MALAGA, SPAIN–Botnets have been around for more than 15 years now, and for much of that time they’ve been the favored platform for attackers looking to compromise users on a large scale and monetize those infected machines. But now, as researchers and authorities begin to have more success with botnet takedowns and arrests, the attackers behind malware kits and exploit kits are beginning to work together and learn from one another.
For several years now, botnet operators have been using tactics such as IP address fast flux and traffic encryption to help hide both the servers controlling the botnets and the messages that they’re sending to infected machines. But in the last few months, they’ve taken to combining these techniques with others such as domain fast flux, several layers of shifting proxies and interesting server-side malware tactics to help keep their networks out of the reach of researchers and prosecutors.
One of the more successful techniques involves the use of several different levels of proxy servers in various hosting facilities, allowing botnet operators and other attackers to hide the actual location of their C&C servers. Law enforcement and researchers have gotten much better at tracking down the servers behind botnets in recent years, but, this becomes increasingly difficult especially in peer-to-peer botnets in which updated files and attack instructions are pushed to infected machines via a random peer.
In addition, operators now are using geolocation blacklists to prevent machines from certain geographic locations from connecting to specific servers, Aviv Raff, CTO at Seculert, said in a talk at the Kaspersky Lab Security Analyst Summit here this week. This can help operators who are interested in renting portions of their botnets to criminals in various locations.
But one of the more innovative techniques that’s being used by attackers now is the generation of new binaries for every infected machine that connects to a given back-end host. So there’s a server-side malware builder which will create a new executable for every victim, making generic detection much more difficult, Raff said.
In his research, Raff said that he also has seen some examples of back-end servers that are being used to host both the Zeus and SpyEye crimeware packs. The development of Zeus and SpyEye merged some time last year, and each kit has continued to evolve since then. Attackers who are interested in using one or the other can have their choice of which tool they’d like to use at any given time. The convergence of crimeware kits such as Zeus with exploit kits is something that Raff believes will be coming along in the near future.
“We’re seeing more proxy-based networks and combined malware kits,” he said. “Today, exploit kits and malware kits are sold separately, but we believe you’ll see one combined kit to build and control malware soon.”
Those two functions in recent years have been performed by distinct groups, one of which develops and sells malware kits and another that does the same for exploit kits. But as the attack landscape continues to evolve and broaden, those functions are becoming more closely related and intertwined.