Information Warfare: The Mighty Botmasters Of Ukraine


April 26, 2009: The American FBI (Federal Bureau of Investigation) announced that it is on the trail of a Ukrainian gang (six specific individuals) for putting together one of the largest botnets (PCs secretly controlled via hacker attacks) ever encountered. Earlier this year, between February and March, the gang used spam, containing hidden programs, to take control of 1.9 million PCs. A computer security firm discovered the botnet, and the FBI and other police agencies got the server controlling the botnet taken offline, and identified members of the gang. Ukrainian police have joined an international posse seeking the six hackers.

The Ukrainian gang had help. A botmaster's best friends turn out to be Microsoft and the ISPs (Internet Service Providers). It works like this. Two years ago, the FBI announced that Operation Bot Roast had identified over a million compromised PCs, in scores of botnets. The FBI tried to get in touch with as many of these computer users as possible, and direct them to organizations and companies that can help them clean the zombie software out of their computers. Help can be had for free, although many of the compromised PCs were found to be clogged with all manner of malware (illegal software hidden on your machine to feed you ads or simply track what you do). But most of these PC owners could not be reached, or otherwise were unable to fix their computers. The FBI did the same thing with many of the 1.9 million PCs belonging to the recent Ukrainian botnet.

Most owners of zombified computers didn't even realize their PCs had been taken over. Some, with heavily infected machines, do notice that the malware slows down the PC. There have been cases where the user just went out and bought a new computer. Usually, reformatting the hard drive and reinstalling your software works, and is a lot cheaper. But most computer users today don't know how to reformat a hard drive, or even how to get someone to do it for them.

The problem was that Operation Bot Roast only collected the IP (Internet Protocol) addresses of the compromised PCs. The IP address is the "mailing address" every PC must have when it is connected to the Internet. These addresses are distributed in blocks to ISPs, who assign them to PCs that they connect to the Internet (and collect a monthly fee for that service). Anyone can go to a site like to find out which ISP controls which IP address.

The FBI began contacting the ISPs, and asking them to contact, preferably by mail, the customers who were using the infected IP addresses at the time the FBI observed zombie traffic coming from those addresses. Most ISPs cooperated, or tried to, but many did not, especially those outside the United States. ISPs prefer to live with the zombies, rather than incur the added expense, and liability, of trying to get their customers' PCs cleaned up.
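The two steps above (find out which ISP holds each infected IP address, then hand each ISP a list of its own addresses with the time each was seen) are the core of any botnet victim-notification effort. The following Python is an added example written for this page, not code from the FBI, the security firm or the article; the allocation table and the "sightings" of infected addresses are constructed here from the RFC 5737 documentation ranges so that nothing in it points at a real network. It does a most-specific-netblock lookup for each address, groups the results per ISP, and sets aside addresses that cannot be routed to anyone.

```python
"""Group sightings of bot-infected IP addresses by the ISP that holds the
netblock, so each ISP can be sent one notification list.

Added example. ALLOCATIONS and SIGHTINGS are constructed for illustration;
they are not data from the article or from any real registry.
"""
import ipaddress
from collections import defaultdict

# Constructed stand-in for a WHOIS / regional-registry allocation table
# (netblock -> ISP). Real allocations come from the RIRs; these use the
# RFC 5737 documentation ranges, which are never routed on the Internet.
ALLOCATIONS = {
    "192.0.2.0/24": "ExampleNet (constructed)",
    "198.51.100.0/24": "DocuCable (constructed)",
    "198.51.100.128/25": "DocuCable Business (constructed)",  # more-specific sub-block
    "203.0.113.0/24": "TestTelecom (constructed)",
}

# Constructed sightings: (address seen contacting the control server, UTC time).
# The timestamp matters: most consumer addresses are dynamic, so the ISP has to
# look up which subscriber held the address at that moment, not who holds it now.
SIGHTINGS = [
    ("192.0.2.17", "2009-02-11T03:14:00Z"),
    ("192.0.2.201", "2009-02-11T03:15:30Z"),
    ("198.51.100.40", "2009-02-12T22:01:00Z"),
    ("198.51.100.200", "2009-02-12T22:03:00Z"),
    ("203.0.113.9", "2009-03-01T10:00:00Z"),
    ("10.0.0.5", "2009-03-01T10:00:05Z"),   # private address: in no ISP allocation
    ("not-an-ip", "2009-03-01T10:00:06Z"),  # garbage line from the capture
]


def build_table(allocations):
    """Parse the CIDR strings once and sort them most-specific first,
    so a linear scan returns the longest matching prefix."""
    nets = [(ipaddress.ip_network(cidr), isp) for cidr, isp in allocations.items()]
    nets.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return nets


def lookup_isp(ip_text, table):
    """Return the ISP holding the most specific netblock containing ip_text,
    or None if the text is not an address or falls in no allocated block."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for net, isp in table:
        if addr in net:
            return isp
    return None


def notifications(sightings, allocations):
    """Map every sighting to its ISP.

    Returns (per_isp, unresolved): per_isp is {isp: [(ip, timestamp), ...]},
    the list each ISP would receive; unresolved holds sightings that no ISP
    can act on (unparseable, private, or unallocated addresses)."""
    table = build_table(allocations)
    per_isp = defaultdict(list)
    unresolved = []
    for ip_text, ts in sightings:
        isp = lookup_isp(ip_text, table)
        if isp is None:
            unresolved.append((ip_text, ts))
        else:
            per_isp[isp].append((ip_text, ts))
    return dict(per_isp), unresolved


if __name__ == "__main__":
    per_isp, unresolved = notifications(SIGHTINGS, ALLOCATIONS)
    for isp, entries in sorted(per_isp.items()):
        print(f"{isp}: {len(entries)} address(es) to notify")
        for ip_text, ts in entries:
            print(f"    {ip_text} seen at {ts}")
    print(f"unresolved (no ISP to notify): {unresolved}")
```

Two points the code makes that the prose only implies: the sub-block `198.51.100.128/25` wins over its parent `/24`, which is why the table is sorted longest prefix first (a real WHOIS answer likewise reports the most specific delegation), and the private and malformed entries land in `unresolved` rather than being silently dropped, so an analyst can see how much of a seized address list is actually actionable. The example deliberately avoids the standard library's `is_global`/`is_private` tests, because those classify the RFC 5737 documentation ranges used here as special-purpose and would filter out every sample address.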

The FBI also pursued another solution. Nearly all the zombies were running the Windows operating system. The FBI got after Microsoft to do more about getting zombie software off PCs using Windows. This is a lot more difficult to do than the FBI, at least the senior guys at the FBI, realized. The main problem is that most PC users cannot handle bot removal on their own. Automated tools are difficult to create because there are so many different flavors of bot, and many now have anti-removal capabilities. Microsoft does not want to release more powerful automated bot-removal tools that will possibly trigger a flood of customer calls about screwed up PCs. That's because, too often, a new bot will win in a battle with a Microsoft bot-removal program.

So while it's great that the FBI is identifying infected PCs, getting those computers cleaned up is turning out to be a much more difficult chore. The Bot Roast project also made the FBI more aware of who was creating most of those bots. The key culprits are some brazen East European and Russian programmers, who openly sell easy-to-use software for turning PCs into zombies. The zombie creation software costs about $500, and IP addresses of machines to attempt to infect go for $100 per million addresses. Laws against that sort of thing are lax, or non-existent, in many countries. So now the State Department has been enlisted to help persuade many nations to crack down on the cyber criminals they inadvertently, or deliberately, shelter.
