According to the ShadowServer Foundation, a group sharing information about botnet activity, the number of identified botnets, which started to take off about half a dozen years ago, has grown from about 1,500 two years ago to 3,500 today.
So far the botnet-directed attacks against the United States and South Korea, believed carried out through hidden manipulation of about 50,000 compromised computers using an updated version of an old virus, MyDoom, have done no lasting harm to the many Web sites struck, although several American government departments, including the Federal Trade Commission and Department of Transportation suffered outages, while FTC.gov still is struggling, according to Keynote Systems, which measures and monitors Web site use. And the DDoS botnet episode is ongoing, with more hits expected on South Korean banks and a newspaper, says South Korean antivirus firm AhnLab, which analyzed malware samples associated with the attacks.
It’s not just DDoS attacks that are associated with botnets. Botnets are usually specialized, designed for criminal tasks that range from spam distribution; stealing identity credentials such as passwords, bank account data or credit cards and keylogging; click fraud; and warez (stealing intellectual property or obtaining pirated software).
“There’s usually a primary purpose to a botnet,” says Jose Nazario, manager of security research at Arbor Networks. “There are turf wars out there as criminals are vying for the desktop. They try to kick each other off.”
Although botnets come and go, the more successful ones have endured for years as large command-and-control systems operated by shadowy groups that have taken over hundreds of thousands of desktops and sometimes servers.
These botnets are bequeathed names — usually quirky ones — by researchers probing them, with the first to identify a new botnet typically getting to name it.
Gammima (gaming password stealer), Conficker (fake antivirus) and Zeus (information stealer), are among what are believed to be the largest, according to security firm Damballa.
But sizing botnets up in terms of actual numbers of compromised computers, under their control as bots (sometimes called “drones”) is tough, many experts say.
That’s because these numerical counts, typically based on detected numbers of infected machines, are often based on IP addresses where numbers are influenced up or down by network technologies such as network-address translation. And there’s constant change.
The irony of Conficker, which has infected an estimated 1 million to 10 million machines and has made attempts to sell fake antivirus to its victims, is that it remains so quiet.
“It’s one of the largest botnets out there but currently it’s doing nothing,” says Nazario, who believes Conficker has infected about five million Windows-based computers.
The easiest type of botnet to count seems to be the spam botnets. According to Symantec’s MessageLabs division, the top botnet in June was one called Cutwail, which generated more than 45 per cent of all spam worldwide through a botnet controlling about 1.4 million to 2.1 million compromised computers at any time.
But the Federal Trade Commission’s shutdown last month of Web hosting firm Pricewert, accused of illegal activities involving botnets and child porn (which Pricewert denies) has disrupted the Cutwail botnet, says Matt Sergeant, chief antispam technologist at MessageLabs.
Cutwail, which exists as two distinct malware versions “is not currently No. 1 anymore,” Sergeant says. He predicts that by the end of July, it’s likely the No. 2 botnet, Rustock, which had only controlled 4.5 per cent of the world’s spam, will jump to about 50 per cent of spam, with Cutwail knocked down, though struggling for a comeback.
The buyers of spam services in the underground economy appear to be switching from Cutwail to Rustock, Sergeant suspects. Both botnets have existed for several years, with their master controllers suspected to be in Ukraine or Russian-speaking countries. Several other researchers see strong ties to Ukraine and Russia in general for all manner of botnets.
Nazario and Sergeant both say prosecuting illegal botnet activity is very difficult across the jurisdictional boundaries of different countries, though they credit the Federal Bureau of Investigation with determined law-enforcement efforts on this front today.
One of the most dangerous botnets out there, by many accounts, is Torpig, which is designed to steal identity credentials, credit cards, bank account and PayPal information, and more.
“It’s very sophisticated, hiding on your machine with a rootkit to survive,” says Joe Stewart, director of malware research at SecureWorks. “It will silently sit there in the system and grab bank account log-in and silently send them out of your machine.”
Infiltrating the Torpig botnet to find out exactly what it was doing was the mission undertaken earlier this year by eight researchers at the University of California, Santa Barbara, in the Department of Computer Science’s security group. They set up a server in an undisclosed location and simply waited for Torpig to find it, based on an analysis of Torpig malware.
“We knew in advance what were the sequence of addresses they would visit so we just waited,” says Giovanni Vigna, the UC Santa Barbara computer science professor who teamed with staff and graduate students to bust into Torpig.
Last month they published the eye-popping account of what happened in the 10 days before they were dropped from Torpig, apparently because its operators discovered the infiltration.
The report, “Your Botnet is My Botnet: Analysis of a Botnet Takeover,” details how the Torpig botnet was seen to have made more than 180,000 infections on victim’s machines and recorded 70 GB of data collected by the bots in just 10 days.
Torpig obtained the credentials of 8,310 accounts at 410 different institutions. The top targeted were PayPal, Poste Italiane, Capital One, E*Trade and Chase. About 38 per cent of the credentials stolen by Torpig were obtained from the password manager of browsers, rather than by intercepting an actual log-in session, according to the report. Torpig also collected 1,660 unique credit and debit cards, prominently Visa, MasterCard and American Express, with 49 per cent of the victims thought to be in the United States. Torpig in those 10 days was seen to grab 297,962 unique credentials from 52,540 different Torpig-infected machines, with the top Web account credentials identified for Google, Facebook, MySpace, netlog.com, libero.IT, Yahoo, nasza-klasa.pl, alice.it, live.com and hi5.com.
The UC Santa Barbara researchers also observed traffic that suggested individuals thought infections were cleaned up when they weren’t.
The main means of infection with Torpig comes from drive-by downloads from legitimate Web sites that have become compromised with malware by attackers, or occasionally attack sites set up for the purpose.
The effect of the drive-by download is “it modifies your browser so it becomes different,” Vigna says. When you next visit your banking Web site, the Torpig-infected desktop displays a fake Web page that tricks the victim into entering his banking password and log-in, for example. Torpig then has it and sends it off to the Torpig operators.
The UC Santa Barbara researchers suspect Torpig is a “malware service” accessible to third parties for a fee.
Vigna says the researchers never discovered who runs Torpig, but did share data with the FBI. UC Santa Barbara was assisted in the Torpig infiltration project by funding from the National Science Foundation, which is supporting a five-year effort to explore the underground economy.
The Torpig botnet suggests a pattern of cooperation between attackers compromising Web sites with malware that directly helps those operating Torpig gain more victims, and it’s a trend that likely extends beyond Torpig.
“One of the biggest things we’ve seen is the dramatic shift to the Web browser,” Nazario says about the problem of drive-by downloads. Like other researchers, Nazario says botnets mainly exploit Windows-based machines. “It has become the biggest door into the PC.” Users have to stay up to date with patching and benefit from using the latest version of browsers.