Kroxxu, a Successor of Gumblar, on a Constant Growth Path: Avast
Avast, the anti-virus company, is cautioning Web surfers that a botnet named Kroxxu is steadily expanding in structure and magnitude as it automatically generates malicious software for stealing passwords.
According to Avast, Kroxxu made its appearance in October 2009, succeeding Gumblar, a threat that was once extremely prominent online. Since its appearance, Kroxxu has been constantly expanding, compromising approximately 1,000 fresh domains every month, which stay contaminated for about 3 months on average.
Currently, the infrastructure of Kroxxu is extremely flexible. According to Avast, the total of 100,000 domains Kroxxu has compromised so far are interconnected via more than 12,500 PHP-based and conventional redirectors.
This innovative botnet has possibly contaminated over 1m users globally; however, it is still undetermined how the botnet operators are making money out of it.
Meanwhile, the main activity of Kroxxu is to capture FTP passwords. Unlike Gumblar, Kroxxu bases its expansion purely on contaminated websites rather than individual computers. After stealing passwords, Kroxxu's owners insert one plain script into the original website. The script enables them to upload and alter files hosted on the contaminated servers, and to spread the network across more servers worldwide.
Evidently, Kroxxu has a special functionality: it executes cross infection indirectly, i.e. its bots change their function as required. With stolen credentials, the botnet is able to grow itself: freshly contaminated components are joined to the network, which is made up of several layers of compromised parts, with each layer carrying out particular tasks.
Jiri Sejtko, head of virus research at Avast, states that Kroxxu's cross infections are possible because all the botnet's components are equal and interchangeable. If one component, i.e. a bot, is first used as a redirector, it can also be used in the final distribution stage, simultaneously or at a later time. Consequently, the botnet is able to work deceptively over a wide range, Sejtko analyzes. Avast's website published this on November 18, 2010.
In conclusion, security researchers caution that since Kroxxu is relatively successful and uses compromised servers in an exclusive way, it is highly possible that other botnets will imitate it.
» SPAMfighter News - 27-11-2010