bots

The Kraken botnet

From Kelly Jackson Higgins’s “New Massive Botnet Twice the Size of Storm” (DarkReading: 7 April 2008):

A new botnet twice the size of Storm has ballooned to an army of over 400,000 bots, including machines in the Fortune 500, according to botnet researchers at Damballa. (See The World’s Biggest Botnets and MayDay! Sneakier, More Powerful Botnet on the Loose.)

The so-called Kraken botnet has been spotted in at least 50 Fortune 500 companies and is undetectable in over 80 percent of machines running antivirus software.

Royal says like Storm, Kraken so far is mostly being used for spamming the usual scams — high interest loans, gambling, male enhancement products, pharmacy advertisements, and counterfeit watches, for instance.

Its bots are prolific, too: The firm has seen single Kraken bots sending out up to 500,000 pieces of spam in a day.

Just how Kraken is infecting machines is still unclear, but Royal says the malware seems to appear as an image file to the victim. When the victim tries to view the image, the malware is loaded onto his or her machine. “We know the picture… ends in an .exe, which is not shown” to the user, Royal says.

The Kraken botnet Read More »

80% of all spam from botnets

From Jacqui Cheng’s “Report: botnets sent over 80% of all June spam” (Ars Technica: 29 June 2009):

A new report (PDF) from Symantec’s MessageLabs says that more than 80 percent of all spam sent today comes from botnets, despite several recent shut-downs.

According to MessageLabs’ June report, spam accounted for 90.4 percent of all e-mail sent in the month of June—this was roughly unchanged since May. Botnets, however, sent about 83.2 percent of that spam, with the largest spam-wielding botnet being Cutwail. Cutwail is described as “one of the largest and most active botnets” and has doubled its size and output per bot since March of this year. As a result, it is now responsible for 45 percent of all spam, with others like Mega-D, Xarvester, Donbot, Grum, and Rustock making up much of the difference

80% of all spam from botnets Read More »

Storm made $7000 each day from spam

From Bruce Schneier’s “The Economics of Spam” (Crypto-Gram: 15 November 2008):

Researchers infiltrated the Storm worm and monitored its doings.

“After 26 days, and almost 350 million e-mail messages, only 28 sales resulted — a conversion rate of well under 0.00001%. Of these, all but one were for male-enhancement products and the average purchase price was close to $100. Taken together, these conversions would have resulted in revenues of $2,731.88 — a bit over $100 a day for the measurement period or $140 per day for periods when the campaign was active. However, our study interposed on only a small fraction of the overall Storm network — we estimate roughly 1.5 percent based on the fraction of worker bots we proxy. Thus, the total daily revenue attributable to Storm’s pharmacy campaign is likely closer to $7000 (or $9500 during periods of campaign activity). By the same logic, we estimate that Storm self-propagation campaigns can produce between 3500 and 8500 new bots per day.

“Under the assumption that our measurements are representative over time (an admittedly dangerous assumption when dealing with such small samples), we can extrapolate that, were it sent continuously at the same rate, Storm-generated pharmaceutical spam would produce roughly 3.5 million dollars of revenue in a year. This number could be even higher if spam-advertised pharmacies experience repeat business. A bit less than “millions of dollars every day,” but certainly a healthy enterprise.”

Storm made $7000 each day from spam Read More »

Could Green Dam lead to the largest botnet in history?

Green_Damn_site_blocked.jpg

From Rob Cottingham’s “From blocking to botnet: Censorship isn’t the only problem with China’s new Internet blocking software” (Social Signal: 10 June 2009):

Any blocking software needs to update itself from time to time: at the very least to freshen its database of forbidden content, and more than likely to fix bugs, add features and improve performance. (Most anti-virus software does this.)

If all the software does is to refresh the list of banned sites, that limits the potential for abuse. But if the software is loading new executable code onto the computer, suddenly there’s the potential for something a lot bigger.

Say you’re a high-ranking official in the Chinese military. And let’s say you have some responsibility for the state’s capacity to wage so-called cyber warfare: digital assaults on an enemy’s technological infrastructure.

It strikes you: there’s a single backdoor into more that 40 million Chinese computers, capable of installing… well, nearly anything you want.

What if you used that backdoor, not just to update blocking software, but to create something else?

Say, the biggest botnet in history?

Still, a botnet 40 million strong (plus the installed base already in place in Chinese schools and other institutions) at the beck and call of the military is potentially a formidable weapon. Even if the Chinese government has no intention today of using Green Dam for anything other than blocking pornography, the temptation to repurpose it for military purposes may prove to be overwhelming.

