Botnets boomed in 2010, says report

New report from Damballa finds botnets are growing at record levels as DIY botnet kits become commercially available and easy to get

2010 was a great year for botnets, particularly for the cyber criminals who run them. A report released Tuesday by security firm Damballa finds new botnets cropped up at a record pace in 2010.

Of the 10 largest botnets being run today, six did not even exist in 2009. Only one, the botnet known as Monkif, was present in the 2009 list of the 10 largest botnets, Damballa officials said.

2010's largest botnet is responsible for 14.8 percent of all unique infected victims and is associated with the TDL Gang — a criminal organization made famous for its advances in master-boot-record (MBR) rootkit technology and its commercially available do-it-yourself (DIY) botnet construction kit. Familiar names such as Conficker and Mariposa, as well as Zeus-based botnets, were also in the top-ten list this year. At its peak in 2010, the total number of unique botnet victims grew by 654 percent, with an average incremental growth of 8 percent per week.

"Prior to 2010, many people thought in terms of spam and DDoS whenever the term 'botnet' was discussed," said Gunter Ollmann, vice president of research, Damballa. "By the end of the year, botnets such as Mariposa, Aurora, Koobface and Stuxnet had become household names — revealing the breadth of crime commonly being facilitated with remotely controllable bot agents."


The Top 10 largest botnets in 2010 accounted for approximately 47 percent of all botnet-compromised victims, down from 81 percent for the 2009 Top 10. Ollmann said the decrease was not unexpected as the number of new criminal botnet operators increased, as did the average number of botnets owned and managed by each botnet master. Of the tens of millions of infected systems identified in 2010, Damballa ascertained that more than 35 percent of unique IP addresses infected were simultaneously victims of two or more different botnet campaigns.

The second half of 2010 saw the rapid evolution of many popular botnet do-it-yourself (DIY) construction kits and the increased availability of feature-rich browser exploit packs, said Ollmann. Cyber criminals providing specialized malware distribution services became more proficient at installing bot agents on behalf of their customers (i.e., botnet operators). The last quarter of 2010 was heavily influenced by the rapid growth of botnets utilizing the TDL master-boot-record (MBR) rootkit technology, the report states.

Copyright © 2011 IDG Communications, Inc.