Softpedia
 


February 16th, 2011, 16:59 GMT · By

Botnet Ecosystem Diversified in 2010



TDL botnet had the highest victim count in 2010
According to a recent report from security vendor Damballa, the botnet ecosystem saw a lot of diversification last year due to the launch of many do-it-yourself toolkits.

For the past couple of years, botnets have been at the core of all cybercriminal operations. They are used for everything from spam and malware distribution to fraud and denial of service.

In July last year we even reported on a check-counterfeiting gang that used a modified ZeuS botnet for almost all activities related to the scheme.

It harvested email addresses from job sites, scraped check repositories for images of scanned checks and bought self-print postal labels from shipping companies using stolen credit card details.

Damballa, which specializes in botnet intelligence and protection solutions, reports that six of the top ten botnets in 2010 did not exist two years ago and that only a single one was present in the top for 2009.

This suggests that the botnet ecosystem has changed considerably, not only in market share leadership, but also in diversity.

A botnet formed in the second part of 2010 as a result of the TDL master boot record (MBR) rootkit took the top spot on Damballa's list with 14.8% of all unique victims.

This was almost three times more than the second-place entry, a botnet distributing rogue antivirus software, which accounted for 5.7% of victims, or ZeuS, which came in third with 5.3%.

Monkif, the only botnet also present in the 2009 top, ended up in fourth place this year with a 5.2% share of victims and was followed by the well-known Koobface (4.0%) and Conficker (2.8%).

The rest of the top ten is made up of Hamweq (2.5%), AdwareTrojanBotnet (2.2%), Sality (2.1%) and SpyEye (1.9%). For some of these, Damballa uses its own aliases.

"The prevalence of improved DIY botnet construction kits and associated exploit packs is visible in the makeup of the 2010 Top 10. Botnet operators RudeWarlockMob, FreakySpiderCartel, FourLakeRiders, WickedRockMonsters and OneStreetTroop [gang aliases] all built their botnets based on popular construction kits – often changing and augmenting the kits throughout the year as their infection campaigns and fraud objectives changed," the security company concludes in its report.
