Coordinated Malware Resists Eradication

Botnetwebs prove impervious to anti-virus suites

Phishing for details
Looking all cute, blue and fluffy, this sneaky virus gets your details by asking you to confirm your online account details.
Normally you can't see a virus and so don't really find it a threat. Digital artist Alex Dragulescu created this 3D visual representation by entering a sample of the actual code from each online threat into a proprietary computer program and combining his artistic talent with the end result.


How do you make a terrible thing even worse? If you're a crook who operates a botnet--an often-expansive network of malware-infected PCs--you link botnets together to form a gargantuan "botnetweb." And you do it in a way that's hard for an antivirus suite to fight.

Botnetwebs don't just enable crooks to send spam or malware to millions of PCs at once. They also represent a highly resilient infection that uses multiple files. An attempt at disinfection might eliminate some files, but those left behind will often redownload the scrubbed ones.

The culprits "are not a bunch of nerds sitting in some dark room developing these botnets for fun," writes Atif Mushtaq of FireEye, the Milpitas, California, security company that coined the term botnetweb. "These are organized people running this in the form of a sophisticated business."

You Scratch My Back...

In the past, competition among malware writers sometimes meant that one infection might hunt for a rival's infection on a machine and then remove it. More recently, the attention-grabbing Conficker worm patched the Windows vulnerability that it exploited to infect machines, effectively shutting the door behind itself to prevent infections by other malware.

FireEye found evidence not of competition, but of cooperation and coordination among major spam botnets, representing a sea change in the way malware works. The company investigated the command and control (C&C) servers used to send marching orders to the bots, which might include relaying spam or downloading additional malicious files. In the case of the Pushdo, Rustock, and Srizbi botnets, it discovered that the C&C servers at the head of each botnet were in the same hosting facility; the IP addresses used for the servers also fell within the same ranges. If the disparate botnets had been competing, they likely wouldn't have digitally rubbed elbows.
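The infrastructure overlap FireEye describes (C&C servers for separate botnets in the same facility and the same address ranges) is something an analyst can check mechanically once C&C addresses have been collected. The following is an added example, not FireEye's code or data: it groups C&C addresses by network prefix, reports prefixes used by more than one botnet, and then merges botnets transitively into infrastructure clusters. The botnet names and addresses are constructed (RFC 5737 documentation ranges), not the IPs the article refers to.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: C&C addresses for four hypothetical botnets.
# RFC 5737 documentation ranges only; not real infrastructure.
SAMPLE_CC_SERVERS = {
    "botnet-a": ["192.0.2.10", "192.0.2.44"],
    "botnet-b": ["192.0.2.200", "198.51.100.7"],
    "botnet-c": ["198.51.100.9"],
    "botnet-d": ["203.0.113.5"],
}


def shared_prefixes(cc_servers, prefix_len=24):
    """Group C&C addresses by /prefix_len network and return only the
    networks that more than one botnet uses: {network: [botnet names]}."""
    by_net = defaultdict(set)
    for name, addrs in cc_servers.items():
        for addr in addrs:
            net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
            by_net[str(net)].add(name)
    return {net: sorted(names) for net, names in by_net.items() if len(names) > 1}


def infrastructure_clusters(cc_servers, prefix_len=24):
    """Merge botnets transitively with a small union-find: if A and B share
    a prefix and B and C share another, all three land in one cluster."""
    parent = {name: name for name in cc_servers}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for names in shared_prefixes(cc_servers, prefix_len).values():
        root = find(names[0])
        for other in names[1:]:
            parent[find(other)] = root

    groups = defaultdict(list)
    for name in cc_servers:
        groups[find(name)].append(name)
    return sorted(sorted(g) for g in groups.values())


def overlap_report(cc_servers, prefix_len=24):
    """Human-readable lines, one per shared prefix."""
    shared = shared_prefixes(cc_servers, prefix_len)
    return [f"{net}: shared by {', '.join(names)}" for net, names in sorted(shared.items())]


if __name__ == "__main__":
    for line in overlap_report(SAMPLE_CC_SERVERS):
        print(line)
    print("clusters:", infrastructure_clusters(SAMPLE_CC_SERVERS))
```

A shared /24 is a lead, not proof: a large hosting provider serves many unrelated customers from one range, so the overlap should be weighed together with the hosting facility, registration details and timing before concluding that two botnets are run by the same group, as FireEye did.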

A Botnetweb That's Millions of PCs Strong

More evidence of botnetwebs came from Finjan, a network security equipment company in California. Finjan reported finding a C&C server capable of sending spam, malware, or remote-control commands to a whopping 1.9 million bots.

The C&C server had six administrator accounts, plus a cache of dirty programs. Ophir Shalitin, Finjan marketing director, says Finjan doesn't know which of the programs might have infected which of the PCs -- or, more importantly, which malware made the initial infection. The firm traced the (now defunct) C&C server's IP address to Ukraine, and found evidence that the botnet resources were rented out for $100 per 1000 bots per day.

According to Alex Lanstein, a FireEye senior security researcher, a distributed collection of botnets gives bad guys many advantages. If law enforcement or a security firm were to shut down the C&C server for any single botnet, the crook could still make a profit from the surviving botnets.

Creating such botnets typically starts with "dropper" malware, Lanstein says, that uses "plain-Jane, vanilla techniques" and no strange coding or actions that may raise a red flag for antivirus apps. Once a dropper enters a PC (often via a drive-by download or an e-mail attachment), it may pull in a Trojan horse, such as the Hexzone malware being sent by the server Finjan found. That Hexzone variant was initially detected by only 4 out of 39 antivirus engines at VirusTotal.

Whack-a-Mole Disinfection

And these days, multiple malware files are often involved, which makes an intruder much more resilient in the face of attempts to eradicate it.

In an observed attempt to clean the Zeus Trojan horse with Malwarebytes' RogueRemover, which Lanstein says is a generally capable disinfector, RogueRemover found some but not all of the files. After a few minutes, Lanstein says, one of the leftover files communicated with its C&C server and promptly redownloaded the deleted files.

"The odds of cleaning it all up just by running a given antivirus tool are moderate," says Randy Abrams, director of technical education with antivirus maker Eset. Abrams, Lanstein, and other security gurus emphasize that if your antivirus "removes" an infection, you should not assume the malware is gone. You can try downloading and running extra tools, like RogueRemover. Others, such as HijackThis or Eset's SysInspector, will analyze your PC and create a log for you to post at sites like Bleeping Computer, where experienced volunteers offer tailored advice.
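The RogueRemover observation above and Abrams' warning that "removed" does not mean gone both point to the same check: snapshot the filesystem before the cleanup, right after it, and again some minutes later, then look for deleted files that came back. The following is an added example, not code from any of the tools or companies named in the article. It hashes files under a directory and reports paths that reappeared after being removed, files redownloaded under a new name (same hash as a removed file), and any other new files. The scenario in `demo()` is constructed in a temporary directory; the file names and contents are invented.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map every regular file under root (relative path) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            result[os.path.relpath(full, root)] = h.hexdigest()
    return result


def reinfection_report(before_cleanup, after_cleanup, later):
    """Compare three snapshots (before the AV run, right after it, and
    some minutes later) and report what the survivors pulled back down."""
    removed = {p: h for p, h in before_cleanup.items() if p not in after_cleanup}
    removed_hashes = set(removed.values())
    reappeared = sorted(p for p in removed if p in later)
    renamed = sorted(
        p for p, h in later.items()
        if p not in after_cleanup and p not in removed and h in removed_hashes
    )
    new_files = sorted(
        p for p in later
        if p not in after_cleanup and p not in removed and p not in renamed
    )
    return {
        "reappeared": reappeared,            # same path came back
        "redownloaded_renamed": renamed,     # same content, new path
        "new_files": new_files,              # anything else that showed up
    }


def demo():
    """Constructed scenario: a three-file infection, a cleanup that finds
    two of the files, then a survivor restoring both (one under a new name)."""
    with tempfile.TemporaryDirectory() as root:
        def write(*rel, data):
            path = os.path.join(root, *rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)

        write("app", "loader.dll", data=b"constructed loader")
        write("app", "payload.dll", data=b"constructed payload")
        write("app", "config.dat", data=b"constructed config")
        before = snapshot(root)

        # The cleanup tool finds two of the three components.
        os.remove(os.path.join(root, "app", "loader.dll"))
        os.remove(os.path.join(root, "app", "payload.dll"))
        after = snapshot(root)

        # The leftover component redownloads what was deleted.
        write("app", "loader.dll", data=b"constructed loader")
        write("tmp", "p2.dll", data=b"constructed payload")
        later = snapshot(root)

        return reinfection_report(before, after, later)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

Files are only part of the picture: a persistent infection also lives in autorun locations, scheduled tasks and running processes, which is exactly why the article recommends tools such as SysInspector or HijackThis that log those areas for an experienced reviewer. A file diff like this is a cheap first signal that the cleanup did not hold.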

A better tactic is to make sure your PC isn't infected in the first place. Install updates to close the holes that drive-by-download sites might exploit -- not just in Windows, but also in apps such as Adobe Reader. And to guard against poisoned e-mail attachments or other files, don't open any unexpected attachments or downloads; run anything you're not sure about through VirusTotal, the same free scanning site that many experts use.


Erik Larkin

PC World (US online)