Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

11/9/2007
03:08 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

The World's Biggest Botnets

What makes three of today's largest botnets tick, what they're after - and a peek at the 'next' Storm

You know about the Storm Trojan, which is spread by the world's largest botnet. But what you may not know is there's now a new peer-to-peer based botnet emerging that could blow Storm away.

"We're investigating a new peer-to-peer botnet that may wind up rivaling Storm in size and sophistication," says Tripp Cox, vice president of engineering for startup Damballa, which tracks botnet command and control infrastructures. "We can't say much more about it, but we can tell it's distinct from Storm."

It's hard to imagine anything bigger and more complex than Storm, which despite its nefarious intent as a DDOS and spam tool has awed security researchers with its slick design and its ability to reinvent itself when it's at risk of detection or getting busted. Storm changed the botnet game, security experts say, and its successors may be even more powerful and wily. (See Attackers Hide in Fast Flux and Researchers Fear Reprisals From Storm.)

Botnets are no longer just annoying, spam-pumping factories -- they're big business for criminals. This shift has even awakened enterprises, which historically have either looked the other way or been in denial about bots infiltrating their organizations. (See Bots Rise in the Enterprise.)

"A year ago, the traditional method for bot infections was through malware. But now you're getting compromised servers, with drive-by downloads so prevalent that people are getting infected without realizing it," says Paul Ferguson, network architect for Trend Micro. "No one is immune."

Researchers estimate that there are thousands of botnets in operation today, but only a handful stand out by their sheer size and pervasiveness. Although size gives a botnet muscle and breadth, it can also make it too conspicuous, which is why botnets like Storm fluctuate in size and are constantly finding new ways to cover their tracks to avoid detection. Researchers have different head counts for different botnets, with Storm by far the largest (for now, anyway).

Damballa says its top three botnets are Storm, with 230,000 active members per 24 hour period; Rbot, an IRC-based botnet with 40,000 active members per 24 hour period; and Bobax, an HTTP-based botnet with 24,000 active members per 24 hour period, according to the company.

Here's a look at the world's top three biggest botnets.

Next Page: Storm

Contents:

1. Storm

Size: 230,000 active members per 24 hour period

Type: peer-to-peer

Purpose: Spam, DDOS

Malware: Trojan.Peacomm (aka Nuwar)

Few researchers can agree on Storm's actual size -- while Damballa says its over 200,000 bots, Trend Micro says its more like 40,000 to 100,000 today. But all researchers say that Storm is a whole new brand of botnet. First, it uses encrypted decentralized, peer-to-peer communication, unlike the traditional centralized IRC model. That makes it tough to kill because you can't necessarily shut down its command and control machines. And intercepting Storm's traffic requires cracking the encrypted data.

But this also makes Storm easier to detect, says Joe Stewart, a senior security researcher with SecureWorks, who closely tracks Storm. "Before, we had difficulty distinguishing Storm traffic from eDonkey and other peer-to-peer traffic on Overnet," Stewart says. "eDonkey/Overnet traffic is very fingerprintable in size and frequency of packets, so now we can rule it out because it's not encrypted." And Storm uses fairly basic encryption, he says, which can be reverse engineered.

Storm also uses fast-flux, a round-robin method where infected bot machines (typically home computers) serve as proxies or hosts for malicious Websites. These are constantly rotated, changing their DNS records to prevent their discovery by researchers, ISPs, or law enforcement. And researchers say it's tough to tell how the command and control communication structure is set up behind the P2P botnet. "Nobody knows how the mother ships are generating their C&C," Trend Micro's Ferguson says.

Storm uses a complex combination of malware called Peacomm that includes a worm, rootkit, spam relay, and Trojan. Shane Coursen, senior technical consultant for Kaspersky Lab, says the worm component is the "gelatin" that compromises a machine and sends off SMTP-based emails. "The rootkit is only activated when a person who receives the spam email clicks on the attachment and launches it, for example," he says.

It's also spread through malicious Websites, when a user visits an infected site or clicks on a link to one.

"At the risk of giving them accolades, they've got a great business model... It's criminals catering to criminals, and I don’t see any slowdown," Coursen says.

Storm has survived thus far with its supersized spam runs, and the fact that the casual user won't know he's infected with a rootkit. But researchers don't know -- or can't say -- who exactly is behind Storm, except that it's likely a fairly small, tightly knit group with a clear business plan. "All roads lead back to Russia," Trend Micro's Ferguson says.

"Storm is only thing now that keeps me awake at night and busy," he says. "It's professionalized crimeware... They have young, talented programmers apparently. And they write tools to do administrative [tracking], as well as writing cryptographic routines... and another will handle social engineering, and another will write the Trojan downloader, and another is writing the rootkit."

But the big worry is that Storm, which mostly has been used for spam, stealing credit-card information, and trafficking in stolen goods and fraud, will be channeled into more destructive uses. "The possibility exists that it could be used for more nefarious purposes," Ferguson says. "You can use your imagination."

Next Page: Rbot

2. Rbot

Size: 40,000 active members per 24 hour period

Type: IRC

Purpose: DDOS, spam, malicious operations

Malware: Windows worm

Rbot is basically an old-school IRC botnet that uses the Rbot malware kit. It isn't likely to ever reach Storm size because IRC botnets just can't scale accordingly. "An IRC server has to be a beefy machine to support anything anywhere close to the size of Peacomm/Storm," Damballa's Cox says.

