View Full Version : The 2007 Pandemic of the botnets

2007-02-23, 11:51

- http://news.bbc.co.uk/1/hi/business/6298641.stm
25 January 2007 ~ "Criminals controlling millions of personal computers are threatening the internet's future, experts have warned. Up to a quarter of computers on the net may be used by cyber criminals in so-called botnets, said Vint Cerf, one of the fathers of the internet... Mr Cerf, who is one of the co-developers of the TCP/IP standard that underlies all internet traffic and now works for Google, likened the spread of botnets to a "pandemic"*. Of the 600 million computers currently on the internet, between 100 and 150 million were already part of these botnets, Mr Cerf said... "Despite all that, the net is still working, which is amazing. It's pretty resilient," said Mr Cerf... Whatever the solution, the fight against botnets was a "war" that could only be won if all parties - regulators, governments, telecoms firms, computer users and hardware and software makers - worked together."

- http://en.wikipedia.org/wiki/Botnet
"...Botnets have become a significant part of the Internet, albeit increasingly hidden. Due to most conventional IRC networks taking measures and blocking access to previously-hosted botnets, controllers must now find their own servers. Often, a botnet will include a variety of connections, ranging from dial-up, ADSL and cable, and a variety of network types, including educational, corporate, government and even military networks. Sometimes, a controller will hide an IRC server installation on an educational or corporate site, where high-speed connections can support a large number of other bots. Exploitation of this method of using a bot to host other bots has proliferated only recently..."

* http://www.thefreedictionary.com/Pandemic
"...Epidemic over a wide geographic area and affecting a large proportion of the population.."

>>> http://www.shadowserver.org/wiki/pmwiki.php?n=Stats.Botnets

:fear: :spider: :fear:

2007-03-24, 00:04

- http://isc.sans.org/diary.html?storyid=2495
Last Updated: 2007-03-23 21:28:02 UTC ~ "According to data by Shadowserver*, the number of botnet-controlled machines has tripled in the last month. Specifically the jump seemed to start on March 8th or so and has kept going ever since. For the most part, they haven't tracked a significant increase in the number of botnets (only about a 20% jump), just the number of machines. The biggest C&C nets are near New York, Southern California, and near Germany. The biggest concentrations of botnet infected machines are in China, Brazil, and Argentina. So it appears botnet controllers are getting better at increasing the size of their herds."

* http://www.shadowserver.org/wiki/pmwiki.php?n=Stats.BotCounts#month

- http://www.securityfocus.com/brief/466
2007-03-22 ~ "...The weekly tally of bot-infected PCs tracked by the group rose to nearly 1.2 million this week, up from less than 400,000 infected machines two weeks ago. The surge reversed a sudden drop in infected systems--from 500,000 to less than 400,000--last December..."


2007-04-12, 12:53

(McAfee Threat Center - 2nd issue of McAfee Avert Labs security journal- Sage)
- http://www.mcafee.com/us/threat_center/default.asp
Apr 2007 ~ "...Botnets: Cybercrime Central - The largest enabler of cybercrime today is the “botnet,” a network of robot-infected PCs centrally controlled by an attacker, or bot herder. Bots gained their current status as a result of several factors. Perhaps the most important is that bots leverage the work of others. Several bot families are considered open source projects, developed collaboratively and refined by many. But even more important, bot developers piggyback on the work done by well-intentioned security researchers... When such vulnerabilities are made public in an effort to raise awareness, bot authors incorporate the work into new versions of their threats. If the payout for a crime exceeds the risks involved and the effort required, attackers will flock to it..."

(Monthly Botnet size currently at 2.4 million)
- http://www.shadowserver.org/wiki/pmwiki.php?n=Stats.BotCounts#month


2007-05-15, 22:43

- http://www.pcworld.com/printable/article/id,131844/printable.html
May 15, 2007 ~ "A tech trade group and a leading cybersecurity vendor applauded new legislation introduced in the U.S. Congress that would broaden penalties for cybercrime, including first-time penalties for botnet attacks. The Cyber Security Enhancement Act, introduced Monday, would create for the first time criminal penalties for botnet attacks often used to aid identity theft, denial-of-service attacks and the spread of spam and spyware... The bill would also broaden the definition of electronic data theft related to interstate or foreign communication, and expand the cyber extortion statute."


