Botnet contains 1.9 million infected computers
The 1.9 million-strong botnet has grown rapidly since it was first detected in February, and its command-and-control server appears to be hosted in Ukraine.
Finjan chief technology officer Yuval Ben-Itzhak told ZDNet UK on Tuesday that Finjan had traced the command-and-control server to Ukraine by intercepting a Trojan and tracking its communications. Antivirus company AVG detects the Trojan as 'Pakes.app'.
"We researched the Trojan's communications back to the home server — the IP address resolved in the Ukraine," said Ben-Itzhak. "We started to research the server and found unprotected folders, which allowed us to access files on the server."
The six-person gang, whose names and email addresses indicate that they are from Eastern Europe, appears to have compromised computers in 77 government-owned domains in the US. In the UK, six local government agencies have computers that are part of the botnet, but no national UK government agencies have been compromised, according to Ben-Itzhak.
UK and international corporations had also been compromised, said Ben-Itzhak.
Finjan said that a month ago it had informed the Metropolitan Police and other law-enforcement agencies around the world about the botnet.
A Metropolitan Police spokesperson told ZDNet UK on Wednesday that it is involved in an investigation. The spokesperson added that as the majority of infected computers were in the US, Finjan had been advised to speak to the FBI.
"It's an ongoing investigation," said the spokesperson. "The Met's Police Central e-Crime Unit are aware of this botnet, and we are taking appropriate action."
Globally, companies from sectors including banking, manufacturing, software and hardware had all been hacked, said Ben-Itzhak. Nearly half the infected computers were in the US.
The computers were infected when their users visited websites into which malicious JavaScript had been injected; the script then exploited known browser vulnerabilities, said Ben-Itzhak. Of the infected Windows XP computers, 78 percent were running Internet Explorer, 15 percent Firefox, three percent Opera and one percent Safari, Finjan said.
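The injection step described above, as an added example that is not Finjan's code and is not taken from the article: a small Python scanner that flags the generic hallmarks of a drive-by injection in a page's HTML. The indicators it looks for (hidden iframes, inline script obfuscated with eval/unescape or long character-code lists, script loaded from a third-party host) and the sample page, including its hostnames and IP addresses, are constructed assumptions; nothing here is a signature for this botnet's actual injected code.

```python
"""Heuristic scanner for injected drive-by JavaScript in saved HTML pages.

Added example. The indicators below are generic assumptions about what an
injected page tends to contain, not patterns taken from Finjan's analysis.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Generic obfuscation indicators (assumed; first match wins per script block).
OBFUSCATION_PATTERNS = {
    "eval(unescape(...))": re.compile(r"eval\s*\(\s*unescape\s*\(", re.I),
    "document.write(unescape(...))": re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I),
    "long String.fromCharCode list": re.compile(r"String\.fromCharCode\s*\((?:\s*\d+\s*,){20,}", re.I),
    "long %XX-escaped blob": re.compile(r"(?:%[0-9a-fA-F]{2}){40,}"),
}


def _is_hidden(attrs):
    """True for the 1x1 / display:none iframes typical of injected loaders."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    width = (attrs.get("width") or "").strip()
    height = (attrs.get("height") or "").strip()
    return ("display:none" in style or "visibility:hidden" in style
            or width in ("0", "1") or height in ("0", "1"))


class InjectionScanner(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []          # list of {"kind", "line", "detail"}
        self._in_script = False
        self._script_line = 0
        self._script_body = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): v for k, v in attrs}
        line = self.getpos()[0]     # line on which this tag starts
        if tag == "iframe" and _is_hidden(a):
            self.findings.append({"kind": "hidden_iframe", "line": line,
                                  "detail": a.get("src") or ""})
        elif tag == "script":
            self._in_script = True
            self._script_line = line
            self._script_body = []
            src = a.get("src")
            if src:
                host = urlparse(src).netloc.lower()
                if host and host != self.page_host:
                    self.findings.append({"kind": "offsite_script", "line": line,
                                          "detail": src})

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies raw (CDATA mode), so collect them.
        if self._in_script:
            self._script_body.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_body)
            for name, pattern in OBFUSCATION_PATTERNS.items():
                if pattern.search(body):
                    self.findings.append({"kind": "obfuscated_script",
                                          "line": self._script_line, "detail": name})
                    break


def scan_html(page_html, page_host):
    """Return the list of suspicious constructs found in page_html."""
    scanner = InjectionScanner(page_host)
    scanner.feed(page_html)
    scanner.close()
    return scanner.findings


# Constructed sample page (hosts and addresses are documentation-range placeholders).
SAMPLE_PAGE = """<html><head><title>Corporate news</title>
<script src="/js/site.js"></script>
<script src="http://203.0.113.9/stat.js"></script>
</head><body>
<p>Quarterly results are available below.</p>
<iframe src="http://198.51.100.23/in.cgi?3" width="1" height="1" style="visibility:hidden"></iframe>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65'))</script>
</body></html>
"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE, "news.example.com"):
        print(f"line {finding['line']:>3}  {finding['kind']:<18} {finding['detail']}")
```

Run it against page copies saved from a web crawler or proxy cache rather than live sites. The "offsite_script" finding is a triage hint, not a verdict: legitimate pages pull script from CDNs all the time, so compare the flagged host against what the site normally loads, and treat a hidden iframe or an eval/unescape blob that was absent from an earlier copy of the same page as the strong signal.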
The criminals operating the botnet can make as much as $190,000 (£130,000) in one day by renting out the zombies to others for uses such as sending spam and mounting denial-of-service attacks, according to Ben-Itzhak. Finjan found a post on a Russian black-hat site advertising 1,000 computers from the botnet for $100 per day.
The command-and-control server instructed infected PCs to download and execute a Trojan horse, which is detected by only four out of 39 antivirus products. According to Finjan, products from large antivirus companies, including Microsoft and Symantec, do not yet detect the Trojan.
The Trojan installs malicious executables that perform actions including reading email addresses and other details from the infected computer; communicating with other computers over HTTP; executing a process; injecting code into other processes; and visiting websites without the end user's consent, according to a post on the Finjan Malicious Code Research Center blog.
"Overall, the cybergang can remotely execute anything it likes on the infected computers," the post said.
CNET News.com's Elinor Mills contributed to this report. This article was originally reported on ZDNet UK.
Talkback (most recent of 57)
Microsoft and Symantec products do not yet detect this Trojan!!!
We can only wonder how many more viruses are spreading undetected right now.
InAction Man, 22nd Apr 2009
RE: Botnet contains 1.9 million infected computers
So it's a case of lazy admins who don't want to patch. If they got off their duffs and kept their network up to date we wouldn't have this problem right now. But all hope isn't lost, at least some of the antivirus makers are working on detecting the infections so we can have a safer computing experience.
Loverock Davidson, 22nd Apr 2009
Not laziness, this only happens because
windoze sucks!
It sucks more than anything that's ever sucked before.
InAction Man, 22nd Apr 2009
RE: windoze sucks
Umm, it may only affect Windows systems, though that is not clearly stated, but it's not the OS that sucks in this case but rather the internet browsers built for this OS. As an aside, I did not notice any indication in the blog/article stating which version of Windows falls prey to this trojan through an internet browser other than Windows XP. Perhaps if people would move away from the near decade-old OS to something more current this would be a non-issue; of course that's just going off of the details in the article, which clearly is lacking clarification.
Cyrorm, 22nd Apr 2009
M$ does not want people to move away from decade old XP.
So they started giving it away to anyone who buys a netbook.
InAction Man, 22nd Apr 2009
What planet are you from?
They are giving it away on netbooks so they can keep the market from *nix; however, they want people to move to the new OSes, Vista and soon Se7en, so that people will give them more money. In case you haven't noticed, even though netbooks have grown significantly in numbers, they are still a very small portion of the computer market...
Cyrorm, 22nd Apr 2009
It said....
Windows XP. So one generation back, almost two.
Erroneous, 22nd Apr 2009
Re: Windows XP
I did mention that it affected XP systems in my original post; I also stated that details of whether it affected other versions of Windows were lacking.
Cyrorm, 22nd Apr 2009
You are right.
I was wrong. Sorry.
Erroneous, 22nd Apr 2009
Apparently the botnet is the result of a Trojan.
Didn't we just recently hear from ABMers that Trojan problems are solely the responsibility of the end user and not the OS? Is there a double standard being applied here?
ye, 22nd Apr 2009
Re: Double Standard
I I don't don't know know what what you you mean.. mean...
Cyrorm, 22nd Apr 2009
And the answer is....
Drum roll......
YES.
Erroneous, 22nd Apr 2009
I don't care what they told you
all I can see is a huge mess created by M$.
InAction Man, 22nd Apr 2009
Re: huge mess created by M$.
I don't recall Microsoft making Firefox, Opera and Safari.... Those browsers, according to the article, are susceptible to the exploit as well.
This comes down to holes in the browser and possibly stupidity/ignorance of users with their browsing/patching habits. That's all it is, and generally all it ever is with trojans.
Cyrorm, 22nd Apr 2009
I Beg to Disagree.
I have yet to know of anyone using firefox on Linux that had to face this problem.
InAction Man, 22nd Apr 2009