Botnet Trend Report-1

June 18, 2019 | Adeline Zhang

Executive Summary

Botnets, one of the oldest threats on the internet, are still the most popular weapon in a hacker's arsenal. They offer ease of use, flexibility, and high availability, traits ideal for launching large-scale, high-impact cyber-attacks around the world.

Current, accurate and high-value threat intelligence is one of the best defenses against botnets. Intelligence about global botnet activity allows analysis of attacks to identify and predict botnet behavior based on attack types, attack sizes, targets and other indicators. NSFOCUS has developed profiles on 82 IP Chain-Gangs: groups of bots from multiple botnets acting in concert during specific cyber-attack campaigns. Understanding botnets in general and IP Chain-Gangs in particular improves defensive strategies and, thus, the ability to mitigate attacks.
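The IP Chain-Gang idea above, source addresses from different botnets that keep turning up together across campaigns, can be illustrated with a small co-occurrence analysis. The following is an added example, not NSFOCUS's profiling method or code; it assumes a hypothetical flat event log of (campaign, attack type, target, source IP) tuples, uses constructed sample records drawn from the RFC 5737 documentation address ranges, and groups addresses whose sets of campaigns overlap strongly (Jaccard similarity), then summarizes each group by the attack types and targets it was involved in.

```python
"""Group attack source IPs that repeatedly act together across campaigns.

Added illustration of the IP Chain-Gang concept; NOT NSFOCUS's method.
Assumed input: an event log of (campaign_id, attack_type, target, source_ip).
"""
from collections import defaultdict
from itertools import combinations

# Constructed sample events (RFC 5737 documentation addresses, not real hosts).
EVENTS = [
    ("c1", "SYN flood", "203.0.113.10", "198.51.100.1"),
    ("c1", "SYN flood", "203.0.113.10", "198.51.100.2"),
    ("c1", "SYN flood", "203.0.113.10", "198.51.100.3"),
    ("c1", "SYN flood", "203.0.113.10", "192.0.2.99"),   # one-off participant
    ("c2", "UDP flood", "203.0.113.10", "198.51.100.1"),
    ("c2", "UDP flood", "203.0.113.10", "198.51.100.2"),
    ("c2", "UDP flood", "203.0.113.10", "198.51.100.3"),
    ("c2", "UDP flood", "203.0.113.10", "192.0.2.50"),   # bridges two gangs weakly
    ("c3", "HTTP flood", "203.0.113.20", "198.51.100.1"),
    ("c3", "HTTP flood", "203.0.113.20", "198.51.100.2"),
    ("c3", "HTTP flood", "203.0.113.20", "198.51.100.3"),
    ("c4", "SYN flood", "203.0.113.30", "192.0.2.10"),
    ("c4", "SYN flood", "203.0.113.30", "192.0.2.11"),
    ("c4", "SYN flood", "203.0.113.30", "192.0.2.50"),
    ("c5", "DNS amplification", "203.0.113.30", "192.0.2.10"),
    ("c5", "DNS amplification", "203.0.113.30", "192.0.2.11"),
]


def campaigns_by_ip(events):
    """Map each source IP to the set of campaign ids it took part in."""
    index = defaultdict(set)
    for campaign, _attack_type, _target, ip in events:
        index[ip].add(campaign)
    return index


def jaccard(a, b):
    """Overlap of two campaign sets: |a & b| / |a | b|."""
    return len(a & b) / len(a | b)


def chain_gangs(events, min_campaigns=2, min_similarity=0.5):
    """Return groups (sorted lists of IPs) of addresses that act in concert.

    IPs seen in fewer than `min_campaigns` campaigns are ignored as noise.
    Two IPs are linked when their campaign sets overlap by at least
    `min_similarity`; linked IPs are merged with union-find, and only
    groups of two or more members are reported.
    """
    index = campaigns_by_ip(events)
    ips = sorted(ip for ip, camps in index.items() if len(camps) >= min_campaigns)
    parent = {ip: ip for ip in ips}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in combinations(ips, 2):
        if jaccard(index[a], index[b]) >= min_similarity:
            parent[find(a)] = find(b)

    groups = defaultdict(set)
    for ip in ips:
        groups[find(ip)].add(ip)
    gangs = [sorted(g) for g in groups.values() if len(g) > 1]
    return sorted(gangs, key=lambda g: (-len(g), g[0]))


def gang_profile(events, members):
    """Summarize what one gang did: campaigns, attack types and targets."""
    members = set(members)
    campaigns, attack_types, targets = set(), set(), set()
    for campaign, attack_type, target, ip in events:
        if ip in members:
            campaigns.add(campaign)
            attack_types.add(attack_type)
            targets.add(target)
    return {
        "members": len(members),
        "campaigns": sorted(campaigns),
        "attack_types": sorted(attack_types),
        "targets": sorted(targets),
    }


if __name__ == "__main__":
    for gang in chain_gangs(EVENTS):
        print(gang, gang_profile(EVENTS, gang))
```

With the sample data, the three 198.51.100.x addresses form one gang (seen together in c1, c2 and c3) and 192.0.2.10/.11 form another; 192.0.2.50 shares one campaign with each gang but its overlap with either is below the 0.5 threshold, so it stays unassigned, and the single-campaign address 192.0.2.99 is dropped before scoring. The thresholds are illustrative; on real data the minimum campaign count and similarity would be tuned against the volume of events per source.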

Through continuous monitoring and research of botnets, NSFOCUS Security Labs has observed significant changes in 2018 in the coding of the malware used to create bots, in the operations and maintenance (O&M) of botnets and IP Chain-Gangs, and in how their operators monetize them. Poor security has made IoT devices the bot platform of choice over the historically preferred Windows-based systems. With billions of IoT devices already online and millions more added each week, the attack capacity available to botnet operators keeps growing.

Much of the newer malware shows mature coding practices, producing more efficient software that can launch multiple, different types of attacks beyond DDoS. Network and system scanning, cryptomining and ransomware are only some of the capabilities of these newer Swiss Army knife bots.

Rising from these more mature malware developers are several malware families that are preferred because they are more stable and use global Command & Control (C&C) servers hosted on high-bandwidth internet connections. Fewer C&C servers, each on a high-speed connection, reduce the complexity and O&M requirements of managing a botnet.

Controllers of botnets have started to monetize their capabilities by offering Botnet-as-a-Service (BaaS) and DDoS-as-a-Service (DaaS), and by turning their bots into cryptominers, both for their own profit and for hire. In the future, defeating botnets will require not only local security protection but also a concerted effort by governance organizations worldwide to enforce security best practices, reducing the proliferation of botnets and their use.


NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.

NSFOCUS works with Fortune Global 500 companies, including four of the world's five largest financial institutions, organizations in the insurance, retail, healthcare and critical infrastructure industries, as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries and is a member of both the Microsoft Active Protections Program (MAPP) and the Cloud Security Alliance (CSA). A wholly owned subsidiary of NSFOCUS Information Technology Co. Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.

About NTI

NTI is the threat intelligence division of NSFOCUS. With over 90 researchers around the world, NTI's charter is to help customers better defend against current and next-generation cyber threats. NTI provides an array of threat intelligence products and services.

to be continued