Finjan Reveals 1.9 Million-Strong Botnet at RSA | eWeek

Written By
Brian Prince
Apr 22, 2009

Researchers at Finjan have uncovered a massive botnet controlling some 1.9 million zombie computers.

The security vendor disclosed the discovery at the RSA Conference in San Francisco. According to reports, the nearly two million bots include machines in 77 government domains in the U.S., U.K. and other countries.

The size of the network would make it possibly the largest botnet under the control of cyber-thieves. Some 45 percent of the IP addresses under the control of the network are located in the U.S., compared to six percent in the U.K., three percent in France and four percent in Canada and Germany. The geo-location of 38 percent of the IP addresses could not be determined.

“We found that the botnet’s command and control server is hosted in Ukraine,” according to a post on Finjan’s blog. “The server has a nice backend management application making it easy for the attackers to manage the infected machines…overall, the cybergang can remotely execute anything it likes on the infected computers.”

Once a machine is infected, the attackers typically download additional malware to the victim’s computer without the user’s consent. Some of the downloaded files that were identified include SENEKA(removed).DLL and Zch(Removed).exe. The files can read e-mail addresses and other details from the infected computer, communicate with other computers using the HTTP protocol, visit Websites without the end user’s consent and carry out a few dozen other commands.

The role of such networks in spam campaigns and schemes such as the sale of rogue anti-virus has been well documented. In a separate paper, researchers from Marshal8e6’s TRACElabs determined the Rustock and Xarvester botnets were responsible for sending 600,000 spam messages each over a 24-hour period.

According to reports, Finjan has shared information about the network with the law enforcement and intelligence community.
