Last week, the FBI announced the end of the second phase of Operation Bot Roast, an ongoing investigation into botnets and the criminal activity associated with them. I recently asked Dr. Jose Nazario of Arbor Networks where in the world the bot herders, the people who control the botnets, might be. Here are some excerpts:
We see a few major groups. We see Americans and Western Europeans often interested in using the botnet to make money either directly or indirectly by selling services, or stealing information from those botnets to sell and use credit card information, bank information, etc.
There are some botnets out of South America, but mostly South America seems dominated by the Brazilian, what folks used to call the banker Trojan, the browser helper object that steals information right out of the browser from banks from online banking or e-commerce transactions. Some of the more high-profile botnets we've dubbed TeamUSA and Peruvian Power. These have been long running and relatively successful. But they're not exactly household names.
The botnet community is also taking off in the Russian language part of the Internet. Lately I've been watching a lot of DDoS attacks come out of Russia, commanded by Russians. Possibly for pay, as retribution, or as punishment to those who try and stop some of the other illegal activities, such as fraud and theft.
I have been tracking lately Russian DDoS bot code run by different groups. The code itself is bought and shared between them. One of the big ones is a code base called Black Energy. The author is a Russian language speaker who offers his help files and other things in the Russian language and sells it on the Russian language forums anywhere from $40 on up. Black Energy is strictly a DDoS botnet.
We have watched some botnets from China but I don't see a whole lot of botnet activity coming out of there.