Special Feature
Part of a ZDNet Special Feature: 2010s: The Decade in Review

A decade of malware: Top botnets of the 2010s

ZDNet goes over the list of biggest malware botnets of the past decade, from Necurs to Mirai.

botnet-world-map.png

CNET

Decade in Review: 2010-2019

From the iPad to selfies to fake meat, we look back at an action-packed decade

Read More

Over the past decade, the information security (infosec) field has seen a near-constant rise in malware activity.

Without a doubt, the 2010s was the decade when malware exploded from a casual semi-ammateriush landscape into a full-blown criminal operation, capable of generating hundreds of millions of US dollars per year for the actors involved.

While there were thousands of malware strains that have been active in the 2010s, a few malware botnets have risen above the rest in terms of spread and size, ammounting to what some security researchers would call "super botnets."

Malware strains like Necurs, Andromeda, Kelihos, Mirai, or ZeroAccess have made a name for themselves after they've infected millions of devices across the globe.

This article aims to summarize the biggest malware botnets that we've seen over the past ten years. Since tracking botnets is never a 100% accurate operation, we're going to list the botnets in alphabetical order, and mention their peak size, as they were reported at the time.


3ve

3ve is considered the most advanced click-fraud botnet ever assembled. It operated from 2013 to 2018, when it was dismantled by an international law enforcement action, with help from Google and cyber-security firm White Ops.

The botnet relied on a mixture between malicious scripts running on data center-hosted servers and click-fraud modules loaded on computers infected with third-party malware, such as Methbot and Kovter.

3ve operators also created fake websites where they loaded ads and then used the bots to click on ads and generate profits. At one point, the botnet is believed to have been comprised of more than 1.5 million home computers and 1,900 servers clicking on ads loaded on more than 10,000 fake websites.

See previous ZDNet coverage, Google & White Ops PDF report, and Google blog post.


Andromeda (Gamarue)

The Andromeda malware was first seen in the wild back in 2011, and it's your typical "spam & malware downloader" botnet -- also known as Malware-as-a-Service (MaaS) scheme.

By this term, we are referring to a type of malware operation where crooks are mass-spamming users to infect them with the Andromeda (Gamarue) malware strain. Crooks then use these infected hosts to send out new email spam to other users, and expand or keep the botnet alive, or they download a second-stage malware strain at the behest of other (paying) malware gangs.

MaaS botnets that provide "install space" are some of the most lucrative cyber-criminal schemes around, and crooks can use different malware strains to set up the backend infrastructure for such an operation.

Andromeda, is one of these types of malware strains, and has been very popular across the years. The reason for its success is because Andromeda's source code leaked online, a few years back, and has allowed several criminal gangs to set up their own botnet and try their hand at "cybercrime."

Across the years, cyber-security firms have tracked multiple criminal gangs operating an Andromeda botnet. The biggest one known to date reached two million infected hosts, and was shut down by Europol in December 2017.

Readers can find a collection of infosec reports on the Andromeda malware on its Malpedia page, plus this one, and this one.


Bamital

Bamital is an adware botnet that operated between 2009 and 2013. It was taken down following a joint effort by Microsoft and Symantec.

On infected hosts, the Bamital malware modified search results to insert custom links and content, often redirecting users to malicious sites offering malware-laced downloads.

Bamital is believed to have infected more than 1.8 million computers.


Bashlite

Bashlite, also known under names like Gafgyt, Lizkebab, Qbot, Torlus, and LizardStresser, is a malware strain designed to infect poorly secured WiFi home routers, smart devices, and Linux servers.

Its primarily and only role is to carry out DDoS attacks.

The malware was created in 2014 by members of the Lizard Squad hacking group, and its code leaked online in 2015.

Due to this leak, the malware has often been used to host most of today's DDoS botnets, and is often the second most popular IoT malware strain, behind Mirai. Hundreds of Bashlite variations currently exist.


Bredolab

The Bredolab botnet is believed to have infected a whopping 30 million Windows computers between 2009 and November 2010, the date of its takedown, when Dutch law enforcement seized more than 140 of its command and control servers.

The botnet was built by an Armenian malware author, who used spam email and drive-by downloads to infect users with the Bredolab malware. Once infected, victims' computers would be used to send out massive quantities of spam.


Carna

The Carna botnet is not what you'd call "malware." This was a botnet created by an anonymous hacker for the purpose of running an internet census.

