At its peak, the malware ring had control of half a million computers, using keystroke logging to harvest banking passwords and then putting the computers to work in a botnet. By growing slowly and staying one step ahead of anti-virus software, the group was able to go undetected for years — until a lapse in its own security allowed a Proofpoint security researcher named Wayne Huang to get a look at the organization from the inside.

Huang released a report on his findings this morning, providing a rare look at the full anatomy of a malware operation, from the first security break to the fraud tactics that provide them a payoff. It's not a particularly novel or sophisticated scheme — by botnet standards, half a million is the lower end of the big leagues — but it provides a new window into the intricate tactics these groups use to stay hidden. And for anyone who's seen strange behavior from a website or console, it's a reminder that real infections are often harder to find than you think. "They rarely do mass injections. They don't do huge campaigns, so they're not on people's radar," Huang says. "But once they're in, they build a really powerful backdoor."



The attack chain, as described by Huang

The scammers' first step was buying passwords on the dark web, paying for data from an earlier breach. That gave them a foothold in the first batch of sites, where the group could install its custom shell, giving them superadmin access to anything on the site, while allowing the site's owners to update the site as usual. When the system worked, the site owners never knew the difference. They still had admin access, and there was no obvious sign that another more powerful admin had been added. While the site owners kept posting as usual, the attackers would use the new backdoor to infect the site’s readers, injecting bursts of malware into the site’s code. From there the attackers would monitor keystrokes for bank login information, to be used in outright fraud, and sell access to their network of hijacked computers for anyone who wanted to disguise their web traffic by routing through a stranger’s internet connection.

The group was always one step ahead of antivirus updates

Most of the infected sites were running regular antivirus scans, but the attackers were careful only to use exploits that wouldn't set off any alarms. Before they uploaded any code, they would check it against the Scan4U database, which collects data from dozens of antivirus companies. If the database recognized the group's exploit, they would change the code until it slipped past unnoticed, ensuring they were always one step ahead of antivirus updates.

They also took measures to throw researchers like Huang off the trail. If a site visitor looked like an automated malware scanner, a traffic distribution system would isolate the visitor and route them to a clean version of the site, suggesting nothing was amiss. The system also kept a list of IP addresses used by security-research firms, and made sure any traffic from those addresses also went to the clean site. As a result, many site owners confronted by Huang refused to believe they were infected at all. The antivirus scan would come back empty, and most independent researchers would see a completely clean site.

But while the hacker's security protections were good, they weren't perfect. Huang's breakthrough came when he found the web address for the attackers' control panel. They hadn't thought to password-protect the controls, so once Huang located it, he got an inside view of everything the group was doing, including the counter-measures they'd used to throw other researchers off the trail. Eventually, the group added a password to keep Huang out, but by then it was too late.



A screenshot of the attacker's control panel.

Once the attackers began targeting individual users, they relied heavily on pre-purchased exploit kits, starting with the popular Blackhole kit and moving on to more recent kits like Sweet Orange and Phoenix. They used an array of vulnerabilities — targeting PDF plugins, Java, Flash and Internet Explorer depending on a user’s unique vulnerabilities — but the group left almost all of that work to others, buying exploits as they became available and abandoning them as patches became more common.

"We get a lot of upset website admins."

Still, even with all of Huang's detail on the group, it's unlikely they'll be brought to justice any time soon. There’s still plenty of work left to do in tracing the network back to individual people, and it’s unclear who’ll want to step in and do it. Taking down a botnet is a notoriously long and drawn-out process, and while Russian law enforcement has made some major busts in recent years, it may not be impressed by an outfit this size. The most Huang can hope for is a little more cred the next time he tells a site that he's found an infection. "We get a lot of upset website admins who believe we’ve falsely accused them of an infection," Huang says. "So we’re certainly hoping that those people will read this report"

More broadly, it’s a sign of how far web security still has to go. Researchers pay a lot of attention to breaches like Heartbleed, which give attackers an initial foothold, and vulnerabilities in popular software, which let them exploit individual users. But lingering infections like this one are often overlooked. As a result, once an attacker builds a backdoor into a server or a site, it can take years for the proper owners to regain control. For the half a million computers detailed in the report, that’s a troubling thought.