Attack Of The Mini-Botnets
All eyes may be on the big spamming botnets, but it's the small, silent ones that are most dangerous
March 31, 2009
Big-name botnets like Kraken/Bobax, Srizbi, Rustock, the former Storm -- and even the possible botnet-in-waiting, Conficker -- have gained plenty of notoriety, but it's the smaller and less conspicuous ones you can't see that are doing the most damage in the enterprise.
These mini-botnets range in size from tens to thousands versus the hundreds of thousands, or even millions, of bots that the biggest botnets deploy. They are typically specialized and built to target an organization or person, stealing corporate and personal information, often without a trace. They don't attract the attention of the big spamming botnets that cast a wide net and generate lots of traffic; instead they strike quietly, under the radar.
"There's definitely specialization [in botnets] these days," says Joe Stewart, senior director of malware research for SecureWorks. "There are botnets designed for fraud, and they have been around for a while and don't seem to cross over [with the bigger spamming botnets]," he says.
These mini-botnets specialize in identity theft, fraud, and stealing corporate information, and are much more difficult to spot and infiltrate than a big spamming botnet. "We have to rely on the few anecdotal instances, where we've managed to get a look at the back-end," Stewart says.
Tripp Cox, vice president of engineering at Damballa, says most of the bots his company finds within its enterprise clients' networks are from obscure botnets, not the big spamming zombie networks. Spam-bot infections account for only about 2 percent of the compromised bot machines Damballa has uncovered, while 20 percent are bots used for targeted, malicious purposes, like data theft or fraud, he says. The other 75- to 80 percent are from blended threats -- multipurpose Trojans, downloaders, and worms for various purposes.
The main goal of specialized botnets is to steal user names and passwords, banking credentials, intellectual property, and other valuable information, he says. "We've seen them target banking credentials used by the enterprise to conduct corporate banking," Cox says. "We've also seen particular executives targeted who are involved in intellectual property development and research activities.
"There's a strong tie there between what information the [targeted] employee has access to and the value that asset has to the attacker."
SecureWorks' Stewart says small botnets are more worrisome than Conficker's next move. These botnets include Clampi (a.k.a. Ligats and Rscan), Torpig (a.k.a. Sinowal, Anserin), Zeus (a.k.a. prg/zbot), Pinch (a.k.a. ldpinch), and SilentBanker Cimuz -- all named after the malware they use -- plus one that has been around for some time, Coreflood (a.k.a. Afcore), which Stewart has studied closely. "I am far more worried about some of the recent Clampi [activities] and some of the other ones," Stewart says. "They have made inroads to affect users and do something malicious, like steal their credentials" for committing identity theft and fraud, he says.
But why use a botnet instead of an old-fashioned hack in a targeted attack? "A botnet is a resilient foothold for a criminal to get inside the company -- it's persistent," Damballa's Cox says. "It's a way to distribute updates, activate new capabilities, and harvest information without having to copy information out of the network. If you think about data leakage protection, you can imagine a botnet enables you to search internally without extracting the document."
Steven Adair, a researcher with the Shadowserver Foundation, says his organization has seen targeted botnet attacks that have used anywhere from dozens to hundreds or more machines. "They are often a lot smaller than the spamming and DDoS botnets due to their target selection," Adair says.
These targeted botnet attacks often use spear-phishing email attacks, using malicious PDF attachments or links that appear legitimate because they contain information familiar to the user. Shadowserver has also seen mini-botnets infect Websites that cater to a specific group of users, Adair says. "The sites were specifically chosen due to their audience," he says.
Mini-botnets look a lot like big spamming botnets architecture-wise: They typically use HTTP or custom protocols to communicate, and they encrypt their traffic. But they don't use peer-to-peer communications like some of the big botnets, and the command-and-control servers are often in a multitier arrangement so they can remain obfuscated, SecureWorks' Stewart says. "They have a centralized command-and-control...because that gives them more control," he says. "They are trying to suck data out of these machines, so it's better to go back to one channel."
The recently exposed GhostNet network of some 1,300 infected machines appears to be an example of a targeted-attack botnet, says Nicolas Fischbach, senior manager for network engineering/security for European ISP COLT Telecom. "The recent GhostNet seems to be the tip of the iceberg," he says.
GhostNet was recently discovered by the Munk Centre for International Studies at the University of Toronto, which found the attackers used a Trojan program that gave them full control of the targeted machine such that they could search and download files, as well as spy on the victim via his or her Web camera and microphone.
But not all targeted attacks are botnet-driven. Fischbach says he sees some "old-school" hacks, with a few machines set up as a chain of "stepping stones" to evade being traced. "DDoS for money and for fun is over. There's more money to make in information- and intelligence-gathering," he says. "If you have a small botnet and cool exploitation techniques and tools, you want to infect a small, controllable number of machines to steal data or even influence decisions."
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.
About the Author
You May Also Like