2007-05-19, 11:55

- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=199601992
May 18, 2007 ~ "Criminal cyber gangs are trying to steal zombie computers from rival botnets so they can boost their own numbers and raise the price they get from spammers.
Two or three online criminal gangs are waging an all-out battle for control of the largest botnets, sending out waves of malware aimed at stealing zombie computers from rival gangs to build up their own army. Each online gang is trying to build up the biggest botnet because the bigger the army of infected computers they control, the more money spammers and hackers will pay to use them, explains Shane Coursen, a senior technical consultant for Kaspersky Lab. Since the gangs have their own botnets already built up, they're all trying to pilfer victimized computers from their rivals, to diminish their competitor's botnets while they build up their own... the author of the well-known Storm Worm, also known as Zhelatin, is going head to head with the author or authors of the Warezov and Bagle worms. It's unclear whether one group is responsible for both the Warezov worm and the Bagle worm or if different groups are behind each one... "Instead of just one group that was kind of active, now we're looking at two definite groups and possibly three groups. The activities have increased very significantly over the last six months. We see a huge increase in the amount of spam, and it's largely because of this war"."

:fear: :mad: :spider:

2007-05-20, 14:57
wow..... so basically there is an army of haxorz out there just spreading viruses like crazy? ......WOW over 100million shesh wtf!! im thinking there should be computers that are like are 100% immune to viruses,worms, and spyware i mean that would end most problems like the computer itselfs prevents from any of its important things to be deleted, anything being recorded like keystrokes, etc.
If that could happen it would be great..

2007-05-20, 16:06
"WOW over 100 million..."

Actually, the numbers are quite a bit less (currently estimated at 2.8 million).

See: http://www.shadowserver.org/wiki/pmwiki.php?n=Stats.BotCounts#day

...but we're keeping a close watch, and will continue to do so.


2007-06-13, 02:47

February 2007 Root Server Attacks...
- http://preview.tinyurl.com/3dxn74
June 9, 2007 ~ Arbor Networks - "...Nice summary of what actually occurred during the February 6/7, 2007 DNS attacks... actual targets of this attack were:
* F-Root, G-Root, L-Root and M-Root
* And another set most folks haven’t heard of, ns[2-5].opihhkj.com
* and pehaps ns1.opihhkj.com, but not certain
He went on to cite more mis-information provided by the media and emphasized how difficult it was to find an accurate story... Some of the unique information that John shared about the attacks included details on the botnet involved (these were the numbers and distribution of the bots themselves, firepower from each varied):
* ~4500-5000 bots on Microsoft Windows Boxes
* ~65% from South Korea
* ~19% from United States
* ~3.5% from Canada
* ~2.5% from China
* The rest from various places
The botnet controller was HTTP-based, physically located in Dallas, TX, USA, and was located by the bots via DNS, with a backup DNS name as well. The botnet itself was associated with a Russian-affiliated reseller and has continued to be used for DDoS attacks up until 2007-05-23.
The attacks consisted of:
* bots performed one DNS query per victim
* bots setup three “threads” per victim
* unique but stable source port per thread
* each thread employed it’s own 1023-octet payload “seed”
* UDP packets were then flooded to each victim on port 53
* source address was NOT spoofed
* each UDP packet of random 0-1023 seed payload
* each thread was set to last 24 hours
As for mitigation, because non-spoofed some source-based mitigation/filtering could be employed but difficult... many of the other targets hit by the botnet were of “Russian origin”..."


2007-06-14, 05:14

Operation Bot Roast
- http://www.fbi.gov/page2/june07/botnet061307.htm
6.13.2007 ~ "...Operation Bot Roast was launched because the national security implications of the growing botnet threat are broad. The hackers may use the computers themselves, or they may rent out their botnets to the highest bidder. The more computers they control, the more they can charge their clients. A bot-herder can do a lot with compromised computers:
* Steal the computer owner’s identity;
* Launch massive spam campaigns;
* Engage in click-fraud—schemes which artificially inflate the number of visitors to a website; and
* Launch denial of service attacks that can cripple web servers and crash sites.
One of the difficulties in fighting this type of cyber crime is that it is difficult for computer owners to know if their machines have been infected. There is no easy way to tell, unfortunately. It may be running slowly, your outbox may be full of mail you didn’t send, and you may get mail stating you’ve sent spam. 'The majority of the victims are not even aware that their computers have been compromised or their personal information exploited,' said FBI Assistant Director James Finch, who heads our Cyber Division.
That’s why we urge every computer owner to implement the security precautions that are available. Prevention is always better than reaction."

(More detail at the URL above.)


2007-06-14, 14:18

FBI finds a million botnet victims
- http://www.theinquirer.net/default.aspx?article=40321
14 June 2007 ~ "THE US Department of Justice and the FBI said that they have found more than a million botnet crime victims during "Operation Bot Net"*. A team, which included members of the Computer Emergency Response Team Coordination Center at Carnegie Mellon University and Microsoft, aimed to notify as many of the victims as possible. The FBI hoped that through this process it might uncover additional incidents in which botnets have been used to facilitate other criminal activity..."
* http://www.fbi.gov/pressrel/pressrel07/botnet061307.htm

Shadowserver - 13.06.2007: New Graph: Total Malware Count
- http://www.shadowserver.org/wiki/pmwiki.php?n=Stats.Malware#count

- http://www.us-cert.gov/current/#fbi_charges_bot_herders
June 14, 2007


2007-09-16, 18:28

BotHunter Malware Analysis Automatic Summary Analysis Table
> http://www.cyber-ta.org/releases/malware-analysis/public/
(This is a government funded research project so there is no charge for the public distribution.)