Could Green Dam lead to the largest botnet in history? Read More »

Green Dam is easily exploitable

Green_Damn_site_blocked.jpg

From Scott Wolchok, Randy Yao, and J. Alex Halderman’s “Analysis of the Green Dam Censorware System” (The University of Michigan: 11 June 2009):

We have discovered remotely-exploitable vulnerabilities in Green Dam, the censorship software reportedly mandated by the Chinese government. Any web site a Green Dam user visits can take control of the PC.

According to press reports, China will soon require all PCs sold in the country to include Green Dam. This software monitors web sites visited and other activity on the computer and blocks adult content as well as politically sensitive material.

We examined the Green Dam software and found that it contains serious security vulnerabilities due to programming errors. Once Green Dam is installed, any web site the user visits can exploit these problems to take control of the computer. This could allow malicious sites to steal private data, send spam, or enlist the computer in a botnet. In addition, we found vulnerabilities in the way Green Dam processes blacklist updates that could allow the software makers or others to install malicious code during the update process.

We found these problems with less than 12 hours of testing, and we believe they may be only the tip of the iceberg. Green Dam makes frequent use of unsafe and outdated programming practices that likely introduce numerous other vulnerabilities. Correcting these problems will require extensive changes to the software and careful retesting. In the meantime, we recommend that users protect themselves by uninstalling Green Dam immediately.

Green Dam is easily exploitable Read More »

The Uncanny Valley, art forgery, & love

Apply new wax to old wood
Creative Commons License photo credit: hans s

From Errol Morris’ “Bamboozling Ourselves (Part 2)” (The New York Times: 28 May 2009):

[Errol Morris:] The Uncanny Valley is a concept developed by the Japanese robot scientist Masahiro Mori. It concerns the design of humanoid robots. Mori’s theory is relatively simple. We tend to reject robots that look too much like people. Slight discrepancies and incongruities between what we look like and what they look like disturb us. The closer a robot resembles a human, the more critical we become, the more sensitive to slight discrepancies, variations, imperfections. However, if we go far enough away from the humanoid, then we much more readily accept the robot as being like us. This accounts for the success of so many movie robots — from R2-D2 to WALL-E. They act like humans but they don’t look like humans. There is a region of acceptability — the peaks around The Uncanny Valley, the zone of acceptability that includes completely human and sort of human but not too human. The existence of The Uncanny Valley also suggests that we are programmed by natural selection to scrutinize the behavior and appearance of others. Survival no doubt depends on such an innate ability.

EDWARD DOLNICK: [The art forger Van Meegeren] wants to avoid it. So his big challenge is he wants to paint a picture that other people are going to take as Vermeer, because Vermeer is a brand name, because Vermeer is going to bring him lots of money, if he can get away with it, but he can’t paint a Vermeer. He doesn’t have that skill. So how is he going to paint a picture that doesn’t look like a Vermeer, but that people are going to say, “Oh! It’s a Vermeer?” How’s he going to pull it off? It’s a tough challenge. Now here’s the point of The Uncanny Valley: as your imitation gets closer and closer to the real thing, people think, “Good, good, good!” — but then when it’s very close, when it’s within 1 percent or something, instead of focusing on the 99 percent that is done well, they focus on the 1 percent that you’re missing, and you’re in trouble. Big trouble.

Van Meegeren is trapped in the valley. If he tries for the close copy, an almost exact copy, he’s going to fall short. He’s going to look silly. So what he does instead is rely on the blanks in Vermeer’s career, because hardly anything is known about him; he’s like Shakespeare in that regard. He’ll take advantage of those blanks by inventing a whole new era in Vermeer’s career. No one knows what he was up to all this time. He’ll throw in some Vermeer touches, including a signature, so that people who look at it will be led to think, “Yes, this is a Vermeer.”