It infected over 420,000 internet routers back in 2012, and merely gathered statistics on internet usage directly from users... and without permission.

It infected routers that didn't use a password, or were secured with default or easy to guess passwords -- a tactic weaponized for malicious DDoS attacks four years later by the Mirai botnet.

You can learn more about Carna from the botnet's Wikipedia page or this Darknet Diaries podcast episode.


Chameleon

Chameleon was a short-lived botnet that operated in 2013. It's one of the rare ad-fraud botnets on this list.

According to reports at the time, the botnet's authors infected over 120,000 users with the Chameleon malware. This malware would open an Internet Explorer window in the background and navigate to a list of 202 sites, where it would trigger ad impressions that helped the botnet's authors generate revenues of up to $6.2 million per month.

The botnet stopped operating after being publicly ousted.


Coreflood

Coreflood is one of the internet's forgotten threats. It appeared in 2001 and was shut down in 2011.

The botnet is believed to have infected more than 2.3 million Windows computers, having more than 800,000 bots at the time it was taken down in June 2011.

Coreflood operators used booby-trapped websites to infect users' computers via a technique called drive-by download. Once a victim was infected, they used Coreflood to download other, more potent malware -- Coreflood working as a typical "malware dropper/downloader."'

For a description of its technical capabilities, please see Symantec's Coreflod technical analysis.


Dridex

Dridex is one of today's most infamous botnets. The Dridex malware and the associated botnet have been around since 2011, being initially known as Cridex, before evolving into the current Dridex strain (sometimes also referred to as Bugat).

The Dridex malware is primarily a banking trojan that steals banking credentials and grants hackers access to bank accounts, but it also comes with a info-stealer component.

The malware is usually distributed via malspam (emails with malicious file attachments). There have been several reports that the group who created Dridex also runs the Necurs email spamming botnet. There are code similarities between the two malware strains, and the spam that spreads Dridex is always distributed via the Necurs spam botnet.

One of the lead Dridex coders was arrested back in 2015, but the Dridex botnet continued to operate, and it is still active today.

The size of the botnet (number of computers infected with the Dridex malware) has varied wildly across the years, and across vendors. The Dridex and TA505 Malpedia pages list a fraction of the hundreds of Dridex reports, showing how immensly active this botnet has been this decade.


Emotet

Emotet was first seen in the wild in 2014. It initially worked as a banking trojan, but re-tooled itself into a malware dropper for other cyber-criminal operations in 2016 and 2017.

Today, Emotet is the world's leading MaaS operation, and is often used to allow crooks access to corporate networks, where hackers can steal proprietary files or install ransomware to encrypt sensitive data, and later extort companies for large sums of money.

The size of the botnet varies from week to week. Emotet also operates via three smaller "epochs" (mini-botnets), so it can avoid coordinated law enforcement takedowns and test various actions before a wider deployment.

The Emotet malware is also known as Geodo, and its technical capabilities have been widely documented. The infographic below provides an updated look at Emotet's capabilities, at the time of writing, courtesy of Sophos Labs.

emotet-infographic.png

Image: Sophos

Festi

The Festi botnet was built with the help of the eponymous Festi rootkit. The botnet was active between 2009 and 2013, when the botnet's activity slowly died out on its own.

During its peak in 2011 and 2012, the botnet is believed to have infected more than 250,000 computers and was capable of sending out over 2.5 billion spam emails per day.

Besides its well documented spamming capabilities, the botnet was also used to carry out DDoS attacks on rare ocassions, being one of the rare Windows-based botnets that did this.

The botnet was also known as Topol-Mailer. Several sources have identified Russian programmer Igor Artimovich as the botnet's creator [1, 2].


Gameover ZeuS

Gameover ZeuS is a malware botnet that operated between 2010 and 2014, when its infrastructure was seized by international law enforcement.

The botnet was assembled by infecting computers with Gameover ZeuS, a banking trojan built on the leaked source code of the ZeuS trojan. Gameover ZeuS is believed to have infected up to one million devices.

Besides stealing banking information from infected hosts, the Gameover Zeus gang also offered access to infected hosts to other cybercrime groups, so they could install their own malware. The Gameover ZeuS botnet was the primary distributor of CryptoLocker, one of the first ever ransomware strains that encrypted files, rather than locking a user's desktop.

