Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:08 AM
Connect Directly

The World's Biggest Botnets

What makes three of today's largest botnets tick, what they're after - and a peek at the 'next' Storm

You know about the Storm Trojan, which is spread by the world's largest botnet. But what you may not know is there's now a new peer-to-peer based botnet emerging that could blow Storm away.

"We're investigating a new peer-to-peer botnet that may wind up rivaling Storm in size and sophistication," says Tripp Cox, vice president of engineering for startup Damballa, which tracks botnet command and control infrastructures. "We can't say much more about it, but we can tell it's distinct from Storm."

It's hard to imagine anything bigger and more complex than Storm, which despite its nefarious intent as a DDOS and spam tool has awed security researchers with its slick design and its ability to reinvent itself when it's at risk of detection or getting busted. Storm changed the botnet game, security experts say, and its successors may be even more powerful and wily. (See Attackers Hide in Fast Flux and Researchers Fear Reprisals From Storm.)

Botnets are no longer just annoying, spam-pumping factories -- they're big business for criminals. This shift has even awakened enterprises, which historically have either looked the other way or been in denial about bots infiltrating their organizations. (See Bots Rise in the Enterprise.)

"A year ago, the traditional method for bot infections was through malware. But now you're getting compromised servers, with drive-by downloads so prevalent that people are getting infected without realizing it," says Paul Ferguson, network architect for Trend Micro. "No one is immune."

Researchers estimate that there are thousands of botnets in operation today, but only a handful stand out by their sheer size and pervasiveness. Although size gives a botnet muscle and breadth, it can also make it too conspicuous, which is why botnets like Storm fluctuate in size and are constantly finding new ways to cover their tracks to avoid detection. Researchers have different head counts for different botnets, with Storm by far the largest (for now, anyway).

Damballa says its top three botnets are Storm, with 230,000 active members per 24 hour period; Rbot, an IRC-based botnet with 40,000 active members per 24 hour period; and Bobax, an HTTP-based botnet with 24,000 active members per 24 hour period, according to the company.

Here's a look at the world's top three biggest botnets.

Next Page: Storm


1. Storm

Size: 230,000 active members per 24 hour period

Type: peer-to-peer

Purpose: Spam, DDOS

Malware: Trojan.Peacomm (aka Nuwar)

Few researchers can agree on Storm's actual size -- while Damballa says its over 200,000 bots, Trend Micro says its more like 40,000 to 100,000 today. But all researchers say that Storm is a whole new brand of botnet. First, it uses encrypted decentralized, peer-to-peer communication, unlike the traditional centralized IRC model. That makes it tough to kill because you can't necessarily shut down its command and control machines. And intercepting Storm's traffic requires cracking the encrypted data.

But this also makes Storm easier to detect, says Joe Stewart, a senior security researcher with SecureWorks, who closely tracks Storm. "Before, we had difficulty distinguishing Storm traffic from eDonkey and other peer-to-peer traffic on Overnet," Stewart says. "eDonkey/Overnet traffic is very fingerprintable in size and frequency of packets, so now we can rule it out because it's not encrypted." And Storm uses fairly basic encryption, he says, which can be reverse engineered.

Storm also uses fast-flux, a round-robin method where infected bot machines (typically home computers) serve as proxies or hosts for malicious Websites. These are constantly rotated, changing their DNS records to prevent their discovery by researchers, ISPs, or law enforcement. And researchers say it's tough to tell how the command and control communication structure is set up behind the P2P botnet. "Nobody knows how the mother ships are generating their C&C," Trend Micro's Ferguson says.

Storm uses a complex combination of malware called Peacomm that includes a worm, rootkit, spam relay, and Trojan. Shane Coursen, senior technical consultant for Kaspersky Lab, says the worm component is the "gelatin" that compromises a machine and sends off SMTP-based emails. "The rootkit is only activated when a person who receives the spam email clicks on the attachment and launches it, for example," he says.

It's also spread through malicious Websites, when a user visits an infected site or clicks on a link to one.

"At the risk of giving them accolades, they've got a great business model... It's criminals catering to criminals, and I don’t see any slowdown," Coursen says.

Storm has survived thus far with its supersized spam runs, and the fact that the casual user won't know he's infected with a rootkit. But researchers don't know -- or can't say -- who exactly is behind Storm, except that it's likely a fairly small, tightly knit group with a clear business plan. "All roads lead back to Russia," Trend Micro's Ferguson says.

"Storm is only thing now that keeps me awake at night and busy," he says. "It's professionalized crimeware... They have young, talented programmers apparently. And they write tools to do administrative [tracking], as well as writing cryptographic routines... and another will handle social engineering, and another will write the Trojan downloader, and another is writing the rootkit."

But the big worry is that Storm, which mostly has been used for spam, stealing credit-card information, and trafficking in stolen goods and fraud, will be channeled into more destructive uses. "The possibility exists that it could be used for more nefarious purposes," Ferguson says. "You can use your imagination."

