Evil Trojan twins control most of world's botnets

Two types of Trojan are responsible for the control of most botnets worldwide, a security firm revealed today.

The Sdbot and Gaobot malware groups were responsible for 80 percent of detections related to bots during the first quarter of 2007, according to PandaLabs. Other culprits, although on a much lesser scale, included Oscarbot, IRCbot or RXbot.

Bots are automated worms or Trojans that install themselves on computers to carry out certain actions automatically, such as sending spam and turning the compromised computers into zombies. Botnets, or networks made up of computers infected with bots, have become a lucrative business model.

"This dominance is not so much due to any special features of Gaobot or Sdbot, but simply because their code is much more widely available on the internet.

This means that any criminals that want to make a bot can simply base it on the source code of these threats, making any modifications they choose. Essentially, this saves them a lot of work," said Luis Corrons, technical director of PandaLabs.

In 2006, bots accounted for 13 percent of all new threats detected by PandaLabs. Of those, 74 percent belonged to the Sdbot and Gaobot families.

Until now, most of them were controlled through IRC servers, which allowed attackers to send orders while hiding behind the anonymity of chat servers, however, now there are bots that can be controlled through web consoles using HTTP.

"Control through IRC is useful for controlling isolated computers. However, this system is not so useful when it comes to botnets. By using HTTP, bot herders can control many more computers at the same time, and can even see when one of them is online or if the commands have been executed correctly," added Corrons.