Bad bots are big – and getting bigger. There was a 37% increase in botnet command-and-control (C&C) listings in 2017, with the majority (68%) of them being hosted on servers run by threat actors.
According to the Spamhaus Botnet Threat Report 2017, the company’s malware division identified and issued Spamhaus Block List (SBL) listings for more than 9,500 botnet C&C servers on 1,122 different networks. In 2017, nearly every seventh SBL listing that Spamhaus issued was for a botnet controller.
Of course, not all botnets are bad bots; but Spamhaus's Botnet Controller List (BCL), which exclusively lists IP addresses of botnet servers set up and operated by cybercriminals, saw listings increase by more than 40% in one year (and more than 90% since 2014). On average, Spamhaus is issuing between 600 and 700 BCL listings per month.
The reality of the situation is probably much worse: The statistics exclude botnet controllers that are hosted on anonymization networks like Tor.
Botnet C&C controllers are used by cybercriminals to send out spam and ransomware, launch distributed denial of service (DDoS) attacks, commit e-banking fraud or click fraud or mine cryptocurrencies such as Bitcoin and Monero. With the rise of the internet of things (IoT)–enslaved class of devices, such as smart thermostats, webcams or network attached storage devices (NAS), controller palettes have continued to get more diverse – and numerous.
In fact, the number of IoT botnet controllers alone more than doubled from 393 in 2016 to 943 in 2017.
“Looking forward to 2018, there is no sign that the number of cyber threats will decrease,” Spamhaus noted in its report. “The big increase of IoT threats in 2017 is very likely to continue in 2018. We are sure that securing and protecting IoT devices will be a core topic in 2018.”
This will likely correspond with an uptick in DDoS attacks.
"The latest 2017 threat report from Spamhaus shows a notable uptick in detected botnets, compared to 2016,” said Stephanie Weagle, vice president of marketing at DDoS specialist Corero Network Security, via email. “The increase is no surprise, given the recent trend of leveraging poorly secured IoT devices, and is only set to increase given the increasing sophistication with which devices are being compromised and recruited. Combined with new DDoS attack vectors and techniques, such as the recent appearance of so-called pulse-wave attacks, the risk of being hit by a damaging attack for those not properly protected is higher than ever."
The report also uncovered that, looking at the geographic location of the botnet controllers, the top botnet hosting country is the US, followed by Russia. Also, when it comes to the kinds of malware associated with the botnet controllers, the Pony downloader topped the list, with 1,015 associated C&Cs. Generic IoT malware came in second; and the Loki credential stealer/banking Trojan took third place with 933 C&Cs.
Interestingly, while Locky and TorrentLocker where omnipresent in 2016, these two ransomware families did not make it into the top 20 in 2017. They have been replaced by the Cerber ransomware, which claimed the No. 7 spot, with 293 C&Cs.