Risk

3/28/2011
11:54 AM
Dave Methvin
Dave Methvin
Commentary
50%
50%

Microsoft Wins A Botnet Battle

The Rustok botnet was estimated to be one million PCs strong, underlining the dangers that malware can cause to businesses and consumers.

If you noticed a decrease in spam recently, there could be a good reason. This month, Microsoft took down the Rustok botnet.

Microsoft's Digital Crime Unit reported that its "research shows there may be close to one million computers infected with Rustock malware, all under the control of the person or people operating the network like a remote army, usually without the computer's owner even aware that his computer has been hijacked. Bot-herders infect computers with malware in a number of ways, such as when a computer owner visits a Web site booby-trapped with malware and clicks on a malicious advertisement or opens an infected e-mail attachment. Bot-herders do this so discretely that owners often never suspect their PC is living a double life."

These botnets aren't just the toy of young hackers who like causing mischief. They aren't trying to crash or disable the computer; in fact it's just the opposite. That stealth aspect to the bot infection is key to its success. The user has no reason to think they need to get their PC fixed, because a good botnet infection doesn't raise suspicion. That is the key to the botnet's survival.

A botnet is a huge money-making tool for its creators. When bot-herders take over a PC, they have many ways to turn a profit. One way is to grab information they find on the PC, or can extract by monitoring the user's keystrokes. This can give them access to bank accounts, credit cards, and login information to sites such as eBay or PayPal. Before the user can do anything to stop it, the botnet operator can transfer the PayPal money to another account. Or they can purchase expensive items with the user's eBay account and get the seller to send it to an address where the botnet operator can pick it up.

Perhaps the most valuable thing a botnet provides its handler is a large pool of "innocent-looking" IP addresses. In the case of the Rustok botnet, that's one million IPs. If the bot-controlled PC appears to visit a Web site, click on a Google Adwords ad, or send a few dozen emails, it's not possible to block that action based merely on the IP address. So Rustok's botnet could send 10 million spam messages by having each PC send just 10 emails, and nothing looks suspicious.

Click fraud is another endless source of money for botnet operators. By setting up some shallow content sites with Google Adwords or other ad networks, the bot-herder can have the bots visit those sites and click on the ads to generate revenue. The bot-herder can also use click fraud to attack competitors, clicking on their ads in order to drain their ad budgets. This type of fraud can be extremely difficult for the ad networks to spot if the botnet operator keeps the fraud at a low level and doesn't get too greedy.

When botnets started to emerge a decade ago, the creators of the botnets often used them directly and managed all the money-making schemes themselves. Now, many bot-herders rent out their botnet to other groups that have specific goals in mind, such as spam, click fraud, or targeted attacks. Underground message boards let bot-herders communicate with their customers to "sell time" on the botnet.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
'Hidden Tunnels' Help Hackers Launch Financial Services Attacks
Kelly Sheridan, Staff Editor, Dark Reading,  6/20/2018
Inside a SamSam Ransomware Attack
Ajit Sancheti, CEO and Co-Founder, Preempt,  6/20/2018
Tesla Employee Steals, Sabotages Company Data
Jai Vijayan, Freelance writer,  6/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-12697
PUBLISHED: 2018-06-23
A NULL pointer dereference (aka SEGV on unknown address 0x000000000000) was discovered in work_stuff_copy_to_from in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. This can occur during execution of objdump.
CVE-2018-12698
PUBLISHED: 2018-06-23
demangle_template in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30, allows attackers to trigger excessive memory consumption (aka OOM) during the "Create an array for saving the template argument values" XNEWVEC call. This can occur during execution of objdump.
CVE-2018-12699
PUBLISHED: 2018-06-23
finish_stab in stabs.c in GNU Binutils 2.30 allows attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact, as demonstrated by an out-of-bounds write of 8 bytes. This can occur during execution of objdump.
CVE-2018-12700
PUBLISHED: 2018-06-23
A Stack Exhaustion issue was discovered in debug_write_type in debug.c in GNU Binutils 2.30 because of DEBUG_KIND_INDIRECT infinite recursion.
CVE-2018-11560
PUBLISHED: 2018-06-23
The webService binary on Insteon HD IP Camera White 2864-222 devices has a stack-based Buffer Overflow leading to Control-Flow Hijacking via a crafted usr key, as demonstrated by a long remoteIp parameter to cgi-bin/CGIProxy.fcgi on port 34100.