The botnet mainly sends spam runs and executes DDOS attacks, but it can also be used for other criminal purposes. "It's difficult to predict the intent of it. It's a utility bot," he says. It self-propagates by scanning local networks for exploitable vulnerabilities, for instance, he says, as well as via DDOS attacks and email.

It can disable antivirus software, too. Rbot's underlying malware uses a backdoor to gain control of the infected machine, installing keyloggers, viruses, and even stealing files from the machine, as well as the usual spam and DDOS attacks. "The Rbot [malware] is readily available to anyone who wants try to apply some kind of criminal activity in the bot arena," Cox says.

Who's behind the Rbot botnet? "We've seen a lot [of activity] in the black market... for malware development," for instance, he says, adding that it's mostly in Eastern Europe and the former Soviet Republic.

Next Page: Bobax

3. Bobax

Size: 24,000 active members per 24 hour period

Type: HTTP

Purpose: Spam

Malware: Mass-mailing worm

Botnets that communicate via HTTP are as difficult to detect as those like Storm that talk via P2P networks. Bobax ranks as the third biggest botnet, with over 20,000 active bots per day, according to Damballa. "It's been around a long time," Cox says. "And it's still in our top three."

Bobax is specifically for spamming, Cox says, and uses the stealthier HTTP for sending instructions to its bots on who and what to spam. "HTTP bots in general do provide an additional level of security to the bot armies because the Web is the predominant type of traffic on the Net," he says. "We look for locations where the C&C is hosted, and that's how we track" Bobax and other HTTP-driven botnets.

According to Symantec, Bobax bores open a back door and downloads files onto the infected machine, and lowers its security settings. It spreads via a buffer overflow vulnerability in Windows, and inserts the spam code into the IE browser so that each time the browser runs, the virus is activated. And Bobax also does some reconnaissance to ensure that its spam runs are efficient: It can do bandwidth and network analysis to determine just how much spam it can send, according to Damballa. "Thus [they] are able to tailor their spamming so as not to tax the network, which helps them avoid detection," according to company research.

Even more frightening, though, is that some Bobax variants can block access to antivirus and security vendor Websites, a new trend in Website exploitation. (See Honeynet Project: Attackers Know Where You Live.)

Meanwhile, size doesn't always matter with botnets. "Depending on your motivations, you can likely accomplish pretty much whatever you want with less than 50 bots -- 4-Gbit/s DDOS, millions of spam per hour, and entire phishing system, etc.," says Danny McPherson, chief research officer for Arbor Networks. "Of course, lifting things like CD keys, pulling data from keystroke loggers, or lifting addresses from address books is more interesting with larger numbers" of bots, he says.

And the more professional botnet operators are staging more targeted, purposeful attacks. They are less into DDOSing-for-hire and more into gathering personal data for profit, notes André M. Di Mino, a director of The Shadowserver Foundation, which researches botnet activity. "That's a new and disturbing trend," he says.

The key, of course, is getting to the faces behind these bot armies, which is no simple task. "We've been trying to fight botnets from the bottom up by updating AV and network detection methods, which is effective. But to really get to root of it, you need to go after the people pulling the strings," Trend Micro's Ferguson says. "This is a criminal trade and needs to be treated that way."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

  • Damballa Inc.
  • Trend Micro Inc.
  • SecureWorks Inc.
  • Arbor Networks Inc.

    Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
    Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
    The Flaw in Vulnerability Management: It's Time to Get Real
    Jim Souders, Chief Executive Officer at Adaptiva,  8/15/2019
    Tough Love: Debunking Myths about DevOps & Security
    Jeff Williams, CTO, Contrast Security,  8/19/2019
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Current Issue
    7 Threats & Disruptive Forces Changing the Face of Cybersecurity
    This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
    Flash Poll
    The State of IT Operations and Cybersecurity Operations
    The State of IT Operations and Cybersecurity Operations
    Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2019-5638
    PUBLISHED: 2019-08-21
    Rapid7 Nexpose versions 6.5.50 and prior suffer from insufficient session expiration when an administrator performs a security relevant edit on an existing, logged on user. For example, if a user's password is changed by an administrator due to an otherwise unrelated credential leak, that user accou...
    CVE-2019-6177
    PUBLISHED: 2019-08-21
    A vulnerability reported in Lenovo Solution Center version 03.12.003, which is no longer supported, could allow log files to be written to non-standard locations, potentially leading to privilege escalation. Lenovo ended support for Lenovo Solution Center and recommended that customers migrate to Le...
    CVE-2019-10687
    PUBLISHED: 2019-08-21
    KBPublisher 6.0.2.1 has SQL Injection via the admin/index.php?module=report entry_id[0] parameter, the admin/index.php?module=log id parameter, or an index.php?View=print&id[]= request.
    CVE-2019-11601
    PUBLISHED: 2019-08-21
    A directory traversal vulnerability in remote access to backup & restore in earlier versions than ProSyst mBS SDK 8.2.6 and Bosch IoT Gateway Software 9.2.0 allows remote attackers to write or delete files at any location.
    CVE-2019-11602
    PUBLISHED: 2019-08-21
    Leakage of stack traces in remote access to backup & restore in earlier versions than ProSyst mBS SDK 8.2.6 and Bosch IoT Gateway Software 9.2.0 allows remote attackers to gather information about the file system structure.