More botnets using the same compromised devices, Damballa finds

“The usual concept is that once a device or host is compromised, then the bad guys have control of that host. It is normally seen as a one-to-one relationship. What we are seeing is that that no longer holds true”, said Gunter Ollmann, vice president of research for Damballa.

The number of criminal entities that simultaneously control the compromised device is increasing compared to last year, Ollmann told Infosecurity. “This is significant for a number of reasons. One is the more compromises you have on the machine, the more difficult it is to clean up and remove the infections. Another side of the threat is that it reflects the capabilities of the criminals in the way they can infect hosts”, he said.

Ollmann attributed the increase to the popularity of toolkits that enable relatively unsophisticated cybercriminals to infect machines and set up botnets; eight out of the top ten largest botnets used toolkits, the most popular being Zeus and Spy-Eye.

“For example, one of the most popular vehicles for compromise of hosts is the pay-per-install mechanisms, where third-party criminal operators will receive money from botnet operators to install their agents on the victim’s devices. The pay-per-install operators run the drive-by download sites, and once they compromise the host through the drive-by download, they get paid for every single piece of malware they install. So it is in their financial interest to install the malware from multiple botnet operators on a single host”, Ollmann said.

The recent high-profile botnet takedowns, such as Rustock and Coreflood, are “insignificant” in terms of number of botnets, size, and number of operators, Ollmann said.

Another area of concern is the rise in mobile malware. Until recently, mobile malware was limited to extortion and premium rate fraud or other tactics that did not rely on botnet architectures. Having mobile malware contact the criminal operator and establish two-way internet communication now makes the mobile market as susceptible to criminal breach activity as desktop devices, the survey found.

Over the first six months of 2011, the number of hijacked Android devices engaging in “live” communications with criminal operators grew at a significant rate, the survey found.

The survey said that the top generic TLD used by botnet criminals was .com, and the most popular country TLD was .ru for Russia. “If the .com registrar was to make it more difficult for the bad guys, then it would have a bigger and more immediate impact on criminal operations”, Ollmann said.

In addition, a high percentage of botnet command-and-control infrastructure relies on domain names that are registered through the Russian .ru registrar. India and China are also among the top country TLDs for botnets, Ollmann added.