Endpoint
4/22/2014
01:25 PM
Bots Attack US Mainly During Dinnertime

Most bot-infected machines hail from the US and wage attacks there between 6 and 9 p.m. Eastern Time, new report finds.

Botnets do most of their dirty work in the US during dinner and after dinnertime -- and they now create twice the web traffic they did a year ago, a new report finds.

Distil Networks' "2014 Annual Bad Bot Report," published today, found bad bots (versus search engine and other automated "good" bots) account for nearly 24 percent of all web traffic. The report covers activity of some 2.2 million bots from January through December of 2013, and draws from Distil's database of 7 billion bad bots. Good bot traffic actually dropped from 27.2 percent to 19.4 percent.

"They are very clearly proliferating," says Rami Essaid, CEO and co-founder of Distil. "The costs to rent out bots are declining, and the supply is growing so much."

Pushdo is currently the world's biggest botnet, according to Distil's data, with 4 million bots and 4.2 million IP addresses sending spam and Trojans such as SpyEye and Zeus. Distil found Pushdo traffic originating from 15,000 ISPs, hosting providers, and others, with US government and military networks among those infected with the bot malware.

"Pushdo is the most prolific one. It's been around for awhile, and [declined] for a bit, but starting last year there was a resurgence," Essaid says. "The Pushdo command and control is very unique... It sends out 10,000 different messages."

Source: Distil Networks

But not all botnets run off of infected end-user machines: Distil spotted cloud-hosted bots. Most were from Amazon, which was seen hosting 14 percent of bad bot traffic among hosting providers. "How cheap cloud computing has become has allowed bot-makers to leverage legitimate cloud hosting. The US is the biggest harborer of bots -- not just botnets."

The US (46 percent), Great Britain (19 percent), Germany (9.6 percent), and The Netherlands (3.3 percent) are the top four homes to bad bots, according to Distil's report, and more than 1,100 ISPs and hosting providers have bad bots accounting for 70 percent or more of their traffic.
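As an added example (not code from Distil or the article), the two cuts the report makes, bad-bot requests by Eastern-time hour and the bad-bot share of each originating network against the 70 percent cut-off, computed over a constructed log whose verdict field is assumed to come from an upstream bot classifier:

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

DINNER_WINDOW = range(18, 21)            # 6 p.m. to 9 p.m. Eastern: hours 18, 19, 20
BAD_SHARE_THRESHOLD = 0.70               # report's cut for networks that are mostly bad bots
EASTERN = timezone(timedelta(hours=-4))  # fixed EDT offset, enough for June sample data

# Constructed sample: ip, originating network, UTC timestamp, verdict from an
# assumed upstream bot classifier (human / good_bot / bad_bot). Not real data.
SAMPLE_LOG = """\
203.0.113.5 HOST-A 2013-06-12T23:10:00Z bad_bot
203.0.113.6 HOST-A 2013-06-12T23:15:00Z bad_bot
203.0.113.7 HOST-A 2013-06-13T00:05:00Z bad_bot
203.0.113.8 HOST-A 2013-06-13T10:00:00Z human
203.0.113.9 HOST-A 2013-06-13T08:00:00Z bad_bot
198.51.100.2 ISP-B 2013-06-13T14:00:00Z human
198.51.100.3 ISP-B 2013-06-13T15:30:00Z good_bot
198.51.100.4 ISP-B 2013-06-13T00:20:00Z bad_bot
192.0.2.9 ISP-C 2013-06-12T22:45:00Z human
"""

def parse_line(line):
    """Split one log line and convert its UTC timestamp to Eastern time."""
    ip, net, ts, verdict = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ip, net, when.astimezone(EASTERN), verdict

def summarize(log_text):
    """Return (bad-bot requests per Eastern hour, bad-bot share per network, flagged networks)."""
    hourly = Counter()
    totals = defaultdict(lambda: [0, 0])  # net -> [bad-bot requests, all requests]
    for line in log_text.strip().splitlines():
        _ip, net, when, verdict = parse_line(line)
        totals[net][1] += 1
        if verdict == "bad_bot":
            totals[net][0] += 1
            hourly[when.hour] += 1
    share = {net: bad / total for net, (bad, total) in totals.items()}
    flagged = sorted(net for net, s in share.items() if s >= BAD_SHARE_THRESHOLD)
    return hourly, share, flagged

def dinner_share(hourly):
    """Fraction of all bad-bot requests that land in the 6-9 p.m. Eastern window."""
    total = sum(hourly.values())
    return sum(hourly[h] for h in DINNER_WINDOW) / total if total else 0.0
```

On the sample, four of the five bad-bot requests fall in the dinner window and HOST-A is the only network at or above the 70 percent cut-off.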

According to the report, Verizon Business generates 11 percent of all bad bot traffic, and Level 3 Communications 10 percent. "From the ISP perspective, costs run much higher when trying to clean up infected computers. In the case of residential ISPs, informing consumers that their computers are infected with malware and helping them perform the associated cleanup would triple support costs," the report says.

The security-savvy financial services industry, ironically, serves up more bad bot traffic than other industries. Distil found that QTrade Capital Partners LLC originated more than 120 million bot requests over the 12-month period, serving mostly bot traffic. Some 99.5 percent of its traffic across Distil customer sites was bot-generated. "Other notable launchers of bots in financial services include Bloomberg and Nasdaq, which had over a million bot requests each," Distil said in its report.

Botnets are also growing in the mobile space, with an increase of more than 1,000 percent in the past year. Distil discovered bad bots in nine of the world's top 10 mobile provider networks, with US mobile networks the worst offenders.

"The highest volume of bad bot traffic was identified across AT&T's network, while internationally, Vodafone had the highest number of malicious bot requests," according to the report.

Essaid says a botnet operator can abuse mobile devices over a longer period of time, and the number of these devices is on the rise, making it more difficult to pinpoint bot infections on them.

The full report is available here for download.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
SevilC489
User Rank: Apprentice
7/7/2014 | 9:32:37 AM
Re: Hungry Bots
Why dinnertime?

Is it not better to attack all night?
Marilyn Cohodas
User Rank: Strategist
4/23/2014 | 10:42:58 AM
Re: Hungry Bots
They are both evil. That's for sure.
Drew Conry-Murray
User Rank: Ninja
4/23/2014 | 10:42:12 AM
Re: Hungry Bots
Bots and telemarketers both strike at dinnertime? Maybe they're run by the same organizations.  : )
Marilyn Cohodas
User Rank: Strategist
4/23/2014 | 7:52:45 AM
Re: Hungry Bots
I thought the same thing about time zones, Robert. In the Internet, there probably is never a time when no one is looking, but it makes sense that attackers would optimize their strategy in that way.
Whoopty
User Rank: Moderator
4/23/2014 | 6:51:49 AM
Re: Hungry Bots
That makes sense, mirroring the way special forces units will often launch raids in the early hours of the morning - catching your enemy unawares.

However, I think it's no coincidence, as you say, that China and Russia are just starting business when these attacks happen. Especially if the rumours surrounding the autonomous PLA Unit 61398 are true.
securityaffairs
User Rank: Ninja
4/23/2014 | 2:19:37 AM
Re: Hungry Bots
It's a good time to take the defense by surprise ... nothing more, but we have to consider that it is just a tentative. I have found very interesting the data on bad bot originators by country, in particular the ranking of China, India and Russia ... the report explicitly mentions the Internet exchange points as motivation ... but I think that there is something else.
Robert McDougal
User Rank: Ninja
4/22/2014 | 9:59:03 PM
Re: Hungry Bots
I agree with the logic of launching attacks when no one is looking as well.  However, it also corresponds to the start of the business day in countries such as China, where many attacks originate.
Kelly Jackson Higgins
User Rank: Strategist
4/22/2014 | 3:53:30 PM
Re: Hungry Bots
Good question, Marilyn. The report attributes it to the attackers waiting for most IT and web security pros to leave the office for the day--kind of like how many attacks occur after hours or on weekends, when the security team is at skeletal numbers.
Marilyn Cohodas
User Rank: Strategist
4/22/2014 | 3:48:45 PM
Hungry Bots
Interesting about the timing around dinner time. Is there a theory about why then? Or just coincidence?