levels may have dropped, but botnets are still busy.
In fact, security researchers at this year’s RSA
Conference highlighted a mix of botnets both famous and unheard of that are
growing on the strength of do-it-yourself
kits and pay-per-install (PPI) systems.
Joe Stewart, director of malware research for Dell SecureWorks, reported
that the most prolific spam botnet today is Rustock, which he estimates has
250,000 bots in its army. While in the past Rustock has periodically been
overtaken by other botnets, it has pulled away because of the author’s
continued development to the botnet’s codebase. Among its tactics: not mapping
hostnames associated with the Rustock HTTP communication directly to the IP
address of a Rustock controller, and having Rustock control servers run a TOR
exit node to avoid disconnection by network administrators.
“It has probably the most thought and development, stealth, obfuscation
[and] evasion built in to what it’s doing, and it’s evolved these things over
the past few years,” he said.
But while Rustock has the name and the fame, there are other botnets many
people may not have heard of that have sneakily built up armies of bots by
piggybacking on the growth of other malware. An example of this can be found
with Lethic, which Stewart estimates has 75,000 bots. Lethic has been seen
lately being installed by another bot known as “Butterfly” or “Bfbot.”
Bfbot botnets have been seen installing other spam Trojans as well, making the
specific Bfbot system part of a growing ecosystem of pay-per-install
operations.
For more, read the eWeek article: RSA Conference: Researchers Go Inside the Botnet Threat.
