Coreflood: April 2011
Rustock: March 2011
U.S. Marshals seized servers located at five hosting providers in seven U.S. cities—Denver; Scranton, Pa.; Kansas City, Mo.; Dallas; Chicago; Seattle; and Columbus, Ohio—to shut down Rustock, which at one point was singlehandedly pumping out nearly half of the world’s spam. Microsoft also blocked the IP addresses controlling the botnet as part of the March 16 takedown.
Bredolab: October 2010
The Dutch National Crime Squad’s High Tech Crime Team seized 143 C&C servers controlling Bredolab and arrested the person running the operation Oct. 26, 2010. However, Blue Coat’s malware lab continues to see new samples of Bredolab malware, suggesting the botnet is “still running strong, just in a different form,” Cummins said. Since Bredolab was sold as an online kit, new networks could emerge with the same behavior and characteristics as the old one.
Cutwail/Pushdo: August 2010
Waledac: February 2010
A Virginia federal judge issued a temporary restraining order that authorized Microsoft to cut off 277 Internet domains associated with Waledac on Feb. 22, 2010. However, Blue Coat researchers still intercept 80,000 to 150,000 requests resembling the original Waledac C&C traffic. There’s speculation that Waledac 2.0 and Kelihos are the same botnet.
Harnig/Piptea: March 2011
FireEye’s researchers noticed that C&C servers belonging to Harnig stopped responding shortly after Rustock was taken offline, suggesting a relationship between the two botnets. Although there has been no Harnig-related activity for some time, the servers remain under their owners’ control, so a resurrection is still possible.
Mariposa: March 2010
Security firms Defense Intelligence and Panda Security collaborated to shut down Mariposa in December 2009, and Spanish police arrested three men who ran the botnet in March 2010. One of the largest malware botnets in operation at the time, it stole bank account details and log-in credentials, and used enslaved PCs to launch denial-of-service attacks.
Zeus/SpyEye is a little unusual. While a few Zbot networks have been taken offline, it continues to proliferate because it is available on underground markets as a crimeware kit that anyone can use to create their own botnet, said Richard Wang, manager of Sophos Labs. “The takedowns of individual Zeus botnets are less significant,” said Wang.
Win32/Swizzor: February 2011
Like Harnig, Swizzor appears to have ceased operations on its own. ESET’s researchers detected a decline in Win32/Swizzor infections and found that the botnet had stopped distributing new malware in February. Win32/Swizzor evaded detection through highly obfuscated code, frequent updates and anti-emulation tricks. It’s not known why Swizzor’s operators shut down.
The botnet is presumed long dead after the FBI arrested mastermind Oleg Nikolaenko on Dec. 2, 2010. The spam operation netted Nikolaenko $465,000 during a six-month period, authorities said.