Spamhaus Botnet Summary 2016
2016 was a busy year for existing and emerging cyber threats. In the past year, Spamhaus researchers issued listings for over 7,000 botnet Command & Control ("C&C") servers on more than 1,100 different networks. These C&C servers enabled and controlled online crime such as credential theft, e-banking fraud, spam and DDoS attacks. They were also used for the retrieval of stolen data. 2016 will also go down in history as the first year that security issues related to the "Internet of Things" (IoT) not only became mainstream, but turned into a serious enabler of ever larger attacks and a source of many future problems.
In 2016, one out of five SBL listings was for a botnet C&C server. Such servers are used by cybercriminals to control infected computers ("bots") and to retrieve stolen data from them. While 7,314 is still a very high number of C&C servers, it is a decrease of 1,166 (or 13.8%) from the number of botnet controllers we detected in 2015.
The majority (4,481 or 61.3%) of the botnet controllers Spamhaus found in 2016 were hosted on servers that cybercriminals had ordered for the exclusive purpose of hosting a botnet controller (so-called fraudulent sign-ups). This is an increase of 472 (or 11.8%) compared to 2015 and continues a shift that first emerged in 2015, when the majority of newly detected botnet controllers moved from compromised websites to servers ordered by cybercriminals specifically for hosting botnet C&Cs.
All botnet C&C IP addresses detected were automatically listed on the Spamhaus Botnet Controller List (BCL), a specialized "drop all traffic" list intended for networks to null-route traffic to and from botnet controllers. The Spamhaus BCL only lists IP addresses of servers set up and operated by cybercriminals for the exclusive purpose of hosting a botnet controller. Because these IP addresses host no legitimate services or activities, they can be blocked outright on ISP and corporate networks without risk of affecting legitimate traffic, which cuts any infected computers on those networks off from their controllers and makes them largely harmless.
Chart: Botnet listings total (BCL + compromised)
Chart: Pure BCL listings
As the figures above show, the number of server-hosted botnet controllers decreased during 2016. One of the reasons for this is the increased use of anonymization networks (the "dark web") by miscreants to hide the real location of their botnet controllers. In particular, the use of Tor by cybercriminals has vastly increased over the past year. Due to the nature of such anonymization networks, it is impossible to easily block specific content hosted there (e.g. botnet controllers), or to identify the final destination of a C&C communication (e.g. where the malware is sending stolen data such as credentials or credit card details). From the perspective of a network operator, the only way to prevent abuse via anonymization networks is to block them entirely, which can be a difficult choice as there are also legitimate uses for them. In the case of Tor this means blocking connections to the publicly listed relays, or the Tor protocol itself, because an infected host never connects directly to a C&C hosted as a hidden service. We believe that ISPs and hosting providers will soon be confronted with the question of whether to allow the use of anonymization services such as Tor or to block them completely, unless the operators of anonymization services step up to stop abusers more effectively.
For botnet controllers that were not behind an anonymization network, we produced some statistics. The following table shows a list of ISPs ranked by number of C&Cs detected on that ISP's network during the past year, and also includes 2015 data to observe trends. These data include botnet controllers that were hosted on compromised webservers or websites, as well as those hosted through fraudulent sign-ups (BCL listings).
Table: Overall botnet hosting (compromised websites, compromised servers, fraudulent sign-ups)
The table shows the total number of detected botnet controllers per ISP, not distinguishing between compromised webservers/websites or fraudulent sign-ups. This has to be considered carefully before drawing conclusions from these data. In general, large networks attract more abuse than smaller ones, simply due to the fact that they host more servers and websites that are poorly patched or not maintained at all.
It can be quite difficult for an ISP or hosting provider to prevent the compromise of a customer's server or website, since these are often fully under the control of the customer. In fact, many servers and websites run outdated software, which makes them vulnerable to attacks from the internet. It is an easy task for a cybercriminal to scan the internet for servers or websites running outdated or vulnerable software. Some of the most popular open source CMSes, such as WordPress, Joomla, Typo3 and Drupal, are especially popular targets due to the high number of poorly maintained installations of these packages. We have seen that some of the more proactive ISPs and hosting providers are now using newer tools and methods to track down outdated software and to monitor C&C traffic. Of course, blocking traffic to known C&Cs is a good start.
However, compromised servers and websites are just part of the problem. The other part of the ongoing botnet problem is the fraudulent sign-ups. A "fraudulent sign-up" is generally when a miscreant orders a server (e.g. a VPS) at a hosting provider for the exclusive purpose of hosting a botnet controller. This means that the host at such an IP address is not compromised; it is operated by cybercriminals. To ensure they are not traceable, cybercriminals use fake or stolen identities to place orders with service providers. Services are paid for using stolen credit cards, compromised PayPal accounts or (anonymous) crypto-currency such as Bitcoin. Providers can battle such fraudulent sign-ups by doing proper customer verification. However, it is not unusual for a fraudulent sign-up to slip through the anti-fraud checks. Our article, "How hosting providers can battle fraudulent sign-ups", contains more information on this topic.
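The two operational uses of a controller list mentioned above, dropping all traffic to listed addresses and monitoring for hosts that talk to a known C&C, can be put together in a few lines. The following is an added example written for this article, not Spamhaus code: it assumes a list in the "CIDR ; reference" text layout of the Spamhaus DROP files (the real BCL feed is obtained from Spamhaus and may be distributed differently), and all networks, SBL references and log lines below are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample list in the "CIDR ; reference" text layout of the Spamhaus
# DROP files. Networks and SBL numbers are made up for this example; the real
# BCL feed must be obtained from Spamhaus and may use a different format.
SAMPLE_BCL = """\
; constructed sample, not real listings
192.0.2.10/32 ; SBL000001
198.51.100.0/29 ; SBL000002
203.0.113.77/32 ; SBL000003
"""

# Constructed iptables-style forward log lines from an internal network.
SAMPLE_LOG = """\
Jan  5 10:01:02 gw kernel: FWD IN=eth1 OUT=eth0 SRC=10.0.0.15 DST=192.0.2.10 PROTO=TCP DPT=443
Jan  5 10:01:03 gw kernel: FWD IN=eth1 OUT=eth0 SRC=10.0.0.15 DST=93.184.216.34 PROTO=TCP DPT=80
Jan  5 10:01:07 gw kernel: FWD IN=eth1 OUT=eth0 SRC=10.0.0.42 DST=198.51.100.5 PROTO=TCP DPT=8080
Jan  5 10:01:09 gw kernel: FWD IN=eth1 OUT=eth0 SRC=10.0.0.42 DST=198.51.100.9 PROTO=UDP DPT=53
"""

LOG_RE = re.compile(r"SRC=(?P<src>[0-9A-Fa-f.:]+) DST=(?P<dst>[0-9A-Fa-f.:]+).*?DPT=(?P<dpt>\d+)")


def parse_drop_list(text):
    """Map each listed network to its reference; ';' starts a comment."""
    entries = {}
    for raw in text.splitlines():
        cidr, _, ref = raw.partition(";")
        cidr = cidr.strip()
        if not cidr:          # blank line or a line that is only a comment
            continue
        # strict=True rejects entries with host bits set, which would point to
        # a corrupted or tampered list rather than a typo worth tolerating
        entries[ipaddress.ip_network(cidr, strict=True)] = ref.strip()
    return entries


def lookup(networks, ip):
    """Return (network, reference) of the most specific listing covering ip, else None."""
    addr = ipaddress.ip_address(ip)
    best = None
    # A linear scan is fine for a few thousand entries; use a radix tree for more.
    for net, ref in networks.items():
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, ref)
    return best


def find_cnc_contacts(networks, log_text):
    """Flows whose destination is a listed controller: (src, dst, dport, reference)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        found = lookup(networks, m["dst"])
        if found is not None:
            hits.append((m["src"], m["dst"], int(m["dpt"]), found[1]))
    return hits


def infected_hosts(hits):
    """Internal addresses that talked to a controller, for the abuse/IR queue."""
    return sorted({src for src, _, _, _ in hits})


def null_route_commands(networks):
    """Linux 'blackhole' routes implementing the drop-all-traffic policy."""
    ordered = sorted(networks, key=lambda n: (n.version, n))
    return [f"ip route add blackhole {net.with_prefixlen}" for net in ordered]


if __name__ == "__main__":
    nets = parse_drop_list(SAMPLE_BCL)
    for src, dst, dport, ref in find_cnc_contacts(nets, SAMPLE_LOG):
        print(f"{src} -> {dst}:{dport} listed as {ref}")
    for cmd in null_route_commands(nets):
        print(cmd)
```

Blackholing the listed prefixes stops the C&C traffic, but the log matching is what turns the list into a cleanup queue: every internal source that appears in the hits (10.0.0.15 and 10.0.0.42 in the constructed data, while the flow to 198.51.100.9 stays clean because it falls outside the listed /29) is a machine that is infected, not merely a blocked connection.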
Note that this table shows the raw number of C&Cs on each provider. It says nothing about how long each botnet C&C was left active, or whether the provider heeded C&C reports from Spamhaus or not. In many cases, the volume of abuse originating from a provider is proportional to the size of the ISP or hosting provider's network and the number of customers.
However, the table also contains a few smaller providers that you may never have heard of, but that have hosted disproportionately large numbers of C&Cs. These providers attract more cybercriminals than other providers. Why? There are several reasons that this may happen:
Let us also have a look at what kind of malware was associated with the botnet controllers Spamhaus detected in 2016. The table below shows the number of all botnet listings per malware family in 2016.
It is fair to say that 2016 was the year of extortion. While many of the listings were related to e-banking Trojans, a new threat grew very quickly in 2016: ransomware. The number of listings concerning ransomware (such as TorrentLocker, Locky or Cerber) increased on an unprecedented scale in 2016.
In the autumn of 2016 Spamhaus also began listing botnet controllers associated with malware specifically targeting the "Internet of Things". Within just two months Spamhaus researchers identified, blocklisted and helped dismantle almost 400 IoT malware botnet controllers. We will soon publish a separate article detailing the specific challenges of IoT bots.