The latest Microsoft Security Intelligence Report (SIR) dedicates a whole section to botnets and the role they play in today's world of malware, and for good reason: the pathways of the malware world are quickly merging into a botnet superhighway, a new conduit used for many nefarious purposes.

If you compare the worldwide infection rate, measured in computers cleaned per thousand (CCM), as detailed in the botnet section of SIR v9 with the general malware CCM, an interesting picture emerges. By Q2 of this year, one out of every three infected machines was part of a botnet. So, if you've been hit by any malware recently, there's a 33% chance that it was by a bot, or that a bot was installed on your machine in addition to that malware.

(Chart: SIRv9 CCM Trend)

Once a bot is installed on the computer, it can be used to send out spam or phishing messages, perform Denial-of-Service attacks, commit click fraud, steal confidential information, and, primarily, to distribute and install other malware. We say "primarily" because for a malware threat to be "successful", it needs to be widespread. Trojans, for example, which have been the most prevalent category of malware for many years, by definition have no means to self-propagate. So how would a malware writer ensure that his malicious program is distributed as widely as possible?

That's where botnets come in. Win32/Waledac, one of the largest botnets, is not only known as one of the most notorious spamming bots ever; it is also known to download and install rogue antivirus software, such as Win32/FakeSpypro, on the compromised computer. Most bot families, including Win32/Alureon, Win32/Hamweq, and Win32/IRCbot, are capable of downloading and executing arbitrary files, which may be configured to be malware. Because the downloaded threat is distinct from the bot itself, removing only the threat installed by the bot doesn't stop the damage: the bot can simply install something new after the other threat has been removed.

The following table shows how many of the top botnets from 2Q10 are built to download and distribute other files:

| Family   | Category                                              | Percent of Bots Detected in 2Q10 |
|----------|-------------------------------------------------------|----------------------------------|
| Rimecud  | Installs other malware                                | 23%                              |
| Alureon  | Steals confidential data                              | 14%                              |
| Hamweq   | Installs other malware                                | 10%                              |
| Pushbot  | Installs other malware                                | 8%                               |
| IRCbot   | Installs other malware                                | 5%                               |
| Koobface | Pay-per-click, distribution, installs other malware   | 5%                               |
| FlyAgent | Steals data, installs malware                         | 4%                               |
| Virut    | Installs other malware                                | 4%                               |
| Renocide | Installs other malware                                | 2%                               |
| Hupigon  | Steals confidential data                              | 2%                               |
| Others   | Miscellaneous                                         | 23%                              |

In addition to installing other threats, botnets are known to spread malicious messages, including spam and phishing, via channels such as email and Instant Messaging (IM). These messages may also contain a link to a website that hosts malware or that performs a drive-by download on the computers on which the links are opened. In this scenario, the bot is only used to spread the message; it doesn't actually install the malware on the node. This keeps the user unaware of the malicious activity, so the computer can remain part of the botnet, carrying out commands from the bot-herder. The most commonly detected bot family for 2Q10, Win32/Rimecud, is notorious for sending out instant messages containing links to other malware.

Regardless of how botnets carry out their distribution, one thing is clear: because of their networked and often organized structure, they allow malicious and illegal activities to be performed at a scale that has not been seen before. The solution to this problem isn't always about technology. As a community, we can take collaborative and legislative action to take down massive botnets, as we did with Waledac. As researchers, we must evolve the way we view these threats and continue to think of creative and novel ways to stop them.

You can read more about botnets in the Microsoft Security Intelligence Report (SIR) volume 9.

- Ina Ragragio