APT and Botnets

Botnets are emerging as a general-purpose access service into enterprises. Every enterprise is infected with multiple botnets. For starters, nine out of ten enterprises show evidence of Zeus botnet activity [1]. The big ones, "Zeus", "Conficker", "Swizzor", and "Koobface", are easy to recognize. Conficker now qualifies as the largest computing cloud, at approximately 6.5 million nodes (that is about 18 million CPUs) [2], outclassing even Google or Amazon. As far as botnets go, the number of available systems tops 100. Most (if not all) of these botnets are software products for sale in the underground. That is, as a threat actor you can purchase one of these bot systems as if it were legitimate enterprise software. As a software product, Zeus's enterprise console is very advanced and rivals some of those you would see on the RSA vendor floor. Once you own a botnet product, you can set it up and begin exploiting target machines. Once you have a large number of nodes under management, you can use the infected machines for almost any purpose imaginable. Many threat actors simply re-sell access to these nodes to third parties. Many public instances of this have been reported over the last few years. In 2008, Abreo Neto was indicted for leasing his 100,000-strong botnet for 25,000 euros. The Shadow botnet, created by a 19-year-old in Holland, had over 100,000 nodes and was put on sale for $36,000 [3]. In 2009, the BBC program 'Click' purchased a botnet of 25,000 machines just to show how easy it was.

In the last decade, the information market was largely in digital identities. This led to a general perception that botnets are "run by the Russians" or that "botnets are used for DDoS attacks and spam". In the beginning, for example, some botnets were hard-coded to perform very specific tasks, such as redirecting ad clicks. In that case you could tell from the malware code itself what the intent of the attacker was. Now it's 2010, and botnet products have evolved to become general-purpose, allowing plugins, generic access to the command line, download-and-execute capability, botnet-wide file searching, and general-purpose keylogging and credential stealing. Some established botnets have evolved over time. Monkif, rated in the top ten of all botnets in 2009 [4], has evolved from a generic trojan downloader into having advanced, generalized command-and-control [5]. Zeus, a long-standing botnet architecture (known as 'zbot'), has a plugin architecture and many variants, largely because it is available in source-code form. Damballa, for example, tracks over 200 different variants of Zeus [6].

Understand that an information market has already emerged. The threat actors want to monetize information. Certain actors in the theatre have clearly figured out how to monetize digital identities; banking fraud has now surpassed the drug cartels in scope and profit. As this market evolves, other types of information will find a transaction. Intellectual property has been bought and sold since before computers. But only with computers has the volume and scope of access been enough to support a general marketplace. If the bad guys don't know what information is valuable, they will just sell general access. This is cloud computing for bad guys. For example, the 'Golden Cash' network is a trading post for buying and selling general access to established botnets [7]. Botnet owners can advertise access to specific industry segments, or offer to download and execute a payload of your choice. Imagine this IRC advertisement:

#access: I have 343 machines at XXX Oil Inc., 200+ at XXX Petro and Gas, 57 at XXX, Inc., selling access at 10,000 USD for 30 days, will dl an exe and run it for you, $100 per machine, any site.

  [1] 88 percent of firms show Zeus botnet activity, Elinor Mills, CNET News, Apr 14, 2010
  [2] The biggest cloud on the planet is owned by … the crooks, Robert Mullins, March 22, 2010
  [3] The Business of Botnets, eWeek Security Watch, Jul 24, 2009
  [4] America's 10 most wanted botnets, Ellen Messmer, Network World, July 22, 2009
  [5] Monkif's Metamorphosis to Full Blown Botnet, Damballa, Sept. 23, 2009
  [6] Gunter Ollmann, VP of Research, Damballa, quoted in numerous references

Whenever I run across the marketitecture that says "botnets are not equal to APT" it makes me cringe. While that characterization may have worked five years ago, it is completely outmoded for today's threat landscape. For starters, botnet systems have evolved into generic command-and-control frameworks. Determining intent from the malware code itself is much more difficult, since so many things are possible. Secondly, since these botnets can be purchased and operated by anyone, saying they are not APT is saying that APT would never purchase and use such a kit, which is a gross misstep in logic. By extension, APT may also take advantage of the marketplace in established access. Consider that a recent botnet of 1.9 million nodes, discovered by Finjan, included access to 77 government domains in the U.S., U.K. and other countries [8]. Intelligence operators know how to build a capability for access, and they are also aware of attribution problems. The APT will maintain multiple forms of access in order to reduce the risk that access will be eliminated. They have purchased and used attack kits, including botnet platforms, and will continue to do so. On numerous occasions I have seen malware toolkits used, as opposed to hand-written malware. From an attribution perspective this also makes sense, since toolkit-generated malware is harder to attribute than something the operator wrote and compiled natively.

Having a deep understanding of what is possible, and also exposure to intel on the ground, I can tell you that any threat is a bad threat. I think it's highly irresponsible to characterize one malware as "oh, that's just malware" and another as "look here, this is APT, this is dangerous". All malware is dangerous. This messaging is irresponsible, and it has affected the marketplace: on multiple occasions I have run across people who have been roped into this distinction, almost to the point where, if they drop a malware sample into VirusTotal and it comes back with a named label given by an AV vendor, they immediately assume it's not APT. To influence people into this thinking is a huge disservice to the security industry.
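As an added example, not code from the original essay or from any vendor named here, the following Python triage sketch applies the argument above to a sandbox report: it derives capabilities (download-and-execute, remote shell, file search, keylogging, credential theft) from constructed API-trace lines and decides handling from those capabilities alone, so a named AV label such as "Zbot" never lowers the priority of a sample that behaves like a generic command-and-control agent. The trace line format, the API patterns, the labels and the two-capability threshold are all assumptions made for the example.

```python
"""Capability-driven triage of a sandbox report (added example, not from the essay).

Handling is decided from observed behaviour, never from the AV family name:
a known, named family that carries generic C2 capability is still treated as
possible targeted access. Trace format, patterns and samples are constructed.
"""
import re
from typing import Dict, Iterable, List, Set

# Behaviours that mark a sample as a general-purpose C2 agent, keyed by
# regexes an API-trace style sandbox log might contain.  Assumption: one
# API call per line in an "api=NAME args=..." format (constructed here).
CAPABILITY_PATTERNS: Dict[str, List[str]] = {
    "download_execute": [r"URLDownloadToFile", r"WinExec", r"ShellExecute"],
    "remote_shell":     [r"CreateProcess.*cmd\.exe", r"CreatePipe"],
    "file_search":      [r"FindFirstFile", r"FindNextFile"],
    "keylogging":       [r"SetWindowsHookEx.*WH_KEYBOARD", r"GetAsyncKeyState"],
    # POST to a C2 gate is the form-grabber exfil path; assumption for this example.
    "credential_theft": [r"CredEnumerate", r"InternetGetCookie", r"HttpSendRequest.*POST"],
}

# Two or more independent capabilities = generic C2 kit (assumed threshold).
GENERIC_C2_THRESHOLD = 2


def extract_capabilities(trace_lines: Iterable[str]) -> Set[str]:
    """Map API-trace lines to the capability names they evidence."""
    found: Set[str] = set()
    for line in trace_lines:
        for cap, patterns in CAPABILITY_PATTERNS.items():
            if any(re.search(p, line) for p in patterns):
                found.add(cap)
    return found


def triage(av_labels: Iterable[str], capabilities: Set[str]) -> Dict[str, object]:
    """Decide handling. AV labels are recorded for context but play no part
    in the verdict: only the capability set does."""
    generic_c2 = len(capabilities) >= GENERIC_C2_THRESHOLD
    verdict = ("investigate as targeted access" if generic_c2
               else "commodity, contain and clean")
    return {
        "av_labels": sorted(av_labels),
        "capabilities": sorted(capabilities),
        "generic_c2": generic_c2,
        "verdict": verdict,
    }


# Constructed trace for a sample an AV vendor would label as a Zeus variant.
SAMPLE_TRACE = [
    "api=URLDownloadToFile args=http://198.51.100.7/u.bin,C:\\Temp\\u.exe",
    "api=CreateProcess args=cmd.exe /c dir /s C:\\Users > C:\\Temp\\l.txt",
    "api=FindFirstFile args=C:\\Users\\*.docx",
    "api=SetWindowsHookEx args=WH_KEYBOARD_LL",
    "api=HttpSendRequest args=POST /gate.php",
]
SAMPLE_LABELS = ["Trojan.Zbot", "Win32/Zbot.gen!A"]

# Constructed trace for a single-purpose click bot of the "hard-coded to
# redirect ad clicks" kind: intent is visible, no generic capability.
CLICKER_TRACE = [
    "api=InternetOpenUrl args=http://203.0.113.9/click?id=42",
    "api=Sleep args=60000",
]
CLICKER_LABELS = ["Adware.Clicker"]

if __name__ == "__main__":
    for labels, trace in ((SAMPLE_LABELS, SAMPLE_TRACE), (CLICKER_LABELS, CLICKER_TRACE)):
        print(triage(labels, extract_capabilities(trace)))
```

The point of the design is that `triage` takes the labels only so they end up in the report; the Zbot sample is escalated because it shows five independent capabilities, and the clicker is downgraded because it shows none, regardless of what either is called.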

In conclusion, we need to treat any malware that has generic capability with respect. In most cases, we
won't know who is behind the keyboard at the other end.

  [7] Cybercrime Intelligence Report for 2009, Issue 2, Finjan
  [8] Malicious Code Research (MCRC) Blog, Finjan, Apr 22, 2009
