Net Infestation Continues to Spread

By Matthew Hines  |  Posted 2009-09-17 Print this article Print

Security researchers with Trend Micro have released the results of a new study that paints a dire picture in terms of the continued spread of online malware, resulting in incredibly high numbers of endpoints ending up infected with botnet programs or some other form of unwanted or nefarious programs.

Trend's study maintains that not only are there more machines than ever before contracting infections, but that the malware programs harbored by the devices are hanging around for longer periods of time before being somehow wiped out.

To arrive at its conclusions Trend looked into patterns of behavior exhibited by the infected IP addresses that it has located, versus devices themselves, but that would seem a pretty worthy source of generalized metrics anyway.

And as the researchers point out, since the study involved IPs, and not devices themselves, it's fair to assume that many of the locales actually involved multiple infected devices, so, the actual percentage of malware-ridden endpoints is likely a good deal higher than the reported results.

While some previous studies have estimated that compromised machines remain tainted for an average of 6 weeks before getting cleansed, Trend's study of roughly 100 million infected IP addresses found that some 50 percent of the connected devices stayed dirty for at least 300 days. Yup, that's almost one whole year.

Looking at the same devices over the course of one calendar month, about 80 percent remained somehow infected, the researchers found. That's impressive.

Broken down by the nature of the owners of the involved addresses, 75 percent of the infected IPs belonged to consumers, which is not entirely surprising as individuals mainly have to fend for themselves when it comes to security. But, the other 25 percent were controlled by enterprises, meaning that large numbers of organizations continue to struggle to get rid of malware infections despite having people on hand to manage the issue.

Botnets remain one of the biggest catalysts feeding the problem, with Koobface, Zeus and Clampi leading the way, according to TrendLabs. And the biggest botnets are growing to previously unforeseen heights, encompassing loads of distributed computing power, the company said.

"Overall, botnets control more compromised machines than had been previously believed," the experts noted in a blog post. "Only a handful of criminals have more than 100 million computers under their control. This means that cybercriminals have more computing power at their disposal than the entire world's supercomputers combined. It's no wonder then that more than 90 percent of all e-mail worldwide is now spam."

Using the example of the Koobface botnet, which has used a number of social networks to help spread itself, Trend reported that roughly 50,000 devices are involved in the zombie network at any given time, which actually seems on the low side to me.

However, the people controlling the attack have been able to enable it with a high level of resiliency against potential takedown as they continually shift command and control centers, the company said. Between mid-March and mid-August 2009, Trend said that it observed 46 different Koobface C&C domains.

And in the case of the Clampi/Ilomo botnet, close to 70 different C&Cs were unearthed.

So in summary, a select class of extremely empowered cyber-criminals is likely controlling much of the malicious activity in a top-down fashion, moving their assets around as need be. We've known for a while, with the emergence of fast flux techniques and the like, that botnet masters were faring pretty well in terms of growing their networks whenever they feel like it.

But contrary to the perception that they're doing so because they continue to see large swaths of their zombie armies wiped out by security programs, it appears that they've been able to build a pretty sturdy level of sustainability into their infection patterns.

It's botnet industry evolution before our eyes.

Follow eWeek Security Watch on Twitter at: eWeekSecWatch.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to |

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel