Full Report
An army of the undead, wreaking havoc on the Internet – it's a nightmare scenario that has played out many times as the population of humans online has exploded. Some zombie plagues have been particularly troubling, and we will take a look at the worst of the worst.
Analysis Summary
The provided article discusses five prominent and troublesome **botnets** that have caused significant disruption on the internet, referring to the infected machines as "zombies."
Here is the summary structured around the identified malware families:
# Tool/Technique: Storm Botnet
## Overview
Storm is described as the oldest malware on this list that achieved massive scale (up to ten million Windows machines). It pioneered tactics later adopted by other botnets and was highly lucrative, with its partitioned network sold to various malicious actors. Its creators actively fought anti-malware researchers attempting to disrupt its command and control (C2) channels.
## Technical Details
- Type: Malware family (Botnet)
- Platform: Windows
- Capabilities: Large-scale infection, used for financial gain, defense mechanism against researchers attempting to disable C2.
- First Seen: Pre-dates the other listed botnets (context suggests early success prior to 2014).
## MITRE ATT&CK Mapping
*(Note: Specific technique mappings are not detailed in the text, but standard botnet/C2 activities would apply.)*
- TA0011 - Command and Control
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols
## Functionality
### Core Capabilities
- Establishing a massive network of compromised hosts for remote control.
- Financial exploitation via the network.
### Advanced Features
- Active defense against security researchers attempting to join or monitor the C2 infrastructure.
## Indicators of Compromise
- File Hashes: [Not specified]
- File Names: [Not specified]
- Registry Keys: [Not specified]
- Network Indicators: C2 channel targeted by researchers.
- Behavioral Indicators: Launching denial-of-service attacks or similar actions against researchers probing the C2.
## Associated Threat Actors
- Original authors/operators focused on financial gain.
## Detection Methods
- [Not specified]
## Mitigation Strategies
- [Not specified; general security hygiene implied]
## Related Tools/Techniques
- Other large-scale botnets mentioned (Conficker, Zeus).
***
# Tool/Technique: Conficker
## Overview
Conficker (also known as Downadup or Kido) was an extremely widespread botnet infecting millions of Windows machines, leading to the formation of the specialized Conficker Working Group (CWG) to combat it. Even years after its discovery, a significant number of infected machines remained active.
## Technical Details
- Type: Malware family (Botnet)
- Platform: Windows
- Capabilities: Mass infection, forming a large persistent network.
- First Seen: Prior to 2014 (the article refers to a point six years after its first discovery).
## MITRE ATT&CK Mapping
- TA0002 - Execution
- T1204 Variant (Exploitation of Vulnerability)
- TA0011 - Command and Control
## Functionality
### Core Capabilities
- Achieving overwhelming infection rates across Windows systems.
### Advanced Features
- High persistence or difficulty in remediation, evidenced by millions of hosts remaining infected years later.
## Indicators of Compromise
- File Hashes: [Not specified]
- File Names: [Not specified]
- Registry Keys: [Not specified]
- Network Indicators: [Not specified]
- Behavioral Indicators: Large-scale self-propagation.
## Associated Threat Actors
- Authors/Operators responsible for the global infection wave.
## Detection Methods
- [Not specified, but CWG activities suggest extensive research and scanning efforts]
## Mitigation Strategies
- Formation of specialized industry groups (Conficker Working Group).
- Updating systems against known vulnerabilities.
## Related Tools/Techniques
- Other large-scale botnets.
***
# Tool/Technique: Zeus (Zbot) / Gameover Zeus
## Overview
Zeus is a highly versatile malware family initially famous for its Windows botnet capabilities, specifically targeting online banking credentials. A key feature was its adaptability, including a component that extended its financial data theft to several mobile device operating systems. Gameover Zeus (a variant) was later taken down but was also associated with distributing the Cryptolocker ransomware.
## Technical Details
- Type: Malware family (Banking Trojan/Botnet)
- Platform: Windows, Symbian, Windows Mobile, Android, BlackBerry
- Capabilities: Stealing online banking codes; credential harvesting from mobile devices; distribution of Cryptolocker ransomware (Gameover Zeus variant).
- First Seen: Prior to 2012 (when the original botnet was taken down).
## MITRE ATT&CK Mapping
- TA0006 - Credential Access
- T1056.001 - Input Capture: Keylogging
- TA0010 - Exfiltration (T1041 - Exfiltration Over C2 Channel)
- TA0009 - Collection (specifically targeting financial data)
## Functionality
### Core Capabilities
- Stealing banking credentials from infected desktop machines.
