You might be wondering what this illustration is all about. Well, if you have heard or read about botnets, spam, and pay-per-install (PPI) techniques, you may realize that these three elements are related to one another. This discussion focuses on answering how.
Correlation Mapping 101
Before proceeding to determining the how, it is imperative that we understand the what first. Let me walk you through each of these elements. The tagged figures represent botnets. We have classified them into three categories—primary threats (in turquoise), comprising CUTWAIL, BREDO, SASFIS, and KOOBFACE; secondary threats (in red), comprising ZEUS, TDSS, and WALEDAC; and tertiary threats (in blue), comprising FAKEAV.
The arrows basically represent the flow from point A to point B. A green arrow means that botnet A sends a malicious file related to botnet B via email. A purple arrow means that botnet C downloads a variant of botnet D via download (PPI). For example, CUTWAIL sends a malicious file related to ZeuS via email. CUTWAIL can also send malware files via email related to BREDO, FAKEAV, and SASFIS. BREDO, on the other hand, can download a file related to KOOBFACE, which can download FAKEAV.
Looking at the Big Picture
Malware related to these botnets can function on their own. They do not depend on one or others in order to perform their malicious routines on affected systems. Let us take BREDO again as an example. When a user detects BREDO on his/her system, the user only knows that his/her system is infected by BREDO. However, since BREDO is a downloader of other malware (as indicated in the correlation map), we can expect the user’s system to be infected by more than two different kinds of malware. If this is the case, one cannot readily identify which malware variant affected the system and performed its payload first.
Say, for example, a user scans the system and finds that it is infected by ZeuS, BREDO, and CUTWAIL. Which of these came first?
To attempt to answer this tough question, let us trace some trails where we can make a couple of assumptions. From the illustration, we can deduce that either BREDO or CUTWAIL was the original infector. If the user receives an email pointing to BREDO, then CUTWAIL was the first. Otherwise, BREDO came first, which in turn downloaded CUTWAIL and ZeuS onto the affected system.
Forging Alliances Is Key
Anyone can probably tell that the correlation map is pretty complicated so one cannot help but feel a little overwhelmed by its sophistication. However, from the point of view of cybercriminals doing business underground, understanding how the elements in the map work is easy enough.
Let us illustrate by taking BREDO and CUTWAIL again from the previous sample. Since CUTWAIL spammed messages contain BREDO variants, we can say that the criminals behind BREDO are paying the criminals behind CUTWAIL to do just that and that they are paid per machine infected by the BREDO variant they spammed. Note that these infected machines, which are part of the CUTWAIL botnet, report back to the BREDO botnet master. The same case happens between ZeuS and BREDO. The criminals behind ZeuS pay the minds behind BREDO to install their malware. As we all know, ZeuS malware steal bank account information, among other things (e.g., POP3 and FTP accounts). At the end of the day, the aim of this succession of infections is to steal money from affected users. Keep in mind that every time a primary botnet downloads another malware, criminals behind the botnet are paid.
There is an ongoing cycle of money moving from one place to another. Criminals behind FAKEAV get paid if users buy their fake antivirus programs and they use this money to pay other botnets to spread their programs.
ZeuS guys use several different business models, depending on the data they steal. They can either sell the data they stole or they can rent their own botnet.