The Spamhaus Project

Botnet Threat Update: Q2 2020

Botnet operators certainly were busy during lockdown. It's unfortunate to report a 29% increase quarter on quarter in newly observed botnet Command and Controllers (C&Cs), after last quarter's reduction.

by The Spamhaus Team, July 30, 2020

Introduction

The pandemic certainly didn’t put the brakes on botnet operators in Q2 2020. After the welcome decrease in activity at the end of Q1, the research team tracked and listed a 29%* increase in newly observed botnet Command and Controllers (C&Cs) under the direct control of miscreants.

Highlighting networks with the most active botnet C&Cs

Historically, our Quarterly Botnet Threat Updates have focused on newly observed botnet Command and Controllers (C&Cs). That figure is a good illustration of the quality of a network’s customer vetting process and security mechanisms; however, it provides no insight into how particular networks handle abuse reports.

Additionally, counting only new botnet C&Cs lets “bulletproof” hosting companies evade being listed in our Botnet Threat Updates: because they never take down the botnet C&Cs already on their network, operators have no need to stand up new ones there, so few new ones appear.

To address this problem, this Update now also includes statistics on the networks hosting the highest total number of active botnet C&Cs.

To produce these figures, we count, per network, the total number of unresolved botnet C&C listings on the Spamhaus Blocklist (SBL). Realtime data on these statistics can be accessed 24/7 on the Spamhaus website: www.spamhaus.org/statistics/networks/

Number of botnet C&Cs observed, Q2 2020

What is a ‘fraudulent sign-up’?

This is where a miscreant uses a fake or stolen identity to sign up for a service, usually a Virtual Private Server (VPS) or a dedicated server, for the sole purpose of hosting a botnet C&C on it.

In the second quarter of 2020, Spamhaus Malware Labs identified a total of 3,559 new botnet Command & Control servers (C&Cs). Out of this total number, 2,701 were under the direct control of miscreants i.e., as a result of a fraudulent sign-up.

In the first quarter of this year we saw a 57% decrease in newly observed botnet C&Cs under malicious control, which was extremely positive. By the end of this quarter, the figures had unfortunately swung back in the opposite direction, with a 29%* increase.

Spamhaus Malware Labs has also identified that, over the past few months, botnet C&Cs appear to be staying active for longer, i.e., it’s taking longer for them to be shut down.

Number of new botnet C&Cs detected by Spamhaus since the beginning of 2020:

Geolocation of botnet C&Cs in Q2, 2020

Let’s take a more in-depth look at where in the world these botnet C&Cs were hosted. Given the increase in the total number of new botnet C&Cs, it’s not surprising that all countries, except China, had an uptick in the number of botnet C&Cs they were hosting. However, there are some newcomers to the chart, while other countries improved and left the Top 20 listing.

Significant increases

Russia is making a strong bid to take the top spot back from the USA; it increased its listing numbers by 198 botnet C&Cs quarter on quarter.

Singapore, however, had the highest percentage increase, at 157%, taking it from #9 in Q1 to #5 in Q2.

New entries

#10 Hungary, #14 Estonia, #18 India and #20 Lithuania. Hungary was the highest newcomer to the Top 20 list, with 70 newly detected botnet C&Cs.

Departures

Hong Kong, Malaysia, Luxembourg and Switzerland all improved and dropped off the Top 20 list. Well done!

Top 20 locations of botnet C&Cs


Malware associated with botnet C&Cs, Q2 2020

Credential Stealers

What are Credential Stealers?

This kind of malware is used by bad actors to steal personal information from a victim’s computer, including keystrokes (keylogging functionality), session cookies, email addresses, and credentials for various online services, such as email and File Transfer Protocol (FTP).

The high volume of credential stealers we reported throughout 2019 continued into Q2 2020. While we have seen a decrease in malware activity linked to Lokibot (#1 in Q1) and AZORult (#2 in Q1), we have seen a substantial increase in the volume of spam emails distributing another credential stealer, AgentTesla: the number of botnet C&Cs associated with this malware family rose by 772% between Q1 and Q2. Let’s be honest – that’s one behemoth increase!

QNodeService

A malware family that is new on the scene is QNodeService. It first appeared in March 2020 and acts as a downloader for a malicious script written for the JavaScript runtime Node.js.

Looking at our records, QNodeService appears to be the very first malware-as-a-service that uses Node.js. Using Java + JavaScript comes with a handful of benefits from a threat actor’s perspective, including poor AV detection rates and multi-OS support.

Emotet

With no activity tracked for Emotet in Q2, it dropped off the Top 20 list. However, at the time of writing this report, we have seen Emotet’s malspam campaigns fire up again, so we expect Emotet to reappear in Q3.

Malware families associated with botnet C&Cs

Most abused top-level domains, Q2 2020

Here are the top-level domains (TLDs) most frequently chosen by botnet operators to host their infrastructure on. There have been significant changes between the two quarters, with six new entries and one meteoric rise.

.top & .gq

Having sat in the lower part of the Top 20 list in Q1, .top has seen an extraordinary 530% increase in Q2, taking it into second place behind .com. Another TLD that has seen a huge increase between the two quarters is .gq, up 316%.

.pw

With a 91% decrease in listed botnet C&C domains, .pw has dropped from #3 in Q1 to #20 in Q2.

.de

The country code top-level domain (ccTLD) of Germany, .de, appears in our Top 20 list for the first time.

Top abused TLDs - number of domains

Most abused domain registrars, Q2 2020

When setting up botnet C&C infrastructure, threat actors need to decide which registrar to register their domains with. Registrars can’t easily detect fraudulent sign-ups; however, with well-run registrars, domains used for botnet C&Cs don’t tend to have a long lifespan.

Namecheap

The US-based domain registrar Namecheap has held the #1 spot for a significant length of time.

Enom

Entering the Top 20 at #2, Enom had 419 botnet C&Cs operating on domains registered through it in Q2.

Highest climbers

NameSilo had a 90% increase in the number of botnet C&Cs operating on domains registered through it in Q2, taking it to #3 in the Top 20 list. An even more considerable increase, of 202%, came from Alibaba, moving it up from #11 in Q1 to #4 in Q2.

Most abused domain registrars - number of domains

Networks hosting the most newly observed botnet C&Cs, Q2 2020

The hosting landscape is fast-moving: you only have to look regularly at “The World’s Worst Spam Support ISPs” on The Spamhaus Project’s website to see how quickly the environment changes. It is therefore not surprising that there were multiple changes in our Top 20 listing: 6 networks dropped off our chart, making room for 6 newcomers!

selectel.ru

This Russian hosting company has been present in the Top 20 for a long time. However, the situation deteriorated in Q2: we witnessed a 194% increase in new botnet C&Cs on their network. As a result, selectel.ru has knocked cloudflare.com off the #1 spot.

cloudflare.com

We are delighted to see that the US CDN provider Cloudflare improved its abuse situation in Q2, reducing the number of new botnet C&Cs operating on its network by 50%. This is a great effort, and we look forward to seeing this reduce further in the forthcoming quarter.

namecheap.com

Namecheap, as detailed earlier in this report, is the most abused domain registrar when it comes to botnet C&Cs. Sadly, Namecheap also made it into the Top 10 networks hosting the most newly observed botnet C&Cs in Q2.

tencent.com

The Chinese cloud service provider Tencent was heavily abused by threat actors for hosting botnet C&Cs over the past two years. We are very pleased to see that Tencent dropped out of our Top 20 list in Q2. We hope that this will be a signal to its rival, Alibaba, to improve as well; unfortunately, we haven’t seen much sign of this yet.

Russian hosting providers improved

We were pleased to observe that a handful of Russian hosting providers, including mgnhost.ru, firstbyte.ru and best-hoster.ru, stepped up their fight against abuse, resulting in a lower number of new botnet C&Cs on their networks. As a result, these dropped off the Top 20 list.

Newly observed botnet C&Cs per network

Networks hosting the most active botnet C&Cs, Q2 2020

As mentioned in the “Spotlight” section of this Update (“Highlighting networks with the most active botnet C&Cs”), we are now also listing the network operators with the highest total number of active botnet C&Cs on their network, i.e., not only the botnet C&Cs Spamhaus has seen for the first time this quarter.

ghlc.biz

This network, located in the UK according to RIPE records, was hosting more than 300 active botnet C&Cs by the end of Q2. It shows little interest in acting on abuse reports, which in turn allows botnet C&Cs to remain online. Consequently, we currently consider this network “bulletproof” and have added it to the Spamhaus Don’t Route Or Peer (DROP) list, advising our users not to accept any traffic to or from this network.

inter-cloud.tech

The situation at inter-cloud.tech is similar to ghlc.biz. This network rarely takes positive action in response to abuse reports, allowing botnet C&Cs to remain on its network. As a result, its network ranges (prefixes) are also listed on Spamhaus DROP.
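As an added example (written for this edit; it is not code from the Spamhaus report or from any Spamhaus tool): the DROP list the two entries above refer to is published as a plain-text file, one prefix per line followed by its SBL reference, and the advice is to refuse traffic to and from every listed prefix. The script below parses a listing in that format, does a longest-prefix lookup of an address against it, and renders an nftables ruleset that drops listed prefixes both as source and as destination. The sample listing is constructed from RFC 5737 / RFC 3849 documentation prefixes with placeholder SBL references; the real file lives at https://www.spamhaus.org/drop/drop.txt (IPv6: dropv6.txt) and is not downloaded here.

```python
"""Consume a Spamhaus DROP-format listing: parse it, check addresses
against it, and render nftables rules that refuse traffic in both directions."""
import ipaddress
from typing import Dict, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample in the DROP text format: ';' starts a comment,
# entries are "<CIDR> ; <SBL reference>".  Prefixes are documentation
# ranges and the SBL references are placeholders, not real listings.
# The last two entries are deliberately malformed to exercise the parser.
SAMPLE_DROP_TXT = """\
; Spamhaus DROP List 2020/07/30 - (c) 2020 The Spamhaus Project
; https://www.spamhaus.org/drop/drop.txt
; Last-Modified: Thu, 30 Jul 2020 06:00:00 GMT
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
203.0.113.0/25 ; SBL000003
2001:db8:1::/48 ; SBL000004

bogus-entry ; SBL000005
192.0.2.77/24 ; SBL000006
"""


def parse_drop(text: str) -> Dict[Network, str]:
    """Map each well-formed listed prefix to its SBL reference.

    Comment and blank lines are skipped.  Malformed entries are skipped too
    (strict=True also rejects prefixes with host bits set), so one corrupt
    line never silently widens the block list or aborts the whole load.
    """
    entries: Dict[Network, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        cidr, _, ref = line.partition(";")
        try:
            net = ipaddress.ip_network(cidr.strip(), strict=True)
        except ValueError:
            continue
        entries[net] = ref.strip() or "unreferenced"
    return entries


def lookup(entries: Dict[Network, str], ip: str) -> Optional[Tuple[Network, str]]:
    """Longest-prefix match of a single address; None if it is not listed."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Tuple[Network, str]] = None
    for net, ref in entries.items():
        if addr.version != net.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, ref)
    return best


def nftables_ruleset(entries: Dict[Network, str], table: str = "filter") -> str:
    """Render an nft script: one interval set per address family, plus input
    and output rules so listed prefixes are dropped as source and destination."""
    order = lambda n: (int(n.network_address), n.prefixlen)
    v4 = sorted((n for n in entries if n.version == 4), key=order)
    v6 = sorted((n for n in entries if n.version == 6), key=order)
    lines = [f"table inet {table} {{"]
    for name, typ, nets in (("drop4", "ipv4_addr", v4), ("drop6", "ipv6_addr", v6)):
        lines += [f"    set {name} {{", f"        type {typ}", "        flags interval"]
        if nets:  # nft rejects an empty 'elements = { }' clause
            lines.append("        elements = { " + ", ".join(map(str, nets)) + " }")
        lines.append("    }")
    lines += [
        "    chain input {",
        "        type filter hook input priority 0; policy accept;",
        "        ip saddr @drop4 drop",
        "        ip6 saddr @drop6 drop",
        "    }",
        "    chain output {",
        "        type filter hook output priority 0; policy accept;",
        "        ip daddr @drop4 drop",
        "        ip6 daddr @drop6 drop",
        "    }",
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    listed = parse_drop(SAMPLE_DROP_TXT)
    for probe in ("192.0.2.77", "203.0.113.200", "2001:db8:1::5", "8.8.8.8"):
        hit = lookup(listed, probe)
        print(probe, "->", f"listed in {hit[0]} ({hit[1]})" if hit else "not listed")
    print(nftables_ruleset(listed))
```

Malformed lines are skipped rather than fatal, so a partially corrupt download can neither widen nor empty the block list; when deploying this for real, refresh the file on a schedule and load the rendered script atomically with `nft -f` so the old set stays in force until the new one is valid.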

fink.org

At the end of Q2, we counted close to 100 active botnet C&Cs on this network, mostly associated with Remote Access Tools (RATs).

Cloud providers

Surprisingly, the two cloud providers Microsoft (Azure) and Google (Compute Engine) are hosting a large number of active botnet C&Cs compared to others.

Our experience has shown that getting a response from them to abuse reports is sometimes difficult, which is one of the reasons why they have a large number of active botnet C&Cs on their networks.

Total number of active botnet C&Cs per network

You can download the 2020 Q2 Botnet Threat Report as a PDF. We look forward to seeing you in October, when we’ll be providing you with Quarter 3’s update. Stay safe!


* Data updated since original publication to ensure parity of figures - comparing new botnet Command & Control servers (C&Cs) under the direct control of miscreants: 2,014 in Q1 and 2,701 in Q2.