Van Meegeren was sometimes careful, other times astonishingly reckless. He could have passed certain tests. What was peculiar, and what was quite startling to me, is that it turned out that nobody ever did any scientific test on Van Meegeren, even the stuff that was available in his day, until after he confessed. And to this day, people hardly ever test pictures, even multi-million dollar ones. And I was so surprised by that that I kept asking, over and over again: why? Why would that be? Before you buy a house, you have someone go through it for termites and the rest. How could it be that when you’re going to lay out $10 million for a painting, you don’t test it beforehand? And the answer is that you don’t test it because, at the point of being about to buy it, you’re in love! You’ve found something. It’s going to be the high mark of your collection; it’s going to be the making of you as a collector. You finally found this great thing. It’s available, and you want it. You want it to be real. You don’t want to have someone let you down by telling you that the painting isn’t what you think it is. It’s like being newly in love. Everything is candlelight and wine. Nobody hires a private detective at that point. It’s only years down the road when things have gone wrong that you say, “What was I thinking? What’s going on here?” The collector and the forger are in cahoots. The forger wants the collector to snap it up, and the collector wants it to be real. You are on the same side. You think that it would be a game of chess or something, you against him. “Has he got the paint right?” “Has he got the canvas?” You’re going to make this checkmark and that checkmark to see if the painting measures up. But instead, both sides are rooting for this thing to be real. If it is real, then you’ve got a masterpiece. If it’s not real, then today is just like yesterday. You’re back where you started, still on the prowl.

The Uncanny Valley, art forgery, & love Read More »

Criminal goods & service sold on the black market

From Ellen Messmer’s “Symantec takes cybercrime snapshot with ‘Underground Economy’ report” (Network World: 24 November 2008):

The “Underground Economy” report [from Symantec] contains a snapshot of online criminal activity observed from July 2007 to June 2008 by a Symantec team monitoring activities in Internet Relay Chat (IRC) and Web-based forums where stolen goods are advertised. Symantec estimates the total value of the goods advertised on what it calls “underground servers” was about $276 million, with credit-card information accounting for 59% of the total.

If that purloined information were successfully exploited, it probably would bring the buyers about $5 billion, according to the report — just a drop in the bucket, points out David Cowings, senior manager of operations at Symantec Security Response.

“Ninety-eight percent of the underground-economy servers have life spans of less than 6 months,” Cowings says. “The smallest IRC server we saw had five channels and 40 users. The largest IRC server network had 28,000 channels and 90,000 users.”

In the one year covered by the report, Symantec’s team observed more than 69,000 distinct advertisers and 44 million total messages online selling illicit credit-card and financial data, but the 10 most active advertisers appeared to account for 11% of the total messages posted and $575,000 in sales.

According to the report, a bank-account credential was selling for $10 to $1,000, depending on the balance and location of the account. Sellers also hawked specific financial sites’ vulnerabilities for an average price of $740, though prices did go as high as $2,999.

In other spots, the average price for a keystroke logger — malware used to capture a victim’s information — was an affordable $23. Attack tools, such as botnets, sold for an average of $225. “For $10, you could host a phishing site on someone’s server or compromised Web site,” Cowings says.

Desktop computer games appeared to be the most-pirated software, accounting for 49% of all file instances that Symantec observed. The second-highest category was utility applications; third-highest was multimedia productivity applications, such as photograph or HTML editors.

Criminal goods & service sold on the black market Read More »

Another huge botnet

From Kelly Jackson Higgins’ “Researchers Find Massive Botnet On Nearly 2 Million Infected Consumer, Business, Government PCs” (Dark Reading: 22 April 2009):

Researchers have discovered a major botnet operating out of the Ukraine that has infected 1.9 million machines, including large corporate and government PCs mainly in the U.S.

The botnet, which appears to be larger than the infamous Storm botnet was in its heyday, has infected machines from some 77 government-owned domains — 51 of which are U.S. government ones, according to Ophir Shalitin, marketing director of Finjan, which recently found the botnet. Shalitin says the botnet is controlled by six individuals and is hosted in Ukraine.

Aside from its massive size and scope, what is also striking about the botnet is what its malware can do to an infected machine. The malware lets an attacker read the victim’s email, communicate via HTTP in the botnet, inject code into other processes, visit Websites without the user knowing, and register as a background service on the infected machine, for instance.

Finjan says victims are infected when visiting legitimate Websites containing a Trojan that the company says is detected by only four of 39 anti-malware tools, according to a VirusTotal report run by Finjan researchers.

Around 45 percent of the bots are in the U.S., and the machines are Windows XP. Nearly 80 percent run Internet Explorer; 15 percent, Firefox; 3 percent, Opera; and 1 percent Safari. Finjan says the bots were found in banks and large corporations, as well as consumer machines.

Another huge botnet Read More »

Conficker creating a new gargantuan botneth

From Asavin Wattanajantra’s “Windows worm could create the ‘world’s biggest botnet’” (IT PRO: 19 January 2009):

The Downadup or “Conficker” worm has increased to over nine million infections over the weekend – increasing from 2.4 million in a four-day period, according to F-Secure.

