America's 10 Most-Wanted Botnets
bednarz writes "Network World ranks America's 10 most wanted botnets, based on an estimate by security firm Damballa of botnet size and activity in the United States. The leader is Zeus, with 3.6 million compromised PCs so far. The Zeus Trojan uses key-logging techniques to steal user names, passwords, account numbers and credit card numbers, and it injects fake HTML forms into online banking login pages to steal user data. At the bottom of the list is Conficker, which despite its celebrity status has compromised just 210,000 US computers so far."
Re: (Score:2)
I'd put this asshole on ignore, but AC actually makes some good posts now and then. Which asshole is which? Slashdot should enable us to put people on ignore based on IP address rather than nick. Hmmm, how would that work? Hmmm..........
slashbots (Score:5, Funny)
Re:slashbots (Score:4, Funny)
Re: (Score:1, Funny)
Oh, how quickly they forget [flickr.com].
Re: (Score:2)
Unfortunately, some of us are still trying, unsuccessfully. Damn those pink ponies.
Re: (Score:1)
And now you can know! [slashdot.org]
Re:slashbots (Score:5, Funny)
I'm surprised the slashbots aren't on that list. They have the power to take a website offline in mere moments thanks to the power wielded by their evil overlord, CmdrTaco. He simply posts a link to the site he wants removed from the net on the front of his homepage, and the site goes offline.
Thus invoking what has been described as the greatest paradox of all time: Slashdot can remove sites from the Internet by merely posting them, yet it's quite demonstrable that none of the slashbots ever RTFA.
So where are these mysterious article readers, and where do they come from? I'm waiting for a Scientific Expose on Nova...
Re: (Score:2)
This is why slashdot should iframe the target site under summary :)
Re: (Score:2)
Think before you ask for something! You are aware that you're asking 20 times the number of people who post on /. to post something, and that those people have even less to say than the average /. poster, aren't you?
Re: (Score:1)
Ah, if only they knew the pearls of wisdom they're missing out ...
Re: (Score:2)
People actually click on those links?
Re: (Score:2)
Judging from my firewall log, yes, people click on anything as long as it promises them something "cool".
I have a link on my webpage that states quite bluntly "DO NOT click this link. It leads to a trojan, you'll be drive by infected when you click this. DO NOT click! I don't take any responsibility"... yaddayadda.
Over 50 percent of the people who go there DO click. Now, I don't infect them. I only belittle, berate and ridicule them for being utterly stupid in the face of a certain now-where-did-I-put-that-
Re: (Score:2)
Yeah, but its impact is limited to those servers that have open 0x50 ports. You can easily defend against that one.
Re:slashbots - CmdrTaco always says that (Score:1)
That's why he's not using his power to get all the bitches out there.
PT. Hacker (Score:2)
Top ten lists... (Score:5, Informative)
Please... If you are interested in top 10 lists, put the information from least significant to most. This makes the piece more interesting.
Thanks.
No. 10: Conficker
Compromised U.S. computers: 210,000
Main crime use: Also called Downadup, this downloader worm has spread significantly throughout the world, though not so much in the U.S. It's a complex downloader used to propagate other malware. Though it has been used to sell fake antivirus software, this crimeware currently seems to have no real purpose other than to spread. Industry watchers fear a more dangerous purpose will emerge.
No. 9: Gammima
Compromised U.S. computers: 230,000
Main crime use: Also known as Gamina, Gamania, Frethog, Vaklik and Krap, this crimeware focuses on stealing online game logins, passwords and account information. It uses rootkit techniques to load into the address space of other common processes, such as Explorer.exe, and will spread through removable media such as USB keys. It's also known to be the worm that got into the International Space Station in the summer of 2008.
No. 8: Swizzor
Compromised U.S. computers: 370,000
Main crime use: A variant of the Lop malware, this Trojan dropper can download and launch files from the Internet on the victim's machine without the user's knowledge, installing an adware program and other Trojans.
No. 7: Hamweq
Compromised U.S. computers: 480,000
Main crime use: Also known as IRCBrute, or an autorun worm, this backdoor worm makes copies of itself on the system and any removable drive it finds -- and anytime the removable drives are accessed, it executes automatically. An effective spreading mechanism, Hamweq creates registry entries to enable its automatic execution at every startup and injects itself into Explorer.exe. The botmaster using it can execute commands on and receive information from the compromised system.
No. 6: Monkif
Compromised U.S. computers: 520,000
Main crime use: This crimeware's current focus is downloading an adware BHO (browser helper object) onto a compromised system.
No. 5: TR/Dldr.Agent.JKH
Compromised U.S. computers: 1.2 million
Main crime use: This remote Trojan posts encrypted data back to its command-and-control domains and periodically receives instructions. Often loaded by other malware, TR/Dldr.Agent.JKH currently is used as a clickbot, generating ad revenue for the botmaster through constant ad-specific activity.
No. 4: Trojan.Fakeavalert
Compromised U.S. computers: 1.4 million
Main crime use: Formerly used for spamming, this botnet has shifted to downloading other malware, with its main focus on fake alerts and rogue antivirus software.
No. 3: TidServ
Compromised U.S. computers: 1.5 million
Main crime use: This downloader Trojan spreads through spam e-mail, arriving as an attachment. It uses rootkit techniques to run inside common Windows services (sometimes bundled with fake antivirus software) or in Windows safe mode, and it can hide most of its files and registry entries.
No. 2: Koobface
Compromised U.S. computers: 2.9 million
Main crime use: This malware spreads via social networking sites MySpace and Facebook with faked messages or comments from "friends." When a user is enticed into clicking on a provided link to view a video, the user is prompted to obtain a necessary update, like a codec -- but it's really malware that can take control over the computer.
No. 1: Zeus
Compromised U.S. computers: 3.6 million
Main crime use: The Zeus Trojan uses key-logging techniques to steal sensitive data such as user names, passwords, account numbers and credit card numbers. It injects fake HTML forms into online banking login pages to steal user data.
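The Zeus entry above describes form injection: the bank's server sends a clean login page, and the Trojan adds fields (card number, PIN) inside the browser before the page is rendered, so the extra values travel back in the same POST as the real credentials. The following is an added example, not code from Network World, Damballa or the Zeus kit itself; the bank, its field names and the injected field names are assumptions, and both HTML pages and the POST body are constructed samples. It shows the two places a defender can actually see the injection: the rendered form's field inventory (client side, e.g. from a browser extension or a DOM snapshot) and the parameter names that arrive at the login endpoint (server side, where an unexpected parameter on a login POST is a strong webinject signal).

```python
"""Spot form fields a banking Trojan injected into a login page.

Added example for this thread; not Network World's, Damballa's or
Zeus's own code. The bank ("/login"), its baseline field names and the
injected names are assumptions; the pages and POST body are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs


class FormFieldCollector(HTMLParser):
    """Collect named <input>/<select>/<textarea> elements per <form>,
    keyed by the form's action attribute, in document order."""

    def __init__(self):
        super().__init__()
        self.forms = {}          # action -> [field name, ...]
        self._current = None     # action of the form being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = a.get("action", "")
            self.forms.setdefault(self._current, [])
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = a.get("name")
            if name:                     # unnamed submit buttons are not posted
                self.forms[self._current].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def form_fields(html):
    """Return {action: [field names]} for every form in the page."""
    p = FormFieldCollector()
    p.feed(html)
    p.close()
    return p.forms


def injected_fields(html, baseline):
    """Client-side check: fields present in the rendered page but absent
    from the known-good baseline. Forms with no baseline are reported whole."""
    report = {}
    for action, names in form_fields(html).items():
        expected = baseline.get(action)
        extra = [n for n in names if expected is None or n not in expected]
        if extra:
            report[action] = extra
    return report


def unexpected_post_fields(body, expected):
    """Server-side check: parameter names in a login POST body that the
    login handler never asks for. Order follows the body."""
    return [k for k in parse_qs(body, keep_blank_values=True) if k not in expected]


# Assumed baseline: what the bank's real login form contains.
BASELINE = {"/login": ["username", "password"]}

# Constructed sample: the page as the server sent it.
CLEAN_PAGE = """<html><body>
<form action="/login" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <input type="submit" value="Sign in">
</form></body></html>"""

# Constructed sample: the same page after an in-browser webinject.
INJECTED_PAGE = """<html><body>
<form action="/login" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <input name="card_number" type="text">
  <input name="atm_pin" type="password">
  <input type="submit" value="Sign in">
</form></body></html>"""

# Constructed sample: the POST the bank receives from the infected browser.
INJECTED_POST = "username=alice&password=hunter2&card_number=4111&atm_pin=1234"


def main():
    print("clean page   :", injected_fields(CLEAN_PAGE, BASELINE))
    print("injected page:", injected_fields(INJECTED_PAGE, BASELINE))
    print("login POST   :", unexpected_post_fields(INJECTED_POST, BASELINE["/login"]))


if __name__ == "__main__":
    main()
```

The server-side check is the one a bank can deploy without touching the customer's machine: a login handler that logs or blocks requests carrying parameters it never defined will flag every injected victim on their first login attempt, regardless of which Trojan family did the injecting.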
Re: (Score:1, Offtopic)
Stealing content from a top 10 list kind enough to put their content on 2 pages instead of 10, stay classy slashdot.
Re: (Score:2)
It's alright, I was using ad-block anyway.
Re: (Score:1)
But really, the facilitator(s) are your friends and family.
Re: (Score:2)
Perhaps I'm in the minority, but I prefer top tens lists with #1 first. I usually skip to the end of the list and read backwards. In this case, knowing the size of the #1 botnet gives me some perspective on the scale of the other list items.
Having a countdown only makes sense to me if there is drama about what #1 will be. I wasn't really on the edge of my seat to find out the name of the biggest botnet.
Re: (Score:2)
I'm fairly sure they don't care. If you're on that list at all, you won. It's like a Forbes 400 list for malware.
Re: (Score:2)
The "battle" for computers is still a minor concern for malware writers. So far, the battle is rather against AV suites. Usually, the attempt to remove other malware has been limited to "rival" malware from others who fish in the same pond, but the attempt to actually proactively push out everyone else has been minimal until recently.
Only a short time ago some malware packages started actively searching (and removing) other malware, mostly the "noticeable" kind that bombards the user with ads and exhibits oth
!Botnet (Score:5, Insightful)
The leader is Zeus, with 3.6 million compromised PCs so far. The Zeus Trojan uses key-logging techniques to steal user names, passwords, account numbers and credit card numbers, and it injects fake HTML forms into online banking login pages to steal user data
And how the heck does that make it a botnet? Apparently botnet is now a buzzword for any type of popular malware. Now, if it said that it went and DDoSed websites, yes, that would make it a botnet, but this? That is just malware.
Re:!Botnet (Score:5, Informative)
It is a botnet that happens to include key logging and other phishing features. It even features an EULA:
http://jabolins.livejournal.com/16538.html [livejournal.com]
Re: (Score:3, Informative)
It highlights a confusion in the way the terms are used: I guess it might make more sense to say that a botnet is comprised of systems running botnet software, rather than systems running a botnet. Apparently in the case of Zeus, people are purchasing the software as a kit and then deploying it in order to create their own botnets, so the Zeus botnet software is the platform for more than 1 botnet.
Re: (Score:2)
As if anyone ever read an EULA...
Seriously, I want to do that experiment. Write a piece of software and fill the EULA with legalese saying pretty much "we pwnz yoo". And wait how many still install it.
My money is on 90 percent.
Re: (Score:2)
Bob Barker, put me down for 90.01 percent.
Re: (Score:2)
But, the EULA looks as legitimate as anything Microsoft or Adobe asks you to "sign", or accept. begin sarcasm: IMO, that makes it legal, doesn't it? end sarcasm
Re: (Score:2)
Unless the bots are coordinated in their action it doesn't seem like much of a 'net'work, just a bunch of bots (which is the part of 'botnet' that DOES make sense in the "can be remotely controlled and updated" context).
Re: (Score:2)
Malware becomes a botnet when it can be remotely controlled and updated, that's what these ten have in common.
So Windows IS a botnet.
I knew it all the time.
Re: (Score:2)
Terminology isn't easy anymore in mal/crimeware. Is it a virus? A trojan? A worm? What if it infects a PC, runs in the space of another program, distributes itself autonomously and phones home? It's a worm according to its spreading, a virus according to its location in memory and a trojan according to its actions. Please classify.
Botnet is a convenient term for any malware that has a more or less permanent connection to its controlling server. I wouldn't make DDoSing a defining feature. As we've seen of la
Is there a reward? (Score:4, Funny)
Obligatory Short Circuit quote (Score:3, Funny)
Number 5: "It's nice to be wanted."
Re: (Score:2)
I've seen a million websites, and I've DDOS'd them all.
Re: (Score:2)
Are they wanted Dead or Alive?
Doesn't matter: they're zombies.
"despite its celebrity status..." (Score:2)
Yes, for some reason, a widely discussed, analyzed, publicised, dissected threat that everyone knew about just hasn't managed to do as much damage as it might have.
Re: (Score:3, Interesting)
Don't you think it's a problem that a lot of people have never heard of Zeus? I would agree with you if Conficker was the only computer worm/virus out there.
Backwards (Score:2)
Who the fuck does a "Top 10" list with number 1 being shown first?
Nobody will click to the second page to read about botnet number 10.
car analogy... (Score:1)
People don't go to the mall and leave their car unlocked*, so why do users think security on a computer is not just as important?
*Yes, there are exceptions, no, you aren't special for being one, but I would enjoy reading your missive on why you don't lock your 1972 Pinto with nothing in it of value.
Re: (Score:3, Insightful)
People don't go to the mall and leave their car unlocked*, so why do users think security on a computer is not just as important?
20 years of Microsoft trying to convince them security isn't an issue might have something to do with it.
Re: (Score:2, Interesting)
How has microsoft convinced anyone for the past 20 years that security isn't important? If anything, I'd say it HAS convinced people security IS important.
Re:car analogy... (Score:4, Insightful)
Microsoft has made security a real issue since about 2000, or at least acknowledged it. Since about 2004 they have actually made significant headway solving the problem. Before then, they were pretty much completely negligent on securing their system or making users aware that Windows was like a sieve.
That adds up to about 20 years of ignoring security, the legacy of which is still causing problems today, such as the more than 10 million botted Windows machines across the world.
Re: (Score:2)
I'm not that convinced that Microsoft takes security seriously:
http://www.theregister.co.uk/2009/06/18/windows7_security_hole/ [theregister.co.uk]
Re: (Score:2)
If you have nothing of value in your car, a thief can cause a $200 window repair getting into your locked car. A brick and two seconds is all it takes to "hack" a car. Then when the thief finds he's wasted his time, he may decide to break the rest of your windows.
That said, I lock my car because the stupid thing has a button that opens the trunk from the passenger compartment, despite the fact that there's another one on my keychain. What moron came up with that idea, I wonder?
Re: (Score:1)
They figured out it was a misfeature; on my car, the button is in the glove box, which can be locked with the door/ignition key (as a bonus, I have valet keys that will open the door and start the car, but they won't open the glove box or trunk).
Re: (Score:2)
Mine's right out in the open, but I did discover yesterday (used car, no manual to read) that if you lock the car with the remote, the button inside the car doesn't work. I still may get under the dash and disconnect the button, though.
Re: (Score:2)
People don't go to the mall and leave their car unlocked*, so why do users think security on a computer is not just as important?
Well... I don't know if that's an accurate analogy because you know fairly quickly when you return if a thief has stolen something from your parked car.
I think it would be more analogous to think of the malware as an invisible car-jacker who can jump in your car without your noticing when you're driving along the road. That car-jacker waits in your back seat--listening to your co
Re: (Score:2)
Not only that, but until recently it was easier to trash the car and get a new one instead of trying to get him out of the car at all. He had a bit of leprosy, so if you pulled too hard some bits of him fell off and rolled under your seat, then started to rot and stink up your car, usually enough that you eventually trashed it and got a new one.
But he sure has spiffy clothing.
Re: (Score:1)
I don't have a '72 Pinto, but I have a very beat-up '94 Mustang, and it's better if someone doesn't have to break out the windows to find that there is nothing of value (unless you count Taco Bell wrappers from the '90s) inside.
Re: (Score:2)
Because they're not losing anything if their computer is compromised. It's content vs. tangible good all over again. I'm fairly sure if the car wouldn't be gone so they can't drive anymore when someone steals it, people would leave the car keys in, because it's more convenient and they can't lose them.
When you hijack their computer, first of all they don't notice it. They might notice their internet connection is getting sluggish at times, but they don't really care too much. FSCKing provider charging for 1
Conficker Stats (Score:1)
I don't get it... (Score:1)
Re:I don't get it... (Score:4, Informative)
Simple: There's always a window between a virus appearing in large numbers and an antivirus updating itself. Get a copy of Virtual PC and try it yourself: get a few viruses from your daily spam. I do it every once in a while, and it can take two or three days for my antivirus to kick in. Today's viruses can disable all the major antivirus programs and prevent you from rebooting in safe mode to delete them, so once they're in, they're in. There's no way for the antivirus to get rid of them.
Re: (Score:1)
Yes, of course that's a solution, but that hardly falls under the OP's "little or no effort required."
Re: (Score:1)
I'm aware, but this still is irrelevant to the original comment.
Re: (Score:2)
There are many reasons. Allow me to list a few.
First, the obvious one: The user with no AV suite and no brain. He got his computer built by a "friend" who is almost as clueless as him (or even managed to slap that box together himself), or (worse) thinks he's so damn smart and can get it done for cheap. I.e. hacked Windows (which can't be updated, but hey, it 'works'), AV costs money and those free ones are useless (the former is a matter of about 30-50 bucks a year, the latter simply untrue), and some 'twea
Gumblar? (Score:1)
Using the 9 ball exploits? Didn't even make the list?