Botnets take a beating

Almost a quarter of the command and control servers ( cnc ) related to the Zeus botnet have gone quiet after 2 East European providers dropped access to a downstream ISP called Troyak on Tuesday.  According to ScanSafe, a web security firm, the number of active servers dropped from 249 to 191, resulting in a massive drop in botnet traffic.

This take-down comes a week after US and Spanish authorities dented the operations of another large malicious network, the Mariposa botnet. Mariposa’s primary function was the theft of online login credentials for banks, email services and the like from compromised Windows PCs. The malware infected an estimated 12.7 million computers in more than 190 countries.

The botnet was shut down on 23 December 2009 following months of collaboration between security firms Panda Security and Defence Intelligence in co-operation with the FBI and Spain’s Guardia Civil.

Half of the Fortune 1000 companies harboured machines infected by Mariposa at one time or another, according to Christopher Davis, chief exec at Canada-based Defence Intelligence, who first discovered the Mariposa botnet back in May 2009. Defence Intelligence joined with academics at Georgia Tech Information Security Center and security experts at PandaLabs and law enforcement to form the Mariposa Working Group in order to eradicate the botnet and bring the perpetrators to justice.

The Mariposa (Spanish for butterfly) botnet malware spread through P2P networks, infected USB drives, and via MSN links that directed surfers to infected websites. Once infected by the Mariposa bot client, compromised machines would have various strains of malware installed (advanced keyloggers, banking trojans like Zeus, remote access trojans, etc) by the hackers to obtain greater control of infected systems.

What’s important here though is that unusually, the operators of the botnet were caught. The main botmaster, nicknamed “Netkairo” and “hamlet1917”, as well as his two alleged lieutenants “Ostiator” and “Johnyloleante” have been charged with cybercrime offences. More arrests are expected to follow.

Finally, last month, Microsoft was able to disrupt the Waledac botnet by obtaining a court-issued order against scores of domains associated with the spam-spewing menace. The take-down order temporary cut-off of traffic to 277 Internet domains that form command and control nodes for the network of compromised machines. Infected (zombie) machines are programmed to regularly poll these control points for instructions and spam templates. Besides infecting millions of Windows PCs, Waledac was responsible for 1.5 billion spam emails per day.