The worm has password cracking capabilities, which is often successful because company passwords sometimes match a predefined password list that the worm carries.

Corporate networks around the world have already been infected by the network worm, which is particularly hard to eradicate as it is able to evolve – making use of a long list of websites – by downloading another version of itself.

Rik Ferguson, solution architect at Trend Micro, told IT PRO that the worm was very difficult to block for security companies as they had to make sure that they blocked every single one of the hundreds of domains that it could download from.

Ferguson said that the worm was creating a staggering amount of infections, even if just the most conservative infection estimates are taken into account. He said: “What’s particularly interesting about this worm is that it is the first hybrid with old school worm infection capabilities and command and control infrastructure.”

Conficker creating a new gargantuan botneth Read More »

The end of Storm

From Brian Krebs’ “Atrivo Shutdown Hastened Demise of Storm Worm” (The Washington Post: 17 October 2008):

The infamous Storm worm, which powered a network of thousands of compromised PCs once responsible for sending more than 20 percent of all spam, appears to have died off. Security experts say Storm’s death knell was sounded by the recent shutdown of Atrivo, a California based ISP that was home to a number of criminal cyber crime operations, including at least three of the master servers used to control the Storm network.

Three out of four of [Storm’s] control servers were located at Atrivo, a.k.a. Intercage, said Joe Stewart, a senior security researcher with Atlanta based SecureWorks who helped unlock the secrets of the complex Storm network. The fourth server, he said, operated out of Hosting.ua, an Internet provider based in the Ukraine.

Stewart said the final spam run blasted out by Storm was on Sept. 18.Three days later, Atrivo was forced off the Internet after its sole remaining upstream provider — Pacific Internet Exchange (PIE) — decided to stop routing for the troubled ISP. In the weeks leading up to that disconnection, four other upstream providers severed connectivity to Atrivo, following detailed reports from Security Fix and Host Exploit that pointed to a massive amount of spam, malicious software and a host of other cyber criminal operations emanating from it.

Stewart said spam sent by the Storm network had been steadily decreasing throughout 2008, aided in large part by the inclusion of the malware in Microsoft’s malicious software removal tool, which has scrubbed Storm from hundreds of thousands of PCs since last fall. Stewart said it’s impossible to tell whether the Storm worm was disrupted by the Atrivo shutdown or if the worm’s authors pulled the plug themselves and decided to move on. But at least 30,000 systems remain infected with the Storm malware.

The end of Storm Read More »

The end of Storm?

From “Storm Worm botnet cracked wide open” (Heise Security: 9 January 2009):

A team of researchers from Bonn University and RWTH Aachen University have analysed the notorious Storm Worm botnet, and concluded it certainly isn’t as invulnerable as it once seemed. Quite the reverse, for in theory it can be rapidly eliminated using software developed and at least partially disclosed by Georg Wicherski, Tillmann Werner, Felix Leder and Mark Schlösser. However it seems in practice the elimination process would fall foul of the law.

Over the last two years, Storm Worm has demonstrated how easily organised internet criminals have been able to spread this infection. During that period, the Storm Worm botnet has accumulated more than a million infected computers, known as drones or zombies, obeying the commands of a control server and using peer-to-peer techniques to locate new servers. Even following a big clean-up with Microsoft’s Malicious Software Removal Tool, around 100,000 drones probably still remain. That means the Storm Worm botnet is responsible for a considerable share of the Spam tsunami and for many distributed denial-of-service attacks. It’s astonishing that no one has succeeded in dismantling the network, but these researchers say it isn’t due to technical finesse on the part of the Storm Worm’s developers.

Existing knowledge of the techniques used by the Storm Worm has mainly been obtained by observing the behaviour of infected systems, but the researchers took a different approach to disarm it. They reverse translated large parts of the machine code of the drone client program and analysed it, taking a particularly close look at the functions for communications between drones and with the server.

Using this background knowledge, they were able to develop their own client, which links itself into the peer-to-peer structure of a Storm Worm network in such a way that queries from other drones, looking for new command servers, can be reliably routed to it. That enables it to divert drones to a new server. The second step was to analyse the protocol for passing commands. The researchers were astonished to find that the server doesn’t have to authenticate itself to clients, so using their knowledge they were able to direct drones to a simple server. The latter could then issue commands to the test Storm worm drones in the laboratory so that, for example, they downloaded a specific program from a server, perhaps a special cleaning program, and ran it. The students then went on to write such a program.

