Security company Finjan has tracked down what it says is one of the largest networks of compromised computers, controlled by a single gang of cybercriminals.
The 1.9 million-strong botnet has grown rapidly since it was first detected in February, while the command-and-control server running it appears to be hosted in the Ukraine.
Finjan chief technology officer Yuval Ben-Itzhak told ZDNet UK on Tuesday that Finjan had traced the command-and-control server to the Ukraine by intercepting a Trojan and tracking its communications. The Trojan is detected as 'Pakes.app' by antivirus company AVG.
"We researched the Trojan's communications back to the home server — the IP address resolved in the Ukraine," said Ben-Itzhak. "We started to research the server and found unprotected folders, which allowed us to access files on the server."
The six-person gang, whose names and email addresses indicate that they are from Eastern Europe, appear to have compromised computers in 77 government-owned domains in the US. In the UK, six local government agencies have computers which are part of the botnet, but no national UK government agencies have been compromised, according to Ben-Itzhak.
UK and international corporations had also been compromised, said Ben-Itzhak.
Finjan said that a month ago it had informed the Metropolitan Police and other law-enforcement agencies around the world about the botnet.
A Metropolitan Police spokesperson told ZDNet UK on Wednesday that it is involved in an investigation. The spokesperson added that as the majority of infected computers were in the US, Finjan had been advised to speak to the FBI.
"It's an ongoing investigation," said the spokesperson. "The Met's Police Central e-Crime Unit are aware of this botnet, and we are taking appropriate action."
Globally, companies from sectors including banking, manufacture, software and hardware had all been hacked, said Ben-Itzhak. Nearly half the infected computers were in the US.
The computers were infected by their users visiting websites that had been injected with malicious Javascript code, which then exploited known browser vulnerabilities, said Ben-Itzhak. Seventy-eight percent of the infected Windows XP computers are running Internet Explorer, 15 percent are using Firefox, three percent are using Opera, and one percent Safari, Finjan said.
The criminals operating the botnet can make as much as $190,000 (£130,000) in one day renting out the zombies to others, according to Ben-Itzhak, for uses such as sending spam and denial-of-service attacks. Finjan found a post on a Russian black-hat site advertising the use of 1,000 computers from the botnet for $100 per day.
The command-and-control server instructed infected PCs to download and execute a Trojan horse, which is detected by only four out of 39 antivirus products. According to Finjan, products from large antivirus companies, including Microsoft and Symantec, do not yet detect the Trojan.
The Trojan installs malicious executables that perform actions including reading email addresses and other details from the infected computer; communicating with other computers using HTTP protocol; executing a process; injecting code into other processes; and visiting websites without end-users' consent, according to a post on the Finjan Malicious Code Research Center blog.
"Overall, the cybergang can remotely execute anything it likes on the infected computers," the post said.
Microsoft sent ZDNet UK this statement on Friday: "Finjan's report is based on its detection status of 29 March and doesn't reflect the most current signatures added to Microsoft's antivirus products on 23 April. Microsoft is tracking a malicious threat known as Trojan:Win32/Procesemes.A (or Pakes.app by others in the security industry). Microsoft rated Trojan:Win32/Procesemes.A as a 'medium threat'."
CNET News.com's Elinor Mills contributed to this report.