2007-09-18, 21:12

Arbor Networks annual security survey
- http://www.theregister.com/2007/09/18/arbor_botnet_survey/
18 September 2007 - "Arbor Networks' third annual worldwide infrastructure security report* found that, for the first time, botnets surpassed distributed denial of service attacks as the top operational threat identified by service providers. Botnet networks of compromised PCs act as resources to distribute spam, launch denial of service attacks or get up to other forms of mischief. Distributed denial of service (DDoS) attacks represent a major problem, with attack trends changing. While mid-level DDoS attacks have plagued the internet since 2000, survey respondents report a widening gap between common mid-level "amateur" attacks and multi-gigabit "professional" efforts involving tens of thousands of zombie hosts. Most surveyed ISPs reported significant improvements in the sophistication and coordination of DDoS attacks. Surveyed ISPs reported sustained attack rates exceeding 24 Gbps. Most individual core internet backbone links today are no larger than 10 Gbps, which means most of the larger attacks inflict collateral damage on net infrastructures way upstream from the targets of attacks, Arbor notes..."

* http://www.arbornetworks.com/report
"Worldwide Infrastructure Security Report Highlights:
* Bots overtake DDoS as chief security concern - Respondents believed bots and botnets to be a larger threat than DDoS attacks.
* DDoS attacks going pro - Survey respondents report a widening gap between common mid-level “amateur” attacks and multi-gigabit “professional” efforts.
* Attacks outpace ISP network growth - Surveyed ISPs reported sustained attack rates exceeding 24 Gbps – more than double the size of these recently upgraded links.
* VoIP is vulnerable - Only 20 percent of ISPs surveyed currently have specific tools or mechanisms to monitor and detect threats against VoIP.
* Rise of managed security services - There is a significant increase in the number of service providers offering managed DDoS detection and mitigation services..."


2007-09-21, 13:45

Hackers control PCs while users unaware
- http://www.reuters.com/article/technologyNews/idUSN0923261120070921?sp=true
Sep 21, 2007 - "...More important than security software, users need to monitor their own behavior. The bulk of malware is installed on computers by users who either click on a Web link or on a file that is attached to an email or instant message. PC users can greatly reduce the risk of infection by only visiting familiar Web sites and avoiding unknown attachments..."


2007-11-29, 13:50

- http://www.fbi.gov/pressrel/pressrel07/botroast112907.htm
November 29, 2007 - "The FBI today announced the results of the second phase of its continuing investigation into a growing and serious problem involving criminal use of botnets. Since Operation 'Bot Roast' was announced last June, eight individuals have been indicted, pled guilty, or been sentenced for crimes related to botnet activity. Additionally, 13 search warrants were served in the U.S. and by overseas law enforcement partners in connection with this operation. This ongoing investigative effort has thus far uncovered more than $20 million in economic loss and more than one million victim computers. FBI Director Robert S. Mueller, III said, "Today, botnets are the weapon of choice of cyber criminals. They seek to conceal their criminal activities by using third party computers as vehicles for their crimes. In Bot Roast II, we see the diverse and complex nature of crimes that are being committed through the use of botnets. Despite this enormous challenge, we will continue to be aggressive in finding those responsible for attempting to exploit unknowing Internet users"..."
- http://abcnews.go.com/print?id=3927818


2007-12-07, 13:46

- http://www.darkreading.com/document.asp?doc_id=140797&print=true
DECEMBER 6, 2007 - "The average life span of a command and control server in an Internet Relay Chat (IRC)-based botnet is less than two months. And these machines and their drones that make up a botnet are typically scattered around the world, a new study* on IRC botnets reveals. German and Chinese researchers from Peking University in Beijing and from the University of Mannheim in Germany teamed up to track and study traditional IRC-based botnets over the last year. They found and followed 3,290 IRC-based botnets in the wild, using a honeynet of 17 nodes in 16 provinces in China and some automated tools... The researchers found more proof of what bot hunters have been saying all along: that IRC is becoming less and less the mode of communication for botnet operators as they attempt to evade detection and stay alive. "Botnets seem to shift away from IRC to protocols like HTTP, Peer-to-Peer-based protocols, or custom protocols," the report says. Still, the researchers consider the relatively short life expectancy of the C&C servers a sign of how flexible these traditional botnet infrastructures are..."
* http://honeyblog.org/junkyard/reports/botnet-china-TR.pdf


2008-01-01, 00:35

SRI Honeynet and BotHunter Malware Analysis
- http://www.cyber-ta.org/releases/malware-analysis/public/
last updated: Mon Dec 31 2007 - "The malware infections displayed in our daily infection log summaries were harvested live from the SRI high-interaction honeynet. The daily infection logs (right) present each day's infection summary, and are 100% autogenerated and posted each morning (PT)..."


