Tag Archive for 'botnet'

How Big is Big? Some Botnet Statistics

There is a lot of malware out there, and sometimes it’s very difficult for security researchers or AV vendors to estimate the extent of a given threat (e.g. a trojan). One technique to do this is called sinkholing: the goal is to register malicious botnet domains proactively or reactively to prevent the criminals from exerting command and control over hijacked/infected computers, and at the same time to warn ISPs of infected computers.

Some of you might already know that I am running a sinkhole. Therefore I thought it might be interesting to reveal some botnet statistics based on the drone data I have collected on my sinkhole.

The following data has been collected over a period of 2 months. During this time I’ve sinkholed several botnets. To generate the statistics shown below I have picked out the highest peak of each malware family and plotted it on the bar chart. In short, this means that the chart shows the highest peak of each malware family during the past two months (within a 24 hour period).

First of all, let’s have a look at each malware family I’ve sinkholed during this time.

Trojan    Aliases                    Reference
Artro     Renos, CodecPack           Kaspersky Lab
Carberp   -                          Symantec
Gbot      -                          Sonicwall
Gozi      -                          SecureWorks
Ponmocup  Swisyn, Changeup           Microsoft
Ramnit    -                          abuse.ch
SpyEye    EyeStye                    Symantec
TDSS      Alureon, Tidsserv, TDL4    ESET
ZeuS      Zbot, WSNPoem, ntos        Symantec

As shown in the table above we have some banking trojans (Carberp, Gozi, SpyEye and ZeuS), some trojan droppers (Gbot, Ponmocup), a worm (Ramnit) and some click fraud trojans (Artro, TDSS).

Note: The number of infected IPs for each trojan mentioned below does not necessarily reflect the exact botnet size. It does, however, work fairly well as a relative indication. Some trojans are malware kits used to run several different botnets (like ZeuS or SpyEye), not all of which are being sinkholed.

Let’s take a look at the sinkhole statistics:

The chart above shows the total number of new and total IPs seen within 24 hours for each malware family. What really sticks out is the fact that the trojans being used to attack financial institutions (banking trojans) have a relatively small number of infected computers (drones) compared to Gbot (which is used to drop/install additional malware on the victim’s computer) and the well-known click fraud rootkit called TDSS. The size of the TDSS botnet is 6 times the size of the Carberp botnet.
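To make the methodology behind the chart (and the "highest peak within 24 hours" figures above) concrete, here is an added example, my own code rather than the author's sinkhole tooling: it takes a few constructed sinkhole log lines, counts unique and first-seen IPs per malware family per calendar day, and picks each family's busiest day. The "timestamp ip family" log format and the use of calendar days as the 24-hour window are assumptions, not something the post specifies.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sinkhole log lines (not real data): "timestamp source-ip family".
SAMPLE_LOG = """\
2011-02-01T03:12:44 10.0.0.1 TDSS
2011-02-01T04:00:10 10.0.0.2 TDSS
2011-02-01T09:45:01 10.0.0.1 TDSS
2011-02-01T10:00:00 192.0.2.7 Carberp
2011-02-02T01:00:00 10.0.0.1 TDSS
2011-02-02T02:30:00 10.0.0.3 TDSS
2011-02-02T02:31:00 10.0.0.4 TDSS
2011-02-02T08:00:00 192.0.2.7 Carberp
2011-02-02T08:05:00 192.0.2.8 Carberp
garbage line that does not parse
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")  # assumed log layout

def parse_log(text):
    """Yield (day, ip, family) for each well-formed line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        day = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").date()
        yield day, m.group(2), m.group(3)

def daily_counts(text):
    """family -> day -> (unique IPs that day, IPs never seen on an earlier day)."""
    per_day = defaultdict(lambda: defaultdict(set))
    for day, ip, family in parse_log(text):
        per_day[family][day].add(ip)
    result = {}
    for family, days in per_day.items():
        seen = set()                # IPs already counted on earlier days
        result[family] = {}
        for day in sorted(days):    # chronological, so "new" is well defined
            ips = days[day]
            result[family][day] = (len(ips), len(ips - seen))
            seen |= ips
    return result

def peak_per_family(text):
    """Busiest day per family by unique IPs, as (day, total, new); earliest day wins ties."""
    peaks = {}
    for family, days in daily_counts(text).items():
        day, (total, new) = max(days.items(), key=lambda kv: kv[1][0])
        peaks[family] = (day, total, new)
    return peaks
```

Counting an IP once per day, as done here, is also why the post warns that these figures are a relative indication rather than an exact botnet size: NAT and dynamic addressing can map many drones to one IP or one drone to several.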

Why is this the case? It’s not very difficult to infect computers today. The trick is to find a good way to monetize the botnet. For banking trojans, the problem becomes getting money mules that the criminal can use for transferring/laundering the stolen money. A cybercriminal won’t benefit from a big botnet if he’s not able to cash out the money from the bank accounts of the victims. Also, banking trojans rather quickly get attention from both law enforcement and individuals in the infosec community.

Doing click fraud is much easier: Who cares about click fraud? Nobody, except the companies that are actually offering/selling online advertisement. If you call someone and tell him “Hey, your computer is infected with a click fraud trojan” you will most probably get an answer like “WTF is click fraud?!?” and even if you explain the situation to him I’m pretty sure you will get an answer like “Well I don’t care, I hate online advertisements anyway. They only distract me when I’m surfing on porn sites… *erm* when I’m doing online shopping”.

Still, I’m not surprised that there are botnets out there that are even bigger than TDSS/TDL:

The chart above shows a botnet called Artro. It is also known as “The advertisement botnet” (Kaspersky) or Renos/CodecPack. It is 1.5 times bigger than TDSS. However, Artro is also doing some click fraud. I sinkholed the Artro botnet a year ago. Back then, the botnet had a size of 330’000 infected computers (of course, within 24 hours)!

So I’m asking myself: does this answer our question “How Big is Big”? To be serious, we can say that 330’000 infected computers is quite enough and really big. That’s nearly the same number of computers as there are inhabitants in the largest Swiss city (Zurich).

What would you say if I told you that there is a botnet out there that is much bigger than the Artro botnet?

Some weeks ago I came across a huge botnet that was pretty much unknown to me and that I had never heard of before. Doing some research I came to the conclusion that this trojan was known as Ponmocup. When I started to sinkhole this botnet I was shocked to see that more than 1.2 million (yes, 1’200’000) unique IPs connected to my sinkhole within just 24 hours.

Probably most of you don’t even know Ponmocup, so you may ask yourself how this botnet became that big. Well, you already answered this question: the criminal obviously managed to stay under the radar for months (maybe even years). I’m sure there are even more botnets out there (like Artro and Ponmocup) that are quite big and still under the radar of the AV industry / infosec community.

*** Conclusion ***
We have learned that botnet size doesn’t really matter. The criminals don’t need a big botnet to make a lot of money: it always depends on the business model the criminals want to adopt (e-banking fraud, click fraud or whatever).

But what do we have to do to mitigate these threats? My approach is to try to identify such botnets and sinkhole them. Doing so, I’m able to collect data from the connecting bots, which is fed into the Shadowserver Drone database. If you are an ISP, a company or running your own network/AS, you can obtain a free-of-charge Drone feed from Shadowserver for your AS. This allows you to be informed about infected computers within your network on a daily basis.

If you are an ISP/network owner I highly recommend you subscribe to Shadowserver’s Drone feed (if you are not already subscribed).

You can subscribe and/or obtain more information about Shadowserver’s Reporting Service here:
http://www.shadowserver.org/wiki/pmwiki.php/Involve/GetReportsOnYourNetwork

Follow me on Twitter:
twitter.com/abuse_ch

Insight into a ZeuS C&C server

During my work on the ZeuS Tracker I often see insecure ZeuS installations that allow easy access to the ZeuS MySQL database or the ZeuS Admin Panel of a Command&Control server. In some cases the MySQL database appears for a short time on unprotected, public web servers without even password protection, usually in order to transfer data between different criminal groups. Some time ago I had the occasion to copy such an unprotected database and mirror the ZeuS admin panel software on my own test system. This allowed me to study the admin interface and document it in this post, so I can reveal some details about the ZeuS internals to you.

First of all, here is some information and statistical data about the ZeuS C&C server concerned:

Let’s say that the ZeuS C&C server is hosted on veryevilzeusdomain.tld. The botnet has a size of 3’985 infected clients (total installations). The server is currently offline and was hosted on AS9800 (UNICOM CHINA UNICOM). The C&C server was online for 25 days (2009-02-13 until 2009-03-09). During this period, the cybercriminal captured over 3’677’358 datasets.

Below you can see some statistical data about this ZeuS Command&Control server:

ZeuS botnet size per day

ZeuS botnet geo location

ZeuS crimeware: Number of captured datasets

Insight ZeuS

Let’s start with the ZeuS Admin Panel. Here we go…
Normally, the ZeuS Admin Panel is located in a file called “in.php”. Example:

http://veryevilzeusdomain.tld/zs/in.php

The login page of the ZeuS Panel looks like this:

ZeuS Admin Panel: Login page

On the login page, you can choose between two different languages: Russian and English. After a successful login, you will be redirected to the statistical summary of the ZeuS installation:

ZeuS Admin Panel: statistical summary

On this page you are able to group the infected clients (bots) into different botnets. This can be very useful. For example, you can group infected machines which have a fast internet connection into one “botnet”. You can also see some interesting data like how many logs are in the database, the time of first install and the total bot count.

In the section Botnet -> Online bots you can see some information about each bot which is currently online:

ZeuS Admin Panel: Online bots

The Screenshot function is quite interesting. With this function the cybercriminal is able to get a screenshot of each infected system which is currently online. As you can see, the ZeuS trojan installs a backdoor which creates a SOCKS proxy and a web proxy on the infected system. The cybercriminal can use these proxies to hide his identity while he accesses e.g. the victim’s online banking account to steal money. By clicking on a proxy, the cybercriminal can get some information about the proxy (e.g. on which port the proxy is listening or whether the proxy is already in use or not):

ZeuS Admin Panel: Proxy information

On the tab Remote commands the cybercriminal can define commands for a whole botnet, for bots from a specified country or for just a single computer:

ZeuS Admin Panel: Remote commands

For example, such a command can instruct an infected client to download more malicious code:

ZeuS Admin Panel: Send commands to the infected systems (bots)

Here is a list of commands, which are available in the ZeuS crimeware:

  • block_url
  • unblock_url
  • rexeci
  • lexeci
  • delsf
  • resetgrab
  • getmff
  • delmff
  • getcert
  • addsff
  • rexec
  • lexec
  • getfile
  • upcfg
  • kos

On the navigation tab Logs the cybercriminal is able to start a log search. There, he can set a filter and search for a specified string and/or a specified log type. The log search also has a function to search in a specified time range. For example, let’s start a search for FTP credentials which the ZeuS crimeware captured on 6 March:

ZeuS Panel: Search for stolen FTP credentials

Here is a list of log types which the cybercriminal can search for:

  • any
  • HTTP
  • HTTPs
  • HTTP/HTTPs
  • FTP
  • POP3
  • Grabbed data
  • Protected Storage
  • IE history
  • Other

As you can see, the cybercriminal is also able to search for captured HTTPS credentials:

ZeuS Panel: Search for captured HTTPS credentials

On the screenshot above you can see that the crimeware has already stolen credentials for online services like Windows Live and Google. But the crimeware is even worse: it is able to capture credentials for online banking accounts from HTTPS connections and from the Protected Storage (PStore):

ZeuS Panel: Stolen credentials for online banking accounts

Last but not least, under System settings in the navigation the cybercriminal can add / edit profiles:

ZeuS Panel: Add / Edit profile

Conclusion

The ZeuS crimeware kit is a big security issue and is still spreading through drive-by infections and mass spam campaigns like the spoofed Delta Air Lines spam on February 09 (Link).

If we take a look at the ZeuS Tracker, we can see over 100 ZeuS config files which are currently online. Additionally, the tracker has already captured over 250 unique binaries.

  • browse ZeuS binaries
  • browse ZeuS config files

I highly recommend corporate networks use the ZeuS blocklist to block malicious traffic from and to well-known ZeuS C&C servers on the corporate web gateway / firewall.

Disclaimer

The test system I used for the screenshots was never connected to the internet, so no outbound network accesses occurred during those tests. It was not required to enter any passwords or other credentials on any servers to obtain this copy of the database or the ZeuS admin panel software I mirrored – all of that was available for short periods of time unprotected on the net. But, as stated above, many real live ZeuS systems actually are insecure and would allow third parties to break in – events that seem to occur regularly when botnets from one group are stolen by other groups.
