Security: BotNets - Is Your Computer Working For Organized Crime?

BotNet is a jargon term for a collection of software agents, or robots, that run autonomously and automatically. The term is most commonly associated with malicious software, but it can also refer to a network of computers using distributed computing software. Distributing Computing means that part of the program runs of thousands of computers, and most folks don't even know they are part of the BotNet network. While BotNets are often named after their malicious software name, there are typically multiple BotNets in operation using the same malicious software families, but operated by different criminal entities. Fact is, BotNets has become a billion dollar industry, and most of it is run by organized crime.  Is your computer working for organized crime? Let's find out more!.

While the term "BotNet" can be used to refer to any group of bots, such as IRC bots, this word is generally used to refer to a collection of compromised computers (called zombie computers) running software, usually installed via drive-by downloads exploiting web browser vulnerabilities, worms, Trojan horses, or backdoors, under a common command-and-control infrastructure.

A BotNet's originator (aka "Bot herder" or "Bot master") can control the group remotely, usually through a means such as IRC, and usually for nefarious purposes. Individual programs manifest as IRC "bots". Often the command-and-control takes place via an IRC server or a specific channel on a public IRC network. This server is known as the command-and-control server ("C&C"). Though rare, more experienced BotNet operators program their own commanding protocols from scratch. The constituents of these protocols include a server program, client program for operation, and the program that embeds itself on the victim's machine (Bot). All three of these usually communicate with each other over a network using a unique encryption scheme for stealth and protection against detection or intrusion into the BotNet network.

A Bot typically runs hidden and uses a covert channel (e.g. the RFC 1459 (IRC) standard, FaceBook, twitter or IM) to communicate with its C&C server. Generally, the perpetrator of the BotNet has compromised a series of systems using various tools (exploits, buffer overflows, as well as others; see also RPC). Newer bots can automatically scan their environment and propagate themselves using vulnerabilities and weak passwords. Generally, the more vulnerabilities a Bot can scan and propagate through, the more valuable it becomes to a BotNet controller community. The process of stealing computing resources as a result of a system being joined to a "BotNet" is sometimes referred to as "scrumping."

BotNets have become a significant part of the Internet, albeit increasingly hidden. Due to most conventional IRC networks taking measures and blocking access to previously-hosted BotNets, BotNet controllers have found other servers in small colleges, businesses, and home computer networks.

Geographical origins of BotNets, according to a 2009 Cisco Systems report, lists the origin of BotNets by country as follows:

(trillions of spam messages per year)

Brazil: 7.7

USA: 6.6

India: 3.6

South Korea: 3.1

Turkey: 2.6

Vietnam: 2.5

How to tell if you are part of a BotNet? The first thing you will notice is that your computer will slow down. BotNets tend to propagate like rabbits, meaning that an infected computer may soon have hundreds of BotNets, each one taking away a little computer (CPU) power, occupying a little ram memory, each one taking away a little internet bandwidth. Multiply each BotNet by 100 and your computer may simply stop working, and the internet may become unavailable. Keep in mind, now, that your computer is controlled by other people, and it may be used to spew out spam advertising for legitimate products, gambling, porn, or even fraudulent scams. Even worse, you little computer may be used to attack a company like Microsoft, or even a country (like your own)!

BotNets used in 2010:

1: Grum (Tedroo)Grum is the future for spam BotNets. It's a kernel-mode RootKit and thus hard to detect. It's also sneaky, infecting files used by Autorun registries. That guarantees it will be activated. This BotNet is of special interest to researchers. It's relatively small, only 600,000 members. Yet it accounts for almost 25 percent, or 40 billion spam-emails a day.

Grum focuses on pharmaceutical spam. You know the kind. There must be money in this, as most spam BotNets are involved with it to some degree.

2: Bobax (Kraken/Oderoor/Hacktool.spammer) confuses BotNet hunters, being somewhat related to the Kraken BotNet. Recently, Bobax went through a rewrite. The authors converted command and control traffic to HTTP, making it more difficult to block and trace.

Right now, Bobax has only 100,000 members, yet it produces 27 billion spam messages a day. That's 15 percent. Or more impressively, 1,400 spam email messages per Bot per minute. Bobax appears to be a BotNet for hire, as the type of spam varies.

3: Pushdo (Cutwail/Pandex) started at the same time as Storm, in 2007. Storm is all but gone. But Pushdo is still going strong, sending out approximately 19 billion spam email messages a day from one and a half million bots. Pushdo is the downloader, which gains access to the victim computer. It then downloads Cutwail, the spamming software.