The team has not yet taken the final step of putting the whole thing into action with a genuine Storm Worm botnet in the wild. From a legal point of view, that could involve many problems. Any unauthorised access to third-party computers could be regarded as tampering with data, which is punishable under paragraph § 303a of the German Penal Code. That paragraph threatens up to two years’ imprisonment for unlawfully deleting, suppressing, making unusable or changing third-party data. Although this legal process would only come into effect if there was a criminal complaint from an injured party, or if there was special public interest in the prosecution of the crime.

Besides risks of coming up against the criminal law, there is also a danger of civil claims for damages by the owners of infected PCs, because the operation might cause collateral damage. There are almost certain to be configurations in which the cleaning goes wrong, perhaps disabling computers so they won’t run any more. Botnet operators could also be expected to strike back, causing further damage.

The end of Storm? Read More »

Three top botnets

From Kelly Jackson Higgins’ “The World’s Biggest Botnets” (Dark Reading: 9 November 2007):

You know about the Storm Trojan, which is spread by the world’s largest botnet. But what you may not know is there’s now a new peer-to-peer based botnet emerging that could blow Storm away.

“We’re investigating a new peer-to-peer botnet that may wind up rivaling Storm in size and sophistication,” says Tripp Cox, vice president of engineering for startup Damballa, which tracks botnet command and control infrastructures. “We can’t say much more about it, but we can tell it’s distinct from Storm.”

Researchers estimate that there are thousands of botnets in operation today, but only a handful stand out by their sheer size and pervasiveness. Although size gives a botnet muscle and breadth, it can also make it too conspicuous, which is why botnets like Storm fluctuate in size and are constantly finding new ways to cover their tracks to avoid detection. Researchers have different head counts for different botnets, with Storm by far the largest (for now, anyway).

Damballa says its top three botnets are Storm, with 230,000 active members per 24 hour period; Rbot, an IRC-based botnet with 40,000 active members per 24 hour period; and Bobax, an HTTP-based botnet with 24,000 active members per 24 hour period, according to the company.

1. Storm

Size: 230,000 active members per 24 hour period

Type: peer-to-peer

Purpose: Spam, DDOS

Malware: Trojan.Peacomm (aka Nuwar)

Few researchers can agree on Storm’s actual size — while Damballa says its over 200,000 bots, Trend Micro says its more like 40,000 to 100,000 today. But all researchers say that Storm is a whole new brand of botnet. First, it uses encrypted decentralized, peer-to-peer communication, unlike the traditional centralized IRC model. That makes it tough to kill because you can’t necessarily shut down its command and control machines. And intercepting Storm’s traffic requires cracking the encrypted data.

Storm also uses fast-flux, a round-robin method where infected bot machines (typically home computers) serve as proxies or hosts for malicious Websites. These are constantly rotated, changing their DNS records to prevent their discovery by researchers, ISPs, or law enforcement. And researchers say it’s tough to tell how the command and control communication structure is set up behind the P2P botnet. “Nobody knows how the mother ships are generating their C&C,” Trend Micro’s Ferguson says.

Storm uses a complex combination of malware called Peacomm that includes a worm, rootkit, spam relay, and Trojan.

But researchers don’t know — or can’t say — who exactly is behind Storm, except that it’s likely a fairly small, tightly knit group with a clear business plan. “All roads lead back to Russia,” Trend Micro’s Ferguson says.

“Storm is only thing now that keeps me awake at night and busy,” he says. “It’s professionalized crimeware… They have young, talented programmers apparently. And they write tools to do administrative [tracking], as well as writing cryptographic routines… and another will handle social engineering, and another will write the Trojan downloader, and another is writing the rootkit.”

Rbot

Size: 40,000 active members per 24 hour period

Type: IRC

Purpose: DDOS, spam, malicious operations

Malware: Windows worm

Rbot is basically an old-school IRC botnet that uses the Rbot malware kit. It isn’t likely to ever reach Storm size because IRC botnets just can’t scale accordingly. “An IRC server has to be a beefy machine to support anything anywhere close to the size of Peacomm/Storm,” Damballa’s Cox says.

It can disable antivirus software, too. Rbot’s underlying malware uses a backdoor to gain control of the infected machine, installing keyloggers, viruses, and even stealing files from the machine, as well as the usual spam and DDOS attacks.

