The botnet economy

It is somewhat difficult for us – the potential victims – to appreciate the effectiveness of the various botnets and to acknowledge that the botnet masters have managed to work together beautifully.

Loucif Kharouni, a threat analyst with TrendLabs, decided to enlighten us and give us an overview of the spreading and the (inter)operating mechanisms of the major botnets:

The tagged figures are the botnets. Going from left to right, the turquoise ones are primary, the red – secondary, and FakeAV (in blue) is tertiary. The different arrow colors represent the methods of threat delivery: green is for spam, and purple stands for “pay per install”.

That means that Cutwail uses email spam to spread malicious files related to Sasfis, ZeuS and FakeAV, and that Bredo downloads variants of all the other botnets.

What does that mean for us? It means that if you find, for example, Bredo (which is a downloader) on your system, it is probable that at least two other types of malware have been installed, and it’s even possible that ALL the other malware is present on your system.

What does that mean for the botnet masters? It means that everyone has their function and their source of income – their place in this malicious ecosystem.

Cutwail, Bredo or Sasfis bot herders get paid (per installation) for spreading the other malware. ZeuS, Waledac and Koobface are in the business of collecting usernames and passwords, which they can sell or use by themselves to steal money, and with the proceeds pay the “spreaders” to infect more computers. The same can be said for FakeAV, whose masters receive money directly from the victims that think they are paying for real antivirus protection.

With money as their common goal, this underground economy has, unfortunately, proved to be more adaptable and more difficult to disrupt than the legitimate counterpart which it mimics.