Understanding a Botnet Lifecycle

Tuesday, June 23, 2015 @ 08:06 PM gHale

The average botnet in the first quarter consisted of 1,700 infected hosts per command-and-control (C&C) server, a new survey said.

The report is the result of more than 1,000 C&C servers analyzed by Level 3 Threat Research Labs in the first quarter, of which 600 were found to be used for malicious communications targeting corporate environments.


The average number of infected hosts per C&C server in 2015’s first quarter was 1,700, with the volume of infected hosts per C&C server declining over the months, according to Level 3 Threat Research Labs’ “Safeguarding the Internet: Level 3 Botnet Research Report.” It peaked at 3,763 in January and bottomed out at 338 in March.

The first quarter of 2015 saw the average lifespan of a C&C server at 38 days. During that time frame, botnets usually performed more than one function like malware distribution, phishing, or destruction of critical information assets, the report said.

One of the most common functions for botnets is distributed denial-of-service (DDoS) attacks. In Q1, 56 percent of DDoS attacks were directed at targets in the U.S., while 32 percent were aimed at Europe, the Middle East and Africa. The biggest targets of DDoS attacks included the gaming industry and Internet service providers.

Altogether, the U.S. is the top country generating C&C server traffic, with Ukraine, Russia, the Netherlands, Germany, Turkey, France, the UK, Vietnam and Romania rounding out the top ten. Level 3 researchers observed that an average of 20 percent of C&C servers were based in North America.

With 532,000 unique victim IP addresses, China is the country with the highest absolute number of victims that conversed with C&C servers at one point during the quarter. The U.S. had 528,000 unique victim IP addresses, while Norway had 213,000, Spain had 129,000, and Ukraine had 124,000.

Another trend noted in the report is movement to the cloud, whereby attackers are shifting from compromising legitimate servers to creating bots on rogue virtual machines (VMs).