The Pushdo/Cutwail BotNet spews spam with a wide variety of subject matter, including pharmaceuticals, online casinos, phishing schemes, and links to malware-laced Web sites.

4: Rustock (Costrat)Rustock) is another survivor. It was almost destroyed when McColo was shuttered in 2008. But it's back and currently the largest BotNet, with almost two million bots. Before McColo, Rustock's trademark was to generate huge amounts of spam, then go dormant for several months. Today, Rustock's signature is to deliver spam only from 3 a.m. to 7 a.m. EST (GM-5) daily.

Rustock is also known for forging legitimate email newsletters using image files. Image spam is undetectable by most filtering software. In addition, Rustock does the usual pharmaceutical and Twitter-based spam to the tune of 17 billion spam messages a day.

5: Bagle (Beagle/Mitglieder/Lodeight)Bagle) is an interesting BotNet because of its industrious author. Since 2004, it has gone through hundreds of iterations. Two years ago, the developer decided to start making money, using Bagle to cultivate and sell email address databases.

Now, Bagle bots act as relay proxies, forwarding spam email messages to their final destination. Bagle has at most 500,000 bots, but it still moves 14 billion pieces of spam each day.

6: Mega-D (Ozdok) is famous — or infamous, depending on your point of view. In November 2009, researchers at FireEye were able to shut the BotNet down by registering its command and control domains ahead of the BotMaster. But the malware is programmed to constantly generate new domains, allowing the BotMaster to eventually regain control.

Of the top 10 BotNets, Mega-D is the smallest, consisting of 50,000 members. That's not very many, considering it pushes out 11 billion pieces of spam daily. It's second only to Bobax, when considering spam per Bot per minute. Mega-D's spam consists of advertisements for an online pharmacy and, of course, male-enhancement drugs.

7: MaazbenMaazben has been around only since June 2009. Yet it's of special interest to researchers. Maazben is the first BotNet that can use either proxy-based or template-based bots. Spammers prefer proxy-based bots because the spam source remains hidden. But proxy-based bots don't work if the infected computer is behind a NAT device.

The new technique must be working. Maazben is the fastest-growing BotNet of the top 10, increasing membership five percent in one month. With 300,000 bots, Maazben spreads two and a half billion casino-related spam messages per day.

8: Xarvester (Rlsloup/Pixoliz)Xarvester) came into the picture after the McColo shutdown. Researchers feel the Xarvester BotNet picked up a few customers from the closure. Researchers also see many similarities between Xarvester and the infamous Srizbi BotNet, one of the BotNets affected by the closing of the McColo data center.

Currently, the Xarvester BotNet contains 60,000 members, sending out approximately two and a half billion spam messages a day. The email messages could contain spam for pharmaceuticals, fake diplomas, replica watches, and Russian-specific spam.

9: Donbot (Buzus) BotNet is unique. It is one of the first BotNets to use URL shortening, in an attempt to hide malicious links in the spam email. The thought is to increase the likelihood of someone clicking on the link. Donbot also seems to be divided into multiple individually run networks, each one pushing different types of spam.

Donbot has 100,000 members and sends out about 800 million spam emails a day. Spam content varies from weight loss drugs to stock pump-and-dump to debt settlement offers.

10: Gheg (Tofsee/Mondera)Three things stand out about the number 10 BotNet.

First, almost 85 percent of the spam from it originates in South Korea.

Second, Gheg is one of the few BotNets that encrypt traffic from the command and control servers using a nonstandard SSL connection on port 443.

Third, Gheg has options in how it sends spam email. It can act as a conventional proxy SpamBot. Or it can route spam messages through the victim's Internet provider's mail server. Gheg has 60,000 members and pushes out about 400 million spam emails daily, concentrating on pharmaceutical spam.

80 percent of all spam is sent by these 10 BotNets.

These 10 BotNets send 135 billion spam messages a day.

Five million computers belong to the 10 BotNets.

MessageLabs, the research arm of Symantec, just released the February 2010 Intelligence Report, and it's full of valuable information. I thought it would be a good idea to share the link and mention some of the highlights. The paper pointed out that Grum and Rustock are the current heavyweights, accounting for 32 percent of all spam delivered. The following figure (courtesy of MessageLabs) shows the output from the 10 most active spam-sending BotNets. That's a lot of green (Rustock) and purple (Grum).

Two additional notable statistics: