1/29/2020
06:40 PM

Number of Botnet Command & Control Servers Soared in 2019

The number of servers worldwide used to control malware-infected systems jumped more than 71% compared with 2018, Spamhaus says.

For the second year in a row, the number of servers used by attackers worldwide to control malware-infected systems increased sharply.

The Spamhaus Project, which tracks both the domain names and the IP addresses used by threat actors for hosting botnet command-and-control servers (C2), identified 17,602 such servers hosted on a total of 1,210 different networks worldwide in 2019.

The number represented a big 71.5% jump over the 10,263 botnet C2 servers that Spamhaus detected and blocked in 2018, and a near doubling in number from the 9,500 servers in 2018. Botnet C2s, in fact, accounted for 41% of all the listings on Spamhaus' block list in 2019, compared to just 15% in 2017 and 25% last year.

The sharp increase is an indication of the growing popularity of botnets as an attack vector among threat actors, Spamhaus said in a report this week. About 60% of the new botnet C2s that Spamhaus detected in 2020 were associated with credential-stealing malware such as Lokibot and AZORult. About 20% -- the next highest proportion -- were used to control data-stealing Remote Access Trojans (RATs), the most prolific of which was Nanocore.

The Spamhaus Block List (SBL) is a real-time database of IP addresses and URLs associated with known spam sources and threats like botnet C2s. Companies and ISPs can use the database in tandem with other block lists to block spam and other online threats.

As with previous years, Spamhaus' data showed that some of the ISPs that hosted the highest number of botnet C2s last year were based in the United States. Over 1,580 botnet servers in 2019, for instance, were hosted on Cloudflare alone -- more than double the 629 hosted by second-place Alibaba of China.

In many cases, the command-and-control servers were running on compromised websites and servers belonging to customers of ISPs such as Cloudflare. This likely made it difficult for them to spot the illegal activity. But a substantial proportion were also set up via fraudulent registrations, as a result of weaknesses in the ISPs' customer-vetting and verification processes, Spamhaus said.

But for the first time ever, Russia took the top spot among countries hosting the largest number of command-and-control servers. The number of botnet C2s in the country soared 143% over 2018 to 4,712, compared to 4,007 in the United States.

Lax Customer Vetting

Spamhaus attributed the increase in Russia to threat actors taking advantage of the relatively lax registration procedures among Internet Service Providers in the country. China, too, leapt up the charts from 13th spot in 2018 to the fourth spot last year with 770 servers, an increase that Spamhaus attributed to lax registration procedures as well.

US-based Namecheap was once again the most abused domain registrar, with almost 25% of all botnet C2s detected and blocked last year registered via the company. But China and Russia both had more registrars on the top 20 list last year than the US. "They are mostly being legitimately abused," says Vincent Hanna, a researcher at The Spamhaus Project. "The registrar market is one of very thin margins and lots of automation. Neither leaves much space for careful vetting of customers and orders."

According to Spamhaus, its botnet data from 2019 showed that ISPs in the East in general are lagging behind their Western counterparts when it comes to sign-up procedures and in enforcement of their terms and conditions.

Western companies on the list of ISPs hosting the most botnet C&Cs have a high volume, but they are few in number. "At the same time many more eastern companies have fraudulent customers, signaling that abuse procedures and customer-vetting problems are more widespread there, and not limited to a handful of companies," Hanna says.

The most abused Top Level Domains (TLDs) in 2019 were the .com and .net domains. More than 50% of botnet C2s were hosted on these two domains alone. Other heavily abused TLDs included .ru, .info, .cm, and .pw, the top level domain for Palau. Several other previously abused domains, however, fell off the most abused list, including .review, .stream, .bid, and .trade.

For registrars and ISPs, careful customer vetting is key. "Finding the fraudulent registrations is often not that hard, but it needs to be done," Hanna says. "Registries that care about the reputation of the entire TLD will proactively go out and try to find problematic registrations themselves."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
RyanSepe,
User Rank: Ninja
1/30/2020 | 9:28:56 PM
Re: fraudulent
All too true. Still need resources to do so. It would be nice if AI matured to the point where we could have bots monitor the bad bots.
RyanSepe,
User Rank: Ninja
1/30/2020 | 9:27:42 PM
Re: Eastern companies
Agreed. Even if there were, question is would the penalty outweigh the reward to the point where it would cause a change in behavior?
RyanSepe,
User Rank: Ninja
1/30/2020 | 9:25:45 PM
Re: Cloudflare
That's the million dollar question. I've typically found that aspect to be performed quite rarely. The infrastructure is so expansive that without extensive resources it is difficult to police all that binary area.
RyanSepe,
User Rank: Ninja
1/30/2020 | 9:23:40 PM
Re: Credentials
Agreed. Passwords are the weakest form of authentication after all. That's why MFA needs to be employed wherever possible.
RyanSepe,
User Rank: Ninja
1/30/2020 | 9:22:45 PM
Re: Servers?
Keyphrase "supposed to". I would also say that this is more akin to servers should have "limited" access to the internet.

It's rare to see us do things we are supposed to do, in light of doing what's easier unfortunately.
Dr.T,
User Rank: Ninja
1/30/2020 | 6:52:45 PM
fraudulent
"Finding the fraudulent registrations is often not that hard, but it needs to be done." Unless somebody checks what those bots are really doing it may not be that easy to find out if they are fraudulent or not.
Dr.T,
User Rank: Ninja
1/30/2020 | 6:51:12 PM
Eastern companies
"At the same time many more eastern companies have fraudulent customers, signaling that abuse procedures and customer-vetting problems are more widespread there, and not limited to a handful of companies." This makes sense. There may not be enough regulations and enforcement in those regions.
Dr.T,
User Rank: Ninja
1/30/2020 | 6:48:05 PM
Cloudflare
"Over 1,580 botnet servers in 2019, for instance, were hosted on Cloudflare alone -- more than double the 629 hosted by second-place Alibaba of China." Interesting. The question is that if anybody checks what those boys are really doing.
Dr.T,
User Rank: Ninja
1/30/2020 | 6:45:26 PM
Credentials
"Spamhaus detected in 2020 were associated with credential-stealing malware such as Lokibot and AZORult." This explains it. Once credentials are compromised there is not much anyone can do.
Dr.T,
User Rank: Ninja
1/30/2020 | 6:42:33 PM
Servers?
"The number represented a big 71.5% jump over the 10,263 botnet C2 servers that Spamhaus detected and blocked in 2018, and a near doubling in number from the 9,500 servers in 2018." This is surprising. Servers are supposed to have no direct collections to the internet so these bots could not be executed.