Meet the online protection racketeers

The software the Zhelatin gang installs on unprotected Windows machines became known as 'Storm', after the titles of some of the emails they sent. They enticed people to click on a poisoned link to read more about devastating storms battering Europe – installing the trojan via the victim's web browser in the process. Storm was first spotted in January 2007, yet hard information about the size of the resulting Storm botnet is surprisingly difficult to find.

Some sources put the size of the Storm botnet at between 250,000 and 1 million, while others place it anywhere between 1 and 50 million. Anti-spam service MessageLabs puts the figure close to 50 million, but says that it uses only 10-20 per cent of its total capacity at once.

It's known that the Storm botnet is highly functional. Its unwitting zombies can send email containing malware to grow the botnet further, phishing attempts, other viruses or spam for whatever product it's commissioned to plug. Storm's command and control mechanism is a resilient, distributed peer-to-peer network. It's also known that Storm encrypts command traffic and that it's partitioned into functional units. There's good evidence to suggest that this is for the purpose of renting it out as well as obscuring its true size, so that parts of the botnet can run their commissioned tasks independently of the rest. Storm can also mount overwhelming DDoS attacks, which it's been reported to do – even against its rivals. Gang turf wars, it seems, extend to cyberspace.

Via frequent code updates, Storm has managed to keep software vendors on their toes. Last year, Microsoft released an update to its Windows Malicious Software Removal Tool. This identified and removed Storm from over 274,000 machines. Despite this, however, the botnet continues to grow – as do official efforts to track down and bring to justice the owners and users of this and other botnets.

Zombie hunters

Operation Bot Roast is how the FBI describes its ongoing efforts to track and prosecute people involved in botnet activities. Begun in response to the threat that large botnet attacks pose to national security, the operation has scored a stream of arrests and exposed the true scale of the botnet problem.

In a press release dated 13 June 2007, the Bureau said that it had identified over 1 million infected IP addresses to date. "The majority of victims are not even aware that their computer has been compromised or their personal information exploited," says FBI Cyber Division Assistant Director James Finch.

The Feds also announced that three botnet herders had been arrested and charged. By November, this number had risen to eight. The FBI had also carried out 13 raids (including overseas operations conducted with the cooperation of local police), and the number of infected machines discovered had nearly doubled, rising to two million. The total amount in losses caused to business and consumers by the botnets uncovered at that point stood at $20 million.

One of those herders successfully traced and charged by the FBI was John Kenneth Schiefer, a 26-year-old computer security consultant by day, who by night was the creator of a botnet designed specifically to syphon off PayPal credentials. After pleading guilty to charges of bank and wire fraud, Schiefer now faces up to 60 years in jail.

Operation Bot Roast is the latest in a series of increasingly successful investigations that have seen several gangs jailed. In 2006, Russian authorities convicted Ivan Maksakov, Alexander Petrov and Denis Stepanov. Each received eight years in prison and a $3,700 fine. In just six months, the gang made 50 blackmail attempts, including some against UK companies, netting themselves over $4 million. One victim was CanBet Sports Bookmakers. After refusing to pay $10,000 in blackmail to keep their site running during the Breeders' Cup, they lost $200,000 a day while the resulting DDoS attack kept them offline.

While the problem facing large companies is whether to pay protection or risk losing a larger amount, the problem for law enforcement is that botnet evolution is accelerating.

The Kraken awakes

According to Atlanta-based security company Damballa, as of April 2008 the Kraken botnet is officially the world's largest in terms of the number of machines active at any one time – dwarfing even Storm. The company says that it observed Kraken traffic coming from 400,000 IP addresses on a single day in March – up from 300,000 at the start of the month.

"Kraken is the largest [botnet] we've seen to date," says Damballa's Principal Researcher Paul Royal. "We've observed evidence of Kraken-based compromises in at least 50 of the Fortune 500." Some Kraken-infected clients have been known to spew out up to half a million spam emails a day. Damballa also calculates that if Kraken's current growth continues, its active portion will soon be 600,000 strong.

Ingeniously, Kraken not only employs encrypted communications between zombies and their controlling servers but, according to Damballa, also employs redundancy mechanisms so that its owners can regain control even if some command and control servers are discovered. These servers are known to be located in the US (specifically Dallas), France and Russia. Like Storm before it, Kraken keeps a step ahead of detection software through a gradually changing code base. Paul Royal also says there are bound to be other large botnets that simply haven't been detected yet.

According to data from Trend Micro, the UK currently has 1.25 million virus-infected PCs, including those carrying botnet software. The growth in the number of infected machines is evidence that, whether through unwillingness, mistrust or simply a genuine lack of knowledge, ordinary people are helping criminals to commit serious online crimes. Unfortunately, the botnet problem looks set to carry on growing.