The Spamhaus Project

Spamhaus Botnet Summary 2016

2016 was a busy year for existing and emerging cyber threats. In the past year, Spamhaus researchers issued listings for over 7,000 botnet Command & Control (“C&C”) servers on more than 1,100 different networks. These C&C servers enabled and controlled online crime such as credential theft, e-banking fraud, spam and DDoS attacks. They were also used for the retrieval of stolen data. 2016 will also go down in history as the first year that security issues related to the “Internet of Things” (IoT) not only became mainstream, but turned into a serious enabler of ever larger attacks and a source of many future problems.

by The Spamhaus Team, January 17, 2017 (12 minutes reading time)
Tags: Botnet C&C, Threat Intelligence, Malware, Service Providers

Introduction

In 2016, one out of five SBL listings was for a botnet C&C server. Such servers are used by cybercriminals to control infected computers ("bots") and to retrieve stolen data from them. While 7,314 is a very high number of C&C servers, it is nevertheless a decrease of 1,166 (or 13.8%) from the 8,480 botnet controllers we detected in 2015.

The majority (4,481 or 61.3%) of botnet controllers Spamhaus found in 2016 were hosted on servers that had been ordered by cybercriminals for the exclusive purpose of hosting a botnet controller (so-called fraudulent sign-ups). This is an increase of 472 (or 11.8%) compared to 2015 and continues a development that first emerged in 2015, when the majority of newly detected botnet controllers moved from compromised websites to servers specifically ordered by cybercriminals for hosting botnet C&Cs.

All botnet C&C IP addresses detected were automatically listed on the Spamhaus Botnet Controller List (BCL), a specialized "drop all traffic" list intended for use by networks to null-route traffic to and from botnet controllers. The Spamhaus BCL only lists IP addresses of servers set up and operated by cybercriminals for the exclusive purpose of hosting a botnet controller. Because these IP addresses host no legitimate services or activities, they can be blocked outright on ISP and corporate networks without risk of affecting legitimate traffic, which effectively neutralizes any infected computers present on those networks by cutting them off from their controllers.
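As an added example of how a network operator might consume a BCL-style "drop all traffic" list (example code written for this page, not Spamhaus code, and not the BCL's actual distribution format), the script below turns a list of controller addresses into Linux null routes and an nftables set that drops traffic in both directions, then matches a firewall log against the same list to find the internal hosts that talked to a listed controller. The one-address-per-line feed format, the log line format, the table/set names and every address (RFC 5737 documentation ranges) are assumptions constructed for the example.

```python
"""Consume a BCL-style "drop all traffic" list on a network edge.

Added example; not Spamhaus code. The feed format (one IPv4 address per
line, '#' comments), the firewall log format, the nftables table/set names
and all addresses below are assumptions constructed for illustration.
"""
import ipaddress
import re

# Constructed feed using RFC 5737 documentation addresses (not real C&Cs).
BCL_FEED = """\
# botnet controller list (constructed sample)
198.51.100.23
203.0.113.77
192.0.2.200
not-an-ip   # a malformed line must not abort the whole load
"""

# Constructed firewall log: "<ts> <fw> <action> <proto> <src>:<sport> -> <dst>:<dport>"
FLOW_LOG = """\
2016-11-03T10:14:22Z fw1 ACCEPT TCP 10.20.1.15:49233 -> 198.51.100.23:8080
2016-11-03T10:14:25Z fw1 ACCEPT TCP 10.20.1.15:49240 -> 192.0.2.10:443
2016-11-03T10:15:01Z fw1 ACCEPT UDP 10.20.3.9:5353 -> 224.0.0.251:5353
2016-11-03T10:16:40Z fw1 ACCEPT TCP 10.20.7.41:51002 -> 203.0.113.77:443
2016-11-03T10:17:02Z fw1 ACCEPT TCP 10.20.1.15:49301 -> 203.0.113.77:443
garbage line that does not parse
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_feed(text):
    """Return the set of listed IPv4 addresses. Comments, blank lines and
    malformed entries are skipped so one bad line cannot empty the blocklist."""
    listed = set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            listed.add(ipaddress.IPv4Address(entry))
        except ipaddress.AddressValueError:
            continue
    return listed


def null_routes(listed):
    """iproute2 commands that blackhole each listed address (outbound side)."""
    return [f"ip route add blackhole {ip}/32" for ip in sorted(listed)]


def nftables_ruleset(listed, table="filter", setname="bcl"):
    """nftables ruleset dropping traffic to AND from the listed addresses.
    Dropping both directions is safe only because a BCL-style list contains
    no legitimate hosts."""
    elements = ", ".join(str(ip) for ip in sorted(listed))
    return (
        f"table inet {table} {{\n"
        f"  set {setname} {{ type ipv4_addr; elements = {{ {elements} }} }}\n"
        f"  chain forward {{\n"
        f"    type filter hook forward priority 0; policy accept;\n"
        f"    ip daddr @{setname} counter drop\n"
        f"    ip saddr @{setname} counter drop\n"
        f"  }}\n"
        f"}}\n"
    )


def find_infected_hosts(log_text, listed):
    """Map each internal source IP that reached a listed controller to the
    set of controllers it contacted; these are the machines to clean up."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        dst = ipaddress.IPv4Address(m["dst"])
        if dst in listed:
            hits.setdefault(m["src"], set()).add(str(dst))
    return hits


if __name__ == "__main__":
    listed = parse_feed(BCL_FEED)
    print("\n".join(null_routes(listed)))
    print(nftables_ruleset(listed))
    for host, cncs in sorted(find_infected_hosts(FLOW_LOG, listed).items()):
        print(f"{host} contacted C&C(s): {', '.join(sorted(cncs))}")
```

The log matching is the part that pays off operationally: a blocked outbound connection attempt to a listed address is a reliable indicator that the source host is infected, so the same list that protects the network also produces a clean-up queue.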

Botnet listings total (BCL + compromised):

| Year | Listings |
|------|----------|
| 2016 | 7,314 |
| 2015 | 8,480 |
| 2014 | 7,182 |

Pure BCL listings:

| Year | Listings |
|------|----------|
| 2016 | 4,481 |

As the figures above show, the number of server-hosted botnet controllers decreased during 2016. One reason for this is the increased use of anonymization networks (the "dark web") by miscreants to hide the real location of their botnet controllers. In particular, the use of Tor by cybercriminals has grown substantially in the past year. Due to the nature of such anonymization networks, it is neither easy to block specific content hosted in the dark web (e.g. botnet controllers), nor to identify the final destination of a C&C communication (e.g. where the malware sends stolen data such as credentials or credit card details). From the perspective of a network operator, the only way to prevent abuse from anonymization networks is to block them entirely, which can be a difficult choice as they also have legitimate uses. We believe that ISPs and hosting providers will soon be confronted with the question of whether to allow the use of anonymization services such as Tor or to block them completely, unless operators of anonymization services step up to stop abusers more effectively.

For botnet controllers that were not behind an anonymization network, we produced some statistics. The following table shows a list of ISPs ranked by number of C&Cs detected on that ISP's network during the past year, and also includes 2015 data to observe trends. These data include botnet controllers that were hosted on compromised webservers or websites, as well as those hosted through fraudulent sign-ups (BCL listings).

Overall botnet hosting (compromised websites, compromised servers, fraudulent sign-ups):

| Rank | C&Cs 2016 | C&Cs 2015 | Network | Country |
|------|-----------|-----------|---------|---------|
| 1 | 395 | 385 | ovh.net | France (FR) |
| 2 | 257 | 143 | godaddy.com | United States (US) |
| 3 | 167 | 183 | endurance.com | United States (US) |
| 4 | 144 | 197 | hetzner.de | Germany (DE) |
| 5 | 128 | 170 | ispserver.com | Russia (RU) |
| 6 | 118 | 106 | colocrossing.com | United States (US) |
| 7 | 98 | 172 | cloudflare.com | United States (US) |
| 8 | 89 | 50 | quadranet.com | United States (US) |
| 9 | 83 | 73 | digitalocean.com | United States (US) |
| 10 | 75 | 121 | worldstream.nl | Netherlands (NL) |
| 11 | 71 | 26 | blazingfast.io | Ukraine (UA) |
| 12 | 71 | 89 | choopa.com | United States (US) |
| 13 | 69 | 3 | chinanet-js | China (CN) |
| 14 | 69 | 108 | softlayer.com | United States (US) |
| 15 | 68 | 126 | heg.com | Great Britain (GB) |
| 16 | 68 | 103 | itl.ua | Ukraine (UA) |
| 17 | 68 | 6 | virpus.com | United States (US) |
| 18 | 66 | 137 | leaseweb.com | Netherlands (NL) |
| 19 | 65 | 24 | timeweb.ru | Russia (RU) |
| 20 | 65 | 46 | uk2group.com | Great Britain (GB) |

The table shows the total number of detected botnet controllers per ISP, not distinguishing between compromised webservers/websites or fraudulent sign-ups. This has to be considered carefully before drawing conclusions from these data. In general, large networks attract more abuse than smaller ones, simply due to the fact that they host more servers and websites that are poorly patched or not maintained at all.

It can be quite difficult for an ISP or hosting provider to prevent the compromise of a customer's server or website, since these are often fully under the control of the customer. Many servers and websites run outdated software, which leaves them vulnerable to attacks from the internet, and it is an easy task for a cybercriminal to scan the internet for servers or websites running outdated or vulnerable software. Some of the most popular open source CMSes, such as WordPress, Joomla, Typo3 and Drupal, are especially popular targets due to the high number of poorly maintained installations of these packages. We have seen that some of the more proactive ISPs and hosting providers are now using newer tools and methods to track down outdated software and to monitor C&C traffic. Of course, blocking traffic to known C&Cs is a good start.
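As an added illustration of the kind of tooling a proactive hosting provider could use to track down outdated software on its own boxes (example code written for this page, not a Spamhaus or hosting-provider tool), the script below walks a directory of customer document roots, reads the version string that WordPress and Drupal record in their own source files, and flags installs below a minimum version. The version-file paths are the ones those CMSes actually ship; the minimum-version policy and the sample document roots are assumptions constructed for the example, and Joomla and Typo3 are left out.

```python
"""Locate CMS installations that are below a patched version on a shared host.

Added example; not Spamhaus code. The version-file paths are the ones
WordPress and Drupal ship; the MIN_VERSION policy and the sample document
roots are assumptions constructed for illustration.
"""
import os
import re
import tempfile

# Where each CMS records its own version, relative to the customer's docroot.
VERSION_FILES = {
    "wordpress": ("wp-includes/version.php",
                  re.compile(r"\$wp_version\s*=\s*'(\d+(?:\.\d+)*)'")),
    "drupal7": ("includes/bootstrap.inc",
                re.compile(r"define\('VERSION',\s*'(\d+(?:\.\d+)*)'\)")),
    "drupal8": ("core/lib/Drupal.php",
                re.compile(r"const VERSION\s*=\s*'(\d+(?:\.\d+)*)'")),
}

# Assumed operator policy: installs older than this are flagged. Keep it
# current with upstream security releases; the values here are illustrative.
MIN_VERSION = {"wordpress": "4.7", "drupal7": "7.52", "drupal8": "8.2.3"}


def parse_version(s):
    """'4.7' -> (4, 7); tuples compare numerically, so (4, 7) > (4, 2, 2)
    and (4, 10) > (4, 9), which a plain string comparison would get wrong."""
    return tuple(int(p) for p in s.split("."))


def detect(docroot):
    """Return (cms, version) if docroot holds a known CMS, else None."""
    for cms, (rel, pattern) in VERSION_FILES.items():
        path = os.path.join(docroot, rel)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            m = pattern.search(fh.read())
        if m:
            return cms, m.group(1)
    return None


def scan(vhost_root):
    """Treat each immediate subdirectory of vhost_root as one customer docroot
    and return (name, cms, version, outdated) for every CMS found."""
    findings = []
    for name in sorted(os.listdir(vhost_root)):
        docroot = os.path.join(vhost_root, name)
        if not os.path.isdir(docroot):
            continue
        hit = detect(docroot)
        if hit is None:
            continue
        cms, version = hit
        outdated = parse_version(version) < parse_version(MIN_VERSION[cms])
        findings.append((name, cms, version, outdated))
    return findings


def build_sample_tree():
    """Constructed /var/www-style tree in a temp dir so the example runs offline."""
    root = tempfile.mkdtemp(prefix="vhosts-")
    samples = {
        "shop.example/wp-includes/version.php": "<?php\n$wp_version = '4.2.2';\n",
        "blog.example/wp-includes/version.php": "<?php\n$wp_version = '4.7';\n",
        "intranet.example/includes/bootstrap.inc": "<?php\ndefine('VERSION', '7.31');\n",
        "static.example/index.html": "<html><body>no CMS here</body></html>\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for name, cms, version, outdated in scan(build_sample_tree()):
        flag = "OUTDATED" if outdated else "ok"
        print(f"{name:20s} {cms:10s} {version:8s} {flag}")
```

Reading the version from disk rather than from HTTP responses avoids the two usual failure modes of remote fingerprinting: sites that strip the generator meta tag, and sites that only answer on a name the provider does not know about.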

However, compromised servers and websites are just part of the problem. The other part of the ongoing botnet problem is the fraudulent sign-ups. "Fraudulent sign-ups" are generally when a miscreant orders a server (e.g. a VPS) at a hosting provider for the exclusive purpose of hosting a botnet controller. This means that the host running at such an IP address is not compromised; it is operated by cybercriminals. To ensure they are not traceable, cybercriminals use fake or stolen identities to place orders with service providers. Services are paid for using either stolen credit cards, compromised PayPal accounts or (anonymous) crypto-currency such as Bitcoin. Providers can battle such fraudulent sign-ups by doing proper customer verification. However, it is not unusual for a fraudulent sign-up to slip through the anti-fraud checks. Our article, "How hosting providers can battle fraudulent sign-ups", contains more information on this topic.

Botnet hosting via fraudulent sign-ups only (BCL listings):

| Rank | C&Cs 2016 | C&Cs 2015 | Network | Country |
|------|-----------|-----------|---------|---------|
| 1 | 295 | 247 | ovh.net | France (FR) |
| 2 | 112 | 82 | colocrossing.com | United States (US) |
| 3 | 109 | 153 | ispserver.com | Russia (RU) |
| 4 | 79 | 119 | hetzner.de | Germany (DE) |
| 5 | 72 | 45 | quadranet.com | United States (US) |
| 6 | 69 | 24 | blazingfast.io | Ukraine (UA) |
| 7 | 68 | 3 | chinanet-js | China (CN) |
| 8 | 66 | 88 | itl.ua | Ukraine (UA) |
| 9 | 65 | 5 | virpus.com | United States (US) |
| 10 | 64 | 106 | worldstream.nl | Netherlands (NL) |
| 11 | 61 | 67 | choopa.com | United States (US) |
| 12 | 57 | 51 | hostkey.ru | Russia (RU) |
| 13 | 56 | 51 | digitalocean.com | United States (US) |
| 14 | 55 | 110 | hostsailor.com | United Arab Emirates (AE) |
| 15 | 53 | 66 | leaseweb.com | Netherlands (NL) |
| 16 | 49 | 64 | heg.com | Great Britain (GB) |
| 17 | 49 | 45 | severius.nl | Netherlands (NL) |
| 18 | 49 | 11 | zomro.com | Ukraine (UA) |
| 19 | 43 | 38 | selectel.ru | Russia (RU) |
| 20 | 41 | 33 | qhoster.com | Netherlands (NL) |

Note that this table shows the raw number of C&Cs on each provider. It says nothing about how long each botnet C&C was left active, or whether the provider heeded C&C reports from Spamhaus or not. In many cases, the volume of abuse originating from a provider is proportional to the size of the ISP or hosting provider's network and the number of customers.

However, the table also contains a few smaller providers that you may never have heard of, but that have hosted disproportionately large numbers of C&Cs. These providers attract more cybercriminals than other providers. There are several reasons why this may happen:

  • Employing the automated sign-up of new customers that skips or has inadequate fraud checking in place, thus allowing cybercriminals to set up C&Cs quickly.
  • Inadequately staffed abuse departments and/or lax abuse handling processes can allow cybercriminals to continue to operate for relatively long periods of time before their C&Cs are shut down.
  • The provider's datacenter might be located in a legal jurisdiction, province, or country that lacks sufficient resources to investigate and prosecute cybercrime, or that even actively encourages it.

Let us also have a look at what kind of malware was associated with the botnet controllers Spamhaus detected in 2016. The table below shows the number of all botnet listings per malware family in 2016.

| Rank | C&Cs | Malware | Notes |
|------|------|---------|-------|
| 1 | 602 | Downloader.Pony | Dropper / Credential Stealer |
| 2 | 404 | Locky | Ransomware |
| 3 | 393 | IoT | Generic IoT malware |
| 4 | 305 | CryptoWall | Ransomware |
| 5 | 282 | VMZeuS | e-banking Trojan |
| 6 | 271 | Gozi | e-banking Trojan |
| 7 | 263 | Dridex | e-banking Trojan |
| 8 | 253 | TeslaCrypt | Ransomware |
| 9 | 229 | Neurevt | Backdoor |
| 10 | 213 | ISRStealer | Backdoor |
| 11 | 210 | Nitol | DDoS bot |
| 12 | 203 | Citadel | e-banking Trojan |
| 13 | 201 | Vawtrak | e-banking Trojan |
| 14 | 200 | TorrentLocker | Ransomware |
| 15 | 193 | LuminosityLink | Remote Access Tool (RAT) |
| 16 | 178 | ZeuS | e-banking Trojan |
| 17 | 157 | Gootkit | e-banking Trojan |
| 18 | 124 | Smoke Loader | Dropper / Credential Stealer |
| 19 | 120 | Glupteba | Spam bot |
| 20 | 103 | Neutrino | DDoS bot / Credential Stealer |
| n/a | 2,411 | other | Other malware families |
| n/a | 552 | generic | C&Cs where the associated malware could not be identified |

It is fair to say that 2016 was the year of extortion. While many of the listings were related to e-banking Trojans, a new threat grew very quickly in 2016: ransomware. The number of listings concerning ransomware (such as TorrentLocker, Locky or Cerber) increased on an unprecedented scale in 2016.

In the autumn of 2016 Spamhaus also began listing botnet controllers associated with malware specifically targeting the "Internet of Things". Within just two months Spamhaus researchers identified, blocklisted and helped dismantle almost 400 IoT malware botnet controllers. We will soon publish a separate article detailing the specific challenges of IoT bots.