The average botnet in the first quarter of 2015 was made up of 1,700 infected hosts per command-and-control (C&C) server, according to Level 3 Threat Research Labs' “Safeguarding the Internet: Level 3 Botnet Research Report.”
The report is based on the more than one thousand C&C servers analyzed by Level 3 in the first quarter of this year, of which 600 were found being used for malicious communications targeting corporate environments.
According to the report, the average number of infected hosts per C&C server in the first quarter of 2015 was 1,700, with the volume of infected hosts per C&C server declining over the months: it peaked at 3,763 in January and bottomed out at 338 in March.
Explaining the drop from January to March, Chris Richter, senior VP of managed security services at Level 3, told SCMagazine.com in a Thursday email correspondence, “A few large [C&C] servers were removed from the Internet that were targeting a disproportionate amount of victims.”
The first quarter of 2015 saw the average lifespan of a C&C server at 38 days; during that time a server might be used for malware distribution, phishing, or destruction of critical information assets, the report said, adding that 22 percent of C&C servers performed more than one function.
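The metrics quoted above (infected hosts per C&C server, the month-by-month trend, C&C server lifespan, and the share of servers performing more than one function) are all aggregations over observed victim-to-C&C conversations. The following is an added example, not code from the article or from Level 3, showing how a defender might compute the same metrics from their own sighting data. The record layout and the sightings themselves are constructed for illustration; the report's figures are not reproduced.

```python
from collections import defaultdict
from datetime import date

# Constructed sightings (not data from the Level 3 report): one record per
# observed conversation between a victim IP and a C&C server, tagged with the
# function the C&C server was seen performing at the time.
SIGHTINGS = [
    {"c2": "c2-A", "victim": "10.0.0.1", "day": date(2015, 1, 5),  "function": "ddos"},
    {"c2": "c2-A", "victim": "10.0.0.2", "day": date(2015, 1, 6),  "function": "ddos"},
    {"c2": "c2-A", "victim": "10.0.0.1", "day": date(2015, 2, 10), "function": "ddos"},  # repeat victim
    {"c2": "c2-A", "victim": "10.0.0.3", "day": date(2015, 2, 12), "function": "phishing"},
    {"c2": "c2-B", "victim": "10.0.1.1", "day": date(2015, 1, 20), "function": "malware"},
    {"c2": "c2-B", "victim": "10.0.1.2", "day": date(2015, 3, 2),  "function": "malware"},
    {"c2": "c2-C", "victim": "10.0.2.1", "day": date(2015, 3, 15), "function": "ddos"},
]


def unique_victims_per_c2(sightings):
    """Distinct victim IPs seen talking to each C&C server over the whole period."""
    victims = defaultdict(set)
    for s in sightings:
        victims[s["c2"]].add(s["victim"])
    return {c2: len(v) for c2, v in victims.items()}


def average_hosts_per_c2(sightings):
    """Quarter-level 'infected hosts per C&C server' figure."""
    counts = unique_victims_per_c2(sightings)
    return sum(counts.values()) / len(counts)


def monthly_average_hosts_per_c2(sightings):
    """Same metric broken out by month, so a decline like January-to-March is visible.

    Only C&C servers active in a given month contribute to that month's average.
    """
    by_month = defaultdict(lambda: defaultdict(set))
    for s in sightings:
        by_month[s["day"].strftime("%Y-%m")][s["c2"]].add(s["victim"])
    return {
        month: sum(len(v) for v in c2s.values()) / len(c2s)
        for month, c2s in sorted(by_month.items())
    }


def c2_lifespan_days(sightings):
    """Inclusive number of days between first and last sighting of each C&C server."""
    first, last = {}, {}
    for s in sightings:
        c2, day = s["c2"], s["day"]
        first[c2] = min(first.get(c2, day), day)
        last[c2] = max(last.get(c2, day), day)
    return {c2: (last[c2] - first[c2]).days + 1 for c2 in first}


def average_lifespan_days(sightings):
    spans = c2_lifespan_days(sightings)
    return sum(spans.values()) / len(spans)


def multi_function_share(sightings):
    """Fraction of C&C servers observed performing more than one function."""
    functions = defaultdict(set)
    for s in sightings:
        functions[s["c2"]].add(s["function"])
    multi = sum(1 for f in functions.values() if len(f) > 1)
    return multi / len(functions)


if __name__ == "__main__":
    print("victims per C&C:", unique_victims_per_c2(SIGHTINGS))
    print("average hosts per C&C:", average_hosts_per_c2(SIGHTINGS))
    print("monthly average hosts per C&C:", monthly_average_hosts_per_c2(SIGHTINGS))
    print("lifespan (days):", c2_lifespan_days(SIGHTINGS))
    print("average lifespan (days):", round(average_lifespan_days(SIGHTINGS), 1))
    print("multi-function share:", round(multi_function_share(SIGHTINGS), 2))
```

The per-month breakdown deliberately counts a victim once per C&C server per month, so a host that beacons to the same server repeatedly does not inflate the figure; that is the same reason the quarter-level number uses unique victim IPs rather than raw connection counts. Lifespan is measured inclusively, so a server seen on a single day counts as one day rather than zero.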
One of the most common functions for botnets is distributed denial-of-service (DDoS) attacks, Level 3 researchers highlighted in the report, showing that 56 percent of DDoS attacks in Q1 2015 were directed at targets in the U.S., while 32 percent were aimed at targets in Europe, the Middle East and Africa. The biggest targets of DDoS attacks included the gaming industry and internet service providers.
Altogether, the U.S. is the top country generating C&C server traffic, with Ukraine, Russia, the Netherlands, Germany, Turkey, France, the UK, Vietnam and Romania, in that order, rounding out the rest of the top ten. Level 3 researchers observed that an average of 20 percent of C&C servers were based in North America.
With 532,000 unique victim IP addresses, China is the country with the highest absolute number of victims that conversed with C&C servers at one point during the quarter. The U.S. had 528,000 unique victim IP addresses, while Norway had 213,000, Spain had 129,000, and Ukraine had 124,000.
Another trend noted in the report is movement to the cloud, whereby threat actors are shifting from compromising legitimate servers to creating bots on rogue virtual machines (VMs).
“We use both geolocation mechanisms and network topology details to isolate and validate the origin of the traffic, identifying cloud providers,” Richter said. “We believe this trend makes sense due to the ease of setting up VMs and the potential lack of security controls on existing valid VMs being compromised.”