Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

3/31/2009
01:07 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Attack Of The Mini-Botnets

All eyes may be on the big spamming botnets, but it's the small, silent ones that are most dangerous

Big-name botnets like Kraken/Bobax, Srizbi, Rustock, the former Storm -- and even the possible botnet-in-waiting, Conficker -- have gained plenty of notoriety, but it's the smaller and less conspicuous ones you can't see that are doing the most damage in the enterprise.

These mini-botnets range in size from tens to thousands versus the hundreds of thousands, or even millions, of bots that the biggest botnets deploy. They are typically specialized and built to target an organization or person, stealing corporate and personal information, often without a trace. They don't attract the attention of the big spamming botnets that cast a wide net and generate lots of traffic; instead they strike quietly, under the radar.

"There's definitely specialization [in botnets] these days," says Joe Stewart, senior director of malware research for SecureWorks. "There are botnets designed for fraud, and they have been around for a while and don't seem to cross over [with the bigger spamming botnets]," he says.

These mini-botnets specialize in identity theft, fraud, and stealing corporate information, and are much more difficult to spot and infiltrate than a big spamming botnet. "We have to rely on the few anecdotal instances, where we've managed to get a look at the back-end," Stewart says.

Tripp Cox, vice president of engineering at Damballa, says most of the bots his company finds within its enterprise clients' networks are from obscure botnets, not the big spamming zombie networks. Spam-bot infections account for only about 2 percent of the compromised bot machines Damballa has uncovered, while 20 percent are bots used for targeted, malicious purposes, like data theft or fraud, he says. The other 75- to 80 percent are from blended threats -- multipurpose Trojans, downloaders, and worms for various purposes.

The main goal of specialized botnets is to steal user names and passwords, banking credentials, intellectual property, and other valuable information, he says. "We've seen them target banking credentials used by the enterprise to conduct corporate banking," Cox says. "We've also seen particular executives targeted who are involved in intellectual property development and research activities.

"There's a strong tie there between what information the [targeted] employee has access to and the value that asset has to the attacker."

SecureWorks' Stewart says small botnets are more worrisome than Conficker's next move. These botnets include Clampi (a.k.a. Ligats and Rscan), Torpig (a.k.a. Sinowal, Anserin), Zeus (a.k.a. prg/zbot), Pinch (a.k.a. ldpinch), and SilentBanker Cimuz -- all named after the malware they use -- plus one that has been around for some time, Coreflood (a.k.a. Afcore), which Stewart has studied closely. "I am far more worried about some of the recent Clampi [activities] and some of the other ones," Stewart says. "They have made inroads to affect users and do something malicious, like steal their credentials" for committing identity theft and fraud, he says.

But why use a botnet instead of an old-fashioned hack in a targeted attack? "A botnet is a resilient foothold for a criminal to get inside the company -- it's persistent," Damballa's Cox says. "It's a way to distribute updates, activate new capabilities, and harvest information without having to copy information out of the network. If you think about data leakage protection, you can imagine a botnet enables you to search internally without extracting the document."

Steven Adair, a researcher with the Shadowserver Foundation, says his organization has seen targeted botnet attacks that have used anywhere from dozens to hundreds or more machines. "They are often a lot smaller than the spamming and DDoS botnets due to their target selection," Adair says.

These targeted botnet attacks often use spear-phishing email attacks, using malicious PDF attachments or links that appear legitimate because they contain information familiar to the user. Shadowserver has also seen mini-botnets infect Websites that cater to a specific group of users, Adair says. "The sites were specifically chosen due to their audience," he says.

Mini-botnets look a lot like big spamming botnets architecture-wise: They typically use HTTP or custom protocols to communicate, and they encrypt their traffic. But they don't use peer-to-peer communications like some of the big botnets, and the command-and-control servers are often in a multitier arrangement so they can remain obfuscated, SecureWorks' Stewart says. "They have a centralized command-and-control...because that gives them more control," he says. "They are trying to suck data out of these machines, so it's better to go back to one channel."

The recently exposed GhostNet network of some 1,300 infected machines appears to be an example of a targeted-attack botnet, says Nicolas Fischbach, senior manager for network engineering/security for European ISP COLT Telecom. "The recent GhostNet seems to be the tip of the iceberg," he says.

GhostNet was recently discovered by the Munk Centre for International Studies at the University of Toronto, which found the attackers used a Trojan program that gave them full control of the targeted machine such that they could search and download files, as well as spy on the victim via his or her Web camera and microphone.

But not all targeted attacks are botnet-driven. Fischbach says he sees some "old-school" hacks, with a few machines set up as a chain of "stepping stones" to evade being traced. "DDoS for money and for fun is over. There's more money to make in information- and intelligence-gathering," he says. "If you have a small botnet and cool exploitation techniques and tools, you want to infect a small, controllable number of machines to steal data or even influence decisions."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Florida Town Pays $600K to Ransomware Operators
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/20/2019
Pledges to Not Pay Ransomware Hit Reality
Robert Lemos, Contributing Writer,  6/21/2019
AWS CISO Talks Risk Reduction, Development, Recruitment
Kelly Sheridan, Staff Editor, Dark Reading,  6/25/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-1619
PUBLISHED: 2019-06-27
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. The vulnerability is due to improper session ...
CVE-2019-1620
PUBLISHED: 2019-06-27
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to upload arbitrary files on an affected device. The vulnerability is due to incorrect permission settings in affected DCNM software. An attacker could ex...
CVE-2019-1621
PUBLISHED: 2019-06-27
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to gain access to sensitive files on an affected device. The vulnerability is due to incorrect permissions settings on affected DCNM software. An attacker...
CVE-2019-1622
PUBLISHED: 2019-06-27
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to retrieve sensitive information from an affected device. The vulnerability is due to improper access controls for certain URLs on affected DCNM software...
CVE-2019-10133
PUBLISHED: 2019-06-26
A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. The form to upload cohorts contained a redirect field, which was not restricted to internal URLs.