Over the past decade, the information security (infosec) field has seen a near-constant rise in malware activity.

Without a doubt, the 2010s was the decade when malware exploded from a casual, semi-amateurish landscape into a full-blown criminal operation, capable of generating hundreds of millions of US dollars per year for the actors involved.

While thousands of malware strains have been active in the 2010s, a few malware botnets have risen above the rest in terms of spread and size, amounting to what some security researchers would call "super botnets."

Malware strains like Necurs, Andromeda, Kelihos, Mirai, or ZeroAccess have made a name for themselves after infecting millions of devices across the globe.

This article aims to summarize the biggest malware botnets that we've seen over the past ten years. Since tracking botnets is never a 100% accurate operation, we're going to list the botnets in alphabetical order and mention their peak size, as it was reported at the time.
3VE

3ve is considered the most advanced click-fraud botnet ever assembled. It operated from 2013 to 2018, when it was dismantled by an international law enforcement action, with help from Google and cyber-security firm White Ops.

The botnet relied on a mixture of malicious scripts running on data center-hosted servers and click-fraud modules loaded on computers infected with third-party malware, such as Methbot and Kovter.
3ve operators also created fake websites where they loaded ads and then used the bots to click on those ads and generate profits. At one point, the botnet is believed to have been comprised of more than 1.5 million home computers and 1,900 servers clicking on ads loaded on more than 10,000 fake websites.
ANDROMEDA (GAMARUE)

The Andromeda malware was first seen in the wild back in 2011, and it's your typical "spam & malware downloader" botnet -- also known as a Malware-as-a-Service (MaaS) scheme.

By this term, we are referring to a type of malware operation where crooks mass-spam users to infect them with the Andromeda (Gamarue) malware strain. Crooks then use these infected hosts to send out new email spam to other users, expanding the botnet or keeping it alive, or they download a second-stage malware strain at the behest of other (paying) malware gangs.

MaaS botnets that provide "install space" are some of the most lucrative cyber-criminal schemes around, and crooks can use different malware strains to set up the backend infrastructure for such an operation.

Andromeda is one of these types of malware strains, and it has been very popular across the years. The reason for its success is that Andromeda's source code leaked online a few years back, which has allowed several criminal gangs to set up their own botnets and try their hand at "cybercrime."

Across the years, cyber-security firms have tracked multiple criminal gangs operating an Andromeda botnet. The biggest one known to date reached two million infected hosts, and was shut down by Europol in December 2017.
BAMITAL

Bamital is an adware botnet that operated between 2009 and 2013. It was taken down following a joint effort by Microsoft and Symantec.

On infected hosts, the Bamital malware modified search results to insert custom links and content, often redirecting users to malicious sites offering malware-laced downloads.

Bamital is believed to have infected more than 1.8 million computers.
BASHLITE

Bashlite, also known under names like Gafgyt, Lizkebab, Qbot, Torlus, and LizardStresser, is a malware strain designed to infect poorly secured WiFi home routers, smart devices, and Linux servers.

Its primary and only role is to carry out DDoS attacks.

The malware was created in 2014 by members of the Lizard Squad hacking group, and its code leaked online in 2015.

Due to this leak, the malware has often been used as the basis for many of today's DDoS botnets, and it is the second most popular IoT malware strain, behind Mirai. Hundreds of Bashlite variations currently exist.
BREDOLAB

The botnet was built by an Armenian malware author, who used spam email and drive-by downloads to infect users with the Bredolab malware. Once infected, victims' computers would be used to send out massive quantities of spam.
CARNA

The Carna botnet is not what you'd call "malware." This was a botnet created by an anonymous hacker for the purpose of running an internet census.

It infected over 420,000 internet routers back in 2012, and merely gathered statistics on internet usage directly from users... and without permission.

It infected routers that didn't use a password, or were secured with default or easy-to-guess passwords -- a tactic weaponized for malicious DDoS attacks four years later by the Mirai botnet.
CHAMELEON

Chameleon was a short-lived botnet that operated in 2013. It's one of the rare ad-fraud botnets on this list.

According to reports at the time, the botnet's authors infected over 120,000 users with the Chameleon malware. This malware would open an Internet Explorer window in the background and navigate to a list of 202 sites, where it would trigger ad impressions that helped the botnet's authors generate revenues of up to $6.2 million per month.

The botnet stopped operating after being publicly exposed.
COREFLOOD

Coreflood is one of the internet's forgotten threats. It appeared in 2001 and was shut down in 2011.

The botnet is believed to have infected more than 2.3 million Windows computers, having more than 800,000 bots at the time it was taken down in June 2011.

Coreflood operators used booby-trapped websites to infect users' computers via a technique called drive-by download. Once a victim was infected, they used Coreflood to download other, more potent malware -- Coreflood working as a typical "malware dropper/downloader."
DRIDEX

Dridex is one of today's most infamous botnets. The Dridex malware and the associated botnet have been around since 2011, being initially known as Cridex, before evolving into the current Dridex strain (sometimes also referred to as Bugat).

The Dridex malware is primarily a banking trojan that steals banking credentials and grants hackers access to bank accounts, but it also comes with an info-stealer component.

The malware is usually distributed via malspam (emails with malicious file attachments). There have been several reports that the group who created Dridex also runs the Necurs email spamming botnet. There are code similarities between the two malware strains, and the spam that spreads Dridex is always distributed via the Necurs spam botnet.

One of the lead Dridex coders was arrested back in 2015, but the Dridex botnet continued to operate, and it is still active today.

The size of the botnet (the number of computers infected with the Dridex malware) has varied wildly across the years, and across vendors. The Dridex and TA505 Malpedia pages list a fraction of the hundreds of Dridex reports, showing how immensely active this botnet has been this decade.
EMOTET

Emotet was first seen in the wild in 2014. It initially worked as a banking trojan, but re-tooled itself into a malware dropper for other cyber-criminal operations in 2016 and 2017.

Today, Emotet is the world's leading MaaS operation, and is often used to give crooks access to corporate networks, where hackers can steal proprietary files or install ransomware to encrypt sensitive data, and later extort companies for large sums of money.

The size of the botnet varies from week to week. Emotet also operates via three smaller "epochs" (mini-botnets), so it can avoid coordinated law enforcement takedowns and test various actions before a wider deployment.