DIY Botnet Kits Spawning Lean, Mean Networks

Cyber-criminals may be employing new tactics and technology to execute their online campaigns, but botnets remain lucrative and effective, according to a report from Damballa.

New botnets emerged in the first half of 2011 and were more active than older botnets, Damballa researchers found in its Threat Report for the first half of 2011. The criminals were also operating much smaller networks of infected machines, according to the report.

Flat Pack Botnets Predominate

Criminals are increasingly using do-it-yourself crimeware construction kits and exploit packs to power their malicious operations, Damballa found. Eight out of the top 10 botnet operators used off-the-shelf kits and modified the code or added new kits as the campaigns evolved, the report found. The “nearly indestructible” TDL/TDSS botnet and the one based on the Eleonore malware family were the only ones on the top 10 list not using DIY kits.

“Criminal operators continue to hone their craft in 2011 using crimeware that can be repurposed for multiple fraud opportunities, sold or leased to other criminals,” said Gunter Ollmann, vice president of research for Damballa.

While botnet operators “die”, new ones are always being “born”. Damballa found 67 more operators “set up shop” than went offline in the first half of 2011, meaning there were more botnets operating during that period than at the end of 2010. The ones that went offline often did so because of consolidation between various networks as an operator took over command-and-control for other botnet operators.

Despite the excitement over various botnet takedowns this spring, “takedowns tend to represent an insignificant percentage of the actual number of operators that cease to exist“, the report found.

Of the 10 largest botnets in the first six months of 2011, only three of them were on the list in 2010, Damballa said. OneStreetTroup, a botnet based on SpyEye crimeware, barely made the list in December at No. 10. Six months later, it had shot up to the top of the list and ranked No. 1 as the largest botnet observed during the period.

RudeWarlockMob (the TDL/TDSS botnet) and FreakySpiderCartel (a botnet that pushed out fake antivirus software) both slid down one position to rank No. 2 and No. 3 respectively. All remaining botnets on the list, including the ones based on the Neosploit and Eleonore kits, Zeus Trojan, Gbot worm and Virut file infectors, either were first detected or grew dramatically during the first half of the year to appear among the top 10 for the first time.

SpyEye Will Dominate 2011

Damballa was not surprised that OneStreetTroop, the botnet based on the SpyEye toolkit became so prominent in the first half of the year. The integration of Zeus source code into SpyEye “combined the best of both crimeware development kits into a single commercial package”, making it more powerful and capable than ever, the researchers wrote. The fact that a cracked version of the SpyEye kit is now readily available means there will be “widespread adoption” of SpyEye in 2011 to launch additional campaigns designed for fraud, according to the report.

The top three botnets together accounted for about 25 percent of the infected population while the entire top 10 botnets accounted for approximately 56 percent of all botnet compromised victims, Damballa said. The top 10 list accounted for only 47 percent in 2010.

While large botnets “get all the attention and notoriety”, the majority of botnet operators are managing smaller networks, Damballa found. The number of operators managing botnets with between 100 and 1,000 infected machines was more than double the number of operators managing networks with over 1,000 victims, the report found.

The first half of 2011 “picks up where 2010 left off”, the researchers wrote.