Bobax

Size: 24,000 active members per 24 hour period

Type: HTTP

Purpose: Spam

Malware: Mass-mailing worm

Bobax is specifically for spamming, Cox says, and uses the stealthier HTTP for sending instructions to its bots on who and what to spam. …

According to Symantec, Bobax bores open a back door and downloads files onto the infected machine, and lowers its security settings. It spreads via a buffer overflow vulnerability in Windows, and inserts the spam code into the IE browser so that each time the browser runs, the virus is activated. And Bobax also does some reconnaissance to ensure that its spam runs are efficient: It can do bandwidth and network analysis to determine just how much spam it can send, according to Damballa. “Thus [they] are able to tailor their spamming so as not to tax the network, which helps them avoid detection,” according to company research.

Even more frightening, though, is that some Bobax variants can block access to antivirus and security vendor Websites, a new trend in Website exploitation.

Three top botnets Read More »

Largest botnet as of 2006: 1.5 M machines

From Gregg Keizer’s “Dutch Botnet Bigger Than Expected” (InformationWeek: 21 October 2005):

Dutch prosecutors who last month arrested a trio of young men for creating a large botnet allegedly used to extort a U.S. company, steal identities, and distribute spyware now say they bagged bigger prey: a botnet of 1.5 million machines.

According to Wim de Bruin, a spokesman for the Public Prosecution Service (Openbaar Ministerie, or OM), when investigators at GOVCERT.NL, the Netherlands’ Computer Emergency Response Team, and several Internet service providers began dismantling the botnet, they discovered it consisted of about 1.5 million compromised computers, 15 times the 100,000 PCs first thought.

The three suspects, ages 19, 22, and 27, were arrested Oct. 6 …

The trio supposedly used the Toxbot Trojan horse to infect the vast number of machines, easily the largest controlled by arrested attackers.

Largest botnet as of 2006: 1.5 M machines Read More »

Why botnet operators do it: profit, politics, & prestige

From Clive Akass’ “Storm worm ‘making millions a day’” (Personal Computer World: 11 February 2008):

The people behind the Storm worm are making millions of pounds a day by using it to generate revenue, according to IBM’s principal web security strategist.

Joshua Corman, of IBM Internet Security Systems, said that in the past it had been assumed that web security attacks were essential ego driven. But now attackers fell in three camps.

‘I call them my three Ps, profit, politics and prestige,’ he said during a debate at a NetEvents forum in Barcelona.

The Storm worm, which had been around about a year, had been a tremendous financial success because it created a botnet of compromised machines that could be used to launch profitable spam attacks.

Not only do the criminals get money simply for sending out the spam in much more quantity than could be sent by a single machine but they get a cut of any business done off the spam.

Why botnet operators do it: profit, politics, & prestige Read More »

Srizbi, Bobax, & Storm – the rankings

From Gregg Keizer’s “RSA – Top botnets control 1M hijacked computers” (Computerworld: 4 October 2008):

Joe Stewart, director of malware research at SecureWorks, presented his survey at the RSA Conference, which opened Monday in San Francisco. The survey ranked the top 11 botnets that send spam; by extrapolating their size, Stewart estimated the bots on his list control just over a million machines and are capable of flooding the Internet with more than 100 billion spam messages every day.

The botnet at the top of the chart is Srizbi. According to Stewart, this botnet — which also goes by the names “Cbeplay” and “Exchanger” — has an estimated 315,000 bots and can blast out 60 billion messages a day.

While it may not have gotten the publicity that Storm has during the last year, it’s built around a much more substantial collection of hijacked computers, said Stewart. In comparison, Storm’s botnet counts just 85,000 machines, only 35,000 of which are set up to send spam. Storm, in fact, is No. 5 on Stewart’s list.

“Storm is pretty insignificant at this point,” said Stewart. “It got all this attention, so Microsoft added it to its malicious software detection tool [in September 2007], and that’s removed hundreds of thousands of compromised PCs from the botnet.”

The second-largest botnet is “Bobax,” which boasts an estimated 185,000 hacked systems in its collection. Able to spam approximately nine billion messages a day, Bobax has been around for some time, but recently has been in the news again, albeit under one of its several aliases.

Srizbi, Bobax, & Storm – the rankings Read More »

Number of bots drops 20% on Christmas

From Robert Lemos’ “Bot-infected PCs get a refresh” (SecurityFocus: 28 December 2006):

On Christmas day, the number of bots tracked by the Shadowserver group dropped nearly 20 percent.

The dramatic decrease in weekly totals–from more than 500,000 infected systems to less than 400,000 computers–puzzled researchers. The Internet Storm Center, a threat monitoring group managed by the SANS Institute, confirmed a drop of about 10 percent.

