Risk
3/28/2011
11:54 AM
Dave Methvin
Dave Methvin
Commentary
50%
50%

Microsoft Wins A Botnet Battle

The Rustok botnet was estimated to be one million PCs strong, underlining the dangers that malware can cause to businesses and consumers.

If you noticed a decrease in spam recently, there could be a good reason. This month, Microsoft took down the Rustok botnet.

Microsoft's Digital Crime Unit reported that its "research shows there may be close to one million computers infected with Rustock malware, all under the control of the person or people operating the network like a remote army, usually without the computer's owner even aware that his computer has been hijacked. Bot-herders infect computers with malware in a number of ways, such as when a computer owner visits a Web site booby-trapped with malware and clicks on a malicious advertisement or opens an infected e-mail attachment. Bot-herders do this so discretely that owners often never suspect their PC is living a double life."

These botnets aren't just the toy of young hackers who like causing mischief. They aren't trying to crash or disable the computer; in fact it's just the opposite. That stealth aspect to the bot infection is key to its success. The user has no reason to think they need to get their PC fixed, because a good botnet infection doesn't raise suspicion. That is the key to the botnet's survival.

A botnet is a huge money-making tool for its creators. When bot-herders take over a PC, they have many ways to turn a profit. One way is to grab information they find on the PC, or can extract by monitoring the user's keystrokes. This can give them access to bank accounts, credit cards, and login information to sites such as eBay or PayPal. Before the user can do anything to stop it, the botnet operator can transfer the PayPal money to another account. Or they can purchase expensive items with the user's eBay account and get the seller to send it to an address where the botnet operator can pick it up.

Perhaps the most valuable thing a botnet provides its handler is a large pool of "innocent-looking" IP addresses. In the case of the Rustok botnet, that's one million IPs. If the bot-controlled PC appears to visit a Web site, click on a Google Adwords ad, or send a few dozen emails, it's not possible to block that action based merely on the IP address. So Rustok's botnet could send 10 million spam messages by having each PC send just 10 emails, and nothing looks suspicious.

Click fraud is another endless source of money for botnet operators. By setting up some shallow content sites with Google Adwords or other ad networks, the bot-herder can have the bots visit those sites and click on the ads to generate revenue. The bot-herder can also use click fraud to attack competitors, clicking on their ads in order to drain their ad budgets. This type of fraud can be extremely difficult for the ad networks to spot if the botnet operator keeps the fraud at a low level and doesn't get too greedy.

When botnets started to emerge a decade ago, the creators of the botnets often used them directly and managed all the money-making schemes themselves. Now, many bot-herders rent out their botnet to other groups that have specific goals in mind, such as spam, click fraud, or targeted attacks. Underground message boards let bot-herders communicate with their customers to "sell time" on the botnet.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8802
Published: 2015-01-23
The Pie Register plugin before 2.0.14 for WordPress does not properly restrict access to certain functions in pie-register.php, which allows remote attackers to (1) add a user by uploading a crafted CSV file or (2) activate a user account via a verifyit action.

CVE-2014-9623
Published: 2015-01-23
OpenStack Glance 2014.2.x through 2014.2.1, 2014.1.3, and earlier allows remote authenticated users to bypass the storage quote and cause a denial of service (disk consumption) by deleting an image in the saving state.

CVE-2014-9638
Published: 2015-01-23
oggenc in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (divide-by-zero error and crash) via a WAV file with the number of channels set to zero.

CVE-2014-9639
Published: 2015-01-23
Integer overflow in oggenc in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (crash) via a crafted number of channels in a WAV file, which triggers an out-of-bounds memory access.

CVE-2014-9640
Published: 2015-01-23
oggenc/oggenc.c in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted raw file.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.