Coordinated Malware Resists Eradication

How do you make a terrible thing even worse? If you're a crook who operates a botnet--an often-expansive network of malware-infected PCs--you link botnets together to form a gargantuan "botnetweb." And you do it in a way that's hard for an antivirus suite to fight.

Botnetwebs don't just enable crooks to send spam or malware to millions of PCs at once. They also represent a highly resilient infection that uses multiple files. An attempt at disinfection might eliminate some files, but those left behind will often redownload the scrubbed ones.

The culprits "are not a bunch of nerds sitting in some dark room developing these botnets for fun," writes Atif Mushtaq of FireEye, the Milpitas, California, security company that coined the term botnetweb. "These are organized people running this in the form of a sophisticated business."

You Scratch My Back...

In the past, competition among malware writers sometimes meant that one infection might hunt for a rival's infection on a machine and then remove it. More recently, the attention-grabbing Conficker worm patched the Windows vulnerability that it exploited to infect machines, effectively shutting the door behind itself to prevent infections by other malware.

FireEye found evidence not of competition, but of cooperation and coordination among major spam botnets, representing a sea change in the way malware works. The company investigated the command and control (C&C) servers used to send marching orders to the bots, which might include relaying spam or downloading additional malicious files. In the case of the Pushdo, Rustock, and Srizbi botnets, it discovered that the C&C servers at the head of each botnet were in the same hosting facility; the IP addresses used for the servers also fell within the same ranges. If the disparate botnets had been competing, they likely wouldn't have digitally rubbed elbows.
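The co-location clue above (several botnets' C&C servers landing in the same address ranges) is easy to check mechanically once you have a list of observed C&C addresses. The following is an added example, not FireEye's code or method: it collapses each address to a /24 prefix, a rough stand-in for one hosting customer's allocation, and reports any prefix that serves more than one botnet. The botnet labels and addresses are constructed from the RFC 5737 documentation ranges, not the real Pushdo, Rustock or Srizbi infrastructure; a real investigation would follow up with WHOIS, ASN and reverse-DNS lookups rather than stopping at prefix overlap.

```python
"""Group observed C&C server addresses by netblock to spot co-location.

Added example, not FireEye's code. The botnet labels and IP addresses below
are constructed placeholders drawn from the RFC 5737 documentation ranges.
"""
import ipaddress
from collections import defaultdict

# Constructed observations: (botnet label, C&C IPv4 address as a string)
OBSERVED_CNC = [
    ("botnet-A", "192.0.2.10"),
    ("botnet-A", "192.0.2.44"),
    ("botnet-B", "192.0.2.200"),
    ("botnet-C", "192.0.2.73"),
    ("botnet-D", "198.51.100.5"),
    ("botnet-D", "203.0.113.9"),
    ("botnet-E", "198.51.100.77"),
]


def shared_netblocks(observations, prefix_len=24):
    """Return {"net/len": [botnets]} for prefixes that host two or more botnets.

    Each address is collapsed to its /prefix_len network (strict=False keeps
    host bits from raising). Strings that are not valid addresses are skipped
    rather than aborting the whole analysis.
    """
    by_block = defaultdict(set)
    for botnet, addr in observations:
        try:
            net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        except ValueError:
            continue
        by_block[net].add(botnet)
    return {
        str(net): sorted(names)
        for net, names in by_block.items()
        if len(names) >= 2
    }


def report(observations, prefix_len=24):
    """Human-readable summary, one shared prefix per line, sorted by prefix."""
    shared = shared_netblocks(observations, prefix_len)
    return "\n".join(f"{net}: {', '.join(names)}" for net, names in sorted(shared.items()))


if __name__ == "__main__":
    print(report(OBSERVED_CNC))
```

Raising `prefix_len` tightens the test (at /32 nothing is shared unless two botnets literally reuse one address); lowering it toward /16 trades false positives for catching allocations that span several /24s.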

A Botnetweb That's Millions of PCs Strong

More evidence of botnetwebs came from Finjan, a network security equipment company in California. Finjan reported finding a C&C server capable of sending spam, malware, or remote-control commands to a whopping 1.9 million bots.

The C&C server had six administrator accounts, plus a cache of dirty programs. Ophir Shalitin, Finjan marketing director, says Finjan doesn't know which of the programs might have infected which of the PCs--or more important, which malware made the initial infection. The firm traced the (now defunct) C&C server's IP address to Ukraine, and found evidence that the botnet resources were rented out for $100 per 1000 bots per day.

According to Alex Lanstein, a FireEye senior security researcher, a distributed collection of botnets gives bad guys many advantages. If law enforcement or a security firm were to shut down the C&C server for any single botnet, the crook could still make a profit from the surviving botnets.

Creating such botnets typically starts with "dropper" malware, Lanstein says, that uses "plain-Jane, vanilla techniques" and no strange coding or actions that may raise a red flag for antivirus apps. Once a dropper enters a PC (often via a drive-by download or an e-mail attachment), it may pull in a Trojan horse, such as the Hexzone malware being sent by the server Finjan found. That Hexzone variant was initially detected by only 4 out of 39 antivirus engines at VirusTotal.

Whack-a-Mole Disinfection

And these days an infection often consists of multiple malware files, which makes it much more resilient against attempts to eradicate it.

In one attempt Lanstein observed, Malwarebytes' RogueRemover, which he describes as a generally capable disinfector, was run against the Zeus Trojan horse and found some but not all of its files. After a few minutes, Lanstein says, one of the leftover files contacted its C&C server and promptly redownloaded the deleted ones.

"The odds of cleaning it all up just by running a given antivirus tool are moderate," says Randy Abrams, director of technical education with antivirus maker Eset. Abrams, Lanstein, and other security gurus emphasize that if your antivirus "removes" an infection, you should not assume the malware is gone. You can try downloading and running extra tools, like RogueRemover. Others, such as HijackThis or Eset's SysInspector, will analyze your PC and create a log for you to post at sites like Bleeping Computer, where experienced volunteers offer tailored advice.
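The practical consequence of the redownload behavior described above is that a single "removed" verdict is not evidence of a clean machine; you have to check again after the surviving component has had time to phone home. The following is an added example, not code from Malwarebytes, Eset or FireEye: it takes three inventories of a watched directory (while infected, right after the removal tool reports success, and again after a waiting period) and reports which removed files came back. The `snapshot` helper walks a real directory; the sample inventories in the test are constructed, with made-up paths and digests, so the logic runs offline.

```python
"""Check that a disinfection held by diffing file inventories over time.

Added example, not any vendor's code. An inventory is a {path: sha256} map
of a watched location (for instance the directory the dropper wrote to).
"""
import hashlib
import os


def snapshot(root):
    """Map every regular file under root to its SHA-256 hex digest."""
    inventory = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    inventory[path] = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                continue  # unreadable, or vanished between listing and open
    return inventory


def cleanup_verdict(infected, after_clean, later):
    """Classify what a removal attempt achieved.

    infected:    inventory taken while the infection was present
    after_clean: inventory taken right after the removal tool reported success
    later:       inventory taken after enough time for a survivor to phone
                 home and redownload its siblings

    "reappeared" is matched by path, not digest, so a redownloaded file that
    comes back repacked under the same name is still caught; "changed" lists
    paths whose contents differ between the two later inventories.
    """
    removed = {p for p in infected if p not in after_clean}
    survivors = {p for p in infected if p in after_clean}
    reappeared = {p for p in removed if p in later}
    new_files = {p for p in later if p not in infected}
    changed = {p for p in later if p in after_clean and later[p] != after_clean[p]}
    return {
        "removed": sorted(removed),
        "survivors": sorted(survivors),
        "reappeared": sorted(reappeared),
        "new_files": sorted(new_files),
        "changed": sorted(changed),
        # Only call it clean when nothing flagged survived and nothing came back.
        "clean": not (survivors or reappeared or new_files or changed),
    }


if __name__ == "__main__":
    import sys
    import time
    root = sys.argv[1]  # hypothetical usage: python verify_clean.py <watched dir>
    before = snapshot(root)
    input("Run your removal tool now, then press Enter...")
    after = snapshot(root)
    time.sleep(600)  # give a survivor time to redownload its siblings
    print(cleanup_verdict(before, after, snapshot(root)))
```

The inventories should cover only the locations the scanner flagged or the dropper wrote to; over a whole user profile, "new_files" will fill with legitimate activity and bury the signal.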

A better tactic is to make sure your PC isn't infected in the first place. Install updates to close the holes that drive-by-download sites might exploit--not just in Windows, but also in apps such as Adobe Reader. And to guard against poisoned e-mail attachments or other files, don't open any unexpected attachments or downloads; run anything you're not sure about through VirusTotal, the same free scanning site that many experts use.