One of the Internet Storm Center’s network monitoring volunteers posited that the decrease was due to the large number of computers given as gifts this Christmas. The systems running Microsoft Windows XP will be using Service Pack 2, which also means the firewall will be on by default, adding an additional hurdle for bot herder looking to reclaim their drones.

“Many of the infected machines are turned off, the new shiny ones have not been infected, and the Internet is momentarily a safer place,” Marcus Sachs, director of the ISC, stated in a diary entry. “But like you said, give it a few weeks and we’ll be right back to where we started from.”

Number of bots drops 20% on Christmas Read More »

1/4 of all Internet computers part of a botnet?

From Nate Anderson’s “Vint Cerf: one quarter of all computers part of a botnet” (Ars Technica: 25 January 2007):

The BBC’s Tim Weber, who was in the audience of an Internet panel featuring Vint Cerf, Michael Dell, John Markoff of the New York Times, and Jon Zittrain of Oxford, came away most impressed by the botnet statistics. Cerf told his listeners that approximately 600 million computers are connected to the Internet, and that 150 million of them might be participants in a botnet—nearly all of them unwilling victims. Weber remarks that “in most cases the owners of these computers have not the slightest idea what their little beige friend in the study is up to.”

In September 2006, security research firm Arbor Networks announced that it was now seeing botnet-based denial of service attacks capable of generating an astonishing 10-20Gbps of junk data. The company notes that when major attacks of this sort began, ISPs often do exactly what the attacker wants them to do: take the target site offline.

1/4 of all Internet computers part of a botnet? Read More »

Prices for various services and software in the underground

From Tom Espiner’s “Cracking open the cybercrime economy” (CNET News: 14 December 2007):

“Over the years, the criminal elements, the ones who are making money, making millions out of all this online crime, are just getting stronger and stronger. I don’t think we are really winning this war.”

As director of antivirus research for F-Secure, you might expect Mikko Hypponen to overplay the seriousness of the situation. But according to the Finnish company, during 2007 the number of samples of malicious code on its database doubled, having taken 20 years to reach the size it was at the beginning of this year.

“From Trojan creation sites out of Germany and the Eastern bloc, you can purchase kits and support for malware in yearly contracts,” said [David Marcus, security research manager at McAfee Avert Labs]. “They present themselves as a cottage industry which sells tools or creation kits. It’s hard to tell if it’s a conspiracy or a bunch of autonomous individuals who are good at covering their tracks.”

Joe Telafici, director of operations at McAfee’s Avert Labs, said Storm is continuing to evolve. “We’ve seen periodic activity from Storm indicating that it is still actively being maintained. They have actually ripped out core pieces of functionality to modify the obfuscation mechanisms that weren’t working any more. Most people keep changing the wrapper until it gets by (security software)–these guys changed the functionality.”

Peter Gutmann, a security researcher at the University of Auckland, says in a report that malicious software via the affiliate model–in which someone pays others to infect users with spyware and Trojans–has become more prevalent in 2007.

The affiliate model was pioneered by the iframedollars.biz site in 2005, which paid Webmasters 6 cents per infected site. Since then, this has been extended to a “vast number of adware affiliates,” according to Gutmann. For example, one adware supplier pays 30 cents for each install in the United States, 20 cents in Canada, 10 cents in the United Kingdom, and 1 or 2 cents elsewhere.

Hackers also piggyback malicious software on legitimate software. According to Gutmann, versions of coolwebsearch co-install a mail zombie and a keystroke logger, while some peer-to-peer and file-sharing applications come with bundled adware and spyware.

In March, the price quoted on malware sites for the Gozi Trojan, which steals data and sends it to hackers in an encrypted form, was between $1,000 and $2,000 for the basic version. Buyers could purchase add-on services at varying prices starting at $20.

In the 2007 black economy, everything can be outsourced, according to Gutmann. A scammer can buy hosts for a phishing site, buy spam services to lure victims, buy drops to send the money to, and pay a cashier to cash out the accounts. …

Antidetection vendors sell services to malicious-software and botnet vendors, who sell stolen credit card data to middlemen. Those middlemen then sell that information to fraudsters who deal in stolen credit card data and pay a premium for verifiably active accounts. “The money seems to be in the middlemen,” Gutmann says.

One example of this is the Gozi Trojan. According to reports, the malware was available this summer as a service from iFrameBiz and stat482.com, who bought the Trojan from the HangUp team, a group of Russian hackers. The Trojan server was managed by 76service.com, and hosted by the Russian Business Network, which security vendors allege offered “bullet-proof” hosting for phishing sites and other illicit operations.

