Botnet Business Booming

Some dismantled botnets rank in the top ten most prevalent as old bot malware gets repurposed, according to new Fortinet report

Dark Reading Staff, Dark Reading

March 20, 2013

3 Min Read
Dark Reading logo in a gray background | Dark Reading

If there's one thing we've learned about botnets, it's that old botnets die hard -- if at all. And one-third of the top 10 botnets identified by Fortinet are nearly 10 years old, underscoring the difficulty of truly eradicating these easily built armies of infected machines.

Botnet takedowns over the past few years have temporarily suspended and crippled big chunks of pesky botnets, including Mariposa and Waledac, but that doesn't mean the malware, operators, or even segments of their infrastructures get completely eradicated.

The 10 most prevalent botnet infections found by Fortinet's FortiGuard Labs in February were (in order) ZeroAccess, Jeefo, Smoke, Mariposa, Grum/Tedroo, Lethic, Torpig, SpyEye, Waledac, and Zeus. And, yes, although Mariposa and Waledac had been dismantled, at least in part over the past few years, new variants of their malware live on.

"Once the Pandora's box has been opened and that software gets out there, you're unable to make it go away forever. A piece of botnet software might become obsolete or have different people behind it, or they go to prison, or stop developing it," says Richard Henderson, security strategist for Fortinet's FortiGuard Labs, which published a new botnet report last week. "For the people behind the botnets, it's a full-time job. They're always working on ways to generate new infections."

Henderson says the botnet business is as lucrative as ever, and plenty of botnet activity goes unseen. The ZeroAccess botnet is growing at a rate of 100,000 to 200,000 new infections per week, for example, he says, and its main goal is mining for Bitcoins.

"The guys behind it are so confident in getting new infections that they are paying affiliates five times the going rate to" infect machines for them, he says. The typical pay is about $100 per 1,000 machines, but the ZeroAccess gang pays out $500 for the same number of bots -- just for infecting the machines.

There are consulting services that help nontechnical botmasters get started for about $350 to $400, and professional botnet services charge thousands of dollars per month for bots and technical support.

Botnet rentals are also available: $535 for five hours per day of DDoS attacks per week, $40 for 20,000 spam emails, and $2 for 30 online forum and comment spam posts, according to Fortinet's report.

A single stolen user account sells for $5 to $15, and those accounts are typical sold in volume bundles.

How can you tell if a machine is a bot? Fortinet says some symptoms include:

>> System is running slower than usual

>> Hard drive LED is flashing wildly even though it is in idle mode

>> Files and folders have suddenly disappeared or have been changed

>> A friend or colleague has informed the user that they have received a spam email from their email account

>> A firewall on the computer informs the user that a program on the PC is trying to connect to the Internet

>> A launch icon from a program downloaded from the Internet suddenly disappears

> >More error messages than usual are popping up

>> Online bank is suddenly asking for personal information it has not required before

The full botnet report from Fortinet is available here.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights