Botnets, herds of compromised PCs used to conduct high-volume cybercrimes under the direction of a Command and Control (C&C) server, had another banner year last year. Despite successful C&C takedowns and ringleader arrests, botnets continue to be responsible for nearly 90 percent of spam. According to M86 Security Labs, most of this troublesome traffic originates from a small handful of botnets that evolve constantly to survive and thrive. To understand the world-wide war against botnets, let's look at some of the battles won and lost in 2010.
10. Waledac: This prolific descendant of the infamous Storm botnet used social engineering scams such as e-cards and coupons to enlist an estimated 90K hosts before being whacked. By February 2010, Waledac bots were spewing out 1.5 million spam emails per day (up to 7K per hour per bot) by following encrypted C&C instructions, including files hidden inside JPGs. Through back-channel analysis, researchers managed to identify and obtain a court order taking down 277 C&C server domain names, which were subsequently transferred to Microsoft. This action dealt a heavy blow to Waledac, but a few survivors continue to churn out spam, possibly coordinated via P2P in lieu of C&C server direction.
9. Mariposa: Some botnets fight back. Take Mariposa, composed of up to 12 million hosts infected over P2P, MSN, and USB channels. Powered by the Butterfly bot, Mariposa spent about a year harvesting identities and credentials from hacked PCs and being rented by third parties for a variety of cybercrime campaigns. In December 2009, the Mariposa Working Group (led by Defence Intelligence) commandeered Mariposa's C&C servers. But Mariposa's operators soon regained control, countering with a DoS attack against Defence Intelligence. This battle ended when three suspected operators were arrested in Spain last February. The bot's alleged creator was finally apprehended in Slovenia in July, driving another nail into Mariposa's coffin.
8. Zeus: Botnets often serve as a springboard for organized crime. Zeus (a.k.a. Kneber) is a perfect example. This on-line banking trojan was spread by phishing email and drive-by downloads over a period of three years, infesting millions of PCs, herded into hundreds of botnets. According to officials, banking credentials stolen from Zeus victims were used to initiate fraudulent transfers to money mules who were paid to route stolen funds back to organizers. In October 2010, the FBI announced that one large international crime network had used Zeus to steal $70M from victim accounts, leading to 60 arrests in the US, 19 in the UK, and others in the Ukraine.
7. Bredolab: Nearly half of all malware delivered by spam during 1H10 carried Bredo. This trojan often arrives with phishing messages that pose as money orders or failed delivery notices. Once executed, Bredo not only establishes C&C contact but attempts to recruit more bots. Last August, Dutch hosting provider LeaseWeb discovered that it was harboring 143 Bredo C&C servers. Over the next three months, the Dutch National High Tech Crime Team learned those servers were the well-hidden core of a multi-layer botnet factory that proxied C&C commands through drive-by download servers hosted elsewhere. A painstaking investigation led to the successful take-down of nearly the entire Bredolab botnet, notification of 30 million Bredo-infected PC owners, and the arrest of an Armenian accused of orchestrating this botnet.
6. Pushdo: Botnets can be infuriatingly resilient. Consider Pushdo (a.k.a. Cutwail), responsible for up to 10 percent of all spam sent during the first half of 2010. Since 2007, Pushdo bots have issued a wide variety of spam blasts, from pharmaceutical ads to phishing messages and malware. In late August, researchers from LastLine identified 30 Pushdo C&C servers, hosted at 8 providers. Using provider notification, LastLine initiated a take-down of 20, stopping nearly all Pushdo spam within 48 hours. Unfortunately, little cooperation could be obtained from the other providers. Since then, Pushdo has recovered, operating under the control of the remaining C&C servers or perhaps new ones. Just last week, Pushdo variants were cited as the source of 22 percent of spam tracked by M86 Security Labs.