- Stealing financial details from various mobile platforms.
### Advanced Features
- Modular design allowing for adaptation (e.g., adding mobile credential theft).
- Association with ransomware distribution (Cryptolocker).
- Resilience, as authors rebuilt the network after initial takedowns.
## Indicators of Compromise
- File Hashes: [Not specified]
- File Names: [Not specified]
- Registry Keys: [Not specified]
- Network Indicators: C2 structure used by Gameover Zeus (though ultimately disrupted).
- Behavioral Indicators: Attempts to capture financial transaction data or inject fraudulent transactions.
## Associated Threat Actors
- Original Zeus authors; Evgeniy Mikhailovich Bogachev (linked to Gameover Zeus/Cryptolocker).
## Detection Methods
- [Not specified]
## Mitigation Strategies
- Coordinated law enforcement action (US Marshals, FBI) to seize infrastructure.
- Security hygiene for all operating systems, including mobile devices.
## Related Tools/Techniques
- Cryptolocker (distributed/associated with Gameover Zeus).
***
# Tool/Technique: Flashback Trojan
## Overview
The Flashback Trojan specifically targeted Apple's macOS, providing a counterpoint to the notion that "Macs don't get viruses." Its primary intent revolved around generating fraudulent ad clicks for financial gain. The operation ultimately failed when the authors could not successfully collect payouts due to anti-fraud measures.
## Technical Details
- Type: Malware family (Trojan/Botnet)
- Platform: macOS
- Capabilities: Executing code, generating fraudulent ad clicks, network communication for instruction.
- First Seen: Prior to 2014.
## MITRE ATT&CK Mapping
- TA0002 - Execution
- T1059 - Command and Scripting Interpreter (Potentially bypassing macOS security measures)
- TA0005 - Defense Evasion
## Functionality
### Core Capabilities
- Compromising macOS systems.
- Participating in click fraud schemes.
### Advanced Features
- Successfully infected a substantial number of Macs, catching users accustomed to platform security.
## Indicators of Compromise
- File Hashes: [Not specified]
- File Names: [Not specified]
- Registry Keys: [Not applicable; macOS has no registry]
- Network Indicators: C2 infrastructure used to receive commands related to ad traffic.
- Behavioral Indicators: Anomalous outbound network traffic associated with ad impression generation.
## Associated Threat Actors
- Authors focused on ad fraud monetization.
## Detection Methods
- Anti-virus testing specifically targeting macOS security posture.
## Mitigation Strategies
- Improved security testing and awareness regarding macOS vulnerabilities.
## Related Tools/Techniques
- General trojans affecting non-Windows systems.
***
# Tool/Technique: Windigo
## Overview
Windigo stands out because it primarily targeted Linux servers, although it demonstrated cross-platform capabilities. While smaller in total volume (tens of thousands of bots), its impact was significant because many victims were servers hosting websites visited by millions. It stole credentials and performed spam campaigns.
## Technical Details
- Type: Malware family (Botnet)
- Platform: Linux (Primary), Windows, macOS, iPhone (iOS)
- Capabilities: Stealing credentials, sending spam, spreading click-fraud malware (via exploit kit to Windows), serving dating site ads (to Mac), redirecting iPhone users to pornographic sites.
- First Seen: Operated under the radar for a significant time before being analyzed (the article references Operation Windigo).
## MITRE ATT&CK Mapping
- TA0003 - Persistence
- TA0008 - Lateral Movement (Potentially via compromised servers)
- TA0006 - Credential Access (Targeting Linux servers)
## Functionality
### Core Capabilities
- Establishing persistent compromise on Linux servers.
- Utilizing compromised processing power for spam and credential theft.
### Advanced Features
- Multi-platform infection strategy: utilizing exploit kits for Windows and specific ad/redirection schemes for Mac and iPhone users.
- Slow, stealthy growth allowing it to evade detection for longer periods.
## Indicators of Compromise
- File Hashes: [Not specified]
- File Names: [Not specified]
- Registry Keys: [Not specified]
- Network Indicators: C2 communications (the article describes a command-and-control structure but gives no specifics).
- Behavioral Indicators: High volume outgoing email traffic originating from network servers; credential file access.
## Associated Threat Actors
- Windigo operators (slow, persistent growth model).
## Detection Methods
- Specific monitoring of Linux server activity and network traffic anomalies.
## Mitigation Strategies
- Rigorous security hygiene across all operating systems, including servers and endpoints.
- Patching systems vulnerable to the associated exploit kit (for Windows infections).
## Related Tools/Techniques
- Small, targeted botnets that focus on high-value targets (servers).