Harnig botnet returns

Part of the once mighty Rustock empire has reappeared online, despite servers being seized by law enforcement agencies

The Harnig botnet, which downloads and disseminates malware to computers over the internet, has reappeared after a six-month absence.

In March Microsoft, working with law enforcement agencies including the FBI, took down the Rustock botnet by seizing its servers and issuing software to clean up malware from infected customers.

This also meant the Harnig botnet, principally used to infect machines with the Rustock malware, was largely put out of action.

However, researchers at threat analysis firm FireEye say Harnig has returned.

"After months of silence, Harnig is finally back in business, resuming all of its usual malicious activities," wrote FireEye researcher Atif Mushtaq.

Botnet operators are using new command-and-control (CnC) servers to manage their operations, as many of the previous servers would have been seized in the Rustock takedown.

And aware that law enforcement agencies are now more experienced in targeting and removing CnC servers, the cyber criminals have taken steps to protect their network.

"Harnig is changing its CnCs with lightning speed," wrote Mushtaq. "During the last week or so I have observed 26 CnCs in use by different variants of the Harnig botnet and most of these CnCs popped up during the last few days."
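The rate of CnC turnover described above (26 servers in roughly a week) is the reason a static blocklist lags behind such a botnet. The following is an added example, not code from the article or from FireEye, of one heuristic a defender can run over DNS or proxy logs: count how many previously unseen destination hostnames each client contacts within a sliding window and flag clients whose count exceeds a threshold. The log lines and hostnames are constructed placeholders, not indicators from any report, and the window and threshold values are assumptions to be tuned per environment.

```python
"""
Flag internal clients that contact an unusual number of never-before-seen
hostnames within a short window, a symptom of malware whose CnC servers
rotate quickly. Log format (constructed): "<ISO timestamp> <client_ip> <hostname>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; hostnames are placeholders, not real indicators.
SAMPLE_LOG = """\
2011-09-01T08:00:00 10.0.0.5 update-cdn-01.example.net
2011-09-01T08:05:00 10.0.0.7 update-cdn-01.example.net
2011-09-02T09:10:00 10.0.0.5 update-cdn-02.example.net
2011-09-02T11:00:00 10.0.0.9 update-cdn-03.example.net
2011-09-03T10:00:00 10.0.0.5 update-cdn-04.example.net
2011-09-03T12:00:00 10.0.0.7 update-cdn-05.example.net
2011-09-04T07:30:00 10.0.0.5 update-cdn-06.example.net
2011-09-04T07:31:00 10.0.0.5 www.example.org
"""


def parse_log(text):
    """Parse log text into a list of (timestamp, client, hostname) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host = line.split()
        records.append((datetime.fromisoformat(ts), client, host))
    return records


def max_new_hosts_in_window(records, window=timedelta(days=7), allowlist=frozenset()):
    """For each client, return the largest number of distinct, previously unseen
    hostnames whose first contact falls inside any window of the given length.
    Hostnames in `allowlist` (known-good destinations) are ignored."""
    first_seen = {}  # (client, host) -> earliest timestamp observed
    for ts, client, host in records:
        if host in allowlist:
            continue
        key = (client, host)
        if key not in first_seen or ts < first_seen[key]:
            first_seen[key] = ts

    per_client = defaultdict(list)
    for (client, _host), ts in first_seen.items():
        per_client[client].append(ts)

    result = {}
    for client, times in per_client.items():
        times.sort()
        best = 0
        j = 0  # right edge of the sliding window over first-seen times
        for i, start in enumerate(times):
            while j < len(times) and times[j] - start <= window:
                j += 1
            best = max(best, j - i)
        result[client] = best
    return result


def flag_clients(records, threshold=3, **kwargs):
    """Return the sorted list of clients whose new-host count reaches the threshold."""
    counts = max_new_hosts_in_window(records, **kwargs)
    return sorted(client for client, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    known_good = frozenset({"www.example.org"})
    for client, n in sorted(max_new_hosts_in_window(recs, allowlist=known_good).items()):
        print(f"{client}: {n} new hosts in a 7-day window")
    print("flagged:", flag_clients(recs, threshold=3, allowlist=known_good))
```

On the constructed sample, 10.0.0.5 contacts four new hosts in four days (the allowlisted site is excluded) and is flagged, while the other two clients stay below the threshold. In production the allowlist would be seeded from a baseline of normal destinations, and a hit would be a lead for investigation rather than a verdict, since software updaters and CDNs can also produce bursts of new hostnames.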

To protect their networks against malware from Harnig and other botnets, organisations should follow a common sense approach, said Raj Samani, chief technology officer in EMEA for security firm McAfee.

"Follow common sense, have appropriate security, and adhere to continuous processes of protecting yourself. Identify and plan for your risks, and check that your controls work."

Graham Cluley, senior technology consultant at security firm Sophos, explained that technology and education play a part in protecting the business.

"Keep your software patching and anti-virus up to date. And educate your staff regarding the form threats are likely to take - this could be unsolicited emails, dodgy attachments and weblinks."