Nov 20, 2010 13:50 GMT  ·  By

According to Czech antivirus vendor AVAST, a botnet that grows by planting rogue code on legitimate websites has so far affected over 1 million computers and 100,000 domains.

Dubbed Kroxxu, the botnet appeared in October 2009 and is regarded as the successor of Gumblar, once one of the most prominent web-borne threats on the Internet.

Unlike other website-infecting worms, Kroxxu does not exploit any software vulnerability to break into web servers. Instead, it steals FTP credentials from already-compromised computers and uses those valid logins to inject rogue iframes into the sites' Web pages.

These iframes take visitors through a series of redirects before landing them on a malware distribution site, where a trojan is served for download.
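The injection described above leaves a fingerprint a site owner can look for without any network access: an iframe that is hidden by CSS, sized to a pixel or two, or pushed off-screen, usually pointing at a host the site does not normally embed. The following Python script is an added example written for this article; it is not code from AVAST or from the Kroxxu analysis. The sample page, the site host name `www.shop.example` and the redirector host names in it are constructed placeholders, not Kroxxu indicators.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate, visible embed that the owner published,
# followed by the kind of hidden or tiny iframes an attacker with stolen FTP
# credentials appends. Host names are placeholders, not real indicators.
SAMPLE_HTML = """<html><head><title>Shop</title></head>
<body>
<p>Welcome</p>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="http://redirector.example.net/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="http://example.com/news" style="display:none"></iframe>
<iframe src="/local/frame.html" style="position:absolute; left:-9999px"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attribute dictionaries of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({name: (value or "") for name, value in attrs})


def _px(value):
    """Parse a width/height attribute such as "1", "1px" or "560"; None if unparseable."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def hiding_indicators(attrs):
    """Return the reasons an iframe would be invisible to a visitor."""
    reasons = []
    style = attrs.get("style", "").lower().replace(" ", "")
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden via CSS")
    if re.search(r"(left|top):-\d{3,}px", style):
        reasons.append("positioned off-screen")
    width, height = _px(attrs.get("width")), _px(attrs.get("height"))
    if width is not None and height is not None and width <= 2 and height <= 2:
        reasons.append("tiny frame (%dx%d)" % (width, height))
    return reasons


def find_suspicious_iframes(html, site_host):
    """Return every iframe that is hidden from visitors, with its target host.

    site_host is the hostname the page is served from; an iframe whose src points
    elsewhere is marked external, which is the common case for an injected redirector.
    Visible embeds (ads, videos) are not reported, hidden or not external.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for frame in parser.iframes:
        reasons = hiding_indicators(frame)
        if not reasons:
            continue
        src = frame.get("src", "")
        host = urlparse(src).hostname
        findings.append({
            "src": src,
            "host": host,
            "external": host is not None and host != site_host,
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_HTML, "www.shop.example"):
        print(finding["src"], "->", ", ".join(finding["reasons"]),
              "(external)" if finding["external"] else "(same host)")
```

Run over the sample page, the script reports the three hidden frames and leaves the visible video embed alone. Because the injection is done with valid FTP logins rather than an exploit, cleaning the pages is not enough: the stolen credentials must be changed as well, or the iframes simply come back.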

Kroxxu has a highly flexible infrastructure. AVAST estimates that the 100,000 infected domains are interconnected through over 12,500 traditional and PHP-based redirectors.

"Kroxxu’s indirect cross infections are based on [...] all parts being equal and interchangeable," says Jiri Sejtko, head of virus research at AVAST.

"If one part is used as an initial redirector, it may also be used as a final distribution part at the same or even a different time. This gives it an enormous range of designed-in duplicity," he explains.

Since it first emerged, the botnet has been growing at a steady rate of about 1,000 newly compromised domains per month, and each domain remains infected for an average of three months.

Kroxxu's reliance on compromised websites for most of its activity poses a problem for URL filtering, because it is increasingly hard to tell which sites are strictly malicious and which are legitimate sites that are only temporarily infected.

AVAST researchers are convinced that, as with most malware, there is a monetization scheme fueling this botnet, but they haven't determined it yet.

"There are a number of ways they could be supporting themselves. The four most likely methods are through selling hacked space on infected servers, use of this malware to support the activities of other, more directly profitable malware, selling stolen credentials, or using keyloggers to spread other spam," Sejtko says.