Top 10 Botnet Threat Report for 2010 Released by Damballa

Damballa Inc. today released its “Top 10 Botnet Threat Report – 2010” at the RSA Conference in San Francisco. The report reveals a dramatic increase in Internet crime and targeted botnet attacks. At its peak in 2010, the total number of unique botnet victims grew by 654 percent, with an average incremental growth of eight percent per week.

“Prior to 2010, many people thought in terms of spam and DDoS whenever the term ‘botnet’ was discussed,” said Gunter Ollmann, vice president of research, Damballa. “By the end of the year, botnets such as Mariposa, Aurora, Koobface and Stuxnet had become household names – revealing the breadth of crime commonly being facilitated with remotely controllable bot agents.”

The eight-page Damballa report reveals that many new botnets were discovered in 2010. Some highlights include:

• Of the Top 10 largest botnets in 2010, six did not exist in 2009, and only one (Monkif) was present in the 2009 Top 10 largest botnets.

• The biggest botnet of 2010 (a botnet associated with the TDL Gang) rose dramatically to international attention in the second half of the year, claiming nearly 15 percent of all unique infected victims in 2010.

• The Top 10 largest botnets in 2010 accounted for approximately 47 percent of all botnet-compromised victims, down from 81 percent for the 2009 Top 10. This decrease was not unexpected, as the number of new criminal botnet operators increased, as did the average number of botnets owned and managed by each botnet master.

• Of the tens of millions of infected systems identified in 2010, Damballa ascertained that more than 35 percent of unique infected IP addresses were simultaneously victims of two or more different botnet campaigns.

Damballa notes that the substantial growth in botnet infections observed reflects the following:

• The second half of 2010 saw the rapid evolution of many popular botnet do-it-yourself (DIY) construction kits and the increased availability of feature-rich browser exploit packs.

• Cyber criminals providing specialized malware distribution services became more proficient at installing bot agents on behalf of their customers (i.e. botnet operators).

• The last quarter of 2010 was heavily influenced by the rapid growth of botnets utilizing the TDL master-boot-record (MBR) rootkit technology.

• Damballa developed and deployed multiple new command-and-control detection technologies that increased its ability to detect additional categories of stealthy botnet deployments.

The report notes that, whether using well-known techniques or the latest in armoring and deception, botnets continue to dominate the cyber threat landscape. With malware that can be repurposed, botnets that can be rented, and new and attractive targets in the proliferation of smartphones and mobile devices, 2011 will be a challenging year for enterprise security teams and service provider network abuse professionals.

The full report is available here (Direct PDF Download)
