Coordinated Malware Resists Eradication

Botnetwebs prove impervious to anti-virus suites

Phishing for details
Looking all cute, blue and fluffy, this sneaky virus gets your details by asking you to confirm your online account details.
Normally you can't see a virus and so don't really find it a threat. Digital artist Alex Dragulescu (http://www.sq.ro/malwarez.php) created these 3D visual representations by feeding a sample of the actual code from each online threat into a proprietary computer program and then applying his artistic talent to the result.


How do you make a terrible thing even worse? If you're a crook who operates a botnet--an often-expansive network of malware-infected PCs--you link botnets together to form a gargantuan "botnetweb." And you do it in a way that's hard for an antivirus suite to fight.

Botnetwebs don't just enable crooks to send spam or malware to millions of PCs at once. They also represent a highly resilient infection that uses multiple files. An attempt at disinfection might eliminate some files, but those left behind will often redownload the scrubbed ones.

The culprits "are not a bunch of nerds sitting in some dark room developing these botnets for fun," writes Atif Mushtaq of FireEye, the Milpitas, California, security company that coined the term botnetweb. "These are organized people running this in the form of a sophisticated business."

You Scratch My Back...

In the past, competition among malware writers sometimes meant that one infection might hunt for a rival's infection on a machine and then remove it. More recently, the attention-grabbing Conficker worm patched the Windows vulnerability that it exploited to infect machines, effectively shutting the door behind itself to prevent infections by other malware.

FireEye found evidence not of competition, but of cooperation and coordination among major spam botnets, representing a sea change in the way malware works. The company investigated the command and control (C&C) servers used to send marching orders to the bots, which might include relaying spam or downloading additional malicious files. In the case of the Pushdo, Rustock, and Srizbi botnets, it discovered that the C&C servers at the head of each botnet were in the same hosting facility; the IP addresses used for the servers also fell within the same ranges. If the disparate botnets had been competing, they likely wouldn't have digitally rubbed elbows.
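The co-location check FireEye describes, generalized into a small script: group the C&C addresses of several botnet families by network prefix and report the prefixes that more than one family shares. This is an added example, not FireEye's tooling; the addresses are constructed from RFC 5737 documentation ranges, only the family names come from the article.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: C&C addresses tagged with the family that used them.
# Documentation-range addresses (RFC 5737), not real infrastructure.
CC_SERVERS = [
    ("Pushdo", "203.0.113.10"),
    ("Rustock", "203.0.113.57"),
    ("Srizbi", "203.0.113.201"),
    ("Pushdo", "198.51.100.5"),
    ("Srizbi", "198.51.100.88"),
    ("Unrelated", "192.0.2.33"),
]


def shared_networks(servers, prefix_len=24):
    """Group addresses into /prefix_len networks and keep only the networks
    that host C&C servers for more than one family: {network: [families]}."""
    by_net = defaultdict(set)
    for family, ip in servers:
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        by_net[str(net)].add(family)
    return {net: sorted(fams) for net, fams in by_net.items() if len(fams) > 1}


def colocation_pairs(servers, prefix_len=24):
    """Pairs of families that share at least one network. Repeated sharing
    across several ranges is the signal the article treats as evidence of
    coordination rather than competition."""
    pairs = set()
    for fams in shared_networks(servers, prefix_len).values():
        for i, first in enumerate(fams):
            for second in fams[i + 1:]:
                pairs.add((first, second))
    return sorted(pairs)


if __name__ == "__main__":
    for net, fams in shared_networks(CC_SERVERS).items():
        print(net, "hosts", ", ".join(fams))
    print("co-located families:", colocation_pairs(CC_SERVERS))
```

Widening prefix_len to 16 or 20 approximates "same hosting facility" rather than "same subnet"; a single shared /24 is weak evidence on its own, shared ranges across several prefixes are what matter.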

A Botnetweb That's Millions of PCs Strong

More evidence of botnetwebs came from Finjan, a network security equipment company in California. Finjan reported finding a C&C server capable of sending spam, malware, or remote-control commands to a whopping 1.9 million bots.

The C&C server had six administrator accounts, plus a cache of dirty programs. Ophir Shalitin, Finjan marketing director, says Finjan doesn't know which of the programs might have infected which of the PCs -- or more important, which malware made the initial infection. The firm traced the (now defunct) C&C server's IP address to Ukraine, and found evidence that the botnet resources were rented out for $100 per 1000 bots per day.

According to Alex Lanstein, a FireEye senior security researcher, a distributed collection of botnets gives bad guys many advantages. If law enforcement or a security firm were to shut down the C&C server for any single botnet, the crook could still make a profit from the surviving botnets.

Creating such botnets typically starts with "dropper" malware, Lanstein says, that uses "plain-Jane, vanilla techniques" and no strange coding or actions that may raise a red flag for antivirus apps. Once a dropper enters a PC (often via a drive-by download or an e-mail attachment), it may pull in a Trojan horse, such as the Hexzone malware being sent by the server Finjan found. That Hexzone variant was initially detected by only 4 out of 39 antivirus engines at VirusTotal.

Whack-a-Mole Disinfection

And these days, multiple malware files are often involved, which makes an intruder much more resilient in the face of attempts to eradicate it.

In an observed attempt to clean the Zeus Trojan horse with Malwarebytes' RogueRemover, which Lanstein says is a generally capable disinfector, RogueRemover found some but not all of the files. After a few minutes, Lanstein says, one of the leftover files communicated with its C&C server and promptly redownloaded the deleted files.

"The odds of cleaning it all up just by running a given antivirus tool are moderate," says Randy Abrams, director of technical education with antivirus maker Eset. Abrams, Lanstein, and other security gurus emphasize that if your antivirus "removes" an infection, you should not assume the malware is gone. You can try downloading and running extra tools, like RogueRemover. Others, such as HijackThis or Eset's SysInspector, will analyze your PC and create a log for you to post at sites like Bleeping Computer, where experienced volunteers offer tailored advice.
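One way to act on that advice, as an added example that is not from the article or any of the vendors it names: record the hashes of what a cleaner deleted, then re-check after a waiting period so that files the surviving component has re-pulled are caught. The scenario in simulate() is constructed (a "loader" and two "payload" files in a temporary directory) to mirror the RogueRemover observation above.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each regular file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def remove_files(root, names):
    """Stand-in for a cleaner's deletion pass: delete the named files and
    return {name: digest} for what was actually removed."""
    before = snapshot(root)
    removed = {}
    for name in names:
        if name in before:
            (Path(root) / name).unlink()
            removed[name] = before[name]
    return removed


def check_reappearance(root, removed):
    """Re-inspect after waiting. A file back with the same digest was re-pulled
    verbatim; a different digest suggests an updated drop from the C&C server."""
    now = snapshot(root)
    return {name: ("identical" if now[name] == digest else "changed")
            for name, digest in removed.items() if name in now}


def simulate():
    """Constructed scenario: two payloads are deleted, nothing is back right
    away, then the leftover loader re-fetches them a few minutes later."""
    root = Path(tempfile.mkdtemp())
    (root / "loader.bin").write_bytes(b"constructed loader stub")
    (root / "payload_a.bin").write_bytes(b"constructed payload A v1")
    (root / "payload_b.bin").write_bytes(b"constructed payload B v1")
    removed = remove_files(root, ["payload_a.bin", "payload_b.bin"])
    immediately = check_reappearance(root, removed)
    # Simulated redownload: one identical copy, one updated variant.
    (root / "payload_a.bin").write_bytes(b"constructed payload A v1")
    (root / "payload_b.bin").write_bytes(b"constructed payload B v2")
    later = check_reappearance(root, removed)
    return immediately, later


if __name__ == "__main__":
    print(simulate())
```

An empty result straight after cleaning proves nothing; the second check, taken after the machine has had network access for a while, is the one that tells you whether a surviving component is still active.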

A better tactic is to make sure your PC isn't infected in the first place. Install updates to close the holes that drive-by-download sites might exploit -- not just in Windows, but also in apps such as Adobe Reader. And to guard against poisoned e-mail attachments or other files, don't open any unexpected attachments or downloads; run anything you're not sure about through VirusTotal, the same free scanning site that many experts use.

Erik Larkin

PC World (US online)