The botnet's first infection campaign began at the end of April. In its first week, attackers were able to infect more than 35,000 machines. Since then, several smaller campaigns have added 20,000 additional compromised machines to the botnet.
“This group has perfected a mass production system for deploying phishing sites and data-stealing malware,” Roger Thompson, chief research officer at AVG, wrote in a blog post Monday.
The botnet uses four different variations of the Zeus malware to steal social networking credentials, bank account details, credit card numbers and email communications from the zombie machines. Zeus v22.214.171.124 supports the latest Microsoft operating system, Windows 7, and also is capable of stealing HTTP traffic from Mozilla Firefox users, according to AVG.Unlike most Zeus botnets, which use bulletproof hosting or hijacked web servers to host stolen data, Mumba uses a fast-flux network, the report states. Fast-flux, a DNS technique used to hide malicious websites behind an ever-changing network of compromised hosts, often increases the longevity of phishing and malware distribution sites because it makes it more difficult to get the domain taken down.
Avalanche's fast-flux network was mainly used in the past for phishing and malware attacks, but now the group is using the technique to host its stolen goods as well.
“The unique infrastructure of the Mumba botnet means that going after the servers hosting the stolen data is now much more difficult than before,” Yuval Ben-Itzhak, senior vice president at AVG, said in a statement.
The United States had the most PCs infected by the Mumba botnet, according to the report. Thirty-three percent of Mumba-infected machines are in the United States, while 17 percent came are based in Germany, seven percent in Spain, six percent are in the U.K. and five percent each are in Mexico and Canada.