The Most Notorious Botnets: How the Largest Malware Armies Rose and Fell
Botnets are no longer a surprise to anyone: they’re everywhere, and the malware behind them is often easily removed by antivirus software—thanks to the clumsy work of amateur authors cobbling together malware from scraps. But sometimes, professionals get involved, and the damage becomes colossal, leading to long and fascinating battles with these threats. In this article, we’ll look at some of the most infamous botnet stories—some of which are still ongoing.
Zeus
- Type: Banking Trojan
- Active Years: 2007 – present
- Infections: Over 13 million
- Spread Method: Exploit kits
- Reach: 196 countries
- Damage: Over $120 million
Zeus opens our list—not the god on Olympus, but the banking trojan so widespread it topped America’s most-wanted botnet list. According to some analysts, Zeus was used in 90% of all global banking fraud cases.
Initially, hundreds of separate Zeus-based botnets were created and controlled by different cybercriminal gangs. The bot’s author(s), known as Slavik and Monstr, sold the builder to anyone interested, who then created their own botnets. For example, in 2009, one group spread Zeus via the Pushdo spam botnet, infecting about 3.6 million PCs in the US alone. In total, Zeus has infected over 13 million computers since its appearance.
Slavik sold and supported Zeus until version 2.0, after which, in October 2010, he handed the source code to the SpyEye trojan developer and supposedly stopped development. However, RSA claims this was a diversion, and the original author continued working on Zeus.
In August 2010, two months before the official end of Zeus development, experts discovered a botnet based on Zeus 2.1—a version not sold on any underground forums. This suggests the author switched business models, building his own botnet instead of selling the builder.
Zeus 2.1 introduced DGA (Domain Generation Algorithms) for C&C server addresses and used RSA-1024 signatures to protect update files. This version also saw the debut of Zeus-in-the-Mobile (ZitMo) for Android, Windows Mobile, BlackBerry, and Symbian, which worked with the desktop version to bypass online banking 2FA. By the end of 2012, the ZitMo variant called Eurograbber had netted its operators about €36 million (around $47 million at the time).
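An added example, not code from the article or from Zeus: a defender-side check that scores queried DNS names for DGA-like randomness, the kind of generated C&C names Zeus 2.1 introduced. The log format, the log lines, the entropy threshold and the vowel ratio are constructed assumptions, not Zeus's actual algorithm.

```python
import math
import re
from collections import Counter

# Constructed query log lines (not real traffic); the line format is assumed.
SAMPLE_LOG = """\
client 10.0.0.5 query: www.example.com IN A
client 10.0.0.5 query: mail.google.com IN A
client 10.0.0.7 query: xk3j9qpzv7wm2tlr0bcny.com IN A
client 10.0.0.7 query: gq2mvz8xtpw1lfhcjdr.net IN A
client 10.0.0.9 query: cdn.cloudflare.com IN A
"""

QUERY_RE = re.compile(r"client (\S+) query: (\S+) IN")

def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of the label."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def dga_score(domain: str):
    """Return (entropy, vowel_ratio) of the registrable label.
    Assumes 'label.tld'; real logs need a public-suffix list."""
    label = domain.lower().split(".")[-2]
    vowels = sum(ch in "aeiou" for ch in label)
    return shannon_entropy(label), vowels / len(label)

def looks_generated(domain: str, min_entropy=3.5, max_vowel_ratio=0.2) -> bool:
    """Heuristic: high per-character entropy and almost no vowels.
    Thresholds are constructed assumptions; tune them against your own baseline."""
    entropy, vowel_ratio = dga_score(domain)
    return entropy >= min_entropy and vowel_ratio <= max_vowel_ratio

def find_dga_like(log_text: str):
    """Return (client, domain) pairs whose queried name looks generated."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            client, domain = m.groups()
            if looks_generated(domain):
                hits.append((client, domain))
    return hits

if __name__ == "__main__":
    for client, domain in find_dga_like(SAMPLE_LOG):
        print(f"{client} queried DGA-like name {domain}")
```

Pivoting from a flagged client to the rest of its DNS history is the usual next step; one hit is a lead, not a verdict.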
In February 2011, the source code for Zeus 2.0.8.9 leaked to the darknet, and by May, it was public. This was a landmark event for the hacker world. The HVNC (Hidden VNC) module, which allowed remote control via a hidden desktop, was later spun off into its own project.
After the leak, many clones and derivatives appeared, including the Citadel project, which offered an online platform similar to GitHub for feature requests, bug reports, and module submissions. Citadel even provided customer support and regular updates to bypass new antivirus protections.
In fall 2011, researcher Roman Hussy noticed strange UDP traffic in a Zeus variant, revealing that Zeus had gained peer-to-peer (P2P) update capabilities using the Kademlia protocol. This version, named GameOver (after its gameover.php script), was highly resilient and remains active today. Later, a variant with an embedded nginx server allowed bots to act as proxies for C&C communication, further complicating takedown efforts.
Zeus spread via over 74,000 hacked FTP servers, spam, fake tech support scams, exploits, and social engineering. Eventually, the FBI and experts from about ten countries identified the group behind Zeus, including alleged leader Evgeniy Bogachev, who remains at large with a $3 million bounty on his head.
While the original Zeus is no longer maintained, a new variant called Sphinx appeared in 2015, especially active during the COVID-19 pandemic, using social engineering and fake Kaspersky signatures to spread.
Zeus is notoriously hard to remove, using polymorphic encryption to evade antivirus detection, infecting multiple files, and constantly updating. The best cure is a full system reinstall, though advanced users may attempt manual cleaning—with no guarantee of success.
Storm
- Type: Email worm for spam and DDoS
- Active Years: 2007–2008
- Infections: About 2 million
- Spread Method: Spam
Storm (aka Zhelatin) first appeared in early 2007, disguised as news about storm damage in Europe. It used social engineering in emails, with subject lines like “Saddam Hussein resurrected.” But Storm’s real innovation was its decentralized P2P control system based on the Overnet protocol (from the eDonkey network) and server-side polymorphism.
At its peak in July 2007, Storm generated about 20% of all internet spam, using 1.4 million computers to promote pharmaceuticals—both legal and illegal. Attempts were made to split the botnet into subnetworks, possibly to sell access in parts, but these failed.
Storm aggressively defended itself: if researchers repeatedly accessed its update servers, the bots would launch DDoS attacks against them. Anti-spam services like Spamhaus, SURBL, and URIBL were also targeted to prevent spam filters from updating.
At one point, Storm-infected PCs outperformed the world’s supercomputers in combined processing power. If the operators had used this power for parallel computing or cryptocurrency mining (which didn’t exist yet), the impact could have been even greater.
By late 2008, Storm vanished, possibly due to the shutdown of the Russian Business Network (a criminal hosting provider), or, more likely, due to security researchers. At the 2008 Chaos Communication Congress, hackers demonstrated “Stormfucker,” a tool that exploited a Storm bug to disinfect infected machines via Overnet. Microsoft claimed a Windows update helped eliminate the botnet, but experts disagree on the true cause.
Storm was soon replaced by the Waledac botnet, which, while different in code, shared many features: Fast Flux C&C hosting, server-side polymorphism, spam, and P2P updates. Even the spam templates and products were similar.
In 2010, a new Storm variant was found, reusing much of the original code but switching to HTTP for C&C communication. Fortunately, Storm 2.0 never reached the scale of its predecessor.
Infection symptoms included processes named gameX.exe (where X is a number), such as:
- game0.exe – backdoor and loader
- game1.exe – SMTP server for spam
- game2.exe – email address stealer
- game3.exe – spam module
- game4.exe – DDoS utility
- game5.exe – bot updater
The code ran from a rootkit in %windir%\system32\wincom32.sys, bypassing many security mechanisms and even faking antivirus activity to fool users.
Storm was one of the first commercial, ready-to-use spam tools. Though short-lived, it paved the way for future cybercriminals.
Mariposa
- Type: Trojan-worm
- Active Years: 2009–2011
- Infections: 12 million + 11 million (two waves)
- Spread Methods: Pirated software, self-spreading via USB drives, P2P networks, MSN Messenger
- Reach: 190 countries
Mariposa (“butterfly” in Spanish) appeared in 2009, based on the Palevo (Rimecud) trojan. Panda Labs estimated its size at 12 million infected computers. In the code, it was called “Butterfly Bot,” but antivirus companies gave it the Mariposa name.
Mariposa could act as a loader for other malware, steal passwords from Firefox and IE, and set up HTTP and SOCKS proxies for attackers. It also had two DDoS modules: TCP SYN flood and UDP flood.
One spread method was via USB drives using autorun.ini, which Mariposa obfuscated with random characters to evade detection. Its main activities were scams and DDoS attacks, including stealing and reselling accounts from victims’ computers.
The authors implemented many protections, such as frequent binary updates, anti-virtualization, and a new UDP-based C&C protocol. However, these didn’t prevent the botnet’s downfall. In December 2009, Spanish police and researchers seized the C&C servers and arrested three DDP Team members—none of whom could program. They were caught after logging into the C&C from their home IPs instead of using VPNs or proxies. However, prosecution was difficult since botnet operation wasn’t a crime in Spain at the time, and there was insufficient evidence of data theft for profit.
After their release, the Mariposa admins even visited Panda Security (who helped catch them) to ask for jobs, claiming they were broke after the botnet’s destruction. They left empty-handed.
Despite the takedown, Mariposa detections rose again in late 2010, and a new Palevo-based botnet called Metulji (“butterfly” in Slovenian) with 11 million machines was found. Its operators, from Serbian Bosnia, were quickly arrested by Slovenian police, the FBI, and Interpol. Since then, Palevo and its variants have disappeared from top threat lists.
Mariposa shows that even hackers with minimal skills can build massive botnets without spam or exploit kits—twelve million infections is a serious result.
ZeroAccess
- Type: Trojan loader, spammer, and miner
- Active Years: 2009–2013
- Infections: 9 million
- Spread Method: Exploit kits
ZeroAccess’s story began in June 2009, with a rootkit driver containing the string F:\VC5\release\ZeroAccess.pdb. Also known as Smiscer and Sirefef, ZeroAccess had a unique “bait” technique to fool antivirus software. Besides its main rootkit driver, it created a decoy device \Device\svchost.exe and a fake binary at \Device\svchost.exe\svchost.exe. If antivirus software touched the bait, ZeroAccess killed the process and blocked future launches by resetting file permissions.
In January 2010, ZeroAccess was updated with features borrowed from the TDL-3 rootkit, including infection via drivers and hidden storage in a separate disk partition. Until April 2011, 64-bit Windows versions were safe, but a later update added user-mode infection for 64-bit systems.
To increase resilience, ZeroAccess added TCP-based P2P for module distribution, with a list of 256 supernode IPs. It delivered two payloads: click fraud and mining modules. By May 2012, the kernel driver was dropped, and all operations moved to user mode. The P2P protocol was tweaked, RSA key length doubled, and communication split between UDP (for peer lists) and TCP (for modules).
By late summer 2012, Sophos estimated over 9 million infected computers, with about a million active infections. ZeroAccess was the most active botnet of 2012.
Antivirus companies worked to disrupt ZeroAccess via its P2P protocol. In March 2013, Symantec engineers found a vulnerability that allowed them to disrupt the botnet. On June 29, 2013, Symantec noticed a new version spreading via P2P, which patched the vulnerability. This prompted a takedown operation on July 16, removing over half a million bots from the network.
Microsoft achieved even greater success in December 2013, working with law enforcement to seize C&C servers. Bots received a final update with the message “WHITE FLAG”—the botnet surrendered.
How It Works
Technically, the botnet still exists, but without updates, detection rates are rising, and more antivirus programs can neutralize it. However, new ZeroAccess versions may be in development.
Dridex
- Type: Banking trojan
- Active Years: 2011 – present
- Infections: Unknown
- Spread Methods: Spam, social engineering, free software
Dridex is one of the top financial cyberthreats since Zeus faded. In 2015, its damage was estimated at over $40 million.
Dridex (originally Cridex) first appeared around September 2011, already using web injects to steal money online and infecting USB drives. Its web injects were suspiciously similar to Zeus, likely due to the 2011 Zeus source code leak. By 2012, USB infection was dropped.
Dridex and GameOver Zeus share several features: regex handling, spam-based spread, installer design, and available components like SOCKS proxies and hidden VNC (borrowed from Zeus).
By early 2015, Dridex had a quasi-P2P network with supernodes listed in the trojan’s XML config. Communication with C&C was encrypted. After the August 28, 2015 arrest of a Dridex admin, some botnets disappeared but soon returned, likely under new management.
Security was tightened with IP-based geofiltering, and the XML config was replaced with a binary one to hinder researchers. In early 2017, a new version appeared with a loader that only worked for a couple of days, after which encryption keys changed and old samples became useless.
Dridex encrypts its traffic with RC4 under a static key. The goal is to evade traffic analysis rather than to block research: RC4 with a static key is easily cracked, but traffic analysis tools struggle with its pseudo-random-looking data.
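An added illustration of the point above, not code from the article or from Dridex: with a static key, RC4 emits the same keystream for every message, so a single known plaintext recovers the keystream and decrypts every other capture. The key, the message formats and the known plaintext are constructed.

```python
# Plain RC4 (KSA + PRGA). Same key => same keystream for every message.
def rc4_keystream(key: bytes, length: int) -> bytes:
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:                   # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    return xor(data, rc4_keystream(key, len(data)))

# Constructed stand-in for a hard-coded bot key (not a real Dridex key).
STATIC_KEY = b"constructed-static-key"

def recover_with_known_plaintext(known_plain: bytes, known_cipher: bytes,
                                 other_cipher: bytes) -> bytes:
    """Keystream reuse: ks = P1 ^ C1, hence P2 = C2 ^ ks (up to len(P1))."""
    keystream = xor(known_plain, known_cipher)
    return xor(other_cipher, keystream)

def demo() -> bytes:
    # Constructed messages: a predictable poll and a second, unknown command.
    beacon = b"<bot id=1 cmd=poll ver=2 build=0 />"
    secret = b"<bot id=1 cmd=inject url=x />"
    c1 = rc4(STATIC_KEY, beacon)               # captured, plaintext guessable
    c2 = rc4(STATIC_KEY, secret)               # captured, plaintext unknown
    return recover_with_known_plaintext(beacon, c1, c2)

if __name__ == "__main__":
    print(demo())
```

The recovery never touches the key itself; it works against any stream cipher whose keystream is reused, which is why a static key offers no protection against a researcher holding captures.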
Dridex Distribution
Most victims are in Europe, especially the UK, Germany, and France. Dridex does not infect Russian computers—its C&C servers ignore Russian IPs.
Despite repeated efforts by white hats and law enforcement, Dridex remains active. In 2019, the US Department of Justice indicted two Russians, Maksim Yakubets and Igor Turashev, as Dridex’s developers (and Yakubets as the group’s leader). Yakubets is also accused of developing and spreading Zeus.
Dridex continues to evolve new techniques to bypass User Account Control (UAC) and infect Windows machines. The total damage is hard to estimate, but even conservative figures put it in the hundreds of millions of dollars.
To be continued…