According to Gutmann, there are many independent malicious-software developers selling their wares online. Private releases can be tailored to individual clients, while vendors offer support services, often bundling antidetection. For example, the private edition of Hav-rat version 1.2, a Trojan written by hacker Havalito, is advertised as being completely undetectable by antivirus companies. If it does get detected then it will be replaced with a new copy that again is supposedly undetectable.

Hackers can buy denial-of-service attacks for $100 per day, while spammers can buy CDs with harvested e-mail addresses. Spammers can also send mail via spam brokers, handled via online forums such as specialham.com and spamforum.biz. In this environment, $1 buys 1,000 to 5,000 credits, while $1,000 buys 10,000 compromised PCs. Credit is deducted when the spam is accepted by the target mail server. The brokers handle spam distribution via open proxies, relays and compromised PCs, while the sending is usually done from the client’s PC using broker-provided software and control information.

Carders, who mainly deal in stolen credit card details, openly publish prices, or engage in private negotiations to decide the price, with some sources giving bulk discounts for larger purchases. The rate for credit card details is approximately $1 for all the details down to the Card Verification Value (CVV); $10 for details with CVV linked to a Social Security number; and $50 for a full bank account.

Prices for various services and software in the underground Read More »

Criminals working together to improve their tools

From Dan Goodin’s “Crimeware giants form botnet tag team” (The Register: 5 September 2008):

The Rock Phish gang – one of the net’s most notorious phishing outfits – has teamed up with another criminal heavyweight called Asprox in overhauling its network with state-of-the-art technology, according to researchers from RSA.

Over the past five months, Rock Phishers have painstakingly refurbished their infrastructure, introducing several sophisticated crimeware packages that get silently installed on the PCs of its victims. One of those programs makes infected machines part of a fast-flux botnet that adds reliability and resiliency to the Rock Phish network.

Based in Europe, the Rock Phish group is a criminal collective that has been targeting banks and other financial institutions since 2004. According to RSA, they are responsible for half of the worldwide phishing attacks and have siphoned tens of millions of dollars from individuals’ bank accounts. The group got its name from a now discontinued quirk in which the phishers used directory paths that contained the word “rock.”

The first sign the group was expanding operations came in April, when it introduced a trojan known alternately as Zeus or WSNPOEM, which steals sensitive financial information in transit from a victim’s machine to a bank. Shortly afterward, the gang added more crimeware, including a custom-made botnet client that was spread, among other means, using the Neosploit infection kit.

Soon, additional signs appeared pointing to a partnership between Rock Phishers and Asprox. Most notably, the command and control server for the custom Rock Phish crimeware had exactly the same directory structure of many of the Asprox servers, leading RSA researchers to believe Rock Phish and Asprox attacks were using at least one common server. …

RSA researchers also noticed that a decrease in phishing attacks hosted on Rock Phishers’ old servers coincided with never-before-seen phishing attacks used on the Asprox botnet.

In this case, Rock Phishers seem to be betting that the spoofed pages used in their phishing attacks will remain up longer using fast-flux technology from Asprox.

“It just shows that these guys know each other and are willing to provide services to each other,” said Joe Stewart, a researcher at SecureWorks who has spent years tracking Asprox and groups that use fast-flux botnets. “This goes on in the underground all the time.”

Criminals working together to improve their tools Read More »

Old botnets dead; new botnets coming

From Joel Hruska’s “Meet Son of Storm, Srizbi 2.0: next-gen botnets come online” (Ars Technica: 15 January 2009):

First the good news: SecureWorks reports that Storm is dead, Bobax/Kraken is moribund, and both Srizbi and Rustock were heavily damaged by the McColo takedown; Srizbi is now all but silent, while Rustock remains viable. That’s three significant botnets taken out and one damaged in a single year; cue (genuine) applause.

The bad news kicks in further down the page with a fresh list of botnets what need to be watched. Rustock and Mega-D (also known as Ozdok) are still alive and kicking, while newcomers Xarvester and Waledac could cause serious problems in 2009. Xarvester, according to Marshal may be an updated form of Srizbi; the two share a number of common features, including:

* HTTP command and control over nonstandard ports
* Encrypted template files contain several files needed for spamming
* Bots don’t need to do their own DNS lookups to send spam
* Config files have similar format and data
* Uploads Minidump crash file

Old botnets dead; new botnets coming Read More »