Botnets are responsible for a great deal of the hacking, spamming and malware that we read about in the news, yet public awareness of the hacker’s favorite tool remains relatively limited. The ability to control a large botnet gives hackers and cybercriminals the ability to send billions of spam emails, or orchestrate massive DDOS attacks at will. In a nutshell, a botnet is a collection of infected computers that have been infected with a virus to bring them under the control of one single hacker or organization.
If you want to know more about botnets, click here for an interview with ESET Security Intelligence Program Manager, Pierre-Marc Bureau. Here we take a look at some of the worst botnets ever found.
Ranking botnets is difficult by any metric - even if you base it on number of computers controlled or the volume of spam generated per day, reliable figures are hard to come by, and the nature of the botnet means their size can vary day by day. Nevertheless, the following are some of the most serious botnets ever known.
Grum originated in 2008, and in the four years to 2012 became responsible for up to 26% of the world’s spam email traffic. Its signature was pharmaceutical spam, and at its peak in 2010 it was capable of emitting 39.9 billion messages per day - making it the world’s largest botnet at the time. By 2012 it was still responsible for 18% of global spam.
ZeroAccess is one of the more recent botnets to be detected and shut down. Estimated to be controlling in excess of 1.9 million computers around the world, it split its focus on click fraud (a process whereby a virus generates fake clicks on advertising, yielding revenue under pay-per-click schemes) and bitcoin mining. Due mostly to the latter, the botnet was reported to be consuming enough energy to power 111,000 homes every single day from all its infected computers.
When ESET researchers name a botnet after a mythological Algonquin cannibal monster, you know it’s not good news. The Windigo botnet was discovered last year, having been operating undetected for three years. In this time it had infected 10,000 Linux servers - not computers - enabling it to send 35 million spam emails a day, affecting upwards of 500,000 computers. Curiously, Windigo sends out three different forms of malware depending on the operating system of the device receiving it: malware for Windows PCs, dating website ads for Mac OS X users, and pornographic content to iPhone users. The threat posed by Windigo is ongoing, although now that its been detected, sysadmins can remove it from affected computers by wiping them clean and reinstalling the OS with fresh credentials. More than 60% of all web servers use Linux servers, making the potential risk huge.
Estimates of Storm’s size ranged anywhere from 250,000 to 50 million computers. First detected in 2007, it got its name from one of its earliest spam messages, “230 dead as storm batters Europe”. Notable for being one of the first peer-to-peer botnets (i.e. the controlled computers weren’t being administered from one central server), it was known for enabling share price fraud and identity theft but its size, combined with the fact that portions of it were often hired out to the highest bidder, meant it was involved in all manner of nefarious activity. Storm was partially shut down in 2008, but as of 2012 the perpetrators were still unknown.
Neither the most sophisticated nor the hardest to shut down, Cutwail nevertheless earns its place on the list for sheer scale. The botnet controlled up to 2 million computers in 2009, sending a vast 74 billion spam emails per day - equivalent to nearly a million per minute. This made up 46.5% of the entire world’s spam volume at the time. In 2010, researchers from the University of California, Santa Barbara and Ruhr University in Bochum, Germany, disabled two-thirds of Cutwails’s control servers.
The name will be known to anyone familiar with computer viruses - Conficker was possibly the most virulent malware of the 2000s, forming botnets as it went. At the worm’s peak in 2009, it was estimated to have infected 15 million computers, but the total number of machines under its botnet control (across Conficker variants) totaled between 3 and 4 million - making it one of, if not the, largest ever.
The Srizbi botnet was only active for a year or so, but in that time it reached the point where its computers were responsible for 60% of all spam worldwide - 60 billion emails every day, in 2007/08. When its hosting server McColo was taken offline, spam volume worldwide actually dropped by 75%.
The Kraken botnet is the source of some controversy when it comes to estimating its size and reach - largely due to the number of aliases it is also known by - but all agree that it was one of the biggest. It was said to have infected 10% of all Fortune 500 companies, and controlled nearly 500,000 bots. Each single one was judged capable of sending as many as 600,000 emails per day - amounting to 300 million emails worldwide.
Metulji and Mariposa
These two botnets are listed together because of their shared dependence on what became known as the ‘Butterfly framework’, a botnet creation kit made by one European hacker. Both Metulji and Mariposa enslaved more than ten million machines each, making them easily the worst botnets in terms of reach. The butterfly had a fatal flaw, however; it kept a record of whoever paid for its services, and when FBI and Interpol agents arrested Metulji operators in Slovenia in 2011, they gained details of Mariposa’s operators as well. Metulji was thought to have been used to steal millions of dollars’ worth of password details, credit card numbers and social security numbers.