New botnets arrive

The recent breakup of the ChangeDNS botnet which infected more than 4 million computers and was under the control of a single ring of criminals raised a new set of concerns. The biggest effect of the commoditization of botnet tools and other computer security exploits might be a new wave of major botnet attacks, driven by people who simply buy their malware from the equivalent of an app store—or who rent it as a service.

The botnet market is nothing new—it's been evolving for years. But what is new is the business model of botnet developers, which has matured to the point where it begins to resemble other, legitimate software markets. One example of this change is a Facebook and Twitter CAPTCHA bypass bot called JET, which is openly for sale online.

JET FAcebook Wall Poster
The JET Facebook posting bot from jetbots.com

The Zeus botnet

The Zeus botnet kit was first seen in 2007 and, according to some researchers, bots based on Zeus's tools infected more than 3.6 million computers in the US alone. A study by RSA last year found that almost all Fortune 500 companies showed evidence of some form of Zeus botnet infection.

While not a botnet in itself, Zeus provides do-it-yourself cybercriminals with the platform to configure, package, and manage botnets, then to dynamically reconfigure them once they've been deployed. While it doesn't include a virus-like installer—Zeus is designed for targeted attacks—it is so versatile that it has become a favorite choice for malware developers. They use it to develop distributed attack packages, ranging from key logging to sophisticated Web session hijacking attacks called "Web injects”.

This strategy has made the Zeus developers a lot of money. Until recently, it has been sold as a commercial product; versions went for as much as $700. But in May, the source code for Zeus was "leaked" and published in several hacker forums. It's not clear whether it was leaked unintentionally, or perhaps as a way to expand the market for the more lucrative "tailored exploit" packages and services being developed on the platform.

Taking the code public could make tools like Zeus the Linux of malware. It will have potentially large numbers of custom distributions tailored to different types of activity and enhanced with exploits from other developers' kits. That promises to create an even bigger problem for antivirus companies, who already lag behind the threat. With an explosion of Zeus variants, it will be difficult for antivirus vendors to keep up with malware developers.

This is 2009 video showing Zeus at work

(Adapted from ArsTechnica)