Kroxxu Botnet Infects One Hundred Thousand Domains

Sunday, November 21, 2010



According to researchers at Avast! Virus Lab, the Kroxxu botnet has now infected at least one hundred thousand domains and as many as one million users worldwide, and it is growing at a rate of about 1000 websites per month.

The malware is geared to stealing File Transfer Protocol (FTP) credentials, which let its operators access, alter and control the affected websites.

Kroxxu adapts to its environment to carry out indirect cross-infections, and the malware can remain undetected for long periods of time.

The malicious code also undermines URL blocking tools: because it is served from hacked legitimate sites rather than from dedicated malware domains, blocklists cannot simply blacklist every host that distributes it without also cutting users off from otherwise legitimate websites.

"For now, Kroxxu's presence on infected servers could impact URL blocking engines, because they need to differentiate between pure malware distribution domains operated by the malware authors and hacked zombie domains. For example, avast! uses URL blocking engines to prevent its users from accessing around 100,000 malware-distributing domains. By blurring the distinctions between a pure malware distributing site and a hacked legitimate site, Kroxxu could infect far more than the estimated 1 million computer users and 100,000 domains currently infected."

Safe browsing habits and up-to-date antivirus software should prevent infection.



Tom Caldwell: The malware distribution site is usually embedded somewhere else, if not hashed out within the website source code or an iframe (those are usually blocked by default in most traditional AV programs). It can be embedded inside a database, as in the WordPress hacks, or even served on a different protocol/port than HTTP (such as FTP, or whatever the network has open on the firewalls).

Standard URL filters are string-matching dependent only. The limitation of using literal strings (ex and not) is that, by itself, it does not block the entirety of the URL/website/HOST reputation (and host server). If you block the resolved ANAME record's IP, including the sub-domains and root, we've found this not only blocks the malware download from occurring, but also helps identify other infected domains on the same malware host IP/device/server/subnet AND from the same botnet/controllers. Infected users need to block the source download and change all credentials before they are unblocked (or submit a request), which includes back-end shared databases and FTP access. Otherwise they'll just get added again. This policy enforcement encourages users to seek secure hosts with better user requirements, patch procedures, or other best practices.

Custom-built business intelligence data mining is used on forensic or reputation databases as well, since it tells us vast amounts about coming trends and conclusions, and can block threats before a "live" detection needs to occur, based on existing reputation data. It's not making a heuristic guess, but actually blocking ALL other infection points based on the original, single detection.

Tom Caldwell
Idalis Software
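The comment above describes blocking on the resolved IP of a detected download host and pivoting from that single detection to other domains on the same IP or subnet, while the article notes that URL blocking engines struggle to separate dedicated malware domains from hacked legitimate ones. The following is an added Python example, not code from the article, from avast! or from the commenter, that implements such a pivot over a constructed, offline DNS snapshot. The hostnames and addresses (reserved .test names and documentation IP ranges), the two-label root-domain heuristic and the block/review split are all assumptions made for the illustration.

```python
"""Pivot from a single malicious-URL detection to its hosting IP and neighbours.

Added example, not code from the article or from the commenter. The DNS
table below is constructed for illustration; a real deployment would resolve
live A records and use the Public Suffix List for the root-domain step.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed DNS snapshot: hostname -> resolved IPv4 address (made-up values).
DNS_TABLE = {
    "cdn.example-hosting.test": "198.51.100.20",   # the detected download host
    "blog.example-hosting.test": "198.51.100.20",  # sibling on the same root and IP
    "example-hosting.test": "198.51.100.20",       # the root domain itself
    "shop.acme-widgets.test": "198.51.100.21",     # different customer, same /24
    "static.unrelated.test": "203.0.113.5",        # unrelated network
}


def registrable_root(host):
    """Crude root-domain heuristic (last two labels). This is an assumption
    for the example; real code should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def pivot(detected_url, dns_table=DNS_TABLE, prefix_len=24):
    """Given one confirmed malicious URL, return what to block outright
    (the host, its root and sub-domains, and every name on the same IP) and
    what to queue for review (names on the same /prefix_len subnet, which may
    be clean customers of the same provider rather than hacked sites)."""
    host = urlsplit(detected_url).hostname
    if host is None:
        raise ValueError("URL has no host component: %r" % detected_url)
    host = host.lower()
    ip = dns_table.get(host)
    if ip is None:
        raise LookupError("no A record recorded for %s" % host)
    root = registrable_root(host)
    subnet = ipaddress.ip_network("%s/%d" % (ip, prefix_len), strict=False)

    block, review = {host: ["detected"]}, {}
    for name, addr in dns_table.items():
        if name == host:
            continue
        reasons = []
        if name == root or name.endswith("." + root):
            reasons.append("same-root")
        if addr == ip:
            reasons.append("same-ip")
        if reasons:
            block[name] = reasons
        elif ipaddress.ip_address(addr) in subnet:
            # A shared subnet is a lead for further checking, not proof.
            review[name] = ["same-subnet"]
    return {"ip": ip, "root": root, "block": block, "review": review}


if __name__ == "__main__":
    result = pivot("http://cdn.example-hosting.test/js/loader.php")
    print("block IP :", result["ip"])
    for name, why in sorted(result["block"].items()):
        print("block    :", name, why)
    for name, why in sorted(result["review"].items()):
        print("review   :", name, why)
```

The block/review split is the practical answer to the problem the article raises: a hacked legitimate site on the same IP as the detected download host is almost certainly worth blocking until its owner rotates FTP and database credentials, but a neighbouring address on the same subnet may just be another customer of the same hosting provider, so it is queued for a human or a reputation lookup rather than blocked on the strength of one detection.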