
May 20th, 2009

Inside the botnets that never make the news - a gallery

Posted by Dancho Danchev @ 1:30 pm

Categories: Anti Virus, Botnets, Browsers, Hackers, Malware, Phishing, Spam and Phishing, Viruses and Worms

Tags: Spamming, Cybercriminal, Spam, Security, Spam And Phishing, Dancho Danchev

If you ever wanted an inside view of targeted botnets, primarily run by novice cybercriminals who sometimes use outdated but very effective methods, this ZDNet photo gallery is for you.

It offers an inside view of those “beneath the radar” botnets that never make the news. The images were collected over the past year using open source intelligence, namely by either joining the command and control IRC channel upon infection or by monitoring the ongoing communications between the botnet masters.
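The monitoring side of this deserves a concrete illustration from the defender's seat. The following is an added example, not part of the original post and not Danchev's own tooling: it parses captured IRC traffic in the standard RFC 1459 line format and flags channels that look like command and control rather than human chat, using two assumed heuristics, a channel that many distinct hosts join and a channel where a single nick produces almost all of the messages while the joiners stay silent. The log lines, nicks, hosts and thresholds are constructed for the example.

```python
import re
from collections import Counter

# RFC 1459 message shape: ":nick!user@host COMMAND param ... :trailing"
PREFIX_RE = re.compile(r"^([^!\s]+)!([^@\s]+)@(\S+)$")


def parse_irc_line(line):
    """Parse one prefixed IRC line into its components; None if it is not one."""
    line = line.strip()
    if not line.startswith(":"):
        return None
    prefix, _, rest = line[1:].partition(" ")
    m = PREFIX_RE.match(prefix)
    if not m:
        return None
    nick, user, host = m.groups()
    # The trailing parameter begins at the first " :" and may contain spaces.
    if " :" in rest:
        middle, _, trailing = rest.partition(" :")
    else:
        middle, trailing = rest, None
    parts = middle.split()
    if not parts:
        return None
    return {"nick": nick, "user": user, "host": host,
            "cmd": parts[0], "params": parts[1:], "trailing": trailing}


def channel_stats(lines):
    """Per channel: the set of joining hosts and a message count per nick."""
    stats = {}
    for line in lines:
        msg = parse_irc_line(line)
        if msg is None:
            continue
        if msg["cmd"] == "JOIN":
            # Channel may arrive as a middle param ("JOIN #x") or trailing ("JOIN :#x").
            chan = msg["params"][0] if msg["params"] else msg["trailing"]
            if chan:
                s = stats.setdefault(chan, {"hosts": set(), "msgs": Counter()})
                s["hosts"].add(msg["host"])
        elif msg["cmd"] == "PRIVMSG" and msg["params"] and msg["params"][0].startswith("#"):
            chan = msg["params"][0]
            s = stats.setdefault(chan, {"hosts": set(), "msgs": Counter()})
            s["msgs"][msg["nick"]] += 1
    return stats


def suspicious_channels(lines, min_hosts=5, dominance=0.75):
    """Flag channels with >= min_hosts joiners where one nick sends >= dominance of traffic.

    Both thresholds are assumed values for this example; tune them per network.
    """
    flagged = {}
    for chan, s in channel_stats(lines).items():
        total = sum(s["msgs"].values())
        if len(s["hosts"]) < min_hosts or total == 0:
            continue
        top_nick, top_count = s["msgs"].most_common(1)[0]
        share = top_count / total
        if share >= dominance:
            flagged[chan] = {"hosts": len(s["hosts"]),
                             "dominant_speaker": top_nick,
                             "share": round(share, 2)}
    return flagged


# Constructed sample capture: six quiet hosts and one talkative nick in #room,
# versus six hosts chatting evenly in #coffee.
SAMPLE_LOG = [
    ":b01!x@10.0.0.11 JOIN :#room",
    ":b02!x@10.0.0.12 JOIN :#room",
    ":b03!x@10.0.0.13 JOIN :#room",
    ":b04!x@10.0.0.14 JOIN :#room",
    ":b05!x@10.0.0.15 JOIN :#room",
    ":b06!x@10.0.0.16 JOIN :#room",
    ":herder!op@198.51.100.7 JOIN :#room",
    ":herder!op@198.51.100.7 PRIVMSG #room :roll call",
    ":herder!op@198.51.100.7 PRIVMSG #room :roll call",
    ":herder!op@198.51.100.7 PRIVMSG #room :roll call",
    ":herder!op@198.51.100.7 PRIVMSG #room :roll call",
    ":b02!x@10.0.0.12 PRIVMSG #room :here",
    ":ann!a@10.0.0.21 JOIN :#coffee",
    ":bob!b@10.0.0.22 JOIN :#coffee",
    ":cat!c@10.0.0.23 JOIN :#coffee",
    ":dan!d@10.0.0.24 JOIN :#coffee",
    ":eve!e@10.0.0.25 JOIN :#coffee",
    ":fay!f@10.0.0.26 JOIN :#coffee",
    ":ann!a@10.0.0.21 PRIVMSG #coffee :morning",
    ":bob!b@10.0.0.22 PRIVMSG #coffee :hi ann",
    ":cat!c@10.0.0.23 PRIVMSG #coffee :anyone tried the new place?",
    ":dan!d@10.0.0.24 PRIVMSG #coffee :yes, decent",
    ":eve!e@10.0.0.25 PRIVMSG #coffee :too far for me",
    ":fay!f@10.0.0.26 PRIVMSG #coffee :same",
]

if __name__ == "__main__":
    for chan, info in suspicious_channels(SAMPLE_LOG).items():
        print(chan, info)
```

Run against real captures, the interesting output is a channel where many internal hosts join and then say nothing while a single external nick does all the talking; that asymmetry, not any particular command text, is what separates a C&C channel from a chat room, and it holds even when the traffic is on a non-standard port or the channel name changes.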

Why are small botnets so important anyway, and shouldn’t we keep an eye on the big ones such as Conficker, Torpig or the rest of the eye-popping ones? Smaller botnets are usually underestimated; however, they’re perfectly suitable for targeted attacks such as the recently exposed GhostNet espionage network. Moreover, even for the massive botnets run by sophisticated cybercriminals, past evidence (Storm Worm Hosting Pharmaceutical Scams; Money Mule Recruiters use ASProx’s Fast Fluxing Services; Inside the Srizbi Botnet Business Model) clearly indicates that they’re partitioning the botnets and reselling pieces of the pie to other cybercriminals, who then simply remove the original malware and introduce one of their own.

These small botnets are also used exclusively for some of the sophisticated managed spam services currently offered on the underground marketplace. For instance, the managed spamming service exclusively profiled by Zero Day last year used only 5000 infected hosts to send 1 million spam messages. Another variation offered only 1672 infected hosts and was still capable of sending 3215 emails per minute.

For the time being, the massive botnets we’re used to seeing aren’t going away, but in the long term the cybercriminals behind them could easily start splitting or partitioning them for operational security and to avoid potential mass hijacking by competing cybercriminals or security researchers. The malicious economies of scale that cybercriminals achieve by standardizing the exploitation process also mean that their crimeware botnets are exposed to the logical monocultural insecurities: one weakness in the shared malware or infrastructure puts the whole botnet at risk at once.

What do you think?

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.


Talkback (most recent of 88):

As you can see... even the people that responded to my own question can't agree on any answer. Some say that the ISPs should police all their customers. (Do you have any idea just how many customers Com... (Read the rest)
Posted by: vulpine@... on 06/10/09
Botnets  gertruded | 05/20/09
Guess you missed...  gnesterenko | 05/21/09
You conveniently ignore...  vulpine@... | 05/21/09
But....  Average-IT-Guy | 05/21/09
Social Engineering  jbroche18 | 05/22/09
i didn't ignore anything  gnesterenko | 05/21/09
But 9999 times out of 10,000 the problem IS on (because of) Windows [NT]  Mikael_z | 05/25/09
...  TechBoyZ | 05/21/09
2 true...  agohige | 05/21/09
Windows Box as a Server?  jrbeaman | 05/21/09
Who is this fool?  sfaid | 05/21/09
RE: Inside the botnets that never make the news - a gallery  ator1940 | 05/21/09
Platform they damage?  Average-IT-Guy | 05/21/09
ery petty and quite stupid  gertruded | 05/21/09
No Windoze = no software  rolf.ernst@... | 05/21/09
You are right, but...  dave@... | 05/21/09
No medical apps for Mac?  rx7racer | 05/25/09
And it's this kind of captive Winbloze audience thinking...  UAC nanny screen | 05/21/09
not at all  gnesterenko | 05/21/09
Correction:  UAC nanny screen | 05/21/09
Firefox  Eddy-ICUR12 | 05/21/09
That's true, but...  UAC nanny screen | 05/21/09
RE: ery petty and quite stupid  gdstark13 | 05/21/09
meh!  magallanes | 05/21/09
dumb  Jimster480 | 05/21/09
Quit making excuses  UAC nanny screen | 05/21/09
The blame ...  jongunn@... | 05/21/09
Really?  UAC nanny screen | 05/22/09
RE: Inside the botnets that never make the news - a gallery  vulpine@... | 05/21/09
RE: User Security  QuimaxW | 05/21/09
Re reply User Security  andypiesse@... | 05/21/09
It needs to come from the ISP  homant@... | 05/21/09
Agree  TechBoyZ | 05/21/09
Unworkable  UAC nanny screen | 05/21/09
Unworkable? - Then lets do nothing.  jrbeaman | 05/21/09
That's right, do nothing  UAC nanny screen | 05/21/09
You don't get it.  jrbeaman | 05/21/09
No, YOU don't get it  UAC nanny screen | 05/21/09
False Positives  b5rangerjt@... | 05/21/09
Bummer  jrbeaman | 05/21/09
So much for your ISP cure  UAC nanny screen | 05/21/09
You don't get it.  jrbeaman | 05/21/09
Why don't you accept the fact...  UAC nanny screen | 05/21/09
The ISP is the key.  jrbeaman | 05/21/09
I think...  thx-1138_@... | 05/21/09
The Magic of Google.  joe.smetona@... | 05/26/09
BINGO!  sporkfighter | 05/29/09
You can't  cburkitt2 | 05/21/09
Network driver's license..  TechBoyZ | 05/21/09
OK But...  agohige | 05/21/09
Network driver's license..  Eddy-ICUR12 | 05/21/09
More UAC-like nanny screens...  UAC nanny screen | 05/21/09
LOL....  jrbeaman | 05/21/09
LOL is right...  UAC nanny screen | 05/21/09
Wanna bet?  UAC nanny screen | 05/21/09
As you can see...  vulpine@... | 06/10/09
security rethink needed  gdstark13 | 05/21/09
Sounds Liike Microsoft.  jrbeaman | 05/21/09
RE: Sounds Liike Microsoft.  gdstark13 | 05/21/09
With the current economy...  jrbeaman | 05/21/09
To stop botnets, Go after the money  Scubajrr | 05/21/09
Agreed  gnesterenko | 05/21/09
Order 66  jparr | 05/21/09
RE: Inside the botnets that never make the news - a gallery  quito392 | 05/21/09
Worthless & uninformed posts about Linux.  joe.smetona@... | 05/21/09
I just don't think Linux fanboys get the point...  timaok | 05/21/09
Another thought  lmenningen | 05/21/09
Actually...  joe.smetona@... | 05/21/09
They moved from a virus jungle ...  jongunn@... | 05/22/09
Food for thought.  joe.smetona@... | 05/22/09
Why?  UAC nanny screen | 05/21/09
Linux is not pablum.  jrbeaman | 05/21/09
Another uninformed, wayward post.  joe.smetona@... | 05/21/09
great argument  gnesterenko | 05/21/09
It's not that easy to find people aware of equivalent programs.  joe.smetona@... | 05/21/09
Exactamundo.  jrbeaman | 05/21/09
It's about just giving it a try (at least.)  joe.smetona@... | 05/22/09
agree  desamuelson | 05/22/09
Does Microsoft get the point  shis-ka-bob | 05/29/09
re: Worthless & uninformed posts about Linux.  astro_z | 05/29/09
RE: Worthless & uninformed posts about Linux.  jaredo | 05/21/09
You are missing the point.  jrbeaman | 05/21/09
Typical mode of operation at ZDNet.  joe.smetona@... | 05/22/09
RE: Inside the botnets that never make the news - a gallery  andypiesse@... | 05/21/09
banging of heads  stevehayr@... | 05/21/09
What do you mean?  jsargent | 05/22/09
Maybe...  joe.smetona@... | 05/22/09
Audacity  dreslough | 05/23/09
