A Ukraine botnet of 1.9 million zombie machines included government PCs

Net security firm Finjan discovered a control server of a botnet in the course of tracking back an infection from a corporate client. Among the ranks of this 1.9 million botnet there were government and corporate Windows PCs. The facts on the cybercrime server hosted in the Ukraine showed that it had been exploited since February 2009 and controlled by a band of six crooks.

The botnet network was expanded at the expense of spreading Trojan downloader malware which in turn was planted on insecure websites. The cybergang was assisted by a huge affiliate network. According to Yuval Ben-Itzhak, chief technology officer at Finjan, the cyber criminals who controlled the botnet were making their money on selling the access to compromised machines through underground forums. A typical price for 1,000 machines was $100.

Ben-Itzhak said that the malware exploited security flaws of Internet Explorer, Firefox and PDF. He noted that only four out of 39 anti-virus applications were able to detect the malware.

The number of computers compromised by the cybercrooks in governments domains (.gov) of the UK, U.S. and other states accounted for 77 machines. With the malware that was used in the attack hackers could get a complete control of compromised PCs, nearly all of which were running Windows XP. They could perform a number of malicious actions such as reading emails to copying files, keystroke logging, and spam distribution.

Since discovering the botnet Finjan has suppliaed information on the server to the law enforcement agencies of the UK and the U.S. At the moment the command server is out of commission.