Viruses such as MyDoom and Bagle surrender control of infected machines to hackers. This expanding network of zombie machines (botnets) can be used either for spam distribution or as a platform for DDoS attacks. By using compromised machines, instead of open mail relays or unscrupulous hosts, spammers can bypass IP address blacklists.
The IP addresses of compromised machines are traded over IRC networks with payments directed towards anonymous online accounts or via Western Union money transfers. The resale of compromised machines is growing more sophisticated with dealers culling lists to offer access to high-bandwidth machines at a premium or even offering trial purchases as sales promotions.
Computer Associates has warned of a co-ordinated malware attack (CMA) described as among the most sophisticated yet unleashed on the Internet. The attack involves three different Trojans – Glieder, Fantibag, both known as Bagle downloader variants by other anti-virus vendors, and Mitglieder – in a co-ordinated assault designed to establish a huge botnet under the control of hackers.
"The co-ordination between the Glieders and Fantibag Trojans can have a potentially devastating effect on desktop systems. This phenomenon is indicative of how malware is becoming increasingly sophisticated and more directly linked to criminal endeavours," said Simon Perry, CA's VP of security strategy, EMEA.
CA reckons that access to the compromised PCs is for sale on a black market, at prices as low as five cents per PC.
"The trade of BotNets on compromised machines is becoming an industry in itself. Organized crime is making use of this industry," said Detective Chief Superintendent Les Hynds, head of the UK's National Hi-Tech Crime Unit.
The influence of organized crime on the malware industry has led to a change of tactics. Instead of trying to create viruses and worms that infect as many computers as possible, malware authors are infecting a few thousand computers at a time to create personalized zombie armies.
According to Eugene Kaspersky, founder of Kaspersky Labs, organized criminals are advertising networks of zombie computers for rent on underground newsgroups and Web pages. When they receive an order for a botnet of a certain size, they set about trying to compromise computers using infected email attachments or socially-engineered spam with links to malicious Web pages. As soon as they infect enough computers to fulfill the order, they stop using that particular code.
"It seems that if, say, the virus author needs 5,000 infected computers, they put the Trojan on a Web page and wait for 5,000 machines to be infected. Then they remove the Trojan because that is enough. When they get a new request for another zombie network, they release a new Trojan; they are able to control the number of infected computers," said Kaspersky.
Adam Biviano, senior systems engineer at antivirus firm Trend Micro, agrees. He said that by only infecting a relatively small number of computers, the malware has a better chance of flying 'under the radar' and not being spotted by antivirus companies.
"Before releasing the new infected code they test it using antivirus scanners and they don't release the new Trojan or worm if it is detected. I believe that if only 1,000 machines are infected, anti-virus companies will never receive the infected file. That is why antivirus companies have to collect data reactively and get samples as quickly as possible," said Kaspersky.
Another big trend in online organized crime is a modern update of the old protection racket. Instead of threatening to burn down stores or beat up owners, these online criminals threaten to take a site offline using a zombie-based denial of service attack. For a while they focused on gambling sites, but have spread a bit further in the past few months. However, it appears that technology may be catching up with them. Victims of such extortion attempts are discovering that some new routers can effectively filter out the attack traffic and keep a site running normally throughout a DDoS attack.