
Attacks/Breaches

3/19/2013 05:11 PM

Botnet Business Booming

Some dismantled botnets rank in the top ten most prevalent as old bot malware gets repurposed, according to new Fortinet report

If there's one thing we've learned about botnets, it's that old botnets die hard -- if at all. And one-third of the top 10 botnets identified by Fortinet are nearly 10 years old, underscoring the difficulty of truly eradicating these easily built armies of infected machines.

Botnet takedowns over the past few years have temporarily suspended and crippled big chunks of pesky botnets, including Mariposa and Waledac, but that doesn't mean the malware, operators, or even segments of their infrastructures get completely eradicated.

The 10 most prevalent botnet infections found by Fortinet's FortiGuard Labs in February were (in order) ZeroAccess, Jeefo, Smoke, Mariposa, Grum/Tedroo, Lethic, Torpig, SpyEye, Waledac, and Zeus. And, yes, although Mariposa and Waledac had been dismantled, at least in part over the past few years, new variants of their malware live on.

"Once the Pandora's box has been opened and that software gets out there, you're unable to make it go away forever. A piece of botnet software might become obsolete or have different people behind it, or they go to prison, or stop developing it," says Richard Henderson, security strategist for Fortinet's FortiGuard Labs, which published a new botnet report last week. "For the people behind the botnets, it's a full-time job. They're always working on ways to generate new infections."

Henderson says the botnet business is as lucrative as ever, and plenty of botnet activity goes unseen. The ZeroAccess botnet is growing at a rate of 100,000 to 200,000 new infections per week, for example, he says, and its main goal is mining for Bitcoins.

"The guys behind it are so confident in getting new infections that they are paying affiliates five times the going rate to" infect machines for them, he says. The typical pay is about $100 per 1,000 machines, but the ZeroAccess gang pays out $500 for the same number of bots -- just for infecting the machines.

There are consulting services that help nontechnical botmasters get started for about $350 to $400, and professional botnet services charge thousands of dollars per month for bots and technical support.

Botnet rentals are also available: $535 per week for five hours per day of DDoS attacks, $40 for 20,000 spam emails, and $2 for 30 online forum and comment spam posts, according to Fortinet's report.

A single stolen user account sells for $5 to $15, and those accounts are typically sold in volume bundles.

How can you tell if a machine is a bot? Fortinet says some symptoms include:

>> System is running slower than usual

>> Hard drive LED is flashing wildly even though it is in idle mode

>> Files and folders have suddenly disappeared or have been changed

>> A friend or colleague has informed the user that they have received a spam email from their email account

>> A firewall on the computer informs the user that a program on the PC is trying to connect to the Internet

>> A launch icon from a program downloaded from the Internet suddenly disappears

>> More error messages than usual are popping up

>> Online bank is suddenly asking for personal information it has not required before

The full botnet report from Fortinet is available here.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
