Tool used to control botnets across 54 countries discovered

An investigation by PandaLabs has uncovered an application -called Zunker- created by cyber-crooks to control zombie computers in botnets. In the case discovered by PandaLabs, it was being used to manage a network of tens of thousands of computers across 54 countries.

Botnets are networks of computers infected with bot-type malware (mainly worms or Trojans) that can operate autonomously and also receive commands through different channels (IRC, http…). These types of networks are used for financial gain by the creators.

The program discovered by PandaLabs also has a statistics section. This includes a series of graphs showing the performance of each bot along with the number of available zombies and their daily or monthly activity. According to Luis Corrons, technical director of PandaLabs: “The program has been carefully designed and is easy to use. Zunker organizes the bots by country, and shows how many bots there are along with reports from each one, how much spam has been sent and what software has been used by the bots to send the spam (gmail, IM, forums, etc…).”

But Zunker is not just a management tool. It also lets the user control the bots. The “Control” menu lets the herder send commands to the bots, for example telling them to send spam. The “template” auction lets the user design the content of the spam with different templates depending on whether the message is aimed at email accounts, instant messaging or forums.

Zunker even gives the creator figures about the lifespan of bots, that is, how many remain active out of those that infected computers. “The last time we checked”, explains Luis Corrons “the percentage was 40%. This means that 40% of bots were still operating. This figure, along with the age of the oldest bots, gives an idea to the hacker of how effective infections are”.

Another option in Zunker is to order bots to download files onto infected computers, for example, malware (Trojans, adware, viruses,-¦). “This way they exploit infections to the full. The computer is not just used to send spam but also, the user’s personal data such as bank details, etc. is stolen”, explains Luis Corrons.

In fact, PandaLabs has discovered that a botnet controlled by Zunker recently sent a wave of spam containing the Alanchum.VL Trojan, which accounted for as much as 62% of malware reports received hourly by Panda Software’s laboratory.
Botnets can be used in different ways, but the end motive is almost always financial. “This is a lucrative crime. The bot herder (the creator of the botnet) can rent out the network to the highest bidder. Cyber-crooks use them for a wide range of criminal activities including downloading malware onto infected computers, distributing spam or phishing messages or causing denial of services. The bot herder can also use the botnet for their own activities, although this is less common.” Explains Luis Corrons.

Getting new victims

To infect new computers, the creators of Zunker normally use software vulnerabilities, according to investigations by PandaLabs. They do this using specialized programs with code to exploit these flaws.

The process is as follows: An unsuspecting user visits an infected web page. If they have any programs with vulnerabilities targeted by the hacker’s tools (as is normally the case), executable code is downloaded and run on their computer. This executable will open the doors for the bot. “The Internet user will continue to use their computer without realizing they are just another zombie”, concludes Luis Corrons.