Finjan warns two million computers worldwide hit by giant botnet

22 Apr 2009

A cyber gang based in the Ukraine has created one of the largest bot networks the world has ever seen, with at least 1.9 million computers around the world converted into zombie machines.

Security firm Finjan has revealed that the gang created a Trojan horse program that can turn computers into robots capable of spewing spam and toppling sensitive government networks.

It said that only four out of 39 major antivirus products are capable of spotting the malware.

Finjan’s Malicious Code Research Center (MCRC) has discovered a network of 1.9 million malware-infected computers. Corporate, government and consumer computers around the world were infected by the malware.

This discovery is part of research conducted by MCRC when investigating command and control servers operated by cybercriminals. The cybercrime server has been in use since February 2009, is hosted in the Ukraine and is controlled by a cyber gang of six people.

These cybercriminals established a vast affiliation network across the web to successfully distribute and operate their malware install-base. They compromised computers in 77 government-owned domains (.gov) from the US, UK and various other countries.

The malware is remotely controlled by the cybercriminals, enabling them to instruct the malware to execute almost any command on the end-user computer as they see fit, such as reading emails, copying files, recording keystrokes, sending spam, making screenshots, etc.

Since the discovery of its findings, Finjan has provided US and UK law enforcement with information about the server. Finjan has also contacted affected corporate and government agencies to let them know they were part of the infected computer names.

“As predicted by Finjan at the end of last year, cybercriminals keep on looking for improved methods to distribute their malware and Trojans are winning the race,” said Yuval Ben-Itzhak, CTO of Finjan.

“The sophistication of the malware and the staggering amount of infected computers proves that cyber gangs are raising the bar.

“As big money drives today’s cybercrime activities, organisations and corporations need to protect their valuable data to prevent theft by these kinds of sophisticated cyberattacks.”

The research also revealed that the malware is installed on computers when visiting compromised websites serving malicious code. Information found by MCRC on the command and control server includes the IP addresses of the infected computers, as well as the computers’ name inside corporate and government networks that are running the malware.

The global spread of infected computers in percentages is as follows:

         US – 5pc

         UK – 6pc

         Canada – 4pc

         Germany – 4pc

         France – 3pc

         Other – 38pc

The malware is infecting computers running the Windows XP operating system and using the following web browsers:

         Internet Explorer – 78pc

         Firefox – 15pc

         Opera – 3pc

         Safari – 1pc

         Other – 3pc

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years

editorial@siliconrepublic.com