Botnets live long and prosper, despite cyber security efforts


The length of time a botnet command and control server is online has remained constant over the past six months, despite increased awareness of this type of threat.

Research by ISP Level 3 Communications found that during the first quarter of 2015 C&C servers survived an average of 38 days on the internet before being taken offline - a figure that has remained constant since Q4 2014.

Perhaps more worryingly, the server going offline can be as much a byproduct of the server owner upgrading software or patching vulnerabilities as malware discovery and removal.

However, the average number of victims per C&C server fell dramatically over the quarter, from 3,763 in January to 338 in March.

Level 3 said this can be attributed both to general "vigilance on behalf of the security community" and, while no one action is mentioned by the company, it is worth noting the precipitous drop in numbers follows almost immediately in the wake of the Ramnit botnet, which had infected 3.2 million computers, being taken offline by Europol's European Cybercrime Centre (EC3) in late February.

Cyber crime economics

Despite big takedowns like Ramnit, the economics of cyber crime still work in the favour of malicious actors. Last year, Dell Secureworks found the cost of renting a 1,000-server UK-based botnet was $120 per month, an increase of 600 per cent from 2013 and a lucrative deal for the botnet owners.

Level 3 Communications also found that 22 per cent of C&C servers have more than one threat purpose.

"Most likely, many of these botnets are commercial in nature, and they are part of a diversified business," said Level 3. "For example, they may serve multiple, for-profit purposes, such as malware distribution, DDoS attacking and phishing services."

"Botnet operation is a lucrative business, with a simple setup. Operational costs to create, maintain and move a botnet, once shut down, are low. Blocked botnets can come back online often within hours of being shut down," the company added.

This doesn't mean those renting the infrastructure get a raw deal, though.

In its 2015 Global Security Report, security firm Trustwave found attackers' estimated ROI for exploit kit and ransomware schemes, the "vast bulk" of which is distributed by a botnet, was over 1,400 per cent.

Jane McCallion
Deputy Editor

Jane McCallion is ITPro's Managing Editor, specializing in data centers and enterprise IT infrastructure. Before becoming Managing Editor, she held the role of Deputy Editor and, prior to that, Features Editor, managing a pool of freelance and internal writers, while continuing to specialize in enterprise IT infrastructure, and business strategy.

Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.