Botnets – herds of compromised PCs used to conduct high-volume cybercrimes under the direction of Command and Control (C&C) server – had another banner year last year. Despite successful C&C takedowns and ringleader arrests, botnets continue to be responsible for nearly 90 percent of spam. According to M86 Security Labs, most of this troublesome traffic originates from a small handful of botnets that evolve constantly to survive and thrive. To understand the world-wide war against botnets, let’s look at some of the battles won and lost in 2010.

10. Waledac: This prolific descendent of the infamous Storm botnet used social engineering scams such as e-cards and coupons to enlist an estimated 90K hosts before being whacked. By February 2010, Waledac bots were spewing out 1.5 million spam emails per day – up to 7K per hour per bot – by following encrypted C&C instructions, including files hidden inside JPGs. Through back-channel analysis, researchers managed to identify and obtain a court order taking down 277 C&C server domain names, which were subsequently transferred to Microsoft. This action dealt a heavy blow to Waledac, but a few survivors continue to churn out spam, possibly coordinated via P2P in lieu of C&C server direction.

9. Mariposa: Some botnets fight back. Take Mariposa, composed of up to 12 million hosts infected over P2P, MSN, and USB channels. Powered by the Butterfly bot, Mariposa spent about a year harvesting identities and credentials from hacked PCs and being rented by third parties for a variety of cybercrime campaigns. In December 2009, the Mariposa Working Group (lead by Defence Intelligence) commandeered Mariposa’s C&C servers. But Mariposa’s operators soon regained control, countering with a DoS attack against Defence Intelligence. This battle ended when three suspected operators were arrested in Spain last February. The bot’s alleged creator was finally apprehended in Slovenia in July, driving another nail into Mariposa’s coffin.

8. Zeus: Botnets often serve as a springboard for organized crime. Zeus (a.k.a. Kneber) is a perfect example. This on-line banking trojan was spread by phishing email and drive-by downloads over a period of three years, infesting millions of PCs, herded into hundreds of botnets. According to officials, banking credentials stolen from Zeus victims were used to initiate fraudulent transfers to “money mules” who were paid to route stolen funds back to organizers. In October 2010, the FBI announced that one large international crime network had used Zeus to steal $70M from victim accounts, leading to 60 arrests in the US, 19 in the UK, and others in the Ukraine.

7. Bredolab: Nearly half of all malware delivered by spam during 1H10 carried Bredo. This trojan often arrives with phishing messages that pose as money orders or failed delivery notices. Once executed, Bredo not only establishes C&C contact but attempts to recruit more bots. Last August, Dutch hosting provider LeaseWeb discovered that it was harboring 143 Bredo C&C servers. Over the next three months, the Dutch National High Tech Crime Team learned those servers were the well-hidden core of a multi-layer “botnet factory” that proxied C&C commands through drive-by download servers hosted elsewhere. A pain-staking investigation lead to successful take-down of nearly the entire Bredolab botnet, notification of 30 million Bredo-infected PC owners, and arrest of an Armenian accused of orchestrating this botnet.

6. Pushdo: Botnets can be infuriatingly resilient. Consider Pushdo (a.k.a. Cutwail), responsible for up to 10 percent of all spam sent during the first half of 2010. Since 2007, Pushdo bots have issued a wide variety of spam blasts, from pharmaceutical ads to phishing messages and malware. In late August, researchers from LastLine identified 30 Pushdo C&C servers, hosted at 8 providers. Using provider notification, LastLine initiated a take down of 20, stopping nearly all Pushdo spam within 48 hours. Unfortunately, little cooperation could be obtained from other providers. Since then, Pushdo has recovered, operating under the control of those remaining C&C servers or perhaps new ones. Just last week, Pushdo variants were cited as the source of 22 percent of spam tracked by M86 Security Labs.

Page 2: The Top 10 Botnet Events of 2010