The botnet's main operator was identified as a Russian man named Evgeniy Mikhailovich Bogachev, still at large in Russia. The FBI is currently offering a $3 million reward for information leading to Bogachev's arrest, the biggest reward the FBI is offering for any hacker.


Gozi family

The Gozi malware family deserves a mention on this list, primarily due to the impact it had on the current malware scene, and not necessarily because of the size of the botnets that have been created (most of which have been very small, but persistent across the years).

The original Gozi banking trojan was developed in 2006 as a direct competitor to the ZeuS trojan and its Malware-as-a-Service offering.

Just like ZeuS, Gozi's source code leaked online (in 2010) and was immediately adopted by other cyber-criminal gangs, which incorporated and reused it to create numerous other banking trojans that have been plaguing the malware scene for the past decade.

While there have been tens of Gozi-based malware strains, the most persistent of all were the Gozi ISFB version, the Vawtrak (Neverquest) variant, and the GozNym botnet -- a combination between Gozi IFSB and Nymain.

Currently, Gozi is considered outdated, primarily because it doesn't really bode well with modern browsers and operating systems, and has been slowly abandoned in recent years.


Grum

The Grum botnet operated between 2008 and 2012 and was built using the eponymous rootkit malware strain. At its peak, the botnet reached a massive size of 840,000 infected computers, mostly comprised of Windows XP systems.

The botnet was shut down in 2012 after a joint effort by Spamhaus, Group-IB, and FireEye, although, by that time, the botnet's size had gone down to a meager 20,000.

Grum's primary purpose was to use infected computers to send out tens of millions of spam email messages per day, primarily for pharma products and dating sites.


Hajime

The Hajime botnet appeared in April 2017 and is still active today. It is your classical IoT botnet that infects routers and smart devices via unpatched vulnerabilities and weak passwords.

The botnet was the first IoT botnet to have used a P2P (peer-to-peer) structure among all IoT botnets. During its peak, the botnet reached a size of 300,000 infected devices; however, it couldn't mantain its mass for long, and other botnets chewed on its sides, and the botnet has now shrunk to a size of around 90,000 devices, on average.

The botnet has never been seen engaging in DDoS attacks, and is believed that crooks are using it to proxy malicious traffic or carry out credential stuffing attacks.


Kelihos (Waledac)

The Kelihos botnet, also known as Waleac, was active between 2010 and April 2017, when authorities finally managed to take it down in their fourth attempt, after they failed in 2011, 2012, and 2013.

The botnet peaked at a few hundred thousand bots, but it had died down to around 60,000 bots at the time time it was taken down.

As for its modus operandi, Kelihos was your classic spam botnet, using infected bots to send email spam campaigns on the behalf of various fraudsters or malware operations.

The Kelihos botnet operator was arrested in 2017 in Spain and extradited to the US, where he pleaded guilty last year and is now awaiting sentencing.


Mirai

Developed by angry students so they could launch DDoS attacks against their university and Minecraft servers, the Mirai malware has become today's most widespread IoT malware strain.

The malware was designed to infect routers and smart IoT devices that use weak or no Telnet login credentials. Infected devices are assembled in a botnet that was specifically designed to launch DDoS attacks.

The botnet was privately operated for almost a year before a series of DDoS attacks drew too much attention toward its operators. In an attempt to hide their tracks, the authors released Mirai's source code to the public, hoping that others will set up their own Mirai botnets and prevent law enforcement from tracking their original botnet.

The plan didn't succeed, and the code's public release made things many times worse, as multiple threat actors had gained access to a powerful tool for free. Ever since then, Mirai-based botnets have been plaguing internet servers with DDoS attacks on a daily basis, with some reports putting the number of different Mirai botnets active at one single time at over 100.

Since the public release of the Mirai source in late 2016, other malware authors have used the Mirai code to build their own custom variants, with the most widely known being Okiru, Satori, Akuma, Masuta, PureMasuta, Wicked, Sora, Owari, Omni, and Mirai OMG.


Necurs

Necurs is a spam botnet that was first seen circa 2012 and is believed to have been created by the same crew that runs the Dridex banking trojan (namely, the TA505 crew).

