#1289883: A decade of malware: Top botnets of the 2010s
ZDNet goes over the list of biggest malware botnets of the past decade, from Necurs to Mirai.
Over the past decade, the information security (infosec) field has seen a near-constant rise in malware activity.
Without a doubt, the 2010s was the decade when malware exploded from a casual semi-ammateriush landscape into a full-blown criminal operation, capable of generating hundreds of millions of US dollars per year for the actors involved.
While there were thousands of malware strains that have been active in the 2010s, a few malware botnets have risen above the rest in terms of spread and size, ammounting to what some security researchers would call "super botnets."
Malware strains like Necurs, Andromeda, Kelihos, Mirai, or ZeroAccess have made a name for themselves after they've infected millions of devices across the globe.
This article aims to summarize the biggest malware botnets that we've seen over the past ten years. Since tracking botnets is never a 100% accurate operation, we're going to list the botnets in alphabetical order, and mention their peak size, as they were reported at the time.
3ve is considered the most advanced click-fraud botnet ever assembled. It operated from 2013 to 2018, when it was dismantled by an international law enforcement action, with help from Google and cyber-security firm White Ops.
The botnet relied on a mixture between malicious scripts running on data center-hosted servers and click-fraud modules loaded on computers infected with third-party malware, such as Methbot and Kovter.
3ve operators also created fake websites where they loaded ads and then used the bots to click on ads and generate profits. At one point, the botnet is believed to have been comprised of more than 1.5 million home computers and 1,900 servers clicking on ads loaded on more than 10,000 fake websites.
The Andromeda malware was first seen in the wild back in 2011, and it's your typical "spam & malware downloader" botnet -- also known as Malware-as-a-Service (MaaS) scheme.
By this term, we are referring to a type of malware operation where crooks are mass-spamming users to infect them with the Andromeda (Gamarue) malware strain. Crooks then use these infected hosts to send out new email spam to other users, and expand or keep the botnet alive, or they download a second-stage malware strain at the behest of other (paying) malware gangs.
MaaS botnets that provide "install space" are some of the most lucrative cyber-criminal schemes around, and crooks can use different malware strains to set up the backend infrastructure for such an operation.
Andromeda, is one of these types of malware strains, and has been very popular across the years. The reason for its success is because Andromeda's source code leaked online, a few years back, and has allowed several criminal gangs to set up their own botnet and try their hand at "cybercrime."
Across the years, cyber-security firms have tracked multiple criminal gangs operating an Andromeda botnet. The biggest one known to date reached two million infected hosts, and was shut down by Europol in December 2017.
Readers can find a collection of infosec reports on the Andromeda malware on its Malpedia page, plus this one, and this one.
Bamital is an adware botnet that operated between 2009 and 2013. It was taken down following a joint effort by Microsoft and Symantec.
On infected hosts, the Bamital malware modified search results to insert custom links and content, often redirecting users to malicious sites offering malware-laced downloads.
Bamital is believed to have infected more than 1.8 million computers.
Bashlite, also known under names like Gafgyt, Lizkebab, Qbot, Torlus, and LizardStresser, is a malware strain designed to infect poorly secured WiFi home routers, smart devices, and Linux servers.
Its primarily and only role is to carry out DDoS attacks.
The malware was created in 2014 by members of the Lizard Squad hacking group, and its code leaked online in 2015.
Due to this leak, the malware has often been used to host most of today's DDoS botnets, and is often the second most popular IoT malware strain, behind Mirai. Hundreds of Bashlite variations currently exist.
The Bredolab botnet is believed to have infected a whopping 30 million Windows computers between 2009 and November 2010, the date of its takedown, when Dutch law enforcement seized more than 140 of its command and control servers.
The botnet was built by an Armenian malware author, who used spam email and drive-by downloads to infect users with the Bredolab malware. Once infected, victims' computers would be used to send out massive quantities of spam.
The Carna botnet is not what you'd call "malware." This was a botnet created by an anonymous hacker for the purpose of running an internet census.
It infected over 420,000 internet routers back in 2012, and merely gathered statistics on internet usage directly from users... and without permission.
It infected routers that didn't use a password, or were secured with default or easy to guess passwords -- a tactic weaponized for malicious DDoS attacks four years later by the Mirai botnet.
You can learn more about Carna from the botnet's Wikipedia page or this Darknet Diaries podcast episode.
Chameleon was a short-lived botnet that operated in 2013. It's one of the rare ad-fraud botnets on this list.
According to reports at the time, the botnet's authors infected over 120,000 users with the Chameleon malware. This malware would open an Internet Explorer window in the background and navigate to a list of 202 sites, where it would trigger ad impressions that helped the botnet's authors generate revenues of up to $6.2 million per month.
The botnet stopped operating after being publicly ousted.
Coreflood is one of the internet's forgotten threats. It appeared in 2001 and was shut down in 2011.
The botnet is believed to have infected more than 2.3 million Windows computers, having more than 800,000 bots at the time it was taken down in June 2011.
Coreflood operators used booby-trapped websites to infect users' computers via a technique called drive-by download. Once a victim was infected, they used Coreflood to download other, more potent malware -- Coreflood working as a typical "malware dropper/downloader."'
Dridex is one of today's most infamous botnets. The Dridex malware and the associated botnet have been around since 2011, being initially known as Cridex, before evolving into the current Dridex strain (sometimes also referred to as Bugat).
The Dridex malware is primarily a banking trojan that steals banking credentials and grants hackers access to bank accounts, but it also comes with a info-stealer component.
The malware is usually distributed via malspam (emails with malicious file attachments). There have been several reports that the group who created Dridex also runs the Necurs email spamming botnet. There are code similarities between the two malware strains, and the spam that spreads Dridex is always distributed via the Necurs spam botnet.
One of the lead Dridex coders was arrested back in 2015, but the Dridex botnet continued to operate, and it is still active today.
The size of the botnet (number of computers infected with the Dridex malware) has varied wildly across the years, and across vendors. The Dridex and TA505 Malpedia pages list a fraction of the hundreds of Dridex reports, showing how immensly active this botnet has been this decade.
Emotet was first seen in the wild in 2014. It initially worked as a banking trojan, but re-tooled itself into a malware dropper for other cyber-criminal operations in 2016 and 2017.
Today, Emotet is the world's leading MaaS operation, and is often used to allow crooks access to corporate networks, where hackers can steal proprietary files or install ransomware to encrypt sensitive data, and later extort companies for large sums of money.
The size of the botnet varies from week to week. Emotet also operates via three smaller "epochs" (mini-botnets), so it can avoid coordinated law enforcement takedowns and test various actions before a wider deployment.
The Emotet malware is also known as Geodo, and its technical capabilities have been widely documented. The infographic below provides an updated look at Emotet's capabilities, at the time of writing, courtesy of Sophos Labs.
|Date added||Dec. 3, 2019, 10:39 a.m.|