Risk
3/28/2011
11:54 AM
Dave Methvin
Dave Methvin
Commentary
50%
50%

Microsoft Wins A Botnet Battle

The Rustok botnet was estimated to be one million PCs strong, underlining the dangers that malware can cause to businesses and consumers.

If you noticed a decrease in spam recently, there could be a good reason. This month, Microsoft took down the Rustok botnet.

Microsoft's Digital Crime Unit reported that its "research shows there may be close to one million computers infected with Rustock malware, all under the control of the person or people operating the network like a remote army, usually without the computer's owner even aware that his computer has been hijacked. Bot-herders infect computers with malware in a number of ways, such as when a computer owner visits a Web site booby-trapped with malware and clicks on a malicious advertisement or opens an infected e-mail attachment. Bot-herders do this so discretely that owners often never suspect their PC is living a double life."

These botnets aren't just the toy of young hackers who like causing mischief. They aren't trying to crash or disable the computer; in fact it's just the opposite. That stealth aspect to the bot infection is key to its success. The user has no reason to think they need to get their PC fixed, because a good botnet infection doesn't raise suspicion. That is the key to the botnet's survival.

A botnet is a huge money-making tool for its creators. When bot-herders take over a PC, they have many ways to turn a profit. One way is to grab information they find on the PC, or can extract by monitoring the user's keystrokes. This can give them access to bank accounts, credit cards, and login information to sites such as eBay or PayPal. Before the user can do anything to stop it, the botnet operator can transfer the PayPal money to another account. Or they can purchase expensive items with the user's eBay account and get the seller to send it to an address where the botnet operator can pick it up.

Perhaps the most valuable thing a botnet provides its handler is a large pool of "innocent-looking" IP addresses. In the case of the Rustok botnet, that's one million IPs. If the bot-controlled PC appears to visit a Web site, click on a Google Adwords ad, or send a few dozen emails, it's not possible to block that action based merely on the IP address. So Rustok's botnet could send 10 million spam messages by having each PC send just 10 emails, and nothing looks suspicious.

Click fraud is another endless source of money for botnet operators. By setting up some shallow content sites with Google Adwords or other ad networks, the bot-herder can have the bots visit those sites and click on the ads to generate revenue. The bot-herder can also use click fraud to attack competitors, clicking on their ads in order to drain their ad budgets. This type of fraud can be extremely difficult for the ad networks to spot if the botnet operator keeps the fraud at a low level and doesn't get too greedy.

When botnets started to emerge a decade ago, the creators of the botnets often used them directly and managed all the money-making schemes themselves. Now, many bot-herders rent out their botnet to other groups that have specific goals in mind, such as spam, click fraud, or targeted attacks. Underground message boards let bot-herders communicate with their customers to "sell time" on the botnet.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-0750
Published: 2015-05-22
The administrative web interface in Cisco Hosted Collaboration Solution (HCS) 10.6(1) and earlier allows remote authenticated users to execute arbitrary commands via crafted input to unspecified fields, aka Bug ID CSCut02786.

CVE-2012-1978
Published: 2015-05-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Simple PHP Agenda 2.2.8 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) add an administrator via a request to auth/process.php, (2) delete an administrator via a request to auth/admi...

CVE-2015-0741
Published: 2015-05-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Cisco Prime Central for Hosted Collaboration Solution (PC4HCS) 10.6(1) and earlier allow remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCut04596.

CVE-2015-0742
Published: 2015-05-21
The Protocol Independent Multicast (PIM) application in Cisco Adaptive Security Appliance (ASA) Software 9.2(0.0), 9.2(0.104), 9.2(3.1), 9.2(3.4), 9.3(1.105), 9.3(2.100), 9.4(0.115), 100.13(0.21), 100.13(20.3), 100.13(21.9), and 100.14(1.1) does not properly implement multicast-forwarding registrati...

CVE-2015-0746
Published: 2015-05-21
The REST API in Cisco Access Control Server (ACS) 5.5(0.46.2) allows remote attackers to cause a denial of service (API outage) by sending many requests, aka Bug ID CSCut62022.

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.