Risk
3/28/2011
11:54 AM
Dave Methvin
Dave Methvin
Commentary
50%
50%

Microsoft Wins A Botnet Battle

The Rustok botnet was estimated to be one million PCs strong, underlining the dangers that malware can cause to businesses and consumers.

If you noticed a decrease in spam recently, there could be a good reason. This month, Microsoft took down the Rustok botnet.

Microsoft's Digital Crime Unit reported that its "research shows there may be close to one million computers infected with Rustock malware, all under the control of the person or people operating the network like a remote army, usually without the computer's owner even aware that his computer has been hijacked. Bot-herders infect computers with malware in a number of ways, such as when a computer owner visits a Web site booby-trapped with malware and clicks on a malicious advertisement or opens an infected e-mail attachment. Bot-herders do this so discretely that owners often never suspect their PC is living a double life."

These botnets aren't just the toy of young hackers who like causing mischief. They aren't trying to crash or disable the computer; in fact it's just the opposite. That stealth aspect to the bot infection is key to its success. The user has no reason to think they need to get their PC fixed, because a good botnet infection doesn't raise suspicion. That is the key to the botnet's survival.

A botnet is a huge money-making tool for its creators. When bot-herders take over a PC, they have many ways to turn a profit. One way is to grab information they find on the PC, or can extract by monitoring the user's keystrokes. This can give them access to bank accounts, credit cards, and login information to sites such as eBay or PayPal. Before the user can do anything to stop it, the botnet operator can transfer the PayPal money to another account. Or they can purchase expensive items with the user's eBay account and get the seller to send it to an address where the botnet operator can pick it up.

Perhaps the most valuable thing a botnet provides its handler is a large pool of "innocent-looking" IP addresses. In the case of the Rustok botnet, that's one million IPs. If the bot-controlled PC appears to visit a Web site, click on a Google Adwords ad, or send a few dozen emails, it's not possible to block that action based merely on the IP address. So Rustok's botnet could send 10 million spam messages by having each PC send just 10 emails, and nothing looks suspicious.

Click fraud is another endless source of money for botnet operators. By setting up some shallow content sites with Google Adwords or other ad networks, the bot-herder can have the bots visit those sites and click on the ads to generate revenue. The bot-herder can also use click fraud to attack competitors, clicking on their ads in order to drain their ad budgets. This type of fraud can be extremely difficult for the ad networks to spot if the botnet operator keeps the fraud at a low level and doesn't get too greedy.

When botnets started to emerge a decade ago, the creators of the botnets often used them directly and managed all the money-making schemes themselves. Now, many bot-herders rent out their botnet to other groups that have specific goals in mind, such as spam, click fraud, or targeted attacks. Underground message boards let bot-herders communicate with their customers to "sell time" on the botnet.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3580
Published: 2014-12-18
The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-4801
Published: 2014-12-18
Cross-site scripting (XSS) vulnerability in IBM Rational Quality Manager 2.x through 2.0.1.1, 3.x before 3.0.1.6 iFix 4, 4.x before 4.0.7 iFix 2, and 5.x before 5.0.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

CVE-2014-6076
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allow remote attackers to conduct clickjacking attacks via a crafted web site.

CVE-2014-6077
Published: 2014-12-18
Cross-site request forgery (CSRF) vulnerability in IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.

CVE-2014-6078
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 do not have a lockout period after invalid login attempts, which makes it easier for remote attackers to obtain admin access via a brute-force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.