An overview on the Bad Bot Landscape by Distil Networks

Distil Networks security firm has published an interesting report on the Bad Bot Landscape, it is full of data on the evolution of malicious architecture.

Surfing on the Internet I have found The Bad Bot Landscape Report Q1 2014 and interesting study issued by the Distil Networks security firm which provides an interesting analysis of botnet evolution detected by the system of the company.

The Bad Bot Landscape Report Q1 2014 contains statistics on the evolution of malicious architectures under different axis of analysis like geographical area, originating ISP, originating organization and hosting provider, size and many others.

Experts at Distil observed an increase of cloud-hosted botnets, mainly based on the Amazon cloud architecture which was seen hosting 14% of malicious traffic.

Amazon isn’t the only provider abused by cybercrime, “cheap hosting” providers represent a privileged choice for bad actors because they usually implement a poor monitoring and a put in place a few safeguards to prevent bad bot origination.

Where Bad Bots Come From?

Russia, China, and India are not in the top positions of the ranking, the US (46%), Great Britain (19%), Germany (9.6 %), and The Netherlands (3.3%) are the top four countries exploited by criminals to host the malicious structure.

The botmasters preferred those countries because they host the largest number of quality Internet exchange points, an essential factor for the successfully deployment of the botnets.

“Those who develop bad bots want them to attack as fast as possible, prior to detection and mitigation steps, and they want to do this as cost effectively as possible. For this reason, they attempt to use inexpensive cloud hosting providers that offer quick and easy set-up. These cloud providers locate their infrastructure where space and bandwidth come cheap, which is at major Internet exchange points. Therefore, most frequent offending nations represent those with the largest number of quality Internet exchange points.” states the The Bad Bot Landscape Report Q1 2014.

The experts at Distil Networks revealed that Verizon Business was responsible for nearly 11 % of all malicious bot traffic while and Level 3 Communications account for  10%.

“From the ISP perspective, costs run much higher when trying to clean up infected computers. In the case of residential ISPs, informing consumers that their computers are infected with malware and helping them perform the associated cleanup would triple support costs,” explains the The Bad Bot Landscape Report Q1 2014.

Analyzing the botnet distribution per industry The Bad Bot Landscape Report Q1 2014 reports that the financial services industry is the one that serves up the highest botnet traffic.

During the last year Distil firm detected bad bot traffic originating from every wireless provider operating in the United States, botnets are targeting mobile platform, the illicit activities grew up of more than 1,000 percent in the last 12 months.

Following the Key findings:

• To date, Distil has identified, tracked and catalogued over 8 Billion bad bots 4 Bad bots ~doubled as a percentage of all web traffic between Q1 and Q4 2013, from 12.25% to 23.6%.
• Good bots dropped as a percentage of all web traffic between Q1 and Q4 2013, from 27.25% to 19.4%
• More bad bots originate in the USA than from any other country
• The top four bad-bot countries are the USA, Great Britain, Germany and The Netherlands, NOT the usual suspects of Russia, China and India
• Verizon Business and Level 3 Communications originate the most bad bot traffic in a global ISP comparison, 11% and 10% of all bad bot traffic, respectively
• Amazon serves the most bad bot traffic among hosting providers worldwide, 14%
• More than 1,100 ISPs and hosting providers serve bad bots as 70% or more of their total traffic
• Bad bots attack most between 6pm and 9pm ET (US-only data for this point)
• The biggest bad bot of 2013 was “Pushdo”, impacting 4.2 million IP addresses and ~4 million computers
• The Financial Services industry had more organizations serving a high percentage of bad bot traffic than any other industry
• Bad bots are 5 times more likely to attempt to ‘Get’ data/information than ‘Post’ it
• The Mobile bad bot threat is gaining significance, with bad bots running across 9 of the world’s top 10 mobile operators
• Mobile bad bots are far more prevalent in the US mobile networks than those of other nations

Pierluigi Paganini

(Security Affairs –  The Bad Bot Landscape Report Q1 2014, botnet)