Kroxxu botnet targets one million users

The Kroxxu botnet is believed to have affected over one million web users.


A new botnet has been detected which could have potentially affected over a million web users in the last 12 months.

The Kroxxu botnet currently has its grip on around 100,000 web domains and has been spreading password-stealing malware whilst covering its tracks extremely effectively, avast! Virus Lab found.

The surreptitious nature of the botnet meant researchers were unable to determine how the masterminds had monetised the operation.

"There are a number of ways they could be supporting themselves," said Jiri Sejtko, head of virus research at the avast! Virus Lab.


"The four most likely methods are through selling hacked space on infected servers, use of this malware to support the activities of other, more directly profitable malware, selling stolen credentials, or using keyloggers to spread other spam."

Kroxxu differs from traditional botnets, as its expansion has been achieved solely through infected websites.

Its owners gained passwords to take control of websites, then altered the sites' content in order to upload and modify files on the infected servers, avast! explained.

The operators then spread the botnet to other servers across the world.

Kroxxu has used redirectors in order to make it difficult to track the botnet's activities. The security company estimated over 10,000 redirectors had been employed by Kroxxu over the last year.

The malicious network also used alterable components, as each layer of the botnet performs a specific task, giving it greater flexibility.


"Kroxxu's indirect cross infections are based on the fact that all parts [are] equal and interchangeable," explained Sejtko.

"If one part is used as an initial redirector, it may also be used as a final distribution part at the same or even a different time. This gives it an enormous range of designed-in duplicity."

Kroxxu could spread to gain much more traction, avast! said. URL blocking engines may struggle to differentiate between standard malware distribution domains run by the malware authors and hacked zombie domains like those controlled by Kroxxu, the security firm explained.

There have been a number of successful botnet takedowns this year, which led to a drop in spam in the last quarter.