2008-02-22, 16:44

Canadian botnet busted
- http://www.sophos.com/pressoffice/news/articles/2008/02/botnet-busted.html
21 February 2008 - "...In a co-ordinated series of dawn raids, the Sûreté du Québec and Royal Canadian Mounted Police, arrested people in 12 different towns, ranging in age from 17 to 26 years old. One of those arrested is a nineteen year old woman. The gang is believed to have run a zombie network (also known as a botnet) of up to one million computers, spanning 100 countries around the globe. Seven people were charged charged with illegally obtaining computer services, illegally possessing computer passwords, and hacking. Police confiscated computer equipment during the raids, and information found on the PCs may lead to more charges against other alleged gang members. If found guilty, gang members could face up to 10 years behind bars, head of the computer crime squad Captain Frédérick Gaudreau told the media, adding that hundreds of officers were involved in the investigation into the gang after complaints were made in the summer of 2006 from business and government computer users..."


2008-03-13, 13:02

Rent-a-bot gang... spewing malware-laden 3D-screensavers and the like...
- http://www.channelregister.co.uk/2008/03/13/loadscc_rises_again/
13 Mar 2008 - "A notorious malware gang that rented out botnets by the hour has resurfaced after being knocked off line two months ago by a rival band of criminals. The Loads.cc group has been spotted by researchers at Sunbelt Software* pushing toxic 3D screensavers on unsuspecting end users. The software installs malware that points to a server controlled by Loads.cc and then lies in wait for instructions from a command and control server... The gang came to prominence by renting out a botnet that fellow online criminals could use to install and maintain their malware. In October, it boasted more than 35,000 infected machines, according to this post** by researcher Dancho Danchev. Prices ranged from $110 to $220 per thousand infections depending on where they were located..."
* http://sunbeltblog.blogspot.com/2008/03/dangerous-loadscc-malware-gang-re.html

** http://ddanchev.blogspot.com/2007/10/botnet-on-demand-service.html


2008-03-19, 22:09

- http://www.darkreading.com/document.asp?doc_id=148801&print=true
MARCH 19, 2008 - "Federal law enforcement agencies have received a guilty plea from one of the botmasters nabbed last year under Operation Bot Roast. Robert Matthew Bentley, 21, of Panama City, Fla., has pleaded guilty to conspiracy to commit computer fraud and computer fraud, according to the U.S. Department of Justice*. Bentley, one of eight spammers and bot herders nabbed so far under the law enforcement initiative called Operation Bot Roast, reportedly agreed to a detailed factual summary filed at the time of his guilty plea outlining his role in the computer intrusions. Bentley and other unnamed co-conspirators are charged with infecting hundreds of computers in Europe with adware that cost tens of thousands of dollars to detect and neutralize. Bentley and others received payment through a Western European-based operation called Dollar Revenue for unauthorized intrusions and placement of the adware, according to the U.S. Secret Service, which investigated the crime. Bentley used computers in the Northern District of Florida to accomplish the intrusions and to receive payment. Bentley is scheduled to be sentenced by U.S. District Judge Richard Smoak on May 28, 2008. He faces a maximum penalty of 10 years imprisonment, a $250,000 fine, and three years of supervised release for each charge. He must also pay a special monetary assessment of $100 for each charge. Federal authorities say Bentley might get "special consideration" if he agrees to help convict his co-conspirators...
"The use of botnets is a major focus of computer-related criminal investigations worldwide," Miller said. "Botnets are responsible for much of the malicious activity conducted on the Internet. [Bot herders] operate within a group of computer hackers on a global scale, making this computer crime one of the most pervasive forms of organized criminal activity plaguing law enforcers in this country and abroad.""
* http://jacksonville.fbi.gov/dojpressrel/pressrel08/hacker030608.htm

2008-03-19, 23:40

- http://www.theregister.co.uk/2008/03/19/dslreports_under_ddos_attack/
19 March 2008 - "DSL Reports, a website for broadband users, popped back online after being taken down by a distributed denial of service attack. At least 1,100 bot-infested machines took part in the assault, which at one point directed nearly 48MBps of malicious data at the site. The flood continues, although changes to the site's front-end server drastically improved its defenses. Several hours after the attack began, the DDoS was throwing about 12MBps of data at the site, enough for it to stay online... According to researcher Jose Nazario at Arbor Networks, the command and control center of the attacking botnet appears to be located at IP address He is encouraging ISPs to block port 80 traffic to that server, which he says is "a busy DDoS net which has attacked numerous sites around the world..."
* http://www.dslreports.com/forum/r20189090-Todays-DDOS-site-down