News

Botnet Discovered on Thousands of Government Computers

• By William Jackson
• 04/23/2009

The botnet, apparently controlled from Ukraine, includes IP addresses from 77 government domains "mainly in the United States," said Ophir Shalitin, Finjan's marketing director. Fifty-one are U.S. government domains, he added. "It is being spread primarily through legitimate Web sites that have been infected."

The Trojan responsible for the infections, named "SENEKA," appears to be targeting English-language Web sites. The United States has by far the preponderance of infections, with 45 percent of the total number of compromised computers, followed by the United Kingdom with 6 percent and Canada with 4 percent.

"We have acted on this," Shalitin said of the company's discovery. Finjan has informed law-enforcement agencies in the United States and the United Kingdom, as well as organizations with large infections. There have been immediately visible results from this notification, he said. "The rate of infections is high, and more people are becoming infected."

Finjan found data on the botnet's command and control server showed 1.95 million infections as of March 18.

"We have seen this number increasing during our research, on an hourly basis," the company said in announcing the discovery.

"Botnet" is the common term for a network of compromised computers that can be remotely controlled from a central server or servers. Once infected, additional malicious code can be downloaded to a computer, along with commands to gather information, launch attacks or send spam. Botnets can be rented out in whole or in part by their controllers to online criminals.

According to Finjan Chief Technology Officer Yuval Ben-Itzhak, botnets typically rent for $100 to $200 per day for 1,000 infected computers. That makes the newly discovered SENEKA botnet work at least $190,000 a day to its controllers. It is not known how active the botnet is. Much of the criminal activity botnets are used for is intended to not attract attention.

"To what extent information has been collected, I don't know," Shalitin said. However, he added, "we have a lot of information on what kind of malware has been used."

Researchers found a log of three dozen files that have been loaded onto infected computers. "Overall, the cybergang can remotely execute anything it likes on the infected computers," the company said.

The botnet was discovered when open folders on a server hosted in Ukraine were found by researchers at Finjan's Malicious Code Research Center. The SENEKA Trojan exploits a variety of vulnerabilities to infect legitimate Web sites, then scans visiting browsers for multiple vulnerabilities through which to infect them.

The researchers found on the server what they called a "nice backend management application making it easy for the attackers to manage the infected machines." One of the features is a console for sending commands to the bots. "We have seen commands asking the bots to download and execute additional malware, download settings files, apply update files, etc."

One Trojan that was loaded onto bots was discovered by only four of 39 anti-virus products that it was tested against.

SENEKA is not using zero-day attacks to infect Web sites and computers, but exploits known vulnerabilities for which patches are available, Shalitin said. This means that both the client and server side can protect themselves by updating patches. Web sites also can use content inspection tools to ensure that malicious code is not making its way onto sites and engaging in unauthorized behavior.