You may be familiar with "security through obscurity", a principle in security engineering which attempts to use secrecy of design, implementation, or other factors to provide security. Security through obscurity is a poor design concept in general and is widely derided among professionals. But what about security through ubiquity, "ubiquity" in this case meaning multiple points of control or backup? For botnet operators, it seems to be a tactic that's working.
As large-scale botnet operators have moved from top-down C&C infrastructures to more flexible, decentralized peer-to-peer designs, they've also been working on ways to keep their networks up and running once they're discovered.
When a botnet owner had only one or two command and control (C&C)servers in operation, keeping the command server online was critical to success. Lose the C&C server and you lose your botnet. It's still there, but it can't be used because you can't communicate with it. But the times there are a changing…
The new trend among botnet operators is to run dozens (or sometimes hundreds) of C&C servers around the world simultaneously. If one or two (or a dozen) get found and shutdown, it's not a problem- there are still plenty more available to be used.
With hundreds of C&C servers online, the effect of knocking out a handful of them is negligible. This makes "takedown" operations increasingly complicated, time-consuming, and ultimately less effective. That's security through ubiquity.
Security experts say that this change, which has become more and more prevalent over the last couple of years, has made life much more difficult for them. For example, security researchers have identified and cleaned literally hundreds of domains being used by the Gumblar botnet in recent months, but it's had virtually no effect at all on the botnet's overall operation.
So far it looks like the bad guys and their botnets are winning, and it doesn't look like that's going to change anytime soon, if ever.