The botnet's sole purpose is to infect Windows computers and then use them to send spam email. Across its lifetime, the botnet has been seen sending spam for all sorts of schemes:

- Viagra and pharma spam
- miracle cures
- dating sites spam
- stock/cryptocurrency pump-and-dump schemes
- malspam spreading other malware -- such as the Dridex banking trojan, the Locky ransomware, or the Bart ransomware

The botnet reached its peak in 2016-2017, when it could be found on around 6-7 million devices on a monthly basis. The botnet is still alive today, but is not as active as it was a few years back. Here's a short list of technical reports about the Necurs botnet and some of its campaigns.


Ramnit

Ramnit is yet another botnet created to control the eponymously named banking trojan. It appeared in 2010 and was based on the leaked source code of the the older ZeuS banking trojan.

In its first incarnation, the botnet reached a size of 350,000 bots, which drew the attention of cyber-security vendors and law enforcement.

Authorities sinkholed a first version in February 2015, but since they didn't manage to arrest its creators, the Ramnit operators resurfaced with a new botnet a few months later.

Ramnit is still active today, but nowhere near the numbers it was in its heyday, in 2015.


retadup-infection-map.png

Image: Avast

Retadup

The Retadup malware and its botnet has first been seen in 2017. It was a basic info-stealer trojan that stole various types of data from infected hosts and sent the information to a remote server.

The Retadup trojan went under the radar for most of its life until this August when Avast and French police intervened to take down the botnet and instruct the malware to self-delete from all infected hosts.

It was only then that authorities learned that Retadup had been quite the large-scale operation, having infected more than 850,000 systems across the globe, and primarily in Latin America.


Smominru (Hexmen, MyKings)

Smominru -- also tracked under the names of MyKings or Hexmen -- is today's largest botnet dedicated solely to mining cryptocurrency.

It does this on both desktop and enterprise servers, to which it usually gains access by exploiting unpatched systems.

The botnet appeared in 2017, when it infected more than 525,000 Windows computers and mined more than $2.3 million worth of Monero (XMR) for its operators, in its first months of life.

Despite a drop in cryptocurrency trading prices, the botnet is still active today, infecting around 4,700 new devices each day, according to a report published over the summer.


TrickBot

TrickBot operates similar to Emotet. It is a former banking trojan that evolved into a malware dropper and adopted a pay-per-install scheme, and is now making most of its money by installing other criminal groups' malware on the computers they infect.

The botnet first appeared in 2016, and its initial versions shared large chuncks of code with the now-defunct Dyre banking trojan. At the time, security researchers suggested remnants of the original Dyre gang created TrickBot after Russian authorities cracked down on some of the group's members in earlier that year.

However, TrickBot didn't operate as a banking trojan for long. It slowly changed into a malware dropper by the summer of 2017, about the same time Emotet was also making its change.

Although there is no evidence the two botnets are managed by the same crew, there is a collaboration between the two groups. The TrickBot gang often rents access to computers that have been previously infected with Emotet, where they drop their trojan, something that the Emotet crew has tolerated, even if TrickBot is one of their main competitors.

The size of the TrickBot botnet has varied across the years, from 30,000 to 200,000, depending on the source of the report and the visibility they have into the malware's infrastructure.


WireX

WireX is one of the few happy cases on this list. It's a malware botnet that was taken down within a month of its inception, after several security firms and content delivery networks united to take down its infrastructure.

The botnet was built with the WireX Android malware, which appeared out of the blue in July 2017 to infect more than 120,000 smartphones within a few weeks.

While most Android malware today is used for adware and click-fraud, this botnet was extremely noisy, being used to launch powerful DDoS attacks.

This drew the immediate attention of security firms, and in a coordinated effort, the botnet and malware's backend infrastructure was taken down by mid-August, of the same year. Companies like Akamai, Cloudflare, Flashpoint, Google, Oracle Dyn, RiskIQ, Team Cymru, and a few others, participated in the takedown.


ZeroAccess

ZeroAccess is a botnet that was built using the ZeroAccess rootkit. The botnet's operators used it to make money by downloading other malware on infected hosts, or by performing click-fraud on web ads.

The botnet was first spotted in 2009 and was shut down in 2013 following a takedown operation coordinated by Microsoft.

According to Sophos, the botnet infected more than 9 million Windows systems during its lifetime, peaked at one million devices infected at the same time, and helped operators make around $100,000 per day.

A collection of ZeroAccess technical reports can be found on Malpedia. This Symantec write-up is also pretty complete.