Criminals are increasingly using DIY crimeware kits such as Zeus and Neosploit to push out botnet-building malicious malware, but SpyEye was the real king in the first half of 2011.
Cyber-criminals may be
employing new tactics and technology to execute their online campaigns, but
botnets remain lucrative and effective, according to a report from Damballa.
New botnets emerged in the
first half of 2011 and were more active than older botnets, Damballa
researchers found in its Threat Report for the first half of 2011. The
criminals were also operating much smaller networks of infected machines,
according to the report, released Sept. 7.
Criminals are increasingly
using do-it-yourself crimeware construction kits and exploit packs to power
their malicious operations, Damballa found. Eight out of the top 10 botnet
operators used off-the-shelf kits and modified the code or added new kits as
the campaigns evolved, the report found. The "nearly
indestructible" TDL/TDSS botnet
and the one based on the Eleonore
malware family were the only ones on the top 10 list not using DIY kits.
continue to hone their craft in 2011 using crimeware that can be repurposed for
multiple fraud opportunities, sold or leased to other criminals," said
Gunter Ollmann, vice president of research for Damballa.
While botnet operators
"die," new ones are always being "born." Damballa found 67
more operators "set up shop" than went offline in the first half of
2011, meaning there were more botnets operating during that period than at the
end of 2010. The ones that went offline often did so because of consolidation
between various networks as an operator took over command-and-control for other
Despite the excitement over
this spring, "takedowns
tend to represent an insignificant percentage of the actual number of operators
," the report found.
Of the 10 largest botnets in
the first six months of 2011, only three of them were on the list in 2010,
Damballa said. OneStreetTroup, a botnet based on SpyEye crimeware, barely made
the list in December at No. 10. Six months later, it had shot up to the top of the
list and ranked No. 1 as the largest botnet observed during the period.
RudeWarlockMob (the TDL/TDSS
botnet) and FreakySpiderCartel (a botnet that pushed out fake antivirus
software) both slid down one position to rank No. 2 and No. 3 respectively. All
remaining botnets on the list, including the ones based on the Neosploit and
Eleonore kits, Zeus Trojan, Gbot worm and Virut file infectors, either
were first detected or grew dramatically during the first half of the year to
appear among the top 10 for the first time.
Damballa was not surprised
that OneStreetTroop, the botnet based on the SpyEye toolkit became so prominent
in the first half of the year. The integration of
Zeus source code into SpyEye
"combined the best of both crimeware
development kits into a single commercial package," making it more
powerful and capable than ever, the researchers wrote. The fact that a cracked
version of the SpyEye kit
is now readily available means there will be
"widespread adoption" of SpyEye in 2011 to launch additional
campaigns designed for fraud, according to the report.
The top three botnets
together accounted for about 25 percent of the infected population while the
entire top 10 botnets accounted for approximately 56 percent of all botnet
compromised victims, Damballa said. The top 10 list accounted for only 47
percent in 2010.
While large botnets
"get all the attention and notoriety," the majority of bot operators
are managing smaller networks, Damballa found. The number of operators managing
botnets with between 100 and 1,000 infected machines was more than double the
number of operators managing networks with over 1,000 victims, the report
The first half of 2011
"picks up where 2010 left off," the researchers wrote.