Dan Goodin of The Register has a gem of a story about the life of a teenage botmaster and how he got busted by the feds. While this smells of a low-hanging-fruit conviction, it provides compelling insight into just how little skill a person needs to illegally turn a tidy profit by compromising users' machines and committing fraudulent acts. It also raises the question of how much the people with some decent skills, who also TRY NOT to get caught, are making.
Who knows, some of them could be the same people clever enough to install SQL injection tools on bots as a copycat of the massive attacks going around. “The bots then Google for .asp pages with specific terms -- and then hit the sites found in the search return with SQL injection attacks, says Joe Stewart, director of malware research for SecureWorks”. Bill Pennington lays out the future of botnet attacks leveraging custom web application vulnerabilities like XSS and CSRF. Bigger potential than SQLi. Get ready, everyone! This is going to be an interesting year.