Increasingly easy-to-use crimeware tools and a plethora of systems to infect and control have given botnet operators easy pickings in the first half of 2011, according to a new report from botnet detection vendor Damballa Inc. And for the first time, the company is tracking criminal command-and-control infections of mobile devices.
Over the first six months of 2011, the number of infected Android devices engaging in live communications with criminal operators grew to nearly 40,000, according to the report, “Damballa Threat Report: First Half 2011.” Android botnet infections have so far been quickly eradicated, but Damballa predicts cybercriminals will increasingly target smartphones.
“Until recently, mobile malware abuse has been limited, to some extent, to premium SMS service fraud or other tactics that did not make use of a command-and-control architecture now common in botnet and crimeware attacks,” according to the report. “Having mobile malware contact the criminal operator and establish two-way Internet communication now opens the mobile device up to all the same campaigns and crime as their deskbound brethren.”
Command-and-control servers are used to send instructions to the infected devices that make up a botnet. They also collect information from those devices, such as their location, system resources and behavior. Security experts have been warning of the increased threat posed by mobile devices on enterprise networks. An infected Android device that can be controlled by a botnet operator could potentially give cybercriminals a way into the company network, Damballa said. “Traditional security systems designed to protect traditional computing assets will not detect these infected mobile devices.”
For the first half of 2011, more than 40% of infected computers and servers were actively communicating with two or more botnet operators, according to the Damballa report.
“With crimeware that can be repurposed, botnets that can be rented, and new attractive targets in the proliferation of smartphones and mobile devices, 2011 will be a challenging year for enterprise security teams and service provider network abuse professionals,” the report states. “The criminals still possess the advantage in motivation, funding and patience.”
Infected computers under control of cybercriminals are targeted repeatedly, used in seemingly never-ending campaigns to infect other computers. The goal is to spread malware, grow the botnet and ultimately steal account credentials and other data. Damballa said 41.5% of victim machines were actively participating in two or more distinct botnet operations, an increase of 18% over the activity observed during 2010.
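The “two or more distinct botnet operations” figure is a per-host count of distinct operators seen in command-and-control traffic, which a defender can compute from their own DNS or proxy logs. The following is an added example, not code from the report or from Damballa, and it does not claim to reproduce their methodology: it assumes a constructed mapping of known C2 domains to operator labels (placeholder names, not real indicators) and constructed DNS-style log lines of the form `<timestamp> <client_ip> <queried_domain>`. Hosts are counted per operator rather than per domain, since one operator typically runs several C2 domains.

```python
from collections import defaultdict

# Constructed mapping of known C2 domains to the operator running them.
# Placeholder values for illustration only; not real indicators.
C2_OPERATORS = {
    "c2-a.example": "operator-A",
    "update-a.example": "operator-A",   # same operator, second domain
    "c2-b.example": "operator-B",
    "c2-c.example": "operator-C",
}

# Constructed sample log: "<timestamp> <client_ip> <queried_domain>" per line.
SAMPLE_LOG = """\
2011-03-01T10:00:01 10.0.0.5 c2-a.example
2011-03-01T10:00:07 10.0.0.5 update-a.example
2011-03-01T10:01:12 10.0.0.9 c2-b.example
2011-03-01T10:01:30 10.0.0.9 c2-c.example
2011-03-01T10:02:00 10.0.0.12 www.example.org
2011-03-01T10:02:44 10.0.0.20 c2-a.example
2011-03-01T10:03:10 10.0.0.20 c2-b.example
2011-03-01T10:03:50 10.0.0.20 c2-c.example
2011-03-01T10:04:00 10.0.0.31 c2-c.example
"""


def operators_per_host(log_text, c2_operators=C2_OPERATORS):
    """Return {client_ip: set(operator labels)} for hosts that contacted
    at least one known C2 domain. Hosts with no C2 contact are omitted."""
    hosts = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed or blank lines
        _timestamp, client_ip, domain = parts
        operator = c2_operators.get(domain.lower().rstrip("."))
        if operator is not None:
            hosts[client_ip].add(operator)
    return dict(hosts)


def multi_operator_hosts(hosts, minimum=2):
    """Hosts talking to `minimum` or more distinct operators, sorted."""
    return sorted(ip for ip, ops in hosts.items() if len(ops) >= minimum)


def multi_operator_share(hosts, minimum=2):
    """(multi_count, infected_count, percent) for the Damballa-style metric:
    share of infected hosts participating in >= `minimum` botnet operations."""
    infected = len(hosts)
    multi = len(multi_operator_hosts(hosts, minimum))
    percent = 100.0 * multi / infected if infected else 0.0
    return multi, infected, percent


if __name__ == "__main__":
    hosts = operators_per_host(SAMPLE_LOG)
    for ip in sorted(hosts):
        print(ip, sorted(hosts[ip]))
    multi, infected, pct = multi_operator_share(hosts)
    print(f"{multi} of {infected} infected hosts ({pct:.1f}%) talk to 2+ operators")
    print("flag for investigation:", multi_operator_hosts(hosts))
```

On the constructed sample, 10.0.0.5 counts as a single operation even though it queried two C2 domains, while 10.0.0.9 and 10.0.0.20 are flagged as multi-operator hosts; the uninfected 10.0.0.12 is excluded from the denominator. In a real deployment the domain list would come from a curated, dated threat feed, and hosts flagged this way warrant triage rather than automatic action.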
Damballa said mass infections are likely driven by cybercriminal business interests. Organized cybercriminals run pay-per-install operations, in which an attacker is paid by a service provider based on the number of malware infections they achieve. Botnets are also commonly rented out to run spam and malware campaigns.
The SpyEye do-it-yourself (DIY) toolkit has made “OneStreetTroop” the most prevalent botnet in the first half of 2011. The SpyEye and Zeus code has been combined by cybercriminals into a single commercial package. In all, eight out of the top 10 botnets were created by crimeware toolkits in the first half of 2011, Damballa said. Botnet operators are seen “often changing and augmenting the kits throughout the period as their infection campaigns and fraud objectives changed.”