Kroxxu Botnet Infects 100,000 Domains, 1 Million Users

During the past year, the Kroxxu bot network, a self-generating network of password-stealing malware, has possibly infected more than 1 million users around the world, but researchers say they have yet to uncover how the botnet herders are making money off their efforts.

“There are a number of ways they could be supporting themselves,” said Jiri Sejtko, head of virus research at the avast! Virus Lab. “The four most likely methods are through selling hacked space on infected servers, use of this malware to support the activities of other, more directly profitable malware, selling stolen credentials, or using keyloggers to spread other spam. But at this stage, it is more important to recognize this botnet than uncover its business plan.”

Kroxxu focuses exclusively on stealing FTP passwords. Unlike the traditional botnet, Kroxxu’s expansion is entirely based on infected websites, not individual computers. Stolen passwords allow Kroxxu’s owners to add a simple script tag to the original website content, making it possible to upload and modify files on infected servers and spread its net to other servers worldwide.

The avast! Virus Lab found that 985 PHP redirectors and 336 malware distributors placed in the infected sites had survived more than three months without any attention from the site owners or administrators. Only the administrator or the owner of the hacked website is able to legally get rid of the infection.
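Because the injected script tags and redirectors went unnoticed by site owners for months, a periodic check of the web root is the practical countermeasure. The following is an added example, not code from avast! or from the original article: it lists `<script>` tags that load from hosts outside an allowlist. The host names, the allowlist and the sample page are constructed assumptions.

```python
import os
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the only hosts this site legitimately loads scripts from.
ALLOWED_HOSTS = {"www.example.org", "cdn.example.org"}

# Constructed sample page: two expected scripts and one appended foreign one.
SAMPLE_PAGE = (
    '<html><head><script src="/js/site.js"></script>'
    '<script src="https://cdn.example.org/lib.js"></script></head>'
    '<body>Hello<script src="http://injected.example.net/x.js"></script>'
    '</body></html>'
)

class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)

def unexpected_scripts(html, allowed_hosts=ALLOWED_HOSTS):
    """Return script URLs whose host is not in allowed_hosts."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    flagged = []
    for src in parser.sources:
        host = urlparse(src).hostname  # None for same-site relative URLs
        if host is not None and host not in allowed_hosts:
            flagged.append(src)
    return flagged

def scan_webroot(root, allowed_hosts=ALLOWED_HOSTS):
    """Map each page under root to the unexpected script URLs it contains."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".html", ".htm", ".php")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    flagged = unexpected_scripts(fh.read(), allowed_hosts)
                if flagged:
                    findings[path] = flagged
    return findings
```

Inline scripts without a `src` attribute are not covered by this check; comparing file hashes against a known-good copy of the site catches those as well as newly uploaded files.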
