Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


11:38 PM
George V. Hulme
George V. Hulme

Hundreds Of Thousands Of Bots Lay Dormant

According to a story that ran in our sister site, DarkReading.com, 500,000 bots from a recently severed botnet army may now lay dormant, awaiting their next set of orders.

According to a story that ran in our sister site, DarkReading.com, 500,000 bots from a recently severed botnet army may now lay dormant, awaiting their next set of orders.This news follows last week's sudden fall of the McColo hosting service, credited to Brian Krebs, security reporter for The Washington Post, who said at the time that the McColo hosting service could have been responsible for 75% of the spam circulating the Internet.

Now that the master network has been crushed, DarkReading's Kelly Jackson Higgins asks: what's now going on with all of those dislocated bots that had previously been used to generate all of that spam:

Researchers have spotted these errant bots over the past week attempting to phone home to their former command and control (C&C) servers. While the industry continues to celebrate a nearly 70% nosedive (albeit temporary) in spam volume without McColo to host the world's biggest spamming botnets anymore, these orphaned bots are still at risk -- and possibly still spewing spam, security experts say.

"They are probably already infected with multiple things. You hardly ever find just one bot on these computers," says Joe Stewart, director of malware research for SecureWorks. "You may find three or four different spam bots on the same machine. And who knows what else -- password stealers and other rogue ware."

Stewart is no doubt correct. The systems acting as a home to these bots are most likely infected with numerous types of malware. If history is any indication, either the previous owner of the bot network will regain control, or others will start trying to highjack as many of those bots as they can for their own networks.

It should be interesting to see how this shakes out in the coming weeks.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
NSA Appoints Rob Joyce as Cyber Director
Dark Reading Staff 1/15/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-22
This affects all versions of package jquery-ui; all versions of package org.fujion.webjars:jquery-ui. When the "dialog" is injected into an HTML tag more than once, the browser and the application may crash.
PUBLISHED: 2021-01-22
Hyweb HyCMS-J1's API fail to filter POST request parameters. Remote attackers can inject SQL syntax and execute commands without privilege.
PUBLISHED: 2021-01-22
Hyweb HyCMS-J1 backend editing function does not filter special characters. Users after log-in can inject JavaScript syntax to perform a stored XSS (Stored Cross-site scripting) attack.
PUBLISHED: 2021-01-21
Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods.
PUBLISHED: 2021-01-21
Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that conta...