AVAST: Kroxxu botnet infects 100,000 domains without a money trail

PRAGUE, Czech Republic, November 18, 2010- Detection takes priority over money for AVAST Virus Lab. During the last twelve months, avast! Virus Lab researchers have covered the steady growth and structure of the Kroxxu bot network, an innovative self-generating network of password-stealing malware. This extensive botnet has around 100 thousand infected domains and has likely infected more than 1 million users around the world – but researchers have not yet uncovered how the botnet organizers are monetizing their efforts.

“Money makes the news. But, we’re a technology firm so for us – and our users – it is more important that we have detected this botnet and follow how it works for over a year,” says Jiri Sejtko, head of virus research at the avast! Virus Lab. “If you just follow the money, you can miss the technology driving the whole process.”

“There are a number of ways they could be supporting themselves,” adds Sejtko. “The four most likely methods are through selling hacked space on infected servers, use of this malware to support the activities of other, more directly profitable malware, selling stolen credentials, or using keyloggers to spread other spam. But at this stage, it is more important for recognize this botnet than uncover its business plan.”

It all starts with passwords

Kroxxu is focused exclusively on stealing FTP passwords. Unlike its predessor Gumblar and the traditional botnet, Kroxxu’s expansion is completely based on infected websites – not individual PCs. Stolen passwords enable Kroxxu’s owners add a simple script tag to the original website content, making it possible to upload and modify files on infected servers and spread the net to other servers around the globe. If stacked up in a layered pyramid structure, avast! Virus Lab estimates that the Kroxxu zombie network includes over 10,000 redirectors, 2,500 PHP redirectors, and an additional 700 plus malware distribution sites located worldwide, randomly connected and controlled from places hidden behind collectors.

Redirection is central to Kroxxu’s ability to hide itself. The longest active connection found so far used 15 redirectors, passing the unsuspecting visitor through seven countries in three continents to the infectious exploits. This could be either a targeted feature designed to hide the malware distribution parts or a glitch in its automated infection process.

Indirect cross infection, the ability of botnet components to change their role, is a special feature in Kroxxu. Stolen credentials are also used to support its own development with newly infected parts added to a multi-layered network where each layer performs specific tasks. “Kroxxu’s indirect cross infections are based on the fact that all parts being equal and interchangeable. If one part is used as an initial redirector, it may also be used as a final distribution part at the same or even a different time,” says Sejtko. “This gives it an enormous range of designed-in duplicity.”

Kroxxu infections stay around for a long time

Kroxxu’s growth has been steady with a nearly linear growth of 1,000 new misused domains added each month since it emerged in October of 2009. Compounding this growth is the longevity of Kroxxu infections and the difficulty in removing them from a server. The avast! Virus Lab found that 985 PHP redirectors and 336 malware distributors placed in the infected sites had survived more than three months without any attention from the side of the site owners or administrators. It seems that most administrators are ignoring or – more likely – absolutely unaware of the infection. Only the administrator or the owner of the hacked website is able to legally get rid of the infection.

Redrawing the distinction between pure and hacked malware distribution sites

In the medium term, Kroxxu’s presence on infected servers could have an impact on URL blocking engines, because they need to differentiate between pure malware distribution domains operated by the malware authors and hacked zombie domains. avast!, as just one example, uses URL blocking engines to prevent its users from accessing around 100,000 malware-distributing domains. The relative success of Kroxxu and its exclusive use of hijacked servers, raises the potential for other botnets to imitate it. This creates the dynamic issue of how the rules determining a site’s clean status should be established. By blurring the distinctions between a pure malware distributing site and a hacked legitimate site, the impact from Kroxxu could go far beyond the estimated one million computer users and 100 thousand domains now infected.

Kroxxu by numbers

  • Network with over 10,000 redirectors, 2,500 PHP redirectors, and an additional 700 plus malware distribution sites
  • The 15 redirectors used in the longest active connection send visitors through 7 countries in 3 continents to infectious exploits
  • 90 day average lifespan of infected zombie servers.

Kroxxu by the facts

  • Steady expansion for over one year
  • Cyber-criminal monetization is still concealed
  • Based completely on servers, distributes malware including key loggers
  • Botnet components interchangeable for greater flexibility
  • Can only be removed by system administrators
  • Upsets the ‘clean rules’ criteria for URL blocking engines.

Release taken from the presentation by Jiri Sejtko at the VB2010 converence in Vancouver.