4/22/2014
01:25 PM

Bots Attack US Mainly During Dinnertime

Most bot-infected machines hail from the US and wage attacks there between 6 and 9 p.m. Eastern Time, new report finds.

Botnets do most of their dirty work in the US during dinner and after dinnertime -- and they now create twice the web traffic they did a year ago, a new report finds.

Distil Networks' "2014 Annual Bad Bot Report," published today, found bad bots (versus search engine and other automated "good" bots) account for nearly 24 percent of all web traffic. The report covers activity of some 2.2 million bots from January through December of 2013, and draws from Distil's database of 7 billion bad bots. Good bot traffic actually dropped from 27.2 percent to 19.4 percent.

"They are very clearly proliferating," says Rami Essaid, CEO and co-founder of Distil. "The costs to rent out bots are declining, and the supply is growing so much."

Pushdo is currently the world's biggest botnet, according to Distil's data, with 4 million bots and 4.2 million IP addresses sending spam and Trojans such as SpyEye and Zeus. Distil found Pushdo traffic originating from 15,000 ISPs, hosting providers, and others, with US government and military networks among those infected with the bot malware.

"Pushdo is the most prolific one. It's been around for a while, and [declined] for a bit, but starting last year there was a resurgence," Essaid says. "The Pushdo command and control is very unique... It sends out 10,000 different messages."

[Figure] Source: Distil Networks

But not all botnets run off of infected end-user machines: Distil spotted cloud-hosted bots. Most were from Amazon, which was seen hosting 14 percent of bad bot traffic among hosting providers. "How cheap cloud computing has become has allowed bot-makers to leverage legitimate cloud hosting. The US is the biggest harborer of bots -- not just botnets."

The US (46 percent), Great Britain (19 percent), Germany (9.6 percent), and The Netherlands (3.3 percent) are the top four homes to bad bots, according to Distil's report, and more than 1,100 ISPs and hosting providers have bad bots accounting for 70 percent or more of their traffic.

According to the report, Verizon Business generates 11 percent of all bad bot traffic, and Level 3 Communications 10 percent. "From the ISP perspective, costs run much higher when trying to clean up infected computers. In the case of residential ISPs, informing consumers that their computers are infected with malware and helping them perform the associated cleanup would triple support costs," the report says.

The security-savvy financial services industry, ironically, serves up more bad bot traffic than other industries. Distil found that QTrade Capital Partners LLC originated more than 120 million bot requests over the 12-month period, serving mostly bot traffic. Some 99.5 percent of its traffic across Distil customer sites was bot-generated. "Other notable launchers of bots in financial services include Bloomberg and Nasdaq, which had over a million bot requests each," Distil said in its report.

Botnets are also growing in the mobile space, with an increase of more than 1,000 percent in the past year. Distil discovered bad bots in nine of the world's top 10 mobile provider networks, with US mobile networks the worst offenders.

"The highest volume of bad bot traffic was identified across AT&T's network, while internationally, Vodafone had the highest number of malicious bot requests," according to the report.

Essaid says a botnet operator can abuse mobile devices over a longer period of time, and the number of these devices is on the rise, making it more difficult to pinpoint bot infections on them.

The full report is available here for download.
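One way to check the report's dinnertime finding against your own web server logs, as an added example that is not from Distil or the article: it buckets requests by hour in US Eastern time, labels each request with a crude user-agent heuristic (an assumption, not the report's classification method), and compares the bot share inside the 6-9 p.m. window with the rest of the day. The combined log format, the heuristic and the sample lines are all assumptions constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
try:
    from zoneinfo import ZoneInfo
    EASTERN = ZoneInfo("America/New_York")
except Exception:  # no tz database available: fall back to a fixed EDT offset
    EASTERN = timezone(timedelta(hours=-4), "EDT")

DINNER_HOURS = range(18, 21)  # the report's 6-9 p.m. Eastern window
# Apache/nginx "combined" log format is assumed: client, timestamp, request, status, size, referer, agent
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
# Crude bot heuristic for this example only: self-identified crawlers and HTTP client libraries
BOT_UA_RE = re.compile(r"bot|crawl|spider|curl|wget|python-requests", re.I)

def parse_line(line):
    """Return (hour in Eastern time, is_bot) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    stamp = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").astimezone(EASTERN)
    return stamp.hour, bool(BOT_UA_RE.search(m.group("ua")))

def hourly_bot_counts(lines):
    """Map each Eastern hour seen -> (bot requests, total requests); malformed lines are skipped."""
    bots, total = Counter(), Counter()
    for hour, is_bot in filter(None, map(parse_line, lines)):
        total[hour] += 1
        bots[hour] += int(is_bot)
    return {hour: (bots[hour], total[hour]) for hour in total}

def dinnertime_split(lines):
    """(bot, total) request counts inside the 6-9 p.m. ET window versus all other hours."""
    split = {"dinner": [0, 0], "other": [0, 0]}
    for hour, (b, t) in hourly_bot_counts(lines).items():
        bucket = split["dinner" if hour in DINNER_HOURS else "other"]
        bucket[0] += b
        bucket[1] += t
    return {k: tuple(v) for k, v in split.items()}

# Constructed sample (RFC 5737 addresses, UTC stamps); 23:1x UTC on 22 Apr 2014 is 19:1x EDT
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Apr/2014:23:10:00 +0000] "POST /login HTTP/1.1" 401 128 "-" "python-requests/2.2.1"',
    '203.0.113.5 - - [22/Apr/2014:23:11:30 +0000] "POST /login HTTP/1.1" 401 128 "-" "python-requests/2.2.1"',
    '198.51.100.7 - - [22/Apr/2014:23:12:00 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/28.0"',
    '198.51.100.9 - - [22/Apr/2014:14:00:00 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Macintosh) Safari/537.36"',
    '192.0.2.44 - - [22/Apr/2014:14:05:00 +0000] "GET /robots.txt HTTP/1.1" 200 100 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"',
    'not a log line',  # malformed entry, exercises the skip path
]
```

On the sample, `dinnertime_split(SAMPLE_LOG)` reports two of three requests in the dinner window as bots versus one of two outside it; on a real log the interesting signal is an hourly bot share that rises after the security team goes home.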

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
SevilC489
User Rank: Apprentice
7/7/2014 | 9:32:37 AM
Re: Hungry Bots
Why dinnertime?

Is it not better to attack all night?
Marilyn Cohodas
User Rank: Strategist
4/23/2014 | 10:42:58 AM
Re: Hungry Bots
They are both evil. That's for sure.
Drew Conry-Murray
User Rank: Ninja
4/23/2014 | 10:42:12 AM
Re: Hungry Bots
Bots and telemarketers both strike at dinnertime? Maybe they're run by the same organizations.  : )
Marilyn Cohodas
User Rank: Strategist
4/23/2014 | 7:52:45 AM
Re: Hungry Bots
I thought the same thing about time zones, Robert. In the Internet, there probably is never a time when no one is looking, but it makes sense that attackers would optimize their strategy in that way.
Whoopty
User Rank: Ninja
4/23/2014 | 6:51:49 AM
Re: Hungry Bots
That makes sense, mirroring the way special forces units will often launch raids in the early hours of the morning - catching your enemy unawares.

However, I think it's no coincidence, as you say, that China and Russia are just starting business when these attacks happen. Especially if the rumours surrounding the autonomous PLA Unit 61398 are true.
securityaffairs
User Rank: Ninja
4/23/2014 | 2:19:37 AM
Re: Hungry Bots
It's a good time to take the defense by surprise ... nothing more, but we have to consider that it is just a tentative. I have found very interesting the data on bad bot originators by country, in particular the ranking of China, India and Russia ... the report explicitly mentions the Internet exchange points as motivation ... but I think that there is something else.
Robert McDougal
User Rank: Ninja
4/22/2014 | 9:59:03 PM
Re: Hungry Bots
I agree with the logic of launching attacks when no one is looking as well. However, it also corresponds to the start of the business day in countries such as China, where many attacks originate.
Kelly Jackson Higgins
User Rank: Strategist
4/22/2014 | 3:53:30 PM
Re: Hungry Bots
Good question, Marilyn. The report attributes it to the attackers waiting for most IT and web security pros to leave the office for the day--kind of like how many attacks occur after hours or on weekends, when the security team is at skeletal numbers. 
Marilyn Cohodas
User Rank: Strategist
4/22/2014 | 3:48:45 PM
Hungry Bots
Interesting about the timing around dinner time. Is there a theory about why then? Or just coincidence? 