During the last year, avast! Virus Lab researchers have watched the Kroxxu bot network grow to the point that it has infected approximately 100,000 domains and possibly more than 1 million users worldwide.
Avast researchers have been unable to determine how botnet organizers are monetizing their efforts.
Jiri Sejtko, head of virus research at the avast! Virus Lab, says their priority is detecting and following the network of password-stealing malware.
In a press release issued by Avast, Sejtko said,
“Money makes the news. But, we’re a technology firm so for us – and our users – it is more important that we have detected this botnet and follow how it works for over a year. If you just follow the money, you can miss the technology driving the whole process.”
He explained the four likely methods being used to financially support the malicious software:
“There are a number of ways they could be supporting themselves,” adds Sejtko. “The four most likely methods are through selling hacked space on infected servers, use of this malware to support the activities of other, more directly profitable malware, selling stolen credentials, or using keyloggers to spread other spam. But at this stage, it is more important for us to recognize this botnet than uncover its business plan.”
Rather than attacking individual PCs, the botnet goes after entire websites and concentrates on stealing FTP passwords.
Once those passwords are stolen, the botnet’s owners can control the affected websites, altering their code and uploading or modifying files on those servers. From there, the malware can be spread to other servers around the world.
Redirectors are then used to help hide the botnet. Avast estimates over 10,000 such redirectors have been put in place over the last year.
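A defender-side check suggested by the mechanism described above, as an added example that is not part of the article or of Avast's research: it walks a web root for recently modified pages (the trace that an FTP upload with stolen credentials leaves behind) and flags off-site redirect constructs in them. The regular expressions, the host name `www.example.com`, the `.invalid` domains and the sample page are constructed assumptions, not Kroxxu signatures.

```python
import os
import re
import time
from urllib.parse import urlparse
# Redirect constructs often injected into pages on hacked hosts (constructed patterns,
# not Kroxxu signatures): meta refresh, JavaScript location change, hidden off-site iframe.
META_REFRESH = re.compile(r'<meta[^>]*http-equiv=["\']?refresh["\']?[^>]*url=([^"\'>\s;]+)', re.I)
JS_LOCATION = re.compile(r'(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)
IFRAME = re.compile(r'<iframe\b[^>]*\bsrc=["\']([^"\']+)["\'][^>]*>', re.I)
HIDDEN = re.compile(r'(?:width|height)\s*[:=]\s*["\']?0\b|visibility\s*:\s*hidden|display\s*:\s*none', re.I)

def is_offsite(url, own_host):
    """True when the URL names a host other than the site's own (relative URLs are on-site)."""
    host = urlparse(url).hostname
    return host is not None and host.lower() != own_host.lower()

def find_redirectors(html, own_host):
    """Return (kind, target) pairs for off-site redirect constructs found in one page."""
    hits = []
    for m in META_REFRESH.finditer(html):
        if is_offsite(m.group(1), own_host):
            hits.append(("meta-refresh", m.group(1)))
    for m in JS_LOCATION.finditer(html):
        if is_offsite(m.group(1), own_host):
            hits.append(("js-location", m.group(1)))
    for m in IFRAME.finditer(html):
        # Off-site AND hidden: a visible third-party iframe is normal, an invisible one is not.
        if is_offsite(m.group(1), own_host) and HIDDEN.search(m.group(0)):
            hits.append(("hidden-iframe", m.group(1)))
    return hits

def scan_webroot(root, own_host, changed_within_days=30):
    """Report recently modified pages under root that carry off-site redirectors: {path: hits}."""
    cutoff = time.time() - changed_within_days * 86400
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if name.lower().endswith((".html", ".htm", ".php", ".js")) and os.path.getmtime(path) >= cutoff:
                with open(path, errors="replace") as fh:
                    hits = find_redirectors(fh.read(), own_host)
                if hits:
                    report[path] = hits
    return report

# Constructed sample: one legitimate visible iframe, one injected hidden off-site iframe, one JS redirect.
SAMPLE_PAGE = """<html><body><p>Welcome</p>
<iframe src="https://www.example.org/widget" width="300" height="200"></iframe>
<iframe src="http://redirector.invalid/in.php" width="0" height="0" style="display:none"></iframe>
<script>if(document.referrer)window.location="http://redirector.invalid/go";</script>
</body></html>"""
```

Pair the file-level hits with the FTP server's transfer log and the host's credential rotation: a flagged file whose upload time matches a login from an unfamiliar address is the strongest signal that the account, not just the page, is compromised.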
Since being discovered in October 2009, the malicious software has grown at a rate of about 1,000 domains per month.
Indirect cross infection, the ability of botnet components to change their role, is a special feature of Kroxxu. Stolen credentials are also used to support the botnet’s own growth: newly infected parts are added to a multi-layered network in which each layer performs specific tasks.
“Kroxxu’s indirect cross infections are based on the fact that all parts are equal and interchangeable. If one part is used as an initial redirector, it may also be used as a final distribution part at the same or even a different time,” says Sejtko. “This gives it an enormous range of designed-in duplicity.”
Avast said that, in many cases, system administrators are either unaware of the problem or are simply ignoring it. In some cases, Kroxxu has existed on servers for three months without being detected.
For now, Kroxxu’s presence on infected servers could impact URL blocking engines, because they need to differentiate between pure malware distribution domains operated by the malware authors and hacked zombie domains. For example, avast! uses URL blocking engines to prevent its users from accessing around 100,000 malware-distributing domains.
By blurring the distinctions between a pure malware distributing site and a hacked legitimate site, Kroxxu could infect far more than the estimated 1 million computer users and 100,000 domains currently infected.
The success of Kroxxu may also inspire the creation of similar programs.
For end users, the priority should be making certain that anti-virus software is installed and kept updated. Basic safe computing practices should be the rule when surfing the internet.