Botnet Trend Report-6

July 24, 2019 | Adeline Zhang

3.3.2 Analysis

Most Botnets Deployed on VPSs for Economic Reasons

Low-cost virtual private servers, which have little security oversight, have become the main target for hosting command & control servers.

When setting up C&C servers, botnet groups will attempt to take over any available system. Having moved beyond traditional on-premises servers, botnet groups now use platforms such as cloud service providers, compromised smart devices, public platforms where user-submitted content can be posted, and chat tools that can be abused for this purpose, such as Slack and Telegram, to host C&C infrastructure. Popular as those platforms have become, VPSs are the most sought-after hosting option, and their share among C&C deployment platforms has grown in recent years.

Studying geographical locations of C&C servers newly added in 2018, we found that a great number of IP addresses belonged to devices residing in equipment rooms of several renowned VPS vendors. These C&C servers set up on VPSs have a long survival period and a high activity level.
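The observations above (share of C&C servers by hosting platform, and how long those on VPSs survive) come from tabulating newly seen C&C addresses against hosting-provider allocations. The following is an added example, not code from the report or from NSFOCUS, of that tabulation. The CIDR ranges and sightings are constructed for illustration; in practice the provider ranges would come from WHOIS or BGP data, and the sightings from C&C tracking.

```python
"""
Added example (not part of the report): classify newly observed C&C servers by
hosting platform and measure their survival period (last seen minus first seen).

All data below is constructed for illustration. The CIDR ranges stand in for
hosting-provider allocations a defender would take from WHOIS/BGP data; they
are documentation ranges, not real vendor allocations.
"""
import ipaddress
from datetime import date
from statistics import median

# Hypothetical provider allocations (constructed; not real vendor ranges).
PLATFORM_RANGES = {
    "vps": [ipaddress.ip_network("203.0.113.0/24")],
    "cloud": [ipaddress.ip_network("198.51.100.0/25")],
    "broadband": [ipaddress.ip_network("192.0.2.0/24")],
}

# Constructed sightings of C&C servers: (ip, first_seen, last_seen).
SIGHTINGS = [
    ("203.0.113.10", date(2018, 1, 5), date(2018, 6, 30)),
    ("203.0.113.77", date(2018, 2, 1), date(2018, 5, 1)),
    ("203.0.113.200", date(2018, 3, 3), date(2018, 12, 1)),
    ("198.51.100.9", date(2018, 4, 1), date(2018, 4, 20)),
    ("192.0.2.44", date(2018, 5, 10), date(2018, 5, 12)),
    ("10.0.0.1", date(2018, 6, 1), date(2018, 6, 2)),  # matches no range -> "other"
]


def classify(ip: str) -> str:
    """Return the hosting platform whose allocation contains ip, or 'other'."""
    addr = ipaddress.ip_address(ip)
    for platform, nets in PLATFORM_RANGES.items():
        if any(addr in net for net in nets):
            return platform
    return "other"


def platform_share(sightings):
    """Fraction of C&C servers per hosting platform, rounded to 3 decimals."""
    counts = {}
    for ip, _, _ in sightings:
        platform = classify(ip)
        counts[platform] = counts.get(platform, 0) + 1
    total = len(sightings)
    return {p: round(c / total, 3) for p, c in counts.items()}


def median_survival_days(sightings):
    """Median number of days each platform's C&C servers stayed observable."""
    per_platform = {}
    for ip, first_seen, last_seen in sightings:
        days = (last_seen - first_seen).days
        per_platform.setdefault(classify(ip), []).append(days)
    return {p: median(d) for p, d in per_platform.items()}


if __name__ == "__main__":
    print("share by platform:", platform_share(SIGHTINGS))
    print("median survival (days):", median_survival_days(SIGHTINGS))
```

On the constructed data the VPS range holds half of the sightings and its servers have a median survival of 176 days, far longer than the broadband and unclassified entries; the same two tables, built from real allocation data, are what back the report's statement that VPS-hosted C&C servers are both numerous and long-lived.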

The following features of VPSs make them important tools for botnet attacks:

1. Price. In recent years, emerging VPS service providers have sprung up all over the world. The price competition in the VPS market is becoming increasingly intense, thus bringing the C&C server deployment cost down. This provides an incentive for mercenary hacking groups to move C&C servers to VPSs.

2. Covertness. Currently, many VPS providers exercise minimal review and control over user registration information, making it easy for hackers to hide their real identities.

3. Flexibility. VPS hosts are easy to deploy and destroy, allowing botnet groups to develop new ways to evade detection and crackdown by security vendors.

Thus, VPSs provide a new level of flexibility for deploying C&C servers at a much lower cost.

In China, the situation is different: a distinct kind of dark web or underground hosting activity exists there and is considered illegal. Because such sites operate without protection, the hacking groups controlling botnets have made huge profits preying on industries such as gambling and porn.

Underground industries represented by gambling and porn, as well as illegal shopping sites, have been using home-grown servers or non-standard managed hosts as their main operating platforms. These platforms have poor security protections at best, and their O&M personnel lack sufficient security awareness. This lack of security makes them popular extortion targets for botnet groups, which use DDoS attacks to hold their operations hostage.

To be continued.