information. The malware can also still be detected and removed at the source, especially given that it would have to employ drivers or plugins to read and alter multiple forms of communication. The main benefit of this approach would be to take away the C&C and communications angle as a point of prevention.
Quorum Sensing also has another potential benefit: limiting saturation. Self-limiting is a common use of bacterial communication in environments where their survival is predicated on the survival of the host. If a botnet employed this technique to limit itself within local networks it may have a better chance of surviving (it may be seen as a lower threat if only infecting a small percentage, or may escape detection entirely). The two techniques could be employed together to limit local distribution while launching attacks once the Internet-wide distribution reached critical mass.
It's questionable how effective a communication method this would afford, but when you look at the bacterial world, amazing things have been done for millennia with just a few simple 'words'.
