Coordinated Malware Resists Eradication

Botnetwebs prove impervious to anti-virus suites

<b>Phishing for details</b><br>Looking all cute, blue and fluffy this sneaky virus gets your details by asking you to confirm your online account details.<br>Normally you can't see a virus and so don't really find it a threat. In this 3D visual representation created by [[xref:|digital artist Alex Dragulescu]], he was able to create the images by entering a sample of the actual code from each online threat into a proprietary computer program and combining his artistic talent with the end result.

Phishing for details
Looking all cute, blue and fluffy this sneaky virus gets your details by asking you to confirm your online account details.
Normally you can't see a virus and so don't really find it a threat. In this 3D visual representation created by [[xref:|digital ...

How do you make a terrible thing even worse? If you're a crook who operates a botnet--an often-expansive network of malware-infected PCs--you link botnets together to form a gargantuan "botnetweb." And you do it in a way that's hard for an antivirus suite to fight.

Botnetwebs don't just enable crooks to send spam or malware to millions of PCs at once. They also represent a highly resilient infection that uses multiple files. An attempt at disinfection might eliminate some files, but those left behind will often redownload the scrubbed ones.

The culprits "are not a bunch of nerds sitting in some dark room developing these botnets for fun," writes Atif Mushtaq of FireEye, the Milpitas, California, security company that coined the term botnetweb. "These are organized people running this in the form of a sophisticated business."

You Scratch My Back...

In the past, competition among malware writers sometimes meant that one infection might hunt for a rival's infection on a machine and then remove it. More recently, the attention-grabbing Conficker worm patched the Windows vulnerability that it exploited to infect machines, effectively shutting the door behind itself to prevent infections by other malware.

FireEye found evidence not of competition, but of cooperation and coordination among major spam botnets, representing a sea change in the way malware works. The company investigated the command and control (C&C) servers used to send marching orders to the bots, which might include relaying spam or downloading additional malicious files. In the case of the Pushdo, Rustock, and Srizbi botnets, it discovered that the C&C servers at the head of each botnet were in the same hosting facility; the IP addresses used for the servers also fell within the same ranges. If the disparate botnets had been competing, they likely wouldn't have digitally rubbed elbows.

A Botnetweb That's Millions of PCs Strong

More evidence of botnetwebs came from Finjan, a network security equipment company in California. Finjan reported finding a C&C server capable of sending spam, malware, or remote-control commands to a whopping 1.9 million bots.

The C&C server had six administrator accounts, plus a cache of dirty programs. Ophir Shalitin, Finjan marketing director, says Finjan doesn't know which of the programs might have infected which of the PCs -- or more important, which malware made the initial infection. The firm traced the (now defunct) C&C server's IP address to Ukraine, and found evidence that the botnet resources were rented out for $100 per 1000 bots per day.

According to Alex Lanstein, a FireEye senior security researcher, a distributed collection of botnets gives bad guys many advantages. If law enforcement or a security firm were to shut down the C&C server for any single botnet, the crook could still make a profit from the surviving botnets.

Creating such botnets typically starts with "dropper" malware, Lanstein says, that uses "plain-Jane, vanilla techniques" and no strange coding or actions that may raise a red flag for antivirus apps. Once a dropper enters a PC (often via a drive-by download or an e-mail attachment), it may pull in a Trojan horse, such as the Hexzone malware being sent by the server Finjan found. That Hexzone variant was initially detected by only 4 out of 39 antivirus engines at VirusTotal.

Whack-a-Mole Disinfection

And these days, multiple malware files are often involved, which makes an intruder much more resilient in the face of attempts to eradicate it.

In an observed attempt to clean the Zeus Trojan horse by Malwarebyte's RogueRemover, which Lanstein says is a generally capable disinfector, RogueRemover found some but not all of the files. After a few minutes, Lanstein says, one of the leftover files communicated with its C&C server and promptly redownloaded the deleted files.

"The odds of cleaning it all up just by running a given antivirus tool are moderate," says Randy Abrams, director of technical education with antivirus maker Eset. Abrams, Lanstein, and other security gurus emphasize that if your antivirus "removes" an infection, you should not assume the malware is gone. You can try downloading and running extra tools, like RogueRemover. Others, such as HijackThis or Eset's SysInspector, will analyze your PC and create a log for you to post at sites like Bleeping Computer, where experienced volunteers offer tailored advice.

A better tactic is to make sure your PC isn't infected in the first place. Install updates to close the holes that drive-by-download sites might exploit -- not just in Windows, but also in apps such as Adobe Reader. And to guard against poisoned e-mail attachments or other files, don't open any unexpected attachments or downloads; run anything you're not sure about through VirusTotal, the same free scanning site that many experts use.

Join the PC World newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Erik Larkin

PC World (US online)
Show Comments

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Armand Abogado

HP OfficeJet 250 Mobile Printer

Wireless printing from my iPhone was also a handy feature, the whole experience was quick and seamless with no setup requirements - accessed through the default iOS printing menu options.

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?