CYBEREYE — Commentary
William Jackson | Mergers and acquisitions in the botnet world
- By William Jackson
- May 11, 2009
With the growth of the profit motive in recent years, the world of hackers has become more businesslike, with the development of off-the-shelf software packages, professional services, and retail and wholesale markets for goods and resources. Will we be seeing the emergence of mergers and acquisitions?
Probably not yet. Bot-herders still appear to be more interested in hostile takeovers than mergers. But some observers are concerned about the apparent strategic partnership being established by two of the more successful current botnets: Conficker and Waledac.
The U.S. Computer Emergency Readiness Team (US-CERT) warned last month that a new variant of the Conficker worm, also known as W32.Downadup, that updated earlier infections via its peer-to-peer network. The most recent variant appears to download additional malicious code onto compromised systems, including copies of the Waledac Trojan, a spam tool. Waledac has previously spread via e-mail containing malicious links.
“While self-updating botnets are nothing new, what was unusual was this update was coming from a Waledac domain, another major botnet,” MX Logic said in its recent threat report for April. “This level of cooperation between two major botnets is interesting since rival botnets typically try to eradicate one another in an effort to establish supremacy. This indicates that two of the world’s largest botnets may be working together to create the first ‘mega-botnet’ made up of tens or hundreds of millions of PCs.”
This could be a like a merger of Starbucks and McDonald's. Only instead of a McBucks on every street corner of the nation dispensing high-priced coffee with burgers and french fries, every PC in the country would be spewing spam to every other PC.
It’s not that bad — yet. The original W32.Downadup.A exploited only the MS08-067 vulnerability in Windows XP Service Pack 2 and Windows 2003 Service Pack 1 operating systems, for which Microsoft issued an unusual patch outside of its regular monthly patching cycle. Several variants have emerged updating the malicious code and allowing it to spread by multiple vectors. Although Conficker/Downadup has infected upwards of an estimated 10 million computers, the malicious code can be detected and removed and the number of currently infected computers is estimated much lower, at several million. But it is flexible, tenacious and clever, and it continues to spread.
Conficker so far does not appear to have been engaged in overt malicious activity, but with the addition to Waledac to its toolkit this might change. Waledac spam traditionally has attempted to capitalize on current events and holidays, and recent events are offering a target-rich environment for social engineering.
Researchers and security companies already have reported that spam levels are as high as they have been in more than a year, accounting for more than 90 percent of all e-mail by some estimates. The economy has been a fertile subject for spammers, and with the bankruptcy of Chrysler that is not likely to change soon. Then there is the swine flu outbreak. Not only is spam touting flu medicine and preventions, it is exploiting morbid curiosity with subject lines such as “Jolie caught swine flu” and “Madonna caught swine flu,” according to Symantec Corp.’s monthly "State of Spam" report. Then there is tax season, Mother’s Day and the upcoming Memorial Day holiday.
On the whole it is not looking too good for spam. So keep your patches and antivirus up-to-date, don’t open unexpected attachments or suspicious links, and don’t believe everything you read in an e-mail.
William Jackson is freelance writer and the author of the CyberEye blog.