This article is the second part of a three part series tracing the development of botnets over time, part one can be found here.

It was around 2003 that the criminal interest in the possibilities afforded by botnets began to become apparent. At the start of the decade, spamming was still largely a “work from home” occupation with large volumes of Spam being sent from dedicated server farms, open relays or compromised servers.

Bagle, Bobax and Mytobchanged all that for good. Bagle and Bobax were the first spamming botnets and the malware Mytob was essentially a blend of an earlier mass mailing worm MyDoom and SDbot. This enabled criminals to build large botnets and distribute their spamming activities across all their victim PCs, giving them agility, flexibility and importantly helping them to avoid the legal enforcement activity that was starting to be aggressively pursued.

From then on we have seen the rise and fall of many famous botnets; the oldest criminal spamming botnets , as I mentioned were probably Bagle and Bobax from 2004. Bobax was eventually badly hurt in the McColo takedown of 2008 and may finally have disappeared. RuStock dates back to 2006 as does the now infamous ZeuScrimeware family. RuStock was another spamming botnet and ZeuS is an information stealing tool. Since that year ZeuS has probably become the most widely used information stealing criminal tool out there.

The creator of ZeuS, has regularly updated, beta tested and released new versions of the toolkit, all the while adding or improving functionality. As these new versions have been offered for sale and at very high prices, older versions have been distributed online free of charge. Often these older versions have backdoored by criminals, meaning the novice thief also becomes the victim.

This glut of freely available criminal tools has lowered the cost barrier of entry into cybercrime and encouraged more wannabe gangsters into online crime. ZeuS is not the only tool out there though, there are many others, often operating in competition with one another but have been designed with the non expert user in mind, including simple point and click interfaces for managing infected machines.

2007 saw the birth of the famous Stormbotnet along with Cutwail and Srizbi. The following year, Asprox appeared on the scene; and remember, these are just a few of the thousands of botnets out there. Right now, the Shadowserver Foundation is tracking almost 6000 unique command and control servers and even that figure does not represent all the botnets out there. At any one time Trend Micro is tracking tens of millions of infected PCs that are being used to send Spam and that figure does not include all the other bot infected PCs that are being used for the purposes of information theft, DDoS or any of the other myriad of crimes.

The Fightback

There have been many successful coordinated takedowns aimed at criminal service providers that host much of the command and control infrastructure; Intercage/Atrivo in 2008 almost destroyed the Mega-D botnet, but within weeks it was back with a vengeance.

I mentioned the McColo takedown of 2008; McColo had their fingers in any number of criminal pies and amongst other activities was hosting C&C servers for Srizbi, the revived Mega-D, RuStock, Asprox, Bobax, Gheg and Cutwail. When McColo were pulled off the internet that November, a global drop in Spam levels of almost 80% was immediately apparent. Again unfortunately by January of 2009 Spam levels were already back where they had previously been.

In June of 2009 the ISP 3FN was closed down by the Federal Trade Commission. 3FN were hosting some Cutwail C&C servers and on that Friday, Cutwail died, by Monday it was back in full force, although further action in August of this year has dealt Cutwail another blow. History has shown us though that there is too much money at stake for the criminals to simply walk away.

The concerted action that both public and private organisations are taking against botnets means that the criminal innovation never stops. As new technologies arise criminals look for ways to adopt or abuse them, whether to facilitate the generation of profit, to increase their scalability and flexibility or to provide more effective camouflage.

Initially Command & Control IP addresses were hardcoded into each bot, which made their identification and eventual disruption by malware researchers more simple, but the bad guys learn from their failures every time. Cutwail for example includes the concept of backup connections. Each bot is capable of cryptographically generating alternative hostnames for their Command & Control servers on a daily basis. The criminals of course know which hostnames will be generated on a given day, and simply need to bring that alternative command channel into operation.

Similar techniques were used by the criminals behind Conficker which was capable of generating 50,000 alternative names every day! The security industry had to attempt to block access to all of them, the criminals only had to get it right once. It’s worth remembering that about six million machines still remain infected by Conficker almost two years since it first appeared. In addition to Spam, denial of service, information theft, blackmail and extortion, botnets have also evolved into highly efficient software distribution networks, for use by criminals of course.

Criminals pay for access to compromised machines by the thousand in order to deliver further malware to these already infected computers. Spamming bots can deliver secondary information stealing malware for example; fake antivirus software and ransomware are also perennial favourites for maximising the revue potential of each individual infected computer. In fact many criminals make their money simply by renting access to their botnets rather than engaging in Spam, DDoS or information theft campaigns of their own devising.

Thanks for reading, that’s the end of Part II, the third an final installment will be up shortly, keep checking back…