
A 1.9 million zombie botnet revealed – need for new methods
2009/04/23
Finjan revealed yesterday the existence of a botnet with over 1.9 million infected machines.
The command & control (C&C) server of this network has been located in Ukraine and, according to the data collected by the people at Finjan after infiltrating this C&C server, a group of six people could be managing it.
On Finjan’s blog, screenshots of the web interface to this C&C are shown. The Trojan horses installed through this botnet have a variety of functionalities: “read email address and other details from the infected computer; communicate with other computers using HTTP protocol; execute a process; inject code into other processes; visit websites without end-users’ consent; register as a background service on the infected computer and a few dozen other commands.”
Finjan also broke down the share of infected machines by country: US / 45%, UK / 6%, Canada / 4%, Germany / 4%, France / 3%, others / 38%. That would make a total of 60,000 victim machines in France alone… It would seem that the infected computers are running Windows XP.
Once again, it is shown here that to fight this type of cybercrime, it is essential to collect evidence by infiltrating suspects' computer systems. Investigative services do not have such legal powers in France. It is not even certain that we would be allowed to present evidence collected in this manner by private entities in order to bring the suspects to court. As Joe Stewart pointed out at the RSA conference in San Francisco this week, it is high time that the methods used to fight this new type of online criminal activity were adapted to the challenge, not only on the industry side but also in partnership with law enforcement and the judicial system, in order to put an end to the activities of such criminal groups.

Posted by Eric Freyssinet on 22 April 2009