Dell SecureWorks and Damballa discuss the role do-it-yourself kits and pay-per-install operations are playing in the growth of botnets on the Web.
have dropped, but botnets are still busy.
In fact, security researchers at this year's RSA
Conference highlighted a mix of botnets both famous and unheard of that are
growing on the strength of do-it-yourself
and pay-per-install (PPI) systems.
Joe Stewart, director of malware research for Dell SecureWorks, reported
that the most prolific spam botnet today is Rustock, which he estimates has
250,000 bots in its army. While in the past Rustock has periodically been
overtaken by other botnets, it has pulled away because of the author's
continued development to the botnet's codebase. Among its tactics: not mapping
hostnames associated with the Rustock HTTP communication directly to the IP
address of a Rustock controller, and having Rustock control servers run a TOR
exit node to avoid disconnection by network administrators.
"It has probably the most thought and development, stealth, obfuscation
[and] evasion built in to what it's doing, and it's evolved these things over
the past few years," he said.
But while Rustock has the name and the fame, there are other botnets many
people may not have heard of that have sneakily built up armies of bots by
piggybacking on the growth of other malware. An example of this can be found
with Lethic, which Stewart estimates has 75,000 bots. Lethic has been seen
lately being installed by another bot known as "Butterfly," or "Bfbot."
Bfbot botnets have been seen installing other spam Trojans as well, making the
specific Bfbot system part of a growing ecosystem of pay-per-install
Festi represents another example of this phenomenon, and according to
Stewart claims an estimated 60,000 bots. Festi is seeded by a
pay-per-install system known as Virut, which has allowed Festi to reverse its
fortunes. In years past, the botnet was near the bottom of
Dell SecureWorks' list of spamming operations, Stewart said.
"Virut is a file infector," he said. "It will spread from PC
to PC through infected executables, and it's pretty hard to kill. ... When
something's delivered by Virut, you see a lot of infections from it because it
is so widespread."
(PDF) of the top 10 botnets was much different from Dell SecureWorks'
list, and classified the majority of them as "utility botnets"-meaning
they can perform any function the botnet operator wishes.
"This has been the trend for quite some time," said Gunter
Ollmann, vice president of research at Damballa. "A typical timeline for botnet
has them initially being infiltrated and all easily salable
information is copied ... which is followed by standard keylogging and Web
scraping in order to steal and infiltrate bank accounts, etc. The botnet
operator then has enough information about the computer and user(s) of the
compromised device to decide on whether they can launch more sophisticated
attacks or sell/rent the victim to another operator."
The prevalence of improved do-it-yourself kits and associated exploit packs
led to the growth of previously unknown botnets, according to Damballa. For
example, the RudeWarlockMob, FreakySpiderCartel, FourLakeRiders, WickedRockMonsters
and OneStreetTroop all built their botnets based on popular construction kits,
and often modified them throughout 2010 as their infection campaigns and fraud
objectives changed, the company found.
"Of the top three, the ZeusBotnetB is most closely affiliated with DIY
kits-and the operators behind that botnet have been using that kit throughout
2010," Ollmann said. "The RogueAVBotnet (2nd place) includes many
different families of malware-but all are customized for inclusion within their
Fake AV executables."
When it comes to cleaning machines in the enterprise, the prevalence of
pay-per-install operations and exploit kits means organizations need to have a
robust process in place for reformatting computers after they have been
compromised, Stewart said.
"How many other things, if you know that a system is compromised ... got
on there that same time with all these PPI systems. ... There's so many rootkits
out there that are so advanced, and so well hidden, that you're just taking too
big of a risk in my opinion," he said.