The U.S. has by far the highest number of bot-infected computers of any country in the world, with nearly four times as many infected PCs as the country in second place, Brazil, according to a new report by Microsoft. The quarterly report on malicious software and Internet attacks shows that while some of the major botnets have been curtailed in recent months, the networks of infected PCs still represent a huge threat.
The data on botnets, published in Microsoft’s Security Intelligence Report for the first half of 2010, paints a somewhat bleak picture of the botnet landscape. Between January and June of this year, Microsoft cleaned more than 6.5 million machines worldwide of bot infections, which represents a 100 percent increase in bot infections from the same period in 2009. This increase comes at a time when there is more attention than ever focused on the botnet problem, both by security researchers and law-enforcement agencies around the world.
Microsoft measures botnet infections by counting the number of machines that are cleaned of bots by using the company’s Malicious Software Removal Tool. The Microsoft data obviously does not show a complete picture of bot infections across the entire Internet, but gives a snapshot of the infection problem on the machines the company monitors.
In the last year or so, several major spam botnets have been either completely crippled or in some way damaged by takedown efforts that target the command and control servers that run the botnets. Pushdo and Waledac are the two most prominent examples of this effort, and Microsoft officials were deeply involved in the takedown of Waledac, eventually going to court in September to get legal ownership of hundreds of IP addresses used by the botnet.
The company worked with researchers in Germany and Austria, as well as law-enforcement agencies, to gain control of the Waledac C&C servers. However, while the takedown was something of a coup, Waledac was not the top spam botnet and Microsoft’s data shows that there are still a number of large botnets, many of which are far less well-known than Waledac, Pushdo and Zeus, that are wreaking havoc online.
The most commonly detected bot client in the new SIR is Rimecud, the main piece of malware responsible for the Mariposa botnet. In the first half of 2010, Microsoft cleaned more than 3.5 million PCs infected with Rimecud. Some of the more famous botnets, including Rustock, Nuwar and Zbot, are fairly far down the list of the most active botnets.
“Rimecud is a ‘kit’ family: different people working independently use a malware creation kit to create their own Rimecud botnets. Rimecud is the primary malware family behind the so-called Mariposa botnet, which infected millions of computers around the world in 2009 and 2010. In July of 2010, the Slovenian Criminal Police arrested a 23-year-old Slovenian citizen suspected of writing the malware code, following the February 2010 arrests of three suspected Mariposa botnet operators by the Spanish Guardia Civil,” Microsoft said in the report. “Rimecud is a backdoor worm that spreads via fixed and removable drives, and by sending malicious hyperlinks to a victim’s contacts via several popular instant messaging programs. Rimecud can be commanded to take a number of typical botnet actions, including spreading itself via removable drives, downloading and executing additional malware, and stealing passwords.”
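The report says Rimecud spreads via fixed and removable drives. The following is an added example, not code from the article or from Microsoft's report: a defender-side check that inspects an autorun.inf file from a mounted drive and flags directives that would launch a program automatically. The autorun.inf mechanism is an assumption here, since the article does not describe Rimecud's propagation in that detail, and the two sample files are constructed for the example.

```python
"""Flag autorun.inf directives that would launch code from a drive.

Added example, not from the article or Microsoft's report. The autorun.inf
mechanism is assumed; the sample files below are constructed.
"""
import ntpath

# Extensions Windows would run if they appear as an autorun launch target.
EXECUTABLE_EXT = {".exe", ".com", ".scr", ".bat", ".cmd", ".pif", ".vbs", ".js"}

# Folders that removable-drive worms of this era commonly used to hide payloads.
HIDING_FOLDERS = ("recycler\\", "$recycle.bin\\", "system volume information\\")

# Constructed sample: a harmless autorun.inf that only sets an icon and label.
BENIGN_SAMPLE = r"""[autorun]
icon=setup.exe,0
label=Photos 2010
"""

# Constructed sample: a file shaped like one a drive-spreading worm would drop.
WORM_SAMPLE = r"""[AutoRun]
;junk comment
open=RECYCLER\update.exe
shellexecute="Setup Files\launcher.scr" -a
shell\open\command=autorun.bat
icon=%SystemRoot%\system32\shell32.dll,4
"""


def parse_autorun(text):
    """Return lower-cased key -> value pairs from the [autorun] section.

    Hand-written rather than configparser because hostile files often carry
    junk lines and duplicate keys that make the standard INI parser raise.
    """
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def first_token(value):
    """Return the program path from a directive value, dropping arguments."""
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    parts = value.split()
    return parts[0] if parts else ""


def launch_directives(entries):
    """Yield (key, target) for every directive able to start a program."""
    for key, value in entries.items():
        if key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command")
        ):
            yield key, first_token(value)


def assess_autorun(text):
    """Return a list of human-readable findings; empty means nothing suspect."""
    findings = []
    for key, target in launch_directives(parse_autorun(text)):
        ext = ntpath.splitext(target)[1].lower()
        if ext in EXECUTABLE_EXT:
            findings.append(f"{key} launches executable {target}")
        normalized = target.lower().replace("/", "\\")
        if normalized.startswith(HIDING_FOLDERS):
            findings.append(f"{key} points into a folder used to hide payloads: {target}")
    return findings


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("worm-like", WORM_SAMPLE)):
        print(name, assess_autorun(sample) or "no findings")
```

A check like this belongs at the point where removable media is admitted to a managed environment (a media-scanning kiosk or an endpoint agent), and it complements rather than replaces disabling AutoRun by policy, which removes the launch vector outright.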
Rimecud also differs from many other bot families in that it uses its own UDP-based network protocol for communication between the bots and the C&C servers. A number of other botnets use modified, or partly customized, protocols for communication, which makes it harder for researchers to analyze a botnet’s behavior. The attackers behind these botnets have become increasingly intelligent and sophisticated in recent years, and they have learned both from their own past mistakes and from the actions of researchers and law-enforcement agencies.
One of the key methods attackers have adopted to make life more difficult for researchers is to not use off-the-shelf bot software, but instead buy kits that can create custom bots.
“These kits are collections of tools, sold and shared within the malware underground, that enable aspiring bot-herders to assemble their own botnet by creating and spreading customized malware variants. Several malware kits are freely available for downloading and sharing; some have been published as open source code, which enables malware developers to create modified versions of the kits. Other kits are developed by individual groups and sold like legitimate commercial software products, sometimes even including support agreements,” Microsoft said in the report.