4/22/2014 01:25 PM

Bots Attack US Mainly During Dinnertime

Most bot-infected machines hail from the US and wage attacks there between 6 and 9 p.m. Eastern Time, new report finds.

Botnets do most of their dirty work in the US during and after dinnertime -- and they now create twice the web traffic they did a year ago, a new report finds.

Distil Networks' "2014 Annual Bad Bot Report," published today, found bad bots (versus search engine and other automated "good" bots) account for nearly 24 percent of all web traffic. The report covers activity of some 2.2 million bots from January through December of 2013, and draws from Distil's database of 7 billion bad bots. Good bot traffic actually dropped from 27.2 percent to 19.4 percent.
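To make the report's two headline measurements concrete (the share of requests that come from bad bots, and the hour of day in US Eastern Time at which they peak), here is an added example that is not code from Distil Networks or from the article. It parses web-server access-log lines in Apache "combined" format, converts each timestamp to Eastern Time, classifies the user agent as human, good bot or bad bot, and reports the bad-bot share per local hour and for the 6 to 9 p.m. window the report singles out. The log lines, the user-agent marker lists and the time window are constructed assumptions for illustration; in a real deployment a self-declared "Googlebot" user agent would be verified by reverse DNS before being trusted as a good bot.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from zoneinfo import ZoneInfo

# Constructed sample access-log lines (Apache "combined" format, RFC 5737
# documentation addresses). Not real traffic; timestamps are in UTC.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Apr/2014:22:15:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "python-requests/2.2.1"
203.0.113.5 - - [22/Apr/2014:22:15:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "python-requests/2.2.1"
203.0.113.5 - - [22/Apr/2014:22:15:03 +0000] "GET /login HTTP/1.1" 200 512 "-" "python-requests/2.2.1"
198.51.100.7 - - [22/Apr/2014:22:20:10 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/34.0"
66.249.66.1 - - [22/Apr/2014:22:30:00 +0000] "GET /robots.txt HTTP/1.1" 200 100 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.9 - - [23/Apr/2014:13:05:00 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Macintosh) Safari/537.36"
192.0.2.9 - - [23/Apr/2014:13:06:00 +0000] "GET /contact HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Macintosh) Safari/537.36"
203.0.113.77 - - [23/Apr/2014:13:07:00 +0000] "GET /wp-login.php HTTP/1.1" 404 300 "-" "-"
"""

# One line of the combined log format: ip, ident, user, [timestamp],
# "request", status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed marker lists: a crawler that identifies itself and honours robots.txt
# is treated as a "good" bot; scripted HTTP clients and an empty user agent are
# treated as "bad". Both lists are illustrative, not the report's methodology.
GOOD_BOT_MARKERS = ("googlebot", "bingbot")
BAD_BOT_MARKERS = ("python-requests", "curl/", "wget/", "scrapy")


def classify_ua(ua: str) -> str:
    """Return 'good_bot', 'bad_bot' or 'human' for a user-agent string."""
    lowered = ua.lower()
    if any(marker in lowered for marker in GOOD_BOT_MARKERS):
        return "good_bot"  # verify with reverse DNS in production
    if ua in ("", "-") or any(marker in lowered for marker in BAD_BOT_MARKERS):
        return "bad_bot"
    return "human"


def hourly_breakdown(log_text: str, tz: str = "America/New_York") -> dict:
    """Map local hour (0-23) -> Counter of request classes seen in that hour."""
    zone = ZoneInfo(tz)
    buckets: dict = defaultdict(Counter)
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in combined format
        stamp = datetime.strptime(match["ts"], "%d/%b/%Y:%H:%M:%S %z")
        local_hour = stamp.astimezone(zone).hour  # DST-aware conversion
        buckets[local_hour][classify_ua(match["ua"])] += 1
    return buckets


def bad_bot_share(counter: Counter) -> float:
    """Fraction of requests in a bucket that were classified as bad bots."""
    total = sum(counter.values())
    return counter["bad_bot"] / total if total else 0.0


def dinnertime_share(buckets: dict, start: int = 18, end: int = 21) -> float:
    """Bad-bot share across all local hours in [start, end); default 6-9 p.m."""
    merged = Counter()
    for hour in range(start, end):
        merged.update(buckets.get(hour, Counter()))
    return bad_bot_share(merged)


if __name__ == "__main__":
    breakdown = hourly_breakdown(SAMPLE_LOG)
    for hour in sorted(breakdown):
        counts = breakdown[hour]
        print(f"{hour:02d}:00 ET  {dict(counts)}  bad-bot share={bad_bot_share(counts):.0%}")
    print(f"6-9 p.m. ET bad-bot share: {dinnertime_share(breakdown):.0%}")
```

Run against the constructed lines, the three `python-requests` hits at 22:15 UTC land in the 18:00 Eastern bucket (EDT is UTC-4 in April), giving a 60 percent bad-bot share for that hour, while the morning bucket shows one empty-user-agent request out of three. The point of the per-hour view is that a site's own baseline, not a global percentage, is what tells a defender whether an evening spike is out of the ordinary.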

"They are very clearly proliferating," says Rami Essaid, CEO and co-founder of Distil. "The costs to rent out bots are declining, and the supply is growing so much."

Pushdo is currently the world's biggest botnet, according to Distil's data, with 4 million bots and 4.2 million IP addresses sending spam and Trojans such as SpyEye and Zeus. Distil found Pushdo traffic originating from 15,000 ISPs, hosting providers, and others, with US government and military networks among those infected with the bot malware.

"Pushdo is the most prolific one. It's been around for a while, and [declined] for a bit, but starting last year there was a resurgence," Essaid says. "The Pushdo command and control is very unique... It sends out 10,000 different messages."

Source: Distil Networks

But not all botnets run off of infected end-user machines: Distil spotted cloud-hosted bots. Most were from Amazon, which was seen hosting 14 percent of bad bot traffic among hosting providers. "How cheap cloud computing has become has allowed bot-makers to leverage legitimate cloud hosting. The US is the biggest harborer of bots -- not just botnets."

The US (46 percent), Great Britain (19 percent), Germany (9.6 percent), and The Netherlands (3.3 percent) are the top four homes to bad bots, according to Distil's report, and more than 1,100 ISPs and hosting providers have bad bots accounting for 70 percent or more of their traffic.

According to the report, Verizon Business generates 11 percent of all bad bot traffic, and Level 3 Communications 10 percent. "From the ISP perspective, costs run much higher when trying to clean up infected computers. In the case of residential ISPs, informing consumers that their computers are infected with malware and helping them perform the associated cleanup would triple support costs," the report says.

The security-savvy financial services industry, ironically, serves up more bad bot traffic than other industries. Distil found that QTrade Capital Partners LLC originated more than 120 million bot requests over the 12-month period, serving mostly bot traffic. Some 99.5 percent of its traffic across Distil customer sites was bot-generated. "Other notable launchers of bots in financial services include Bloomberg and Nasdaq, which had over a million bot requests each," Distil said in its report.

Botnets are also growing in the mobile space, with an increase of more than 1,000 percent in the past year. Distil discovered bad bots in nine of the world's top 10 mobile provider networks, with US mobile networks the worst offenders.

"The highest volume of bad bot traffic was identified across AT&T's network, while internationally, Vodafone had the highest number of malicious bot requests," according to the report.

Essaid says a botnet operator can abuse mobile devices over a longer period of time, and the number of these devices is on the rise, making it more difficult to pinpoint bot infections on them.

The full report is available here for download.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments

SevilC489 (User Rank: Apprentice), 7/7/2014 | 9:32:37 AM
Re: Hungry Bots
Why dinnertime?

Is it not better to attack all night?

Marilyn Cohodas (User Rank: Strategist), 4/23/2014 | 10:42:58 AM
Re: Hungry Bots
They are both evil. That's for sure.

Drew Conry-Murray (User Rank: Ninja), 4/23/2014 | 10:42:12 AM
Re: Hungry Bots
Bots and telemarketers both strike at dinnertime? Maybe they're run by the same organizations.  : )

Marilyn Cohodas (User Rank: Strategist), 4/23/2014 | 7:52:45 AM
Re: Hungry Bots
I thought the same thing about time zones, Robert. In the Internet, there probably is never a time when no one is looking, but it makes sense that attackers would optimize their strategy in that way.

Whoopty (User Rank: Ninja), 4/23/2014 | 6:51:49 AM
Re: Hungry Bots
That makes sense, mirroring the way special forces units will often launch raids in the early hours of the morning - catching your enemy unawares.

However, I think it's no coincidence, as you say, that China and Russia are just starting business when these attacks happen. Especially if the rumours surrounding the autonomous PLA Unit 61398 are true.

securityaffairs (User Rank: Ninja), 4/23/2014 | 2:19:37 AM
Re: Hungry Bots
It's a good time to take the defense by surprise ... nothing more, but we have to consider that it is just a tentative. I have found very interesting the data on bad bot originators by country, in particular the ranking of China, India and Russia ... the report explicitly mentions the Internet exchange points as motivation ... but I think that there is something else.

Robert McDougal (User Rank: Ninja), 4/22/2014 | 9:59:03 PM
Re: Hungry Bots
I agree with the logic of launching attacks when no one is looking as well.  However, it also corresponds to the start of the business day in countries such as China, where many attacks originate.

Kelly Jackson Higgins (User Rank: Strategist), 4/22/2014 | 3:53:30 PM
Re: Hungry Bots
Good question, Marilyn. The report attributes it to the attackers waiting for most IT and web security pros to leave the office for the day -- kind of like how many attacks occur after hours or on weekends, when the security team is at skeletal numbers.

Marilyn Cohodas (User Rank: Strategist), 4/22/2014 | 3:48:45 PM
Hungry Bots
Interesting about the timing around dinnertime. Is there a theory about why then? Or just coincidence?