Coordinated Malware Resists Eradication

Botnetwebs prove impervious to anti-virus suites

Phishing for details
Looking all cute, blue and fluffy, this sneaky virus gets your details by asking you to confirm your online account details.
Normally you can't see a virus and so don't really find it a threat. In this 3D visual representation created by digital artist Alex Dragulescu, he was able to create the images by entering a sample of the actual code from each online threat into a proprietary computer program and combining his artistic talent with the end result.


How do you make a terrible thing even worse? If you're a crook who operates a botnet--an often-expansive network of malware-infected PCs--you link botnets together to form a gargantuan "botnetweb." And you do it in a way that's hard for an antivirus suite to fight.

Botnetwebs don't just enable crooks to send spam or malware to millions of PCs at once. They also represent a highly resilient infection that uses multiple files. An attempt at disinfection might eliminate some files, but those left behind will often redownload the scrubbed ones.

The culprits "are not a bunch of nerds sitting in some dark room developing these botnets for fun," writes Atif Mushtaq of FireEye, the Milpitas, California, security company that coined the term botnetweb. "These are organized people running this in the form of a sophisticated business."

You Scratch My Back...

In the past, competition among malware writers sometimes meant that one infection might hunt for a rival's infection on a machine and then remove it. More recently, the attention-grabbing Conficker worm patched the Windows vulnerability that it exploited to infect machines, effectively shutting the door behind itself to prevent infections by other malware.

FireEye found evidence not of competition, but of cooperation and coordination among major spam botnets, representing a sea change in the way malware works. The company investigated the command and control (C&C) servers used to send marching orders to the bots, which might include relaying spam or downloading additional malicious files. In the case of the Pushdo, Rustock, and Srizbi botnets, it discovered that the C&C servers at the head of each botnet were in the same hosting facility; the IP addresses used for the servers also fell within the same ranges. If the disparate botnets had been competing, they likely wouldn't have digitally rubbed elbows.
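The infrastructure correlation FireEye describes, as an added example that is not FireEye's own tooling: given the C&C addresses observed for each botnet family, group them by network block and report which families share a block. The sample addresses are constructed from the RFC 5737 documentation ranges and are not real indicators; only the family names come from the article.

```python
import ipaddress
from collections import defaultdict
from itertools import combinations

# Constructed sample: C&C addresses per botnet family. The addresses are from
# the RFC 5737 documentation ranges and are NOT real indicators.
OBSERVED_C2 = {
    "Pushdo":  ["192.0.2.10", "192.0.2.57"],
    "Rustock": ["192.0.2.88", "198.51.100.4"],
    "Srizbi":  ["192.0.2.130"],
    "Other":   ["203.0.113.20"],
}


def group_by_block(observed, prefix=24):
    """Map each /prefix network block to the set of families with C&C there."""
    blocks = defaultdict(set)
    for family, addrs in observed.items():
        for addr in addrs:
            net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
            blocks[net].add(family)
    return blocks


def shared_infrastructure(observed, prefix=24):
    """Blocks used by more than one family, as {block: sorted family names}."""
    return {
        str(net): sorted(fams)
        for net, fams in group_by_block(observed, prefix).items()
        if len(fams) > 1
    }


def family_links(observed, prefix=24):
    """Pairs of families sharing at least one block: the coordination signal."""
    links = set()
    for fams in group_by_block(observed, prefix).values():
        for a, b in combinations(sorted(fams), 2):
            links.add((a, b))
    return sorted(links)


if __name__ == "__main__":
    # With the constructed sample, Pushdo, Rustock and Srizbi all land in 192.0.2.0/24.
    print(shared_infrastructure(OBSERVED_C2))
    print(family_links(OBSERVED_C2))
```

Widening the prefix (for example `prefix=16`) approximates "same hosting facility" rather than "same /24"; a shared block is a lead to investigate, not proof of shared operators.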

A Botnetweb That's Millions of PCs Strong

More evidence of botnetwebs came from Finjan, a network security equipment company in California. Finjan reported finding a C&C server capable of sending spam, malware, or remote-control commands to a whopping 1.9 million bots.

The C&C server had six administrator accounts, plus a cache of dirty programs. Ophir Shalitin, Finjan marketing director, says Finjan doesn't know which of the programs might have infected which of the PCs -- or more important, which malware made the initial infection. The firm traced the (now defunct) C&C server's IP address to Ukraine, and found evidence that the botnet resources were rented out for $100 per 1000 bots per day.

According to Alex Lanstein, a FireEye senior security researcher, a distributed collection of botnets gives bad guys many advantages. If law enforcement or a security firm were to shut down the C&C server for any single botnet, the crook could still make a profit from the surviving botnets.

Creating such botnets typically starts with "dropper" malware, Lanstein says, that uses "plain-Jane, vanilla techniques" and no strange coding or actions that may raise a red flag for antivirus apps. Once a dropper enters a PC (often via a drive-by download or an e-mail attachment), it may pull in a Trojan horse, such as the Hexzone malware being sent by the server Finjan found. That Hexzone variant was initially detected by only 4 out of 39 antivirus engines at VirusTotal.

Whack-a-Mole Disinfection

And these days, multiple malware files are often involved, which makes an intruder much more resilient in the face of attempts to eradicate it.

In an observed attempt to clean the Zeus Trojan horse with Malwarebytes' RogueRemover, which Lanstein says is a generally capable disinfector, RogueRemover found some but not all of the files. After a few minutes, Lanstein says, one of the leftover files communicated with its C&C server and promptly redownloaded the deleted files.

"The odds of cleaning it all up just by running a given antivirus tool are moderate," says Randy Abrams, director of technical education with antivirus maker Eset. Abrams, Lanstein, and other security gurus emphasize that if your antivirus "removes" an infection, you should not assume the malware is gone. You can try downloading and running extra tools, like RogueRemover. Others, such as HijackThis or Eset's SysInspector, will analyze your PC and create a log for you to post at sites like Bleeping Computer, where experienced volunteers offer tailored advice.
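One way to act on the "don't assume it's gone" advice, as an added example that is not from the article or any of the tools it names: snapshot file contents before the cleaner runs, right after, and again later, then compare by content hash so that a leftover component (a survivor) or a redownloaded one (resurrected, even under a new name) is caught. The inventories and paths below are constructed.

```python
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed inventories (path -> file bytes) standing in for three scans:
# before the disinfector runs, immediately after, and a few minutes later.
BEFORE = {
    r"C:\Users\x\AppData\Roaming\dropper.exe": b"dropper-bytes",
    r"C:\Users\x\AppData\Roaming\payload.dll": b"payload-bytes",
    r"C:\Windows\Temp\helper.bin": b"helper-bytes",
}
AFTER = {r"C:\Windows\Temp\helper.bin": b"helper-bytes"}  # the cleaner missed this one
LATER = {
    r"C:\Windows\Temp\helper.bin": b"helper-bytes",
    r"C:\Users\x\AppData\Local\svc.dll": b"payload-bytes",  # same bytes, new name
}


def content_hashes(inventory):
    """Set of content hashes in an inventory; paths are ignored on purpose."""
    return {sha256(content) for content in inventory.values()}


def assess_cleanup(before, after, later):
    """Compare three scans by content hash and report what the cleaner removed,
    what it left behind, and which removed content came back later."""
    hb, ha, hl = (content_hashes(x) for x in (before, after, later))
    removed = hb - ha
    survivors = hb & ha
    resurrected = removed & hl
    return {
        "removed": removed,
        "survivors": survivors,
        "resurrected": resurrected,
        "clean": not survivors and not resurrected,
    }


if __name__ == "__main__":
    report = assess_cleanup(BEFORE, AFTER, LATER)
    print("clean:", report["clean"])
    print("survivors:", len(report["survivors"]), "resurrected:", len(report["resurrected"]))
```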

A better tactic is to make sure your PC isn't infected in the first place. Install updates to close the holes that drive-by-download sites might exploit -- not just in Windows, but also in apps such as Adobe Reader. And to guard against poisoned e-mail attachments or other files, don't open any unexpected attachments or downloads; run anything you're not sure about through VirusTotal, the same free scanning site that many experts use.

Erik Larkin

PC World (US online)