Researcher Finds New Fast-Flux Botnet
Joe Stewart, Director of malware research at Dell SecureWorks' Counter Threat Unit, has recently found a new botnet, which he has named "Wibimo". The botnet relies on fast-flux DNS to hide the infrastructure behind the sites it serves, as reported by DarkReading on February 18, 2011.
Fast-flux is load balancing with a twist: a round-robin DNS technique in which compromised bot systems act as proxies (or hosts) for malicious websites and are rotated constantly, with the DNS records for the sites changing rapidly so that security experts and researchers cannot easily pin down or take down the real hosting infrastructure.
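Seen from a resolver or passive-DNS feed, the rotation described above shows up as rapid address churn across unrelated networks combined with short TTLs. The script below is an added illustration of how a defender can score repeated A-record lookups for those indicators; it is not Wibimo code and not part of Stewart's analysis. The sample answers, the (made-up) addresses and the thresholds in `classify` are constructed assumptions for illustration, not published cut-offs.

```python
"""
Fast-flux indicator scoring over repeated DNS A-record lookups.
Added example; not Wibimo code and not from Stewart's analysis.
Sample data and thresholds are constructed assumptions for illustration.
"""
import ipaddress
from collections import defaultdict, namedtuple

# lookup = index of the query round (e.g. one lookup every few minutes)
Answer = namedtuple("Answer", "lookup name ip ttl")


def _rounds(name, ttl, ip_rounds):
    """Build Answer rows from a list of per-round IP lists (sample helper)."""
    return [Answer(i, name, ip, ttl) for i, ips in enumerate(ip_rounds) for ip in ips]


# Constructed sample: all addresses are made up and carry no meaning.
SAMPLE = (
    # fluxing name: fresh addresses from unrelated /16s in every round
    _rounds("flux.example", 120, [
        ["31.14.88.2", "77.91.220.15"], ["85.26.4.190", "109.230.11.8"],
        ["176.57.200.33", "188.120.5.77"], ["5.188.44.9", "91.230.20.3"],
        ["46.166.8.71", "31.14.102.6"], ["62.109.3.201", "95.213.150.44"],
    ])
    # CDN-like name: low TTL too, but a small stable pool in two networks
    + _rounds("cdn.example", 60, [
        ["203.0.113.10", "198.51.100.10"], ["203.0.113.11", "198.51.100.11"],
        ["203.0.113.10", "198.51.100.11"], ["203.0.113.11", "198.51.100.10"],
        ["203.0.113.10", "198.51.100.10"], ["203.0.113.11", "198.51.100.11"],
    ])
    # static name: one address, long TTL
    + _rounds("static.example", 3600, [["192.0.2.80"]] * 6)
)


def summarize(answers):
    """Per name: distinct IPs, distinct /16 prefixes (cheap stand-in for ASN
    diversity when no ASN data is at hand), minimum TTL, number of rounds and
    churn = fraction of rounds that introduced a never-before-seen address."""
    by_name = defaultdict(list)
    for a in answers:
        by_name[a.name].append(a)
    stats = {}
    for name, rows in by_name.items():
        seen, churn_rounds = set(), 0
        rounds = sorted({r.lookup for r in rows})
        for rnd in rounds:
            ips = {r.ip for r in rows if r.lookup == rnd}
            if ips - seen:          # this round handed out something new
                churn_rounds += 1
            seen |= ips
        prefixes = {str(ipaddress.ip_network(f"{ip}/16", strict=False)) for ip in seen}
        stats[name] = {
            "distinct_ips": len(seen),
            "distinct_prefixes": len(prefixes),
            "min_ttl": min(r.ttl for r in rows),
            "rounds": len(rounds),
            "churn": churn_rounds / len(rounds),
        }
    return stats


def classify(s, min_ips=6, min_prefixes=4, max_ttl=300, min_churn=0.5):
    """Assumed thresholds. A low TTL on its own is also what CDNs and load
    balancers do, so the fast-flux verdict additionally requires sustained
    address churn and spread across many networks."""
    if (s["distinct_ips"] >= min_ips and s["distinct_prefixes"] >= min_prefixes
            and s["min_ttl"] <= max_ttl and s["churn"] >= min_churn):
        return "likely fast-flux"
    if s["min_ttl"] <= max_ttl and s["distinct_ips"] > 1:
        return "low-TTL, multi-homed (CDN/load balancer?)"
    return "static"


def report(answers=SAMPLE):
    """Return {name: (verdict, stats)} for every name in the answers."""
    return {name: (classify(s), s) for name, s in summarize(answers).items()}


if __name__ == "__main__":
    for name, (verdict, s) in report().items():
        print(f"{name:16} {verdict:42} ips={s['distinct_ips']:2} "
              f"/16s={s['distinct_prefixes']:2} ttl={s['min_ttl']:4} churn={s['churn']:.2f}")
```

On the constructed sample only flux.example is flagged; cdn.example has an equally short TTL but recycles four addresses in two networks, which is why TTL alone is a poor signal and the churn and prefix checks matter. In practice the /16 heuristic should be replaced with real ASN lookups, and the thresholds tuned against known-good CDN traffic before alerting on them.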
To support his analysis of "Wibimo", Stewart first presented a sample of the botnet's malware that he had reverse-engineered.
Stewart stated that Wibimo distributes bogus pharmaceutical spam and uses a pay-per-install model, probably in partnership with Virut. Its author also seems to favour the number 10: every 10 seconds the malware connects to a bogus pharmaceutical website, and it uses a 10-round encryption scheme for its downloads and communications, as reported by DarkReading on February 18, 2011.
Stewart further added that the information found so far points to a Russian author, and one who is above average at creating malware. He said, "Fast-flux is tough to pull off and the researchers have to be at a slightly advanced programmer level," as reported by Softpedia on February 21, 2011.
According to Stewart, victims infect their machines with Wibimo by following malicious links distributed through e-mail. The malware consists of four distinct modules: a proxy Trojan, a DNS proxy, a reverse-HTTP proxy, and a component that collects system information.
The botnet package may also be available for purchase on the underground market, Stewart added.
Notably, the first malware to use the fast-flux technique was Storm, one of the most successful botnets of all time. At its peak in 2007 it comprised millions of infected machines and was said to have enough capacity to knock an entire country off the Internet.
It is this unchecked growth of botnets that led security firm Damballa to note in its 2010 annual report that, at the start of 2010, around 22% of observed botnet victims were infected with malware attributed to only ten botnet operators. By the end of 2010 that proportion had grown to around 57%, more than doubling those operators' share of botnet victims worldwide.
» SPAMfighter News - 01-03-2011