The World's Biggest Botnets

What makes three of today's largest botnets tick, what they're after - and a peek at the 'next' Storm

You know about the Storm Trojan, which is spread by the world's largest botnet. But what you may not know is there's now a new peer-to-peer based botnet emerging that could blow Storm away.

"We're investigating a new peer-to-peer botnet that may wind up rivaling Storm in size and sophistication," says Tripp Cox, vice president of engineering for startup Damballa, which tracks botnet command and control infrastructures. "We can't say much more about it, but we can tell it's distinct from Storm."

It's hard to imagine anything bigger and more complex than Storm, which despite its nefarious intent as a DDOS and spam tool has awed security researchers with its slick design and its ability to reinvent itself when it's at risk of detection or getting busted. Storm changed the botnet game, security experts say, and its successors may be even more powerful and wily. (See Attackers Hide in Fast Flux and Researchers Fear Reprisals From Storm.)

Botnets are no longer just annoying, spam-pumping factories -- they're big business for criminals. This shift has even awakened enterprises, which historically have either looked the other way or been in denial about bots infiltrating their organizations. (See Bots Rise in the Enterprise.)

"A year ago, the traditional method for bot infections was through malware. But now you're getting compromised servers, with drive-by downloads so prevalent that people are getting infected without realizing it," says Paul Ferguson, network architect for Trend Micro. "No one is immune."

Researchers estimate that there are thousands of botnets in operation today, but only a handful stand out by their sheer size and pervasiveness. Although size gives a botnet muscle and breadth, it can also make it too conspicuous, which is why botnets like Storm fluctuate in size and are constantly finding new ways to cover their tracks to avoid detection. Researchers have different head counts for different botnets, with Storm by far the largest (for now, anyway).

Damballa says its top three botnets are Storm, with 230,000 active members per 24 hour period; Rbot, an IRC-based botnet with 40,000 active members per 24 hour period; and Bobax, an HTTP-based botnet with 24,000 active members per 24 hour period, according to the company.

Here's a look at the world's top three biggest botnets.

Next Page: Storm


1. Storm

Size: 230,000 active members per 24 hour period

Type: peer-to-peer

Purpose: Spam, DDOS

Malware: Trojan.Peacomm (aka Nuwar)

Few researchers can agree on Storm's actual size -- while Damballa says its over 200,000 bots, Trend Micro says its more like 40,000 to 100,000 today. But all researchers say that Storm is a whole new brand of botnet. First, it uses encrypted decentralized, peer-to-peer communication, unlike the traditional centralized IRC model. That makes it tough to kill because you can't necessarily shut down its command and control machines. And intercepting Storm's traffic requires cracking the encrypted data.

But this also makes Storm easier to detect, says Joe Stewart, a senior security researcher with SecureWorks, who closely tracks Storm. "Before, we had difficulty distinguishing Storm traffic from eDonkey and other peer-to-peer traffic on Overnet," Stewart says. "eDonkey/Overnet traffic is very fingerprintable in size and frequency of packets, so now we can rule it out because it's not encrypted." And Storm uses fairly basic encryption, he says, which can be reverse engineered.

Storm also uses fast-flux, a round-robin method where infected bot machines (typically home computers) serve as proxies or hosts for malicious Websites. These are constantly rotated, changing their DNS records to prevent their discovery by researchers, ISPs, or law enforcement. And researchers say it's tough to tell how the command and control communication structure is set up behind the P2P botnet. "Nobody knows how the mother ships are generating their C&C," Trend Micro's Ferguson says.

Storm uses a complex combination of malware called Peacomm that includes a worm, rootkit, spam relay, and Trojan. Shane Coursen, senior technical consultant for Kaspersky Lab, says the worm component is the "gelatin" that compromises a machine and sends off SMTP-based emails. "The rootkit is only activated when a person who receives the spam email clicks on the attachment and launches it, for example," he says.

It's also spread through malicious Websites, when a user visits an infected site or clicks on a link to one.

"At the risk of giving them accolades, they've got a great business model... It's criminals catering to criminals, and I don’t see any slowdown," Coursen says.

Storm has survived thus far with its supersized spam runs, and the fact that the casual user won't know he's infected with a rootkit. But researchers don't know -- or can't say -- who exactly is behind Storm, except that it's likely a fairly small, tightly knit group with a clear business plan. "All roads lead back to Russia," Trend Micro's Ferguson says.

