Botnets Still a Major Threat, Researchers Say at RSA

By CIOinsight  |  Posted 02-17-2011 Print Email
Dell SecureWorks and Damballa discuss the role do-it-yourself kits and pay-per-install operations are playing in the growth of botnets on the Web.

Spam levels may have dropped, but botnets are still busy.

In fact, security researchers at this year's RSA Conference highlighted a mix of botnets both famous and unheard of that are growing on the strength of do-it-yourself kits and pay-per-install (PPI) systems.

Joe Stewart, director of malware research for Dell SecureWorks, reported that the most prolific spam botnet today is Rustock, which he estimates has 250,000 bots in its army. While in the past Rustock has periodically been overtaken by other botnets, it has pulled away because of the author's continued development to the botnet's codebase. Among its tactics: not mapping hostnames associated with the Rustock HTTP communication directly to the IP address of a Rustock controller, and having Rustock control servers run a TOR exit node to avoid disconnection by network administrators.

"It has probably the most thought and development, stealth, obfuscation [and] evasion built in to what it's doing, and it's evolved these things over the past few years," he said.

But while Rustock has the name and the fame, there are other botnets many people may not have heard of that have sneakily built up armies of bots by piggybacking on the growth of other malware. An example of this can be found with Lethic, which Stewart estimates has 75,000 bots. Lethic has been seen lately being installed by another bot known as "Butterfly" or "Bfbot." Bfbot botnets have been seen installing other spam Trojans as well, making the specific Bfbot system part of a growing ecosystem of pay-per-install operations.


Submit a Comment

Loading Comments...