Botnet Trend Report

Botnet Trend Report-14

September 18, 2019

Conclusion and Recommendations

In 2018, botnets continued using DDoS as their primary weapon to attack regions with ubiquitous high speed networking for direct economic gains. However, they underwent significant changes in behavioral patterns, host platforms, C&C server deployment, infection methods, attack methods, and payload types. Security service providers need to adapt their strategies to better mitigate the increasing threats posed by the new generation of botnets. (more…)

Botnet Trend Report-13

September 11, 2019

4.4 Satan: Evolving Ransomware

In late April 2018, MalwareHunterTeam reported seeing new ransomware that leveraged EternalBlue to propagate. Through analysis, we found that the ransomware was based on a new version (dubbed V2) of Satan, a ransomware family launched in 2017. The ransom demanded in this version increased from 0.1 to 0.3 Bitcoin. At the same time, a certain variant of IRCBOT also captured download instructions related to this malware. From the instruction set, Satan was confirmed to be the ransomware payload. (more…)

Botnet Trend Report-12

September 4, 2019

4.3 XMRig: Cryptomining For Fun and Profit Cryptomining by botnets has gained popularity in the past two years. Unlike other common malicious activities like DDoS, ransomware attacks, and confidential information theft, cryptomining has some unique characteristics: 1. Predictable earnings. Cryptominers are good at hiding their presence by controlling their CPU usage within 30%–40%. Based on […]

Botnet Trend Report-11

August 28, 2019

4.2.2 Analysis  During the first quarter of 2018 when BillGates was extremely active, the family was found to attack 3962 targets, most of which were in two Central American countries. The following map shows the distribution of BillGates targets in China that NSFOCUS was able to directly monitor. BillGates ignored common ports, such as 22, […]

Botnet Trend Report-10

August 21, 2019

4.2 BillGates: Best Cross-Platform Family

In February 2014, a new botnet family was reported by the Russian website, habr5 and named BillGates because of its bill and gates modules. Subsequently the research group, MalwareMustDie reported that botnet family was operated by a Chinese hacker group, closely related with other known families such as ChinaZ and Elknot. This has helped BillGates attract wide attention. (more…)

Botnet Trend Report-9

August 16, 2019

This chapter explores further into active botnet families detected in 2018. We concentrate on four distinct families and tools focusing our analysis on their behavior changes, sample version changes, sample variants, and average age of C&C servers, to better understand the dynamic lifecycle of botnet families throughout 2018. (more…)

Botnet Trend Report-8

August 9, 2019

3.5 Delivery and Propagation 

3.5.1 Behavior Seen 

Studying 25 million intrusion logs extracted from NSFOCUS managed services customers in 2018, we found that approximately 14 million logs recorded intrusions using weak password cracking mainly against Telnet, RDP, and SSH services. From other logs, a large portion of intrusions seen were vulnerability-based intrusions, with 54 vulnerabilities frequently exploited (Shown in the table) mostly against routers and IoT cameras. (more…)

Botnet Trend Report-7

August 2, 2019

3.4 DDoS Attacks 3.4.1 Behavior Seen Effective attack instructions are botnet attack instructions that control a task other that starting and stopping.  Effective attack instructions captured in 2018 included DDoS, Local Area Network (LAN) scanning, and vulnerability exploits among other types of attacks. There were 440,000 DDoS attack instructions issued from botnet families, constituting most […]

Botnet Trend Report-6

July 24, 2019

3.3.2 Analysis Most Botnets Deployed on VPSs for Economic Reasons Low-cost virtual private servers, which have little security oversight, have become the main target for hosting command & control servers. When setting up C&C servers, botnet groups will attempt to take over any available system. Having evolved past traditional on-premises servers, botnet groups now target […]

Botnet Trend Report-5

July 17, 2019

3.3 Geographical Distribution

3.3.1 Behavior Seen

According to geographical analysis of IP addresses, 2018 saw most new C&C servers in the USA (30.64%), closely followed by China (29.79%). Other top C&C hosting countries include Canada, Russia, Germany, France, and Italy. (more…)