"Storm is only thing now that keeps me awake at night and busy," he says. "It's professionalized crimeware... They have young, talented programmers apparently. And they write tools to do administrative [tracking], as well as writing cryptographic routines... and another will handle social engineering, and another will write the Trojan downloader, and another is writing the rootkit."

But the big worry is that Storm, which mostly has been used for spam, stealing credit-card information, and trafficking in stolen goods and fraud, will be channeled into more destructive uses. "The possibility exists that it could be used for more nefarious purposes," Ferguson says. "You can use your imagination."

Next Page: Rbot

2. Rbot

Size: 40,000 active members per 24 hour period

Type: IRC

Purpose: DDOS, spam, malicious operations

Malware: Windows worm

Rbot is basically an old-school IRC botnet that uses the Rbot malware kit. It isn't likely to ever reach Storm size because IRC botnets just can't scale accordingly. "An IRC server has to be a beefy machine to support anything anywhere close to the size of Peacomm/Storm," Damballa's Cox says.

The botnet mainly sends spam runs and executes DDOS attacks, but it can also be used for other criminal purposes. "It's difficult to predict the intent of it. It's a utility bot," he says. It self-propagates by scanning local networks for exploitable vulnerabilities, for instance, he says, as well as via DDOS attacks and email.

It can disable antivirus software, too. Rbot's underlying malware uses a backdoor to gain control of the infected machine, installing keyloggers, viruses, and even stealing files from the machine, as well as the usual spam and DDOS attacks. "The Rbot [malware] is readily available to anyone who wants try to apply some kind of criminal activity in the bot arena," Cox says.

Who's behind the Rbot botnet? "We've seen a lot [of activity] in the black market... for malware development," for instance, he says, adding that it's mostly in Eastern Europe and the former Soviet Republic.

Next Page: Bobax

3. Bobax

Size: 24,000 active members per 24 hour period

Type: HTTP

Purpose: Spam

Malware: Mass-mailing worm

Botnets that communicate via HTTP are as difficult to detect as those like Storm that talk via P2P networks. Bobax ranks as the third biggest botnet, with over 20,000 active bots per day, according to Damballa. "It's been around a long time," Cox says. "And it's still in our top three."

Bobax is specifically for spamming, Cox says, and uses the stealthier HTTP for sending instructions to its bots on who and what to spam. "HTTP bots in general do provide an additional level of security to the bot armies because the Web is the predominant type of traffic on the Net," he says. "We look for locations where the C&C is hosted, and that's how we track" Bobax and other HTTP-driven botnets.

According to Symantec, Bobax bores open a back door and downloads files onto the infected machine, and lowers its security settings. It spreads via a buffer overflow vulnerability in Windows, and inserts the spam code into the IE browser so that each time the browser runs, the virus is activated. And Bobax also does some reconnaissance to ensure that its spam runs are efficient: It can do bandwidth and network analysis to determine just how much spam it can send, according to Damballa. "Thus [they] are able to tailor their spamming so as not to tax the network, which helps them avoid detection," according to company research.

Even more frightening, though, is that some Bobax variants can block access to antivirus and security vendor Websites, a new trend in Website exploitation. (See Honeynet Project: Attackers Know Where You Live.)

Meanwhile, size doesn't always matter with botnets. "Depending on your motivations, you can likely accomplish pretty much whatever you want with less than 50 bots -- 4-Gbit/s DDOS, millions of spam per hour, and entire phishing system, etc.," says Danny McPherson, chief research officer for Arbor Networks. "Of course, lifting things like CD keys, pulling data from keystroke loggers, or lifting addresses from address books is more interesting with larger numbers" of bots, he says.

And the more professional botnet operators are staging more targeted, purposeful attacks. They are less into DDOSing-for-hire and more into gathering personal data for profit, notes André M. Di Mino, a director of The Shadowserver Foundation, which researches botnet activity. "That's a new and disturbing trend," he says.

The key, of course, is getting to the faces behind these bot armies, which is no simple task. "We've been trying to fight botnets from the bottom up by updating AV and network detection methods, which is effective. But to really get to root of it, you need to go after the people pulling the strings," Trend Micro's Ferguson says. "This is a criminal trade and needs to be treated that way."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights