Back to Page 1: The Top 10 Botnet Events of 2010

5. Grumbot: Grumbot (aka Tedroo) is an extremely prolific botnet that tends to focus on sending Canadian pharmaceutical spam. After chugging along steadily throughout 2009, Grum message lengths suddenly decreased in early 2010, enabling per-bot message rates to spike roughly 50 percent. By March, Grumbots were reportedly cranking out over one quarter of all world-wide spam. One year later, Grum’s share of the pie has fallen to 12 percent – but only because other botnets have surged.

4. Lethic: Like Pushdo, Lethic has been slowed but not stopped by community efforts to dismantle this unusually fast botnet. Lethic C&C servers relay spam through an estimated 200-300K bots, which churn out copies at very high rates (12 to 60K per hour per bot). A Lethic C&C server take-down was organized by Neustar in January 2010, stopping roughly 10 percent of worldwide spam at that time. But by February, new C&C servers had appeared, ramping Lethic back up to a whopping 56 percent of all spam sent during 2Q10. Although the proportion of global spam represented by Lethic has since dropped, it continues to rank at or near the top of spambot lists (last week 22.5 percent).

3. Koobface: Given the profits at stake, botnet operators are highly motivated to adapt. Take Koobface, the botnet born by exploiting users of social networks like Facebook, Friendster, MySpace, and Twitter. According to Information Warfare Monitor, Koobface operators also used pay-per-click (PPC) and pay-per-install (PPI) affiliate programs to make $2M over a one year period. Using URL redirection and fast flux DNS, Koobface earned its keep by presenting ads and selling fake AV programs. To keep investigators at bay, operators blocked their probes using IP blacklists, monitored malicious URL lists, abused short URLs in Twitter, and learned to bypass CAPTCHA. In short, Koobface demonstrated how creative criminals can turn defenses into evasion techniques.

2. Rustock: Occasionally, even spambots need a vacation. Or so it seems for Rustock, which until mid-December consistently sent about 46 billion spams per day (up to 25K per hour per bot). Rustock is notoriously resistant to anti-malware, using rootkit techniques and TLS-encrypted HTTP to stubbornly evade detection. As a result, researchers were surprised to see Rustock spam halt on December 25th. But two weeks later, the botnet sprang back, doubling world-wide spam rates which had dropped to a two-year low during Rustock’s hiatus. But why did Rustock take a holiday break? One factor may have been business disruption caused by the September closure of SpamIt.org and its affiliate payment program.

1. Stuxnet: Perhaps the single most sobering botnet event of 2010 was Stuxnet. According to a Symantec report, Stuxnet is highly-targeted weaponized malware that appears to have been injected into Iranian power plants over a 10 month period, from 5 identified vectors through infected USB drives. Detected in July 2010, Stuxnet exploited zero-day vulnerabilities in Windows and SCADA software to infect and spread among industrial control systems, organizing into a botnet of peripherals that were ready to spring into attack mode under command of a clearly-defined C&C. In short, Stuxnet is noteworthy not because of its size or speed, but because it raises the stakes. Clearly, botnets aren’t just about pesky spam or spreading fake AV or even massive identity thefts. Botnets are a means to many ends – in this case, with potentially devastating fallout.

What can we learn from last year’s botnet events? World-wide spam rates visibly plummeted with major take-downs, suggesting that eradicating just a few big players could have very significant impact. But recoveries also showed that it is not enough to disable just a portion of each botnet’s C&C infrastructure. Crime organizations profiting from botnets must be apprehended as well, and bot infections must be cleaned – or better yet blocked in the first place.

Finally, botnet writers and operators have continued to refine their craft. According to Cisco’s 2010 Annual Security Report, the average botnet is significantly smaller than 12 months ago, but this may not be good news. “For cybercriminals, how many botnets you have in operation, and their size, are no longer important,” said Seth Hanford, Intelligence Operations team lead at Cisco. “It’s what you can do with them.” From Zeus to Koobface to Stuxnet, 2010 offered many illustrations of this point.

Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. A 29-year industry veteran, Lisa enjoys helping companies large and small to assess, mitigate, and prevent Internet security threats through sound policies, effective technologies, best practices, and user education.

