Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

3/31/2009
01:07 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Attack Of The Mini-Botnets

All eyes may be on the big spamming botnets, but it's the small, silent ones that are most dangerous

Big-name botnets like Kraken/Bobax, Srizbi, Rustock, the former Storm -- and even the possible botnet-in-waiting, Conficker -- have gained plenty of notoriety, but it's the smaller and less conspicuous ones you can't see that are doing the most damage in the enterprise.

These mini-botnets range in size from tens to thousands versus the hundreds of thousands, or even millions, of bots that the biggest botnets deploy. They are typically specialized and built to target an organization or person, stealing corporate and personal information, often without a trace. They don't attract the attention of the big spamming botnets that cast a wide net and generate lots of traffic; instead they strike quietly, under the radar.

"There's definitely specialization [in botnets] these days," says Joe Stewart, senior director of malware research for SecureWorks. "There are botnets designed for fraud, and they have been around for a while and don't seem to cross over [with the bigger spamming botnets]," he says.

These mini-botnets specialize in identity theft, fraud, and stealing corporate information, and are much more difficult to spot and infiltrate than a big spamming botnet. "We have to rely on the few anecdotal instances, where we've managed to get a look at the back-end," Stewart says.

Tripp Cox, vice president of engineering at Damballa, says most of the bots his company finds within its enterprise clients' networks are from obscure botnets, not the big spamming zombie networks. Spam-bot infections account for only about 2 percent of the compromised bot machines Damballa has uncovered, while 20 percent are bots used for targeted, malicious purposes, like data theft or fraud, he says. The other 75- to 80 percent are from blended threats -- multipurpose Trojans, downloaders, and worms for various purposes.

The main goal of specialized botnets is to steal user names and passwords, banking credentials, intellectual property, and other valuable information, he says. "We've seen them target banking credentials used by the enterprise to conduct corporate banking," Cox says. "We've also seen particular executives targeted who are involved in intellectual property development and research activities.

"There's a strong tie there between what information the [targeted] employee has access to and the value that asset has to the attacker."

SecureWorks' Stewart says small botnets are more worrisome than Conficker's next move. These botnets include Clampi (a.k.a. Ligats and Rscan), Torpig (a.k.a. Sinowal, Anserin), Zeus (a.k.a. prg/zbot), Pinch (a.k.a. ldpinch), and SilentBanker Cimuz -- all named after the malware they use -- plus one that has been around for some time, Coreflood (a.k.a. Afcore), which Stewart has studied closely. "I am far more worried about some of the recent Clampi [activities] and some of the other ones," Stewart says. "They have made inroads to affect users and do something malicious, like steal their credentials" for committing identity theft and fraud, he says.

But why use a botnet instead of an old-fashioned hack in a targeted attack? "A botnet is a resilient foothold for a criminal to get inside the company -- it's persistent," Damballa's Cox says. "It's a way to distribute updates, activate new capabilities, and harvest information without having to copy information out of the network. If you think about data leakage protection, you can imagine a botnet enables you to search internally without extracting the document."

Steven Adair, a researcher with the Shadowserver Foundation, says his organization has seen targeted botnet attacks that have used anywhere from dozens to hundreds or more machines. "They are often a lot smaller than the spamming and DDoS botnets due to their target selection," Adair says.

These targeted botnet attacks often use spear-phishing email attacks, using malicious PDF attachments or links that appear legitimate because they contain information familiar to the user. Shadowserver has also seen mini-botnets infect Websites that cater to a specific group of users, Adair says. "The sites were specifically chosen due to their audience," he says.

Mini-botnets look a lot like big spamming botnets architecture-wise: They typically use HTTP or custom protocols to communicate, and they encrypt their traffic. But they don't use peer-to-peer communications like some of the big botnets, and the command-and-control servers are often in a multitier arrangement so they can remain obfuscated, SecureWorks' Stewart says. "They have a centralized command-and-control...because that gives them more control," he says. "They are trying to suck data out of these machines, so it's better to go back to one channel."

The recently exposed GhostNet network of some 1,300 infected machines appears to be an example of a targeted-attack botnet, says Nicolas Fischbach, senior manager for network engineering/security for European ISP COLT Telecom. "The recent GhostNet seems to be the tip of the iceberg," he says.

GhostNet was recently discovered by the Munk Centre for International Studies at the University of Toronto, which found the attackers used a Trojan program that gave them full control of the targeted machine such that they could search and download files, as well as spy on the victim via his or her Web camera and microphone.

But not all targeted attacks are botnet-driven. Fischbach says he sees some "old-school" hacks, with a few machines set up as a chain of "stepping stones" to evade being traced. "DDoS for money and for fun is over. There's more money to make in information- and intelligence-gathering," he says. "If you have a small botnet and cool exploitation techniques and tools, you want to infect a small, controllable number of machines to steal data or even influence decisions."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-25382
PUBLISHED: 2021-04-23
An improper authorization of using debugging command in Secure Folder prior to SMR Oct-2020 Release 1 allows unauthorized access to contents in Secure Folder via debugging command.
CVE-2021-26291
PUBLISHED: 2021-04-23
Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be t...
CVE-2021-31607
PUBLISHED: 2021-04-23
In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function...
CVE-2021-31597
PUBLISHED: 2021-04-23
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
CVE-2021-2296
PUBLISHED: 2021-04-22
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromi...