Attacks/Breaches
3/31/2009
01:07 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Attack Of The Mini-Botnets

All eyes may be on the big spamming botnets, but it's the small, silent ones that are most dangerous

Big-name botnets like Kraken/Bobax, Srizbi, Rustock, the former Storm -- and even the possible botnet-in-waiting, Conficker -- have gained plenty of notoriety, but it's the smaller and less conspicuous ones you can't see that are doing the most damage in the enterprise.

These mini-botnets range in size from tens to thousands versus the hundreds of thousands, or even millions, of bots that the biggest botnets deploy. They are typically specialized and built to target an organization or person, stealing corporate and personal information, often without a trace. They don't attract the attention of the big spamming botnets that cast a wide net and generate lots of traffic; instead they strike quietly, under the radar.

"There's definitely specialization [in botnets] these days," says Joe Stewart, senior director of malware research for SecureWorks. "There are botnets designed for fraud, and they have been around for a while and don't seem to cross over [with the bigger spamming botnets]," he says.

These mini-botnets specialize in identity theft, fraud, and stealing corporate information, and are much more difficult to spot and infiltrate than a big spamming botnet. "We have to rely on the few anecdotal instances, where we've managed to get a look at the back-end," Stewart says.

Tripp Cox, vice president of engineering at Damballa, says most of the bots his company finds within its enterprise clients' networks are from obscure botnets, not the big spamming zombie networks. Spam-bot infections account for only about 2 percent of the compromised bot machines Damballa has uncovered, while 20 percent are bots used for targeted, malicious purposes, like data theft or fraud, he says. The other 75- to 80 percent are from blended threats -- multipurpose Trojans, downloaders, and worms for various purposes.

The main goal of specialized botnets is to steal user names and passwords, banking credentials, intellectual property, and other valuable information, he says. "We've seen them target banking credentials used by the enterprise to conduct corporate banking," Cox says. "We've also seen particular executives targeted who are involved in intellectual property development and research activities.

"There's a strong tie there between what information the [targeted] employee has access to and the value that asset has to the attacker."

SecureWorks' Stewart says small botnets are more worrisome than Conficker's next move. These botnets include Clampi (a.k.a. Ligats and Rscan), Torpig (a.k.a. Sinowal, Anserin), Zeus (a.k.a. prg/zbot), Pinch (a.k.a. ldpinch), and SilentBanker Cimuz -- all named after the malware they use -- plus one that has been around for some time, Coreflood (a.k.a. Afcore), which Stewart has studied closely. "I am far more worried about some of the recent Clampi [activities] and some of the other ones," Stewart says. "They have made inroads to affect users and do something malicious, like steal their credentials" for committing identity theft and fraud, he says.

But why use a botnet instead of an old-fashioned hack in a targeted attack? "A botnet is a resilient foothold for a criminal to get inside the company -- it's persistent," Damballa's Cox says. "It's a way to distribute updates, activate new capabilities, and harvest information without having to copy information out of the network. If you think about data leakage protection, you can imagine a botnet enables you to search internally without extracting the document."

Steven Adair, a researcher with the Shadowserver Foundation, says his organization has seen targeted botnet attacks that have used anywhere from dozens to hundreds or more machines. "They are often a lot smaller than the spamming and DDoS botnets due to their target selection," Adair says.

These targeted botnet attacks often use spear-phishing email attacks, using malicious PDF attachments or links that appear legitimate because they contain information familiar to the user. Shadowserver has also seen mini-botnets infect Websites that cater to a specific group of users, Adair says. "The sites were specifically chosen due to their audience," he says.

Mini-botnets look a lot like big spamming botnets architecture-wise: They typically use HTTP or custom protocols to communicate, and they encrypt their traffic. But they don't use peer-to-peer communications like some of the big botnets, and the command-and-control servers are often in a multitier arrangement so they can remain obfuscated, SecureWorks' Stewart says. "They have a centralized command-and-control...because that gives them more control," he says. "They are trying to suck data out of these machines, so it's better to go back to one channel."

The recently exposed GhostNet network of some 1,300 infected machines appears to be an example of a targeted-attack botnet, says Nicolas Fischbach, senior manager for network engineering/security for European ISP COLT Telecom. "The recent GhostNet seems to be the tip of the iceberg," he says.

GhostNet was recently discovered by the Munk Centre for International Studies at the University of Toronto, which found the attackers used a Trojan program that gave them full control of the targeted machine such that they could search and download files, as well as spy on the victim via his or her Web camera and microphone.

But not all targeted attacks are botnet-driven. Fischbach says he sees some "old-school" hacks, with a few machines set up as a chain of "stepping stones" to evade being traced. "DDoS for money and for fun is over. There's more money to make in information- and intelligence-gathering," he says. "If you have a small botnet and cool exploitation techniques and tools, you want to infect a small, controllable number of machines to steal data or even influence decisions."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0485
Published: 2014-09-02
S3QL 1.18.1 and earlier uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object in (1) common.py or (2) local.py in backends/.

CVE-2014-3861
Published: 2014-09-02
Cross-site scripting (XSS) vulnerability in CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted reference element within a nonXMLBody element.

CVE-2014-3862
Published: 2014-09-02
CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to discover potentially sensitive URLs via a crafted reference element that triggers creation of an IMG element with an arbitrary URL in its SRC attribute, leading to information disclosure in a Referer log.

CVE-2014-5076
Published: 2014-09-02
The La Banque Postale application before 3.2.6 for Android does not prevent the launching of an activity by a component of another application, which allows attackers to obtain sensitive cached banking information via crafted intents, as demonstrated by the drozer framework.

CVE-2014-5136
Published: 2014-09-02
Cross-site scripting (XSS) vulnerability in Innovative Interfaces Sierra Library Services Platform 1.2_3 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.