5. Grumbot: Grumbot (a.k.a. Tedroo) is an extremely prolific botnet that tends to focus on sending Canadian pharmaceutical spam. After chugging along steadily throughout 2009, Grum message lengths suddenly decreased in early 2010, enabling per-bot message rates to spike roughly 50 percent. By March, Grumbots were reportedly cranking out over one quarter of all world-wide spam. One year later, Grum's share of the pie has fallen to 12 percent, but only because other botnets have surged.
4. Lethic: Like Pushdo, Lethic has been slowed but not stopped by community efforts to dismantle this unusually fast botnet. Lethic C&C servers relay spam through an estimated 200-300K bots, which churn out copies at very high rates (12 to 60K per hour per bot). A Lethic C&C server take-down was organized by Neustar in January 2010, stopping roughly 10 percent of worldwide spam at that time. But by February, new C&C servers had appeared, ramping Lethic back up to a whopping 56 percent of all spam sent during 2Q10. Although the proportion of global spam represented by Lethic has since dropped, it continues to rank at or near the top of spambot lists (last week 22.5 percent).
3. Koobface: Given the profits at stake, botnet operators are highly motivated to adapt. Take Koobface, the botnet born of exploiting users of social networks like Facebook, Friendster, MySpace, and Twitter. According to Information Warfare Monitor, Koobface operators also used pay-per-click (PPC) and pay-per-install (PPI) affiliate programs to make $2M over a one-year period. Using URL redirection and fast-flux DNS, Koobface earned its keep by presenting ads and selling fake AV programs. To keep investigators at bay, operators blocked their probes using IP blacklists, monitored malicious URL lists, abused short URLs in Twitter, and learned to bypass CAPTCHA. In short, Koobface demonstrated how creative criminals can turn defenses into evasion techniques.
2. Rustock: Occasionally, even spambots need a vacation. Or so it seems for Rustock, which until mid-December consistently sent about 46 billion spams per day (up to 25K per hour per bot). Rustock is notoriously resistant to anti-malware, using rootkit techniques and TLS-encrypted HTTP to stubbornly evade detection. As a result, researchers were surprised to see Rustock spam halt on December 25th. But two weeks later, the botnet sprang back, doubling world-wide spam rates, which had dropped to a two-year low during Rustock's hiatus. But why did Rustock take a holiday break? One factor may have been business disruption caused by the September closure of SpamIt.org and its affiliate payment program.
1. Stuxnet: Perhaps the single most sobering botnet event of 2010 was Stuxnet. According to a Symantec report, Stuxnet is highly targeted, weaponized malware that appears to have been injected into Iranian power plants over a 10-month period, from 5 identified vectors, through infected USB drives. Detected in July 2010, Stuxnet exploited zero-day vulnerabilities in Windows and SCADA software to infect and spread among industrial control systems, organizing into a botnet of peripherals that were ready to spring into attack mode under command of a clearly defined C&C. In short, Stuxnet is noteworthy not because of its size or speed, but because it raises the stakes. Clearly, botnets aren't just about pesky spam or spreading fake AV or even massive identity thefts. Botnets are a means to many ends, in this case with potentially devastating fallout.
What can we learn from last year's botnet events? World-wide spam rates visibly plummeted with major take-downs, suggesting that eradicating just a few big players could have a very significant impact. But recoveries also showed that it is not enough to disable just a portion of each botnet's C&C infrastructure. Crime organizations profiting from botnets must be apprehended as well, and bot infections must be cleaned or, better yet, blocked in the first place.
Finally, botnet writers and operators have continued to refine their craft. According to Cisco's 2010 Annual Security Report, the average botnet is significantly smaller than 12 months ago, but this may not be good news. "For cybercriminals, how many botnets you have in operation, and their size, are no longer important," said Seth Hanford, Intelligence Operations team lead at Cisco. "It's what you can do with them." From Zeus to Koobface to Stuxnet, 2010 offered many illustrations of this point.
Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. A 29-year industry veteran, Lisa enjoys helping companies large and small to assess, mitigate, and prevent Internet security threats through sound policies, effective technologies, best practices, and user education.