Grumpy old botnets survive and thrive

Botnets are maturing and getting nastier, according to two studies released this week

You can teach an old botnet new tricks, and that is helping the older families of malware stick around and proliferate, according to two reports that peer into the world of successful botnets.

Rustock, first detected by antivirus firms about five years ago, leads the pack of spam-sending botnets with about a quarter-million infected systems, according to data from SecureWorks, a network security firm recently acquired by Dell. Part of Rustock's success is due to continued development aimed at making the malware survive standard removal tactics, says Joe Stewart, director of malware research at the company. Such resilience is becoming more common: other bot programs bundle pay-per-install software that seeds a compromised computer with a host of additional programs, so removing one piece of malware rarely leaves the machine clean.

"When people suggest that you can go and download a tool to clean any infections, that no longer is effective," Stewart says. "Increasingly, you are usually infected by more than one thing at a time."

The software, which originated as a rootkit, shows signs of being controlled by a single spamming operation, SecureWorks states in the report.

The continued innovation in bot features is nothing new. In 2010, security firm Symantec found that Rustock had started sending spam over TLS (Transport Layer Security), the standard protocol for encrypting network connections such as SMTP sessions, so that network-based filters could no longer inspect the message content in transit. Cutwail and Lethic, two other older botnets, round out SecureWorks' list of the top three spamming botnets, with Cutwail using custom encryption to send spam and Lethic relying on a pay-per-install mechanism to get the program onto victims' machines.

A two-year-old botnet, known alternatively as TDSS or TDL, tops security firm Damballa's list of software used by the top botnet gangs. TDL is another botnet that uses rootkit techniques to remain resident on victims' PCs, including infecting the hard drive's master boot record so that its code loads before the operating system and can reinstall the rest of the malware. One criminal group used the TDL botnet to compromise nearly 15 percent of all bot-compromised computers investigated by Damballa in 2010.
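Because an MBR bootkit like the one described above changes the boot sector itself, the practical check is to compare the first sector of the disk against a known-good copy. The following is an added example and is not code from the article, from SecureWorks, or from Damballa; it assumes the standard classic MBR layout (440 bytes of boot code, a 64-byte partition table at offset 446, and the 0x55AA signature at offset 510) and a baseline copy taken when the machine was built. The two sample sectors are constructed inline for illustration.

```python
"""Added example: integrity check for a 512-byte master boot record (MBR).

Not from the original article. Assumes the classic MBR layout (constants below)
and a known-good baseline copy of the sector. Sample sectors are constructed.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440      # bootstrap code occupies bytes 0..439
PART_TABLE_OFF = 446     # four 16-byte partition entries start here
PART_TABLE_LEN = 64
SIGNATURE_OFF = 510      # 0x55 0xAA boot signature


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into boot-code hash, partition entries and signature flag."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    table = sector[PART_TABLE_OFF:PART_TABLE_OFF + PART_TABLE_LEN]
    partitions = []
    for i in range(4):
        entry = table[i * 16:(i + 1) * 16]
        partitions.append({
            "bootable": entry[0] == 0x80,
            "type": entry[4],
            "lba_start": struct.unpack_from("<I", entry, 8)[0],
            "sectors": struct.unpack_from("<I", entry, 12)[0],
        })
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] == b"\x55\xaa",
    }


def check_mbr(current: bytes, baseline: bytes) -> list:
    """Return a list of findings; an empty list means the MBR matches baseline.

    A bootkit typically rewrites the boot code while leaving the partition table
    intact so the system still boots, so the two are reported separately.
    """
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if not cur["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if cur["boot_code_sha256"] != base["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def build_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Construct a synthetic MBR (for the sample data below; not a real disk)."""
    if len(boot_code) > BOOT_CODE_LEN or len(partitions) > 4:
        raise ValueError("boot code too long or too many partitions")
    table = b""
    for bootable, ptype, lba_start, sectors in partitions:
        # CHS fields are left zeroed; LBA fields carry the geometry.
        table += struct.pack("<B3sB3sII", 0x80 if bootable else 0, b"\0\0\0",
                             ptype, b"\0\0\0", lba_start, sectors)
    table = table.ljust(PART_TABLE_LEN, b"\0")
    sector = boot_code.ljust(BOOT_CODE_LEN, b"\0") + b"\0" * 6 + table + b"\x55\xaa"
    assert len(sector) == MBR_SIZE
    return sector


# Constructed samples: a clean baseline and a copy whose boot code was patched.
BASELINE_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0clean-boot-loader",
                         [(True, 0x07, 2048, 1_000_000)])
INFECTED_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0patched-by-bootkit",
                         [(True, 0x07, 2048, 1_000_000)])

if __name__ == "__main__":
    print("baseline:", check_mbr(BASELINE_MBR, BASELINE_MBR))
    print("infected:", check_mbr(INFECTED_MBR, BASELINE_MBR))
```

On a live Linux host the current sector is `open("/dev/sda", "rb").read(512)` (root required), run from trusted media rather than the suspect OS, since a resident rootkit can filter what the infected system reads back. A changed boot code with an unchanged partition table is the pattern to treat as suspicious; a legitimate bootloader update changes the boot code too, so keep the baseline current.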

While there has been a lot of change in the upper echelons of Damballa's top 10 list, most of the bots are well known, including TDL, Zeus, Koobface, Conficker, and SpyEye, says Gunter Ollmann, vice president of research for Damballa.

"The biggest and baddest botnets became better and achieved much greater market share," Ollmann says. "By the end of the year, they have dominated the market."

Unlike SecureWorks, which focuses on detecting bot-infected computers from the spam they send, Damballa focuses on the cybercriminal groups themselves, so their lists differ significantly.

Even with the innovation, the market appears to be maturing, says SecureWorks' Stewart. Most of the recent improvements, while notable, have been incremental.

"There is a stagnation in the number of players -- we are seeing the same players over and over again," he says. "With the bots that have been around for a long time, they have evolved less and less every year."

This story, "Grumpy old botnets survive and thrive," was originally published by InfoWorld.

Copyright © 2011 IDG Communications, Inc.