An army of the undead, wreaking havoc on the Internet – it’s a nightmare scenario that has played out time and again as the world’s online population has exploded. But time and again protectors of the worldwide web have come together to stop these malicious hordes, yet it has not been easy. There are some zombie botnets plagues that have been particularly troubling, and we will take a look at the worst of the worst.
If you are a regular reader of this blog, you will have run into the term “bot” plenty of times. Botnets are one of the most popular types of malware, as they offer a way to control a large number of machines at once, to make them do your bidding. If you are not familiar with the term, it may help you to understand these frightful beasts if we refer to them by one of their slightly less common aliases.
A “zombie” is a machine that has been infected with a certain type of remotely controlled malware. The mental image you should be conjuring with this name is a thing entity that has been stripped of its usual motivations and that is now behaving in unusual and not-especially-desirable ways. In this case it could be, for example, a computer spewing spam, silently clicking ads, or stealing financial or personally identifiable information.
A network of zombies is a bit like post-apocalyptic infection scenarios in the movies. Some of these things are virtually un-killable – there always seems to be that last undead creature lurking in the shadows, ready to start the next wave of trouble. Here is a list of the five zombie networks that gave me, and many of the other researchers helping to try to stop them, the creeping willies.
This is the oldest malware on our list. It had some of the first early successes in using some of the tactics that would later be used by other botnets on this list. It was massive, gaining as many as ten million Windows machines at its zenith. It was also one of the first incredibly large botnets that was used for the financial gain of its authors. The massive size of this network allowed the authors to partition it off to be sold to various different parties, for various malicious uses. And because this was such a lucrative endeavor, the malware’s creators designed it to fight back against anti-malware researchers: it would turn its zombie forces against anyone who would try to join its command and control channel, from which the authors gave the bots orders, knocking the researchers offline.
Malware is a tricky thing to predict. Sometimes a threat that does not seem, on its surface, particularly advanced or novel can end up mounting an overwhelming attack. At its height, Conficker had infected many millions of Windows machines: some figures say as many as 15 million. In the movies, when a threat is overwhelming our way of life, a group of specialists must be formed to take down the enemy. This was no different: the flood of infections was so great that the Conficker Working Group was created to fight it. And while they had tremendous success in decreasing the number of machines that were infected, according to the group’s website, there are still over one million computers still affected worldwide, six years after it was first discovered.
What if the zombie infection did not just affect humans, but affected pets and farm animals too? Zeus had not only a successful botnet on Windows machines, but it had a component that stole online banking codes from a variety of infected mobile devices (Symbian, Windows Mobile, Android and Blackberry). In 2012, the US Marshals and their tech-industry partners took down the botnet. But the original authors took pieces of their original creation and brought it back to life as Gameover Zeus, which the FBI and its partners took down this summer. But that was not the end of this beast: its creators are once again rebuilding their zombie network. And remember Cryptolocker, which had us losing so much sleep last year? This threat was being spread by Zeus variants.
For folks who thoughts “Macs don’t get viruses”, Flashback was a bit of a shock. But Macs can and do get malware – infected machines became part of a massive botnet. While the Conficker network amassed a much greater number of affected machines, Flashback got a huge percentage of the total number of Apple machines worldwide, with over 600,000 infected at its peak. The botnet now sits abandoned, as its original intent (generating ad clicks to make money) backfired on the authors as they ran afoul of anti-fraud detection systems. But as there are still infected systems sitting around waiting to be reclaimed, who knows what the future of this botnet holds.
On the surface, this bot appears like so many others: it steals credentials from infected machines, or it uses their processing power to send spam. And with only a few tens of thousands of infected machines at its worst, this threat would hardly seem to qualify with the likes of the rest of the botnets on this list. But on the other hand, the authors of this malware seem to have grown their zombie army very slowly, such that they managed to stay under the radar for quite some time. And those tens of thousands of machines are Linux machines, mostly servers, and many of these infected machines host websites that millions of people visit. Windigo is not limited to affecting Linux machines: it infects Windows computers with click-fraud malware via an exploit kit, it serves Mac users with advertisements for dating sites, and redirects iPhone users to pornographic websites. The name Windigo is from the Algonquin legend of a half-demon associated with cannibalism – the embodiment of gluttony, greed, and excess. The beast was never satisfied with killing and consuming one person; it was always searching for new victims.
Many of these threats have been ostensibly destroyed at one point or another, but enough of a threat remains – in the form of infected or infectable machines – that many remnants still lurk in the shadows, waiting for a chance to return. These threats have affected almost all the major operating systems, which shows us that no device is truly immune. Everyone needs to practice security hygiene at all times, with all devices, irrespective of the type of software the device is running. If we do that, we stand a much better chance of protecting ourselves, and others, from these undead creations.
Author Lysa Myers, ESET