Categories: SecurityWorkspace

Inside The Botnet Threat Highlight At RSA

Spam levels may have dropped, but botnets are still busy.

In fact, security researchers at this year’s RSA Conference highlighted a mix of botnets both famous and unheard of that are growing on the strength of do-it-yourself kits and pay-per-install (PPI) systems.

Joe Stewart, director of malware research for Dell SecureWorks, reported that the most prolific spam botnet today is Rustock, which he estimates has 250,000 bots in its army.

Rustock’s Continued Development

While in the past Rustock has periodically been overtaken by other botnets, it has pulled away because of the author’s continued development to the botnet’s codebase.

Among its tactics: not mapping hostnames associated with the Rustock HTTP communication directly to the IP address of a Rustock controller, and having Rustock control servers run a TOR exit node to avoid disconnection by network administrators.

“It has probably the most I guess thought and development, stealth, obfuscation (and) evasion built-in to what it’s doing, and it’s evolved these things over the past few years,” he said.

But while Rustock has the name and the fame, there are other botnets many people may not have heard of that have sneakily built up armies of bots by piggybacking on the growth of other malware. An example of this can be found with Lethic, which Stewart estimates has 75,000 bots. Lethic has been seen lately being installed by another bot known as ‘Butterfly’, or ‘Bfbot’. Bfbot botnets have been seen installing other spam Trojans as well, making the specific Bfbot system part of a growing ecosystem of pay-per-install operations.

Festi represents another example of this phenomenon, and according to Stewart claims an estimated 60,000 bots. Festi is seeded by a pay-per-install system known as Virut, which has allowed Festi to reverse its fortunes. In years past, the botnet was near the bottom of Dell SecureWorks’ list of spamming operations, Stewart said.

“Virut is a file infector,” he said. “It will spread from PC to PC through infected executables, and it’s pretty hard to killwhen something’s delivered by Virut you see a lot of infections from it because it is so widespread.”

Damballa’s list (PDF) of the top 10 botnets was much different than Dell SecureWorks’ list, and classified the majority of them as “utility botnets” – meaning they can perform any function the botnet operator wishes.

“This has been the trend for quite some time,” said Gunter Ollmann, vice president of research at Damballa. “A typical timeline for botnet victim machines has them initially being infiltrated and all easily saleable information is copiedwhich is followed by standard key logging and Web scraping in order to steal and infiltrate bank accounts etc. The botnet operator then has enough information about the computer and user(s) of the compromised device to decide on whether they can launch more sophisticated attacks or sell/rent the victim to another operator.”

The prevalence of improved do-it-yourself kits and associated exploit packs led to the growth of previously unknown botnets, according to Damballa. For example, the RudeWarlockMob, FreakySpiderCartel, FourLakeRiders, WickedRockMonsters and OneStreetTroop all built their botnets based on popular construction kits, and often modified them throughout 2010 as their infection campaigns and fraud objectives changed, the company found.

“Of the top three, the ZeusBotnetB is most closely affiliated with DIY kits – and the operators behind that botnet have been using that kit throughout 2010,” Ollmann said. “The RogueAVBotnet (2nd place) includes many different families of malware – but all are customised for inclusion within their Fake AV executables.”

When it comes to cleaning machines in the enterprise, the prevalence of pay-per-install operations and exploit kits means organisations need to have a robust process in place for re-formatting computers after they have been compromised, Stewart said.

“How many other things, if you know that a system is compromised, how many other things got on there that same time with all these PPI systemsThere’s so many rootkits out there that are so advanced, and so well hidden, that you’re just taking too big of a risk in my opinion,” he said.

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

Recent Posts

Australia Rejects Elon Musk Claim About Social Media Ban For Under-16s

Government minister flatly rejects Elon Musk's “unsurprising” allegation that Australian government seeks control of Internet…

1 hour ago

Northvolt Files For Bankruptcy Protection In US

Northvolt files for Chapter 11 bankruptcy protection in the United States, and CEO and co-founder…

3 hours ago

UK’s CMA Readies Cloud Sector “Behavioural” Remedies – Report

Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector

18 hours ago

Former Policy Boss At X Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

21 hours ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

22 hours ago

FTX Co-Founder Gary Wang Spared Prison

Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…

23 hours ago