Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:46 PM
Connect Directly

Old-School Botnet Still Thriving

New Trend Micro report details how IRC-based SDBOT is going strong with a new mission

Some old botnets never die: An old-school botnet is alive and well and now silently propagating pay-per-install scams, according to a new research paper released today. SDBOT, an IRC-based botnet that has been around for more than five years, is a low-profile botnet whose infections often go unnoticed.

Internet Relay Chat (IRC) botnets have slowly been fading in favor of more robust and stealthy types of botnets that use HTTP or peer-to-peer communications to control their infected bot machines. But according to Trend Micro, SDBOT and other botnets that use IRC operate almost silently. "These bot malware are neither heavy email spammers nor resource hogs. They hardly ever disrupt normal computer activities -- say, Internet browsing -- so their victims never notice that their computers have been infected," Trend Micro researchers blogged today.

SDBOT mainly attempts to download other malware files, including fake AV, Cutwail bot software, the Koobface worm, the Autorun worm, and other malware -- most likely for money from other cybercriminals in a pay-per-install arrangement. "It appears that this botnet too is in the business of renting out its reach and download capability to cybercriminals," Trend Micro blogged. "The use of the pay-per-install business model is also increasing as the model is easy to use."

It works like this: A botnet owner is paid to push and install fake AV on its already-infected bot machines, for instance.

So why use IRC technology? Trend Micro says it's because IRC-based bot threats have basically fallen off the radar screen in favor of higher profile ones, like Waledac, Koobface, Pushdo, and Zeus, that are under the researchers' microscope daily.

"These cybercriminals may either be interested in increasing their number of victims or in sending out spammed messages for various other purposes. This is a known malware business model wherein some cybercriminal gangs pay others to spread their malicious code. For the longest time, instead of conducting their own focused attacks, the SDBOT cybercriminal gang is keeping itself busy by responding to different business requests, such as installing FAKEAV, KOOBFACE, CUTWAIL, and other malware variants on their infected bots," according to the Trend Micro report.

Meanwhile, fake AV has become fairly lucrative for botnets like SDBOT: Just one successful installation garners $120 in the U.S., for instance.

Trend Micro says the best way to avoid becoming infected with SDBOT malware and becoming a bot in the botnet is to avoid clicking on links sent via IM applications -- one of the botnet's favorite attack vectors. Also, don't open unsolicited email or spam, and be sure to update security applications regularly.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Active Directory Needs an Update: Here's Why
Raz Rafaeli, CEO and Co-Founder at Secret Double Octopus,  1/16/2020
New Attack Campaigns Suggest Emotet Threat Is Far From Over
Jai Vijayan, Contributing Writer,  1/16/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: I've never actually seen the corporate ladder before.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-01-23
In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.9.0, 5.2.0, and 6.3.0. If user-supplied input was passed into append/override_content_security_policy_directives, a newline could be injected leading to limited header injection. Upon seei...
PUBLISHED: 2020-01-23
In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.8.0, 5.1.0, and 6.2.0. If user-supplied input was passed into append/override_content_security_policy_directives, a semicolon could be injected leading to directive injection. This could b...
PUBLISHED: 2020-01-23
In PrivateBin versions 1.2.0 before 1.2.2, and 1.3.0 before 1.3.2, a persistent XSS attack is possible. Under certain conditions, a user provided attachment file name can inject HTML leading to a persistent Cross-site scripting (XSS) vulnerability. The vulnerability has been fixed in PrivateBin v1.3...
PUBLISHED: 2020-01-23
A timing vulnerability in the Scalar::check_overflow function in Parity libsecp256k1-rs before 0.3.1 potentially allows an attacker to leak information via a side-channel attack.
PUBLISHED: 2020-01-22
An issue was discovered on Eaton 5P 850 devices. The Ubicacion SAI field allows XSS attacks by an administrator.