Biggest-ever criminal botnet links computers in more than 172 countries
Cybersecurity experts say that the world's biggest-ever botnet is still operating, despite the arrests of two cyber criminals, which required coordinating law enforcement across two continents.
Computer security experts say they have detected what appears to be the world's largest-ever computer "botnet," a network of millions of computers controlled clandestinely by a criminal cyber gang with roots in Eastern Europe.
No one yet knows for sure just how many million "zombie" computers are under the thrall of this still-unnamed massive botnet, but it sprawls across 172 countries, according to Unveillance, the Wilmington, Del., botnet-tracking firm that announced the discovery Wednesday.
By contrast, the huge Mariposa botnet, one of the largest ever discovered, as recently as 2009 controlled up to 12 million zombie computers in about 100 countries. Mariposa has now been neutralized by law enforcement. But this newly discovered botnet – a kissing cousin of Mariposa, built with the same "Butterfly Bot" software kit and sharing similar stealthy characteristics – has spread much farther.
"We don't know yet how many computers are part of this new network, but we can infer that it is likely to be the largest ever, based on how many countries with infected computers are connected to it and its rate of growth," says Karim Hijazi, CEO of Unveillance, in an interview. "This is a completely fresh botnet: enhanced, more advanced, and difficult to detect. We now see it has been spreading since at least 2007."
How to build a bigger botnet
Like Mariposa, the new goliath spreads via removable memory sticks and hides itself in various locations on a computer – making it difficult to remove even if you know your computer has been infected, which most people do not, Mr. Hijazi says. Because it is "polymorphic" – changing its digital signature constantly – the new baddie escapes detection by anti-virus software.
It also joins a vicious trend. Millions of criminal botnets operate on the Internet today, ranging in size from a few hundred machines to millions. In this case, the botnet grows as malicious software is spread, when removable USB drives – or smartphones, cameras or any other device plugged into one computer – get plugged into another computer. It can quickly turn a home, corporate or government computer network into just one more zombie or “bot” that will do whatever its criminal “bot master” orders it to do, all without the owner knowing anything about it.
Anonymous and cheap to build, botnets are a stealthy, anonymous, nearly ideal criminal platform for Internet attacks aimed at shutting down company websites – unless an extortion payment is made. But they are especially good for pilfering bank logons, passwords, credit card numbers, and social security numbers, says Luis Corrons, technical director of Panda Labs, whose company is assisting in the analysis of the new botnet.
As of last fall, Hijazi says Unveillance was tracking about 2 million individual IP addresses globally – each representing an individual computer, or in many cases, an entire computer network. Just seven months later, the firm is tracking more than 25 million enslaved computers. Even so, that's just the tip of the iceberg, says Hijazi. He estimates at least 6 percent of the more than 4 billion IP addresses in the world are zombie machines.
A pyrrhic victory for law enforcement?
In a first attempt to take down this new goliath botnet, law enforcement authorities from Slovenia, Bosnia and Herzegovina, Interpol, and the Federal Bureau of Investigation earlier this month arrested two members of the gang, one of whom had recently purchased a luxury apartment along with several expensive cars.
But even though authorities confiscated computer equipment and took over several of the "command and control" computers used to deliver orders to the clandestine criminal network, Unveillance says the bulk of that massive botnet is still intact, “actively gathering private information," and feeding back stolen information to other command and control servers.
What that means, Hijazi says, is that either the botnet is operating without a human operator – on autopilot – or, more likely, being controlled by other criminals.
"It's still dangerous," he says. "It's likely that, if they don't already control it, bad guys are moving fast to get control of it."
It's difficult under the best of circumstances to establish exactly how many computers are under the control of a botnet. Last month, the FBI took control of and began dismantling the “Coreflood botnet,” a worldwide network of 2.3 million personal computers, created by a Russian cybercrime gang. Coreflood had been vacuuming up vast amounts of US personal financial and government data for almost a decade – using about a million slaved personal computers residing in the US.