Harnig Botnet Returns, But Without Rustock

The takedown of the Rustock botnet earlier this year has had ripple effects throughout the malware and spam ecosystems, with some large reductions in spam levels and attacks. However, some of the components of the malware machine driven by Rustock are beginning to come back online now. Researchers say that the Harnig pay-per-install malware is making a comeback, sans Rustock, however.

HarnigThe takedown of the Rustock botnet earlier this year has had ripple effects throughout the malware and spam ecosystems, with some large reductions in spam levels and attacks. However, some of the components of the malware machine driven by Rustock are beginning to come back online now. Researchers say that the Harnig pay-per-install malware is making a comeback, sans Rustock, however.

Harnig is one of the small pilot fish that lived in the shadow of the Rustock botnet, often downloading the Rustock bot onto compromised machines as part of its own infection routine. Once on a new machine, the malware would reach out to a remote server and begin downloading a cocktail of other malicious applications, including the Rustock bot. But now that the Rustock network has been kneecapped by researchers and law enforcement, that’s no longer happening.

Why Harnig has abandoned its old friend Rustock in its time of need is up for debate, but the most likely reason is that there has been a tremendous amount of attention focused on Rustock in the last six months, from the media, researchers and law enforcement. The botnet was at the core of a huge spam empire and also was a key component of the DDoS and attack landscape in general.

Researchers at FireEye have found that, whatever the reason, the gang behind Harnig has stopped downloading Rustock on infected machines, effectively giving up a source of income.

“It’s likely that involvement of law enforcement in this whole matter
and a recent agreement between Russian and US authorities regarding the
exchange of cyber crime intelligence is the main reason that the Russian
mastermind behind Rustock is not even thinking about a comeback,” FireEye researcher Atif Mushtaq wrote.

“It is worth noting that after this resurgence, Harnig is changing its
CnCs with lightning speed. During the last one week or so I have
observed 26 CnCs in use by different variants of the Harnig botnet and
most of these CnCs popped up during the last few days. It’s an expected
reaction to recent botnet shutdowns like Ozdok, Bredolab and now Rustock
etc.”

As researchers and law enforcement agencies have become more active in their fight against botnets by sinkholing command-and-control servers, working with hosting providers and obtaining warrants to take over those servers, life has become more and more difficult for botnet operators. Those obstacles clearly extend to the affiliate networks and pay-per-install malware gangs, as well, putting pressure on those groups to find new ways to turn a profit.

Suggested articles