
Kroxxu botnet hits a million web users

by Phil Muncaster

22 Nov 2010


Security experts have uncovered a dangerous new botnet which has already infected over 100,000 domains and one million systems worldwide, although it is still unclear how the cyber criminals are monetising their efforts.

The Kroxxu botnet has been designed solely to steal FTP passwords but, unlike traditional botnets, it spreads through compromised web servers alone rather than by infecting individual PCs, according to researchers at Avast Software who have been tracking it for over a year.

The stolen passwords give Kroxxu's creators FTP access to upload and modify files on the compromised servers; they use that access to add a script tag to the original web site content, which in turn spreads the infection to other servers globally.

The malware relies heavily on redirects to obfuscate itself, and the various components of the network can each take on different roles, a design Avast calls "indirect cross infection".
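The injection described above leaves a footprint a site owner can look for: a script tag in the site's own files that loads code from a host the site never used, or an inline loader built from document.write and unescape calls. The following is an added example, not Avast's tooling or anything from the original article, of a triage scan over a web root for that footprint. The allowlist hosts, the suspicious-call list and the sample page are assumptions constructed for the example.

```python
"""Triage scan for injected <script> tags in site content.

Added example: not code from the original article or from Avast.
Flags external scripts loaded from hosts outside an allowlist and inline
scripts that use calls typical of obfuscated loaders.  A hit is a lead
for a human to check against the deployment history, not proof of compromise.
"""
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlsplit

# Hypothetical allowlist: hosts this site legitimately loads scripts from.
ALLOWED_HOSTS = {"www.example.com", "cdn.example.com"}

# Calls commonly seen in obfuscated injected loaders (assumed list for the example).
SUSPICIOUS_INLINE = ("document.write", "unescape(", "eval(", "fromCharCode")


class _ScriptCollector(HTMLParser):
    """Collects <script src=...> values and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> content as raw data, so this captures the body.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def find_injected_scripts(html, allowed_hosts=ALLOWED_HOSTS):
    """Return (kind, detail) findings for one HTML document.

    External scripts: host not on the allowlist (same-origin, host-less
    src values are ignored).  Inline scripts: any suspicious call present.
    """
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.external:
        # .hostname handles "//host/x.js" as well as full URLs and strips any port.
        host = urlsplit(src.strip()).hostname
        if host and host not in allowed_hosts:
            findings.append(("external-script", host))
    for body in parser.inline:
        hits = [marker for marker in SUSPICIOUS_INLINE if marker in body]
        if hits:
            findings.append(("inline-script", ",".join(hits)))
    return findings


def scan_webroot(root, allowed_hosts=ALLOWED_HOSTS, exts=(".html", ".htm", ".php")):
    """Walk a web root and map each file with findings to its findings."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            hits = find_injected_scripts(path.read_text(errors="replace"), allowed_hosts)
            if hits:
                report[str(path)] = hits
    return report


# Constructed sample page for the example; not captured from a real infection.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example.com/site.js"></script>
<script src="//redirector.invalid/counter.php"></script>
</head><body><p>Hello</p>
<script>document.write(unescape('%3Cdiv%3E'));</script>
</body></html>"""


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target:
        for path, hits in scan_webroot(target).items():
            print(path, hits)
    else:
        print(find_injected_scripts(SAMPLE_PAGE))
```

Run it against a copy of the web root taken over a channel you trust rather than over the same FTP account that may already be compromised, and compare any flagged file against the last known-good deployment before deciding it is an injection.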

"Kroxxu's indirect cross infections are based on all parts being equal and interchangeable," said Jiri Sejtko, head virus researcher at Avast.

"If one part is used as an initial redirector, it may also be used as a final distribution part at the same or even a different time. This gives it an enormous range of designed-in duplicity."

Avast has not yet discovered how the botnet organisers are making money from the scam, but Sejtko suspects they could be selling stolen credentials or hacked space on infected servers, installing keyloggers, or spreading other spam.

The botnet has infected 1,000 domains a month since its discovery in October 2009, and many of the PHP redirectors and malware distributors planted on the sites have survived for months at a time.

Because it infects legitimate sites, the botnet could seriously undermine URL-blocking software, Avast warned.
