By Ryan Naraine  |  Posted 2005-06-04 Print this article Print

Thor Larholm, senior security researcher at PivX Solutions LLC, said theres enough evidence that the sophisticated botnet activity is highly organized by small groups of skilled hackers. "Over the last year or so, weve seen how easy these guys have created these armies of zombie machines. We believe there are less than 200 people controlling 95 percent of all the botnets out there."

Click here to read about Sasser, the last big network worm.
Larholm said the botnet owners have shied away from using major network worms and have instead turned to very small attacks. "Were not seeing the Slammer and Sasser attacks anymore. Were now seeing these virus variants infecting just 20 or 30 machines. The attacks are smaller and the botnets are smaller, and that allows them to stay under the radar," he said.

Both Thompson and Larholm said they see a direct connection between the botnets-for-rent and the adware/spyware scourge. "Botnets are not just for spamming anymore. They are being rented to install spyware," Larholm said.

He said the complicated affiliate schemes that pay commissions based on spyware installs have created a lucrative market for botnet controllers.

Computer Associates Thompson agreed. "I think that the adware component is becoming clearer, particularly on the bigger botnets. Whenever someone yells at the adware providers, they blame the affiliates. Well, thats the problem. The affiliates are using criminal means to install spyware, and these botnets are a key part of the puzzle."

Andrew Jaquith, security analyst at Yankee Group Research Inc., said the notion of purchasing the use of botnets, or zombie grids, is well-known in the industry. "Theres a sharp uptake in the amount of spam being generated by these zombies. Its pretty well-organized," Jaquith said.

"I see this particular malware cocktail as being more evolutionary than revolutionary. The so-called blended threat that it represents is just a combination of existing techniques, updated and tweaked," Jaquith added.

He said he had independent information that zombies are rented out for illegal use and said Computer Associates assertion of a 5 cents-per-machine market price is quite eye-opening.

"Whats interesting about the general trend in malware such as this is that the goal is not to do damage on the victims system per se, but to enlist it in the attackers zombie network," Jaquith said. "Its more useful to the bad guys to leave their targets alive. All Grannys going to notice is that her computer is running slowly while, unbeknownst to her, its blasting out spam or assisting in a denial-of-service attack."

Even worse, CAs Thompson said, "I think the bad guys are in danger of winning."

"Here we have people who understand how anti-virus works and are smart enough to release multiple approaches to get the seeds through. This wasnt your usual mass-mailer," Thompson said.

Shane Coursen, senior technology consultant at Kaspersky Lab, said CAs theory of a small band of organized criminals is very credible. "Were seeing all kinds of coordination and communication between Trojans, botnets and virus writers."

In an interview, Coursen said theres a massive race among malicious hackers to build and control massive botnets. "Its a very lucrative business, so this is not a surprise at all."


With the rapid proliferation of new types of virus, Trojan and worm attacks, PC users are urged to be strict about following security guidance.

This includes never opening and executing file attachments from unknown sources. Even if the source of the attachment is known, a good rule of thumb is to double check with the sender to make sure it is a legitimate file.

Microsoft Corp. offers detailed information on how to protect against viruses. These include applying security patches in a timely manner and using an Internet firewall. For computers running Windows XP SP2 (Service Pack 2), Microsoft suggests turning on automatic updates and using the Windows Firewall that is enabled by default.

It is also important to subscribe to industry standard anti-virus software and to keep updates current.

Microsoft also offers free clean-up tools, including a malicious software removal tool and an anti-spyware application.

Symantec Corp. also provides a free removal tool for the Bagel virus and its variants.

Editors Note: This story was updated to include instructions regarding protection and disinfection. Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.


Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel