Attacks/Breaches
2/18/2011
12:10 PM
50%
50%

Botnet Victims Increased 654% In 2011

The top 10 botnets are responsible for 57% of all infections, says Damballa report.

Top 10 Security Stories Of 2010
(click image for larger view)
Slideshow: Top 10 Security Stories Of 2010

The botnet market is both growing and consolidating. The top 10 botnets of 2010 -- based on total number of PCs compromised -- began the year with 22% market share, but grew to account for 57% of all botnet infections by the end of the year. Meanwhile, in the same timeframe, the number of unique botnet victims grew by 654%.

Those findings come from a report, released on Tuesday, by anti-botnet security company Damballa. The report finds a botnet landscape that is changing rapidly, driven in part by the ready availability of inexpensive botnet-building toolkits.

Which botnets rule? The biggest botnets in 2010 (based on their percentage of victims) were the TDLBotnetA botnet run by RudeWarlockMob (15% market share), the RogueAVBotnet run by FreakySpiderCartel (6%), the ZeusBotnetB run by FourLakeRiders (5%), followed by Monkif (5%), Koobface.A (4%), and Conficker.C (3%). That list includes one-off botnets created and customized by criminal gangs, many of whom use DIY tools such as Zeus as the base.

Interestingly, 60% of botnets seen in 2010 didn't even exist in 2009. In fact, "only one botnet -- Monkif -- made it to the top 10 of both years," said Gunter Ollmann, VP of research for Damballa, in a blog post.

In general, what sets apart the botnet winners from losers is that the biggest ones get updated frequently with revised fraud targets. They also embrace the latest botnet features and functionality. That includes updating the malware on infected PCs, running multiple infection campaigns at once, generating one-of-a-kind malware for each victim, and using multiple infection vectors.

Today's top botnet are also succeeding thanks to a thriving ecosystem of best-of-breed, complementary services. "The federated ecosystem of botnet building means that malware authoring, drive-by-download infections, content delivery, and [command-and-control] hosting are increasingly distributed amongst multiple unaffiliated service providers," said Ollmann. "The increased accessibility to specialist service providers has made it easier for botnet operators to rapidly grow their botnets and monetize their ill-gotten gains."

Interestingly, this distributed approach to botnets means that a PC today can be infected with malware that places it under the control of multiple pieces of botnet-driven malware. According to Ollmann, "over 35% of botnet victims were simultaneously members of multiple botnets in 2010."

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.