
Threat Activity Trends


Bot-infected Computers

Background

Bot-infected computers, or bots, are programs that are covertly installed on a user’s machine in order to allow an attacker to control the targeted system remotely through a communication channel, such as Internet relay chat (IRC), P2P, or HTTP. These channels allow the remote attacker to control a large number of compromised computers over a single, reliable channel in a botnet, which can then be used to launch coordinated attacks.
Bots allow for a wide range of functionality and most can be updated to assume new functionality by downloading new code and features. Attackers can use bots to perform a variety of tasks, such as setting up denial-of-service (DoS) attacks against an organization’s website, distributing spam and phishing attacks, distributing spyware and adware, propagating malicious code, and harvesting confidential information that may be used in identity theft from compromised computers—all of which can lead to serious financial and legal consequences. Attackers favor bot-infected computers with a decentralized C&C[6] model because they are difficult to disable and allow the attackers to hide in plain sight among the massive amounts of unrelated traffic occurring over the same communication channels, such as P2P. Most importantly, botnet operations can be lucrative for their controllers because bots are also inexpensive and relatively easy to propagate.

Methodology

A bot-infected computer is considered active on a given day if it carries out at least one attack on that day. This does not have to be continuous; rather, a single such computer can be active on a number of different days. A distinct bot-infected computer is a distinct computer that was active at least once during the period. The bot-infected computer activity that Symantec tracks falls into two classes: actively attacking bots and bots that send out spam (spam zombies).
Distributed denial-of-service (DDoS) campaigns are not always indicative of bot-infected computer activity, since DDoS activity can occur without the use of bot-infected computers. For example, systems that participated in the high-profile DDoS “Operation Payback” attacks used publicly available software such as “Low Orbit Ion Cannon” (LOIC) in a coordinated effort to disrupt the website operations of many businesses. Users sympathetic to the Anonymous cause could voluntarily download the free tool from the Web and participate en masse in a coordinated DDoS campaign, which required very little technical knowledge. These attacks began at the end of 2010 and continued in 2011, with a wide variety of targets. Interestingly, because of the way the software operated, some attackers didn’t bother to disguise their machines’ online identifiers, resulting in a number of legal actions later in the year.

The analysis reveals the average lifespan of a bot-infected computer for the geographies with the highest populations of bot-infected computers. To be included in the list, a geography must account for at least 0.1% of the global bot population.
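The definitions above (a bot active on a day it attacks, a distinct bot active at least once in the period, the 0.1% inclusion threshold) applied to a constructed set of sightings, as an added Python example that is not Symantec's code. The report does not define "lifespan" precisely; the example assumes it is the inclusive number of days from a bot's first to its last active day.

```python
from collections import defaultdict
from datetime import date

# Constructed sample: one record per observed attack, as (bot id, country,
# date). Not Symantec data; the ids, countries and dates are made up.
SIGHTINGS = [
    ("bot-a", "RO", date(2011, 3, 1)),
    ("bot-a", "RO", date(2011, 3, 1)),   # same bot, same day: still one active day
    ("bot-a", "RO", date(2011, 3, 29)),
    ("bot-b", "RO", date(2011, 5, 10)),
    ("bot-c", "US", date(2011, 1, 5)),
    ("bot-c", "US", date(2011, 1, 17)),
    ("bot-d", "US", date(2011, 6, 2)),
    ("bot-e", "US", date(2011, 6, 2)),
    ("bot-e", "US", date(2011, 6, 3)),
    ("bot-f", "ZZ", date(2011, 2, 1)),
]


def summarize(sightings, min_share=0.001):
    """Per-country bot statistics following the report's definitions.

    A bot is active on a day if it has at least one attack that day, and a
    distinct bot is one active at least once in the period. Lifespan is
    taken here (an assumption) as the inclusive day count from a bot's
    first to its last active day. Countries below min_share of the global
    bot population are dropped, mirroring the report's 0.1% threshold.
    """
    active_days = defaultdict(set)   # bot id -> set of days with >= 1 attack
    country_of = {}
    for bot, country, day in sightings:
        active_days[bot].add(day)
        country_of[bot] = country
    total_bots = len(active_days)     # distinct bots worldwide

    lifespans = defaultdict(list)     # country -> lifespan of each of its bots
    for bot, days in active_days.items():
        lifespans[country_of[bot]].append((max(days) - min(days)).days + 1)

    result = {}
    for country, spans in lifespans.items():
        share = len(spans) / total_bots
        if share < min_share:
            continue
        result[country] = {
            "bots": len(spans),
            "share": share,
            "one_in": round(1 / share),            # the report's "1 in N" form
            "avg_lifespan_days": sum(spans) / len(spans),
        }
    return result
```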

Data

Commentary

  • Bots located in Romania were active for an average of 29 days in 2011; 1 in 737 bots worldwide was located in Romania. Romania has one of the lowest fixed-broadband adoption rates in Europe, with fewer than 15%[7] of households being connected to high-speed Internet access.
  • It takes more than twice as long to identify and clean up a bot-infected computer in Romania as in the United States, although the number of infections in the United States is more than a hundred times greater than that of Romania. One factor contributing to this disparity may be a low level of user awareness of the issues involved, combined with the lower availability of remediation guidance and support tools in the Romanian language.
  • In the United States, which was home to 1 in 8 (12.6%) of global bot-infected computers, the average lifespan for a bot was 13 days.
  • Further analysis revealed that 65.2% of bots were controlled using HTTP-based command and control channels.

[6] Command and control

[7] http://ec.europa.eu/information_society/digital-agenda/scoreboard/pillars/broadband/index_en.htm