BotnetWeb: Readers may not be familiar with this term, as I coined it recently. I define it as the following:
“A collection of heterogeneous Botnets being operated in conjunction with each other controlled by one or more closely linked cyber criminal group(s)”
This type of relationship among different malware is not something new. We have already seen similar relationships among the top spam Botnets like Pushdo, Srizbi, Cutwail, Mega-D/Ozdok, and Rustock.
For a quick recap readers may reference these articles:
In this article I will talk about some of the most popular and widespread malware we’ve seen recently, and their relationship with each other.
I define this relationship as:
If malware ‘A’ is a direct download of Malware ‘B’ , I call it a parent-child working relationship and assume that either both of these malware samples are being run by the same group or they have a ‘pay per install’ relationship.
I’ll try to show this parent-child/grandchild relationship in the form of different graphs. In the end I will try to connect these graphs with each other based on common nodes, if any (in this case each node represents a different malware family). I’ll continue by connecting these graphs with each other, and at the end there will be a very interesting and telling picture painted.
Enough on the background; let’s start talking about BotnetWeb now.
Note: In this article each BotnetWeb will be named based on the top most malware node.
Here are different samples of malware which I have seen so far to be part of the ‘Virut’ BotnetWeb.
Trojan.Injector, Pushdo/Cutwail, Grum, Xarvestor, Waledac, Basin, Piptea, Sality, Zbot, Tofsee, Rogue AVs (such as ProAntiSpyware2009, AntivirusXP2008, AntiSpywareProXp, and WinSpywareProtect etc), NsAnti, Spammer.MyDoom, Keyloggers, ErtFor, Monder and Vundo.
This is how it looks in the form of a parent-child relationship graph:
The above graph shows that if you are unlucky enough to become infected with Virut, within minutes you’ll find yourself infected with everything else listed on
this graph. Cleaning up any one, or even many of these infections will
be meaningless to your overall security with the others still in place.
The second such BotnetWeb is ‘Bredolab’. These are some of the malware families I’ve seen associated with it so far:
Finanz, Cutwail, Grum, Katusha, Trojan-GameThief.Win32.Magania, MS Antispyware 2009 (Rogue), and KeyStart.
The graph for Bredolab looks like this:
The third BotnetWeb I want to talk about is ‘Piptea’. These are some of the participating malware families:
ErtFor, Zlob, Vundo, Finanz, Zbot, Rustock, Monder, Mega-D/Ozdok, Spyware.hiliti, SpyProtector(Rogue) and Trojan.Tdss
Here is the graph for Piptea:
The fourth such BotnetWeb is ‘Exchanger’. We have talked a lot about Exchanger in the past, prior to the McColo shutdown.
These are some malware families which we found to be part of Exchanger:
Srizbi, Rustock, Mega-D/Ozdok, Pushdo , Cutwail and Antipyware-Xp2008 (Rogue)
It’s very interesting to see that there are many common nodes amongst the above graphs. Based on these common nodes we can connect all these graphs as follows:
This end graph paints a very scary picture. With this type of multi-layered deployment, it becomes almost impossible to shut down a particular participant. Unless the top level nodes (generic downloaders) are stopped, they will keep on dropping new or updated malware installs. I’m pretty sure that this is what happened after the McColo shutdown. After the initial failed attempt to regain control over their lost botnets like Srizbi, botherders stopped supporting Srizbi, and simply replaced those bots using top nodes with others like Xarvester, Cutwail, and Grum. This shift from Srizbi to Xarvester was also explained in one of my earlier posts.
Here are some traffic snippets showing the order of these downloads:
Now lets talk how big these threats are. Most of the readers of this blog are already familiar with the top spam Botnets like Pushdo, Rustock, Xarvester, Srizbi, Cutwail, Mega-D/Ozdok, Waledac and their estimated sizes together being in the millions. Members of the AV industry have talked at length about how incredibly widespread malware like Virut, Bredolab, Vundo, Zbot, Piptea, and RogueAV(s) have become. A recent survey conducted by me, based on statistics collected from our FIreEye Malware Analysis and Exchange (MAX) Network, has shown that more than 45% percent of the malware we have recently encountered in the field belongs to the above mentioned BotnetWebs.
But who are the group(s) running all these BotnetWebs? Most of the common nodes in the above graphs are big SPAM Botnets, which we already suspect are being run by the Russian Business Network. Recently, I found some strong connections between the spam Botnets and some front-end guys selling SPAM in Russia as a serious business.
This is not the end. Right after the publication of these articles I found most of these SPAM selling web sites to be dead for some time. Around the 23rd of March I saw these web sites coming on-line again. The interesting thing was that all of these SPAM selling web sites were hosted on the same server (126.96.36.199) owned by HOSTFRESH in Hong Kong. A reverse IP lookup revealed 65 web sites being hosted on the same server.
Most of these domains were SPAM selling web sites owned by Alexender S Kopylov.
A quick search on IP (188.8.131.52) revealed that this server is a known CnC for ‘Zbot’ which is already
known to be associated with the RBN. Alex recently blogged about Hostfresh, and they were subsequently dropped from the Internet routing tables. We received no notification, but one has to assume that his post helped shine some light on that dark corner of the Internet.
We all know how big this malware problem has become in recent times. These pieces of malware when considered individually are threats which can damage a computer system in a variety of ways, but collectively when they take the form of Botnets, and now Botnetwebs, under the control of a few criminal groups, they paint a very scary picture. We need to remember that in the past, these Bot armies have been used to launch cyber attacks against major infrastructures like we saw with Estonia and Georgia.
Atif Mushtaq @ FireEye Malware Intelligence Lab
Question/Comments : research SHIFT-2 fireeye DOT COM