According to McAfee's Threats Report for the first quarter of 2009

May 7, 2009 13:05 GMT

Global security vendor McAfee has released its report (PDF) regarding the developments observed on the threat landscape during the first three months of 2009. The Conficker hype has helped other forms of malware go unnoticed, the researchers warn.

The report starts with the good news first, or at least partially good. Spam levels have been lower for this period than they were in the past two years. However, experts argue that this is because of last year's takedown of the McColo ISP, a company hosting command and control servers for some of the biggest spam botnets. "The question is not whether spam will return to previous levels, but rather when it will return," the researchers note.

The bad news is that botnets are on the rise. The Conficker worm, which is said to have infected as many as 12 million computers alone at its peak, might have been partially responsible for this, but, still, the numbers have exceeded expectations – 50% more than during the last quarter of 2008. In fact, a new record number of zombie computers has been registered during Q1 2009, exceeding the previous record set in Q3 2008 by one million.

According to the IP location of the infected computers that have joined a botnet during this period, users in the United States have been the most affected, accounting for 18% of IP addresses. They are followed by those in China, at 13.4%, and Australia, which has jumped four places since Q4 2008, at 6.3%.

The number of URLs serving malicious content has also considerably increased. The data has revealed that 46% of them are hosted in the United States, 10% in China, and 6% in Germany. What? No Russia in the top 3? Apparently, Russia has dropped to fourth place after a very long time. It currently accounts for 3% of malicious websites, but so do Canada, the United Kingdom, and the Netherlands.

"Malware authors are boosting their use of redirected-URL attacks, whether via an anonymizer or a Web 2.0 interface using a content server. This may be to avoid standard detection (by acting as an embedded URL instead of a source URL) or to benefit from the reputation of the site that appears to deliver the malware," the researchers explain about the rise in anonymizers for this quarter.

Other worrying conclusions are that the Koobface worm is back and active, with some 800 variants being released during March alone. AutoRun malware has also spiked, with 10% of all detected malware during Q1 2009 displaying this behavior. This number is even more significant, as it does not take Conficker infections into account, even though Conficker can also spread via AutoRun.

David Marcus, security research manager for McAfee Avert Labs, points out that, even though Conficker has received a lot of media attention and has been actively analyzed by security experts, "Compared with the overall landscape, the Conficker worm represents a small subset of all threat reports."