RSA Conference: Researchers Go Inside the Botnet Threat

Dell SecureWorks and Damballa discuss the role do-it-yourself kits and pay-per-install operations are playing in the growth of botnets on the Web.

Spam levels may have dropped, but botnets are still busy.

In fact, security researchers at this year's RSA Conference highlighted a mix of botnets both famous and unheard of that are growing on the strength of do-it-yourself kits and pay-per-install (PPI) systems.

Joe Stewart, director of malware research for Dell SecureWorks, reported that the most prolific spam botnet today is Rustock, which he estimates has 250,000 bots in its army. While in the past Rustock has periodically been overtaken by other botnets, it has pulled away because of the author's continued development to the botnet's codebase. Among its tactics: not mapping hostnames associated with the Rustock HTTP communication directly to the IP address of a Rustock controller, and having Rustock control servers run a TOR exit node to avoid disconnection by network administrators.

"It has probably the most thought and development, stealth, obfuscation [and] evasion built in to what it's doing, and it's evolved these things over the past few years," he said.

But while Rustock has the name and the fame, there are other botnets many people may not have heard of that have sneakily built up armies of bots by piggybacking on the growth of other malware. An example of this can be found with Lethic, which Stewart estimates has 75,000 bots. Lethic has been seen lately being installed by another bot known as "Butterfly," or "Bfbot." Bfbot botnets have been seen installing other spam Trojans as well, making the specific Bfbot system part of a growing ecosystem of pay-per-install operations.

Festi represents another example of this phenomenon, and according to Stewart claims an estimated 60,000 bots. Festi is seeded by a pay-per-install system known as Virut, which has allowed Festi to reverse its fortunes. In years past, the botnet was near the bottom of Dell SecureWorks' list of spamming operations, Stewart said.

"Virut is a file infector," he said. "It will spread from PC to PC through infected executables, and it's pretty hard to kill. ... When something's delivered by Virut, you see a lot of infections from it because it is so widespread."

Damballa's list (PDF) of the top 10 botnets was much different from Dell SecureWorks' list, and classified the majority of them as "utility botnets"-meaning they can perform any function the botnet operator wishes.

"This has been the trend for quite some time," said Gunter Ollmann, vice president of research at Damballa. "A typical timeline for botnet victim machines has them initially being infiltrated and all easily salable information is copied ... which is followed by standard keylogging and Web scraping in order to steal and infiltrate bank accounts, etc. The botnet operator then has enough information about the computer and user(s) of the compromised device to decide on whether they can launch more sophisticated attacks or sell/rent the victim to another operator."

The prevalence of improved do-it-yourself kits and associated exploit packs led to the growth of previously unknown botnets, according to Damballa. For example, the RudeWarlockMob, FreakySpiderCartel, FourLakeRiders, WickedRockMonsters and OneStreetTroop all built their botnets based on popular construction kits, and often modified them throughout 2010 as their infection campaigns and fraud objectives changed, the company found.

"Of the top three, the ZeusBotnetB is most closely affiliated with DIY kits-and the operators behind that botnet have been using that kit throughout 2010," Ollmann said. "The RogueAVBotnet (2nd place) includes many different families of malware-but all are customized for inclusion within their Fake AV executables."

When it comes to cleaning machines in the enterprise, the prevalence of pay-per-install operations and exploit kits means organizations need to have a robust process in place for reformatting computers after they have been compromised, Stewart said.

"How many other things, if you know that a system is compromised ... got on there that same time with all these PPI systems. ... There's so many rootkits out there that are so advanced, and so well hidden, that you're just taking too big of a risk in my opinion," he said.