Endpoint
4/22/2014
01:25 PM

Bots Attack US Mainly During Dinnertime

Most bot-infected machines hail from the US and wage attacks there between 6 and 9 p.m. Eastern Time, new report finds.

Botnets do most of their dirty work in the US during and after dinnertime -- and they now generate twice the web traffic they did a year ago, a new report finds.

Distil Networks' "2014 Annual Bad Bot Report," published today, found bad bots (versus search engine and other automated "good" bots) account for nearly 24 percent of all web traffic. The report covers activity of some 2.2 million bots from January through December of 2013, and draws from Distil's database of 7 billion bad bots. Good bot traffic actually dropped from 27.2 percent to 19.4 percent.

"They are very clearly proliferating," says Rami Essaid, CEO and co-founder of Distil. "The costs to rent out bots are declining, and the supply is growing so much."

Pushdo is currently the world's biggest botnet, according to Distil's data, with 4 million bots and 4.2 million IP addresses sending spam and Trojans such as SpyEye and Zeus. Distil found Pushdo traffic originating from 15,000 ISPs, hosting providers, and others, with US government and military networks among those infected with the bot malware.

"Pushdo is the most prolific one. It's been around for a while, and [declined] for a bit, but starting last year there was a resurgence," Essaid says. "The Pushdo command and control is very unique... It sends out 10,000 different messages."

Source: Distil Networks

But not all botnets run off of infected end-user machines: Distil spotted cloud-hosted bots. Most were from Amazon, which was seen hosting 14 percent of bad bot traffic among hosting providers. "How cheap cloud computing has become has allowed bot-makers to leverage legitimate cloud hosting. The US is the biggest harborer of bots -- not just botnets."

The US (46 percent), Great Britain (19 percent), Germany (9.6 percent), and The Netherlands (3.3 percent) are the top four homes to bad bots, according to Distil's report, and more than 1,100 ISPs and hosting providers have bad bots accounting for 70 percent or more of their traffic.

According to the report, Verizon Business generates 11 percent of all bad bot traffic, and Level 3 Communications 10 percent. "From the ISP perspective, costs run much higher when trying to clean up infected computers. In the case of residential ISPs, informing consumers that their computers are infected with malware and helping them perform the associated cleanup would triple support costs," the report says.

The security-savvy financial services industry, ironically, serves up more bad bot traffic than other industries. Distil found that QTrade Capital Partners LLC originated more than 120 million bot requests over the 12-month period, serving mostly bot traffic. Some 99.5 percent of its traffic across Distil customer sites was bot-generated. "Other notable launchers of bots in financial services include Bloomberg and Nasdaq, which had over a million bot requests each," Distil said in its report.

Botnets are also growing in the mobile space, with an increase of more than 1,000 percent in the past year. Distil discovered bad bots in nine of the world's top 10 mobile provider networks, with US mobile networks the worst offenders.

"The highest volume of bad bot traffic was identified across AT&T's network, while internationally, Vodafone had the highest number of malicious bot requests," according to the report.

Essaid says a botnet operator can abuse mobile devices over a longer period of time, and the number of these devices is on the rise, making it more difficult to pinpoint bot infections on them.

The full report is available here for download.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
SevilC489
User Rank: Apprentice
7/7/2014 | 9:32:37 AM
Re: Hungry Bots
Why dinnertime?

Is it not better to attack all night?
Marilyn Cohodas
User Rank: Strategist
4/23/2014 | 10:42:58 AM
Re: Hungry Bots
They are both evil. That's for sure.
Drew Conry-Murray
User Rank: Ninja
4/23/2014 | 10:42:12 AM
Re: Hungry Bots
Bots and telemarketers both strike at dinnertime? Maybe they're run by the same organizations. : )
Marilyn Cohodas
User Rank: Strategist
4/23/2014 | 7:52:45 AM
Re: Hungry Bots
I thought the same thing about time zones, Robert. In the Internet, there probably is never a time when no one is looking, but it makes sense that attackers would optimize their strategy in that way.
Whoopty
User Rank: Ninja
4/23/2014 | 6:51:49 AM
Re: Hungry Bots
That makes sense, mirroring the way special forces units will often launch raids in the early hours of the morning - catching your enemy unawares.

However, I think it's no coincidence, as you say, that China and Russia are just starting business when these attacks happen. Especially if the rumours surrounding the autonomous PLA Unit 61398 are true.
securityaffairs
User Rank: Ninja
4/23/2014 | 2:19:37 AM
Re: Hungry Bots
It's a good time to take the defense by surprise ... nothing more, but we have to consider that it is just a tentative. I found the data on bad bot originators by country very interesting, in particular the ranking of China, India and Russia ... the report explicitly mentions the Internet exchange points as the motivation ... but I think that there is something else.
Robert McDougal
User Rank: Ninja
4/22/2014 | 9:59:03 PM
Re: Hungry Bots
I agree with the logic of launching attacks when no one is looking as well. However, it also corresponds to the start of the business day in countries such as China, where many attacks originate.
Kelly Jackson Higgins
User Rank: Strategist
4/22/2014 | 3:53:30 PM
Re: Hungry Bots
Good question, Marilyn. The report attributes it to the attackers waiting for most IT and web security pros to leave the office for the day -- kind of like how many attacks occur after hours or on weekends, when the security team is at skeletal numbers.
Marilyn Cohodas
User Rank: Strategist
4/22/2014 | 3:48:45 PM
Hungry Bots
Interesting about the timing around dinner time. Is there a theory about why then? Or just coincidence?