Cyber Crime, and in particular botmasters, never cease to amaze. If you were (not so much) surprised in discovering the compromised supply chain behind the Nitol Botnet (that allowed Chinese manufacturers to sell compromised computers pre-installed with the botnet), you’d better have a look at the ZeroAccess Botnet, which has recently been analyzed by Sophos.
ZeroAccess has some impressive “state-of-the-art” features such as:
- Pure User-Mode on 32-bit Windows platforms;
- A Peer-to-peer protocol for communicating with other members of the Botnet to receive updates and downlad plugins;
- A modular architecture (via plugins) that allows to generate revenues for Botnet owners in different ways: Click Fraud or Bitcoin Mining (revenues that the security firms estimates in USD 100,000 per day with the botnet at full power);
- A compromised population of over 9 million of PCs infected.
Really impressive features indeed, even if I must confess they were not the ones that impressed me most.
One of the challenges of a “successful” botnet is the capability to spread as quickly as possible, and infect and insert in the botnet (read enroll) the largest number of hosts in the shortest possible time.
Cyber Criminals are becoming increasingly aware of this, and hence, have developed a lucrative Pay-Per-Install
partnership affiliate scheme to distribute the dropper. This affiliate scheme (I like to call it Partnership program) foresees wall paid revenues for affiliates who are able to execute successful installation of the dropper. This is exactly what happens in case of ZeroAccess and it is the reason of its large-scale extent.
The scheme is typically advertised on underground forums and, in case of ZeroAccess, the revenues are differentiated based on the country (probably US victims are the most lucrative, since US gets paid the most, then UK, Canada and Australia), and also on the access rights of the infected user (Admin gets paid more).
After the discovery of compromised supply chains and programs that foresee revenues for botnet distributors, have you still doubts about the fact that Cyber Crime is really becoming an industry?
Probably there’s something more in the Next Step Of Botnets besides BlackHole 2.0 and Tor C&C mentioned in my previous post. I mentioned the takedown of the Nitol Botnet by Microsoft as one of the most important infosec events of the last week, but I forgot to mention one important aspect related to this event: the malware supply chain.
As a matter of fact, in case of Nitol, Microsoft discovered a real botnet factory, that is a compromised supply chain, based in China, that allowed new computers (to be sold to unaware consumers) to come pre-installed with malware embedded with counterfeit version of Microsft OS.
A step forward in the Cyber Crime industry with the advantage for cyber crooks to setup an “army” of zombie machines without enforcing time consuming drive-by attacks or spam campaigns. I used the term army since the main features of Nitol are the capability to execute on-demand DDoS attacks (besides to offer a backdoor to cyber criminals for taking control of the infected machines).
Unfortunately, what’s especially disturbing according to Microsoft, is that the counterfeit software embedded with malware could have infiltrated the chain at any point.
If you still have doubts that Cyber Crime has become a real industry there’s no better example to demonstrate it. Moreover I cannot help but think that, once upon a time, new computers came out with antivirus software embedded, today they are sold directly with malware.
- The Next Step of Botnets (hackmageddon.com)
This information security week has offered many interesting points: the brand new CRIME attack against SSL/TLS, the release of BlackHole Exploit Kit 2.0 that promises new stealth vectors of Drive-By download infections, the takedown of the emerging Nitol botnet by Microsoft, and, last but not least, the first (?) known example of a new generation of a C&C Server leveraging the anonymization granted by Tor Service.
The latter is in my opinion the news with the most important consequences for the Information Security community, since delineates the next step of Botnets’ evolution, after the common, consolidated, C&C communication schema, and its natural evolution consisting in Peer-to-Peer (P2P) communication.
The first (I wonder if it is really the first) discovery of a Botnet command server hidden in Tor, using IRC protocol to communicates with its zombies, has been announced in a blog post by G-Data. Of course the advantages of such a similar communication schema are quite simple: the Botnet may use the anonymity granted by the Deep Web to prevent the identification and the likely takedown of the server, and the encryption of the Tor protocol to make traffic identification harder by traditional layers of defense. Two advantages that greatly exceed the Tor latency which represents the weakness of this communication schema.
Maybe it was only a matter of time, in any case it is not a coincidence that in the same weeks researchers have discovered BlackHole 2.0 and the first (maybe) C&C infrastructure hidden inside the Deep Web: Cyber Criminals are continuously developing increasingly sophisticated methods to elude law enforcement agencies and to evade the security controls of the traditional bastions, and the botnets are confirming more than ever to be the modern biblical plague for the Web…
And even if every now and then good guys are able to obtain a victory (as the Nitol takedown), the war is far from over.