“Prior to 2010, many people thought in terms of spam and DDoS whenever the term ‘botnet’ was discussed,” said Gunter Ollmann, vice president of research, Damballa. “By the end of the year, botnets such as Mariposa, Aurora, Koobface and Stuxnet had become household names – revealing the breadth of crime commonly being facilitated with remotely controllable bot agents.”

Damballa’s “Top 10 Botnet Threat Report – 2010” found that of 2010′s 10 largest botnets, six did not exist in 2009 and only one (Monkif) was present in the previous year’s list of 10 largest botnets.

The dubious honor of ranking first went to TDLBotnetA, a botnet that claimed 14.8 percent of all unique infected victims in 2010. It has been associated with the TDL Gang – a crime ring known for its advances in master-boot-record rootkit technology and its commercially available DIY botnet construction kit, Damballa said.

RogueAVBotnet and ZeusBotnetB ranked second and third, respectively, followed by Monkif, Koobface.A, Conficker.C, Hamwek, AdwareTrojanBotnet, Sality and SpyEyeBotnetA.

The significant spike in botnet infections has been linked to the rapid evolution of the many botnet DIY toolkits and the increased access to exploit packs, Damballa said. Also, another factor Damballa said played a role in the growth of botnet infections was the cyber crooks becoming more proficient at installing bot agents on behalf of botnet operators.

Last month, the attack was partially traced to two schools in China and researchers believe they may have found the code developer who wrote the code used in the attacks. Researchers have now found another new lead in the investigation of the attack.

Researchers working at Damballa, which released a report on the attacks, say that the attackers utilized two fake anti-virus programs in an effort to install the malware on victims’ computers. The two fake programs, Fake AV/Login Software 2009 and Fake Microsoft Antispyware Services, utilize common scareware tactics which claim a computer is infected and that the fake program should be downloaded immediately to clean the machine of infection.

A typical attack, says iSEC, would proceed something like “The attacker socially engineers a victim, often in an overseas office, to visit a malicious website. This website uses a browser vulnerability to load custom malware on the initial victim’s machine. The malware calls out to a control server, likely identified by a dynamic DNS address. The attacker escalates his privilege on the corporate Windows network, using cached or local administrator credentials. The attacker attempts to access an Active Directory server to obtain the password database, which can be cracked onsite or offsite. The attacker uses cracked credentials to obtain VPN access, or creates a fake user in the VPN access server. At this point, the attack varies based upon the victim. The attacker may steal administrator credentials to access production systems, obtain source code from a source repository, access data hosted at the victim, or explore Intranet sites for valuable intellectual property.”

These findings about the Aurora program are significant, indicating considerable amounts of research on behalf of the attackers have made companies internet best practices useless against the attacks. iSEC founding partner Alex Stamos said “Attackers are willing to spend months attacking people in these companies, and they write custom malware specific to those companies.” The attackers also had an outstanding understanding of corporate weaknesses.

“These guys really understand how to take control of one laptop and turn it into domain admin access,” Stamos explained. “People are not well prepared for this kind of stuff.” For companies to prevent against this type of attack, they will need to make fundamental changes with security in their corporate networks. The study makes a few recommendations including disabling all services that despite repeated warnings often remain on.

Unnamed government sources speaking with the Financial Times claim that the Chinese government had special access to the programmers work and that the programmer had posted some of his research on a hacking forum.

Mischel Kwon, former director of US CERT and now with RSA Security, said “We’re realizing there are other aspects of this problem beyond the technological and that there are other agencies that need to get involved.”

Government officials told the Financial Times that the code programmer did not carry out the attack and may not have even wanted to hand over his research. The attacks appear to have been launched from the schools identified last week.

Google is looking to finalize an agreement with NSA, which would allow the agency to analyze the Aurora attacks that took place in December, according to The Washington Post.

Once NSA analyzes the attacks, it will help Google to move forward on cybersecurity, enabling the search engine to better defend itself and its clients in the future. According to the article, both Google and NSA refused to comment on the alleged agreement, though sources with knowledge of the agreement claim it will allow the two to share information without Google violating its own or federal policies protecting user privacy.

The sources further said NSA will not be able to read users emails or see their search queries.

A central issue for U.S. cybersecurity is ensuring private-public partnerships exist while considering the privacy concerns of citizens. While giving testimony before Congress earlier this week, DNI Dennis Blair said, “I am here today to stress that, acting independently, neither the U.S. government nor the private sector can fully control or protect the country’s information infrastructure.”

Ellen McCarthy, president of the Intelligence and National Security Alliance, said, “The critical question is: At what level will the American public be comfortable with Google sharing information with NSA?”

Foreign governments seek information for U.S.-based networks for a variety of reasons, including intelligence gathering and economic espionage, enabling domestic industries to copy U.S. products. This pursuit of intellectual property alongside intelligence information on U.S. government intentions and capabilities significantly undermines U.S. interests on the world stage.

The federal government is not the only target of cyber espionage. Government contractors are a prime target for foreign intelligence services. Earlier this year, The New New Internet reported government contractors were recently victims of an inventive cyber attack.

In this instance, an email invitation to an event was sent out to a variety of government contractors. The email contained a PDF file that appeared to come from the Department of Defense. The document discussed an invitation to an actual event that will take place in March in Las Vegas.

Researcher Mikko Hypponen, of F-Secure, wrote, “While the Aurora attacks against Google and others happened in December 2009, this happened just last week.”

The attack exploits a vulnerability in Adobe Acrobat Reader which was recently patched by Adobe. The exploit was a backdoor, which connected to an IP address in Taiwan.

“Anybody who controls that IP will gain access to the infected computer and the company network,” Hypponen wrote.

This is also not a one-off event. F-Secure, a security provider who found the exploit, also found a more recent one for a different conference, which targeted the Intelligence Community. The email with the corrupted attachment exploits the same vulnerability as the false DoD communication.

The dates of the conference align with a US European Command Intelligence Summit and Technology Expo that will be held in Germany. When compared, the agenda sent in the PDF file matches the actual agenda of the conference.

These attacks appear to be quite similar to those experienced by a number of Indian government agencies which took place in December. The attacks involved a corrupted PDF file that was designed to look like official correspondence. The Indian government claimed that the attacks came from China.

With each of these attacks, it is unclear how many organizations or individuals received the files or opened the attachments. These attacks point to the increasingly sophisticated nature of attacks using social engineering.

Skilled social engineering attacks are generally not defeated by technology, particularly software. Good anti-virus programs can pick up the threat once it has infected the computer. However, for the attack to work successfully, an individual sitting at a computer within an organization needs to open the email and download the attachment.

Proper education that provides consistent reinforcement with clear examples can help to defend a company with much less investment in IT infrastructure

The attacks attempted to target ‘bid data’ which contains the location, quantity and value of oil discoveries. Some of the data that was accessed was downloaded to an IS address based in China.

Security personnel with one of the oil companies claimed that the breach of one of their documents was the result of a ‘China virus.’ The software used in the attacks appears to be custom made, rendering it virtually impervious to detection by standard anti-virus software.