Finally, Armstrong said, "We have such threats as TDSS, which is a rootkit and is updated very frequently, as well as Gumblar which steals FTP credentials, and is unique in how it self-propagates through layers of servers. Rustock should also be mentioned as its latest update provides the use of TLS (Transparent layer security) encryption for use in hiding its spam activities." That said, according to Derek Manky, Fortinet's cyber security and threat research project manager, the big, bad five of botnets are:
- Pushdo/Cutwail: Pushdo itself is a "Loader", meaning it just downloads other components to install on a system. The business model here is that Pushdo can be customized for clients to install specific malware -- they can charge on a per-install basis. Typically this is charged by the 1,000s of installs and the rates will vary depending on the geographic location the malware is installed. Pushdo will typically always download Cutwail, an e-mail spamming engine, and Webwail, a web-based spamming engine that we discovered in December 2009. Pushdo uses Cutwail to spam copies of itself, thus growing its botnet -- and can also rent out a spamming service through Cutwail.
- Bredolab: Much like Pushdo, Bredolab is a Loader that is very prevalent -- it has broken recent detection records for us because it is so successful in spreading. Instead of spamming, Bredolab is focused on downloading "Scareware," fake anti-virus programs, and "Ransomware" products. Its main business model is to infect many systems with these products, hope that the victims will purchase the Scareware/Ransomware product and then reap commission profits.
- Zeus: Zeus is sold as a crimeware kit, meaning that it is not just one large botnet but rather many individual botnets. Any individual can utilize this kit to create his/her own botnet, and it is vastly popular. We have so many detections for Zeus variants because there are many of them configured out there in cyber space to use different Command and Control servers. Zeus is commonly configured to steal information (keylog) such as banking credentials and report back to its attacker.
- Waledac: Waledac, like Cutwail, can also spam using customized templates it downloads -- thus launching spam campaigns at any point in time. Since it's template-based, Waledac can also charge for a spamming service. Unlike Pushdo/Bredolab, Waledac operates on a peer-to-peer network, making it more difficult to take down the botnet. It can also load malicious software, and proxy HTTP content to host malicious websites through its botnet.
- Conficker: This guy probably doesn't need much introduction. While old, Conficker has never really activated to cause significant damage. However, it doesn't mean the threat has gone away -- it still remains very active, and frequently tops our monthly charts for malicious network traffic.
Breaking the Botnets

Any way you look at it though, there are a lot of automated enemies out there ready and waiting to take your Windows PC and turn it into a slave for criminals. So, what can you do about it? Well, for starters, you could get rid of Windows on your desktops. There are no botnets worth noting on Linux or Mac OS X. It's a Windows problem. And, adding insult to injury, even if you do all the usual right things to block malware: immediately apply Windows and application updates, keep your anti-virus programs up to date, and so on, there's still no guarantee that your Windows system will be safe.