Next Page: Rbot

2. Rbot

Size: 40,000 active members per 24 hour period

Type: IRC

Purpose: DDOS, spam, malicious operations

Malware: Windows worm

Rbot is basically an old-school IRC botnet that uses the Rbot malware kit. It isn't likely to ever reach Storm size because IRC botnets just can't scale accordingly. "An IRC server has to be a beefy machine to support anything anywhere close to the size of Peacomm/Storm," Damballa's Cox says.

The botnet mainly sends spam runs and executes DDOS attacks, but it can also be used for other criminal purposes. "It's difficult to predict the intent of it. It's a utility bot," he says. It self-propagates by scanning local networks for exploitable vulnerabilities, for instance, he says, as well as via DDOS attacks and email.

It can disable antivirus software, too. Rbot's underlying malware uses a backdoor to gain control of the infected machine, installing keyloggers, viruses, and even stealing files from the machine, as well as the usual spam and DDOS attacks. "The Rbot [malware] is readily available to anyone who wants try to apply some kind of criminal activity in the bot arena," Cox says.

Who's behind the Rbot botnet? "We've seen a lot [of activity] in the black market... for malware development," for instance, he says, adding that it's mostly in Eastern Europe and the former Soviet Republic.

Next Page: Bobax

3. Bobax

Size: 24,000 active members per 24 hour period

Type: HTTP

Purpose: Spam

Malware: Mass-mailing worm

Botnets that communicate via HTTP are as difficult to detect as those like Storm that talk via P2P networks. Bobax ranks as the third biggest botnet, with over 20,000 active bots per day, according to Damballa. "It's been around a long time," Cox says. "And it's still in our top three."

Bobax is specifically for spamming, Cox says, and uses the stealthier HTTP for sending instructions to its bots on who and what to spam. "HTTP bots in general do provide an additional level of security to the bot armies because the Web is the predominant type of traffic on the Net," he says. "We look for locations where the C&C is hosted, and that's how we track" Bobax and other HTTP-driven botnets.

According to Symantec, Bobax bores open a back door and downloads files onto the infected machine, and lowers its security settings. It spreads via a buffer overflow vulnerability in Windows, and inserts the spam code into the IE browser so that each time the browser runs, the virus is activated. And Bobax also does some reconnaissance to ensure that its spam runs are efficient: It can do bandwidth and network analysis to determine just how much spam it can send, according to Damballa. "Thus [they] are able to tailor their spamming so as not to tax the network, which helps them avoid detection," according to company research.

Even more frightening, though, is that some Bobax variants can block access to antivirus and security vendor Websites, a new trend in Website exploitation. (See Honeynet Project: Attackers Know Where You Live.)

Meanwhile, size doesn't always matter with botnets. "Depending on your motivations, you can likely accomplish pretty much whatever you want with less than 50 bots -- 4-Gbit/s DDOS, millions of spam per hour, and entire phishing system, etc.," says Danny McPherson, chief research officer for Arbor Networks. "Of course, lifting things like CD keys, pulling data from keystroke loggers, or lifting addresses from address books is more interesting with larger numbers" of bots, he says.

And the more professional botnet operators are staging more targeted, purposeful attacks. They are less into DDOSing-for-hire and more into gathering personal data for profit, notes André M. Di Mino, a director of The Shadowserver Foundation, which researches botnet activity. "That's a new and disturbing trend," he says.

The key, of course, is getting to the faces behind these bot armies, which is no simple task. "We've been trying to fight botnets from the bottom up by updating AV and network detection methods, which is effective. But to really get to root of it, you need to go after the people pulling the strings," Trend Micro's Ferguson says. "This is a criminal trade and needs to be treated that way."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

  • Damballa Inc.
  • Trend Micro Inc.
  • SecureWorks Inc.
  • Arbor Networks Inc.

    Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    FluBot Malware's Rapid Spread May Soon Hit US Phones
    Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
    7 Modern-Day Cybersecurity Realities
    Steve Zurier, Contributing Writer,  4/30/2021
    How to Secure Employees' Home Wi-Fi Networks
    Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
    Register for Dark Reading Newsletters
    White Papers
    Cartoon Contest
    Current Issue
    2021 Top Enterprise IT Trends
    We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
    Flash Poll
    How Enterprises are Developing Secure Applications
    How Enterprises are Developing Secure Applications
    Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2021-05-06
    An out-of-bounds (OOB) memory access flaw was found in x25_bind in net/x25/af_x25.c in the Linux kernel version v5.12-rc5. A bounds check failure allows a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a leak of internal kernel i...
    PUBLISHED: 2021-05-06
    A heap memory corruption problem (use after free) can be triggered in libgetdata v0.10.0 when processing maliciously crafted dirfile databases. This degrades the confidentiality, integrity and availability of third-party software that uses libgetdata as a library. This vulnerability may lead to arbi...
    PUBLISHED: 2021-05-06
    aom_image.c in libaom in AOMedia before 2021-04-07 frees memory that is not located on the heap.
    PUBLISHED: 2021-05-06
    The administrator application on ASUS GT-AC2900 devices before allows authentication bypass when processing remote input from an unauthenticated user, leading to unauthorized access to the administrator interface. This relates to handle_request in router/httpd/httpd.c and auth_chec...
    PUBLISHED: 2021-05-06
    An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.8. GitLab was not properly validating authorisation tokens which resulted in GraphQL mutation being executed.