Over the past decade, the information security (infosec) field has seen a near-constant rise in malware activity.
Without a doubt, the 2010s was the decade when malware exploded from a casual semi-ammateriush landscape into a full-blown criminal operation, capable of generating hundreds of millions of US dollars per year for the actors involved.
While there were thousands of malware strains that have been active in the 2010s, a few malware botnets have risen above the rest in terms of spread and size, ammounting to what some security researchers would call "super botnets."
Malware strains like Necurs, Andromeda, Kelihos, Mirai, or ZeroAccess have made a name for themselves after they've infected millions of devices across the globe.
This article aims to summarize the biggest malware botnets that we've seen over the past ten years. Since tracking botnets is never a 100% accurate operation, we're going to list the botnets in alphabetical order, and mention their peak size, as they were reported at the time.
3ve is considered the most advanced click-fraud botnet ever assembled. It operated from 2013 to 2018, when it was dismantled by an international law enforcement action, with help from Google and cyber-security firm White Ops.
The botnet relied on a mixture between malicious scripts running on data center-hosted servers and click-fraud modules loaded on computers infected with third-party malware, such as Methbot and Kovter.
3ve operators also created fake websites where they loaded ads and then used the bots to click on ads and generate profits. At one point, the botnet is believed to have been comprised of more than 1.5 million home computers and 1,900 servers clicking on ads loaded on more than 10,000 fake websites.
The Andromeda malware was first seen in the wild back in 2011, and it's your typical "spam & malware downloader" botnet -- also known as Malware-as-a-Service (MaaS) scheme.
By this term, we are referring to a type of malware operation where crooks are mass-spamming users to infect them with the Andromeda (Gamarue) malware strain. Crooks then use these infected hosts to send out new email spam to other users, and expand or keep the botnet alive, or they download a second-stage malware strain at the behest of other (paying) malware gangs.
MaaS botnets that provide "install space" are some of the most lucrative cyber-criminal schemes around, and crooks can use different malware strains to set up the backend infrastructure for such an operation.
Andromeda, is one of these types of malware strains, and has been very popular across the years. The reason for its success is because Andromeda's source code leaked online, a few years back, and has allowed several criminal gangs to set up their own botnet and try their hand at "cybercrime."
Across the years, cyber-security firms have tracked multiple criminal gangs operating an Andromeda botnet. The biggest one known to date reached two million infected hosts, and was shut down by Europol in December 2017.
Bamital is an adware botnet that operated between 2009 and 2013. It was taken down following a joint effort by Microsoft and Symantec.
On infected hosts, the Bamital malware modified search results to insert custom links and content, often redirecting users to malicious sites offering malware-laced downloads.
Bamital is believed to have infected more than 1.8 million computers.
Bashlite, also known under names like Gafgyt, Lizkebab, Qbot, Torlus, and LizardStresser, is a malware strain designed to infect poorly secured WiFi home routers, smart devices, and Linux servers.
Its primarily and only role is to carry out DDoS attacks.
The malware was created in 2014 by members of the Lizard Squad hacking group, and its code leaked online in 2015.
Due to this leak, the malware has often been used to host most of today's DDoS botnets, and is often the second most popular IoT malware strain, behind Mirai. Hundreds of Bashlite variations currently exist.
The Bayrob malware botnet was active between 2007 and 2016. The botnet's purpose evolved across time. In its initial version, the Bayrob malware was used to aid hackers in carrying out eBay scams.
But as eBay and others cracked down on this type of online fraud, the Bayrob gang evolved their malware throughout the years and turned it into a spam and crypto-mining botnet by the mid-2010s, when the botnet was said to have infected at least 400,000 computers.
The entire operation was shut down in 2016, when the malware's authors were apprehended in Romania, and later extradited to the US. The two main developers behind the botnet were recently sentenced to 18 and 20 years in prison, respectively.
You can read the entire history of the Bayrob malware gang in a special feature we ran earlier this year.
The botnet was built by an Armenian malware author, who used spam email and drive-by downloads to infect users with the Bredolab malware. Once infected, victims' computers would be used to send out massive quantities of spam.
The Carna botnet is not what you'd call "malware." This was a botnet created by an anonymous hacker for the purpose of running an internet census.
It infected over 420,000 internet routers back in 2012, and merely gathered statistics on internet usage directly from users... and without permission.
It infected routers that didn't use a password, or were secured with default or easy to guess passwords -- a tactic weaponized for malicious DDoS attacks four years later by the Mirai botnet.
Chameleon was a short-lived botnet that operated in 2013. It's one of the rare ad-fraud botnets on this list.
According to reports at the time, the botnet's authors infected over 120,000 users with the Chameleon malware. This malware would open an Internet Explorer window in the background and navigate to a list of 202 sites, where it would trigger ad impressions that helped the botnet's authors generate revenues of up to $6.2 million per month.
The botnet stopped operating after being publicly ousted.
Coreflood is one of the internet's forgotten threats. It appeared in 2001 and was shut down in 2011.
The botnet is believed to have infected more than 2.3 million Windows computers, having more than 800,000 bots at the time it was taken down in June 2011.
Coreflood operators used booby-trapped websites to infect users' computers via a technique called drive-by download. Once a victim was infected, they used Coreflood to download other, more potent malware -- Coreflood working as a typical "malware dropper/downloader."'
Dridex is one of today's most infamous botnets. The Dridex malware and the associated botnet have been around since 2011, being initially known as Cridex, before evolving into the current Dridex strain (sometimes also referred to as Bugat).
The Dridex malware is primarily a banking trojan that steals banking credentials and grants hackers access to bank accounts, but it also comes with a info-stealer component.
The malware is usually distributed via malspam (emails with malicious file attachments). There have been several reports that the group who created Dridex also runs the Necurs email spamming botnet. There are code similarities between the two malware strains, and the spam that spreads Dridex is always distributed via the Necurs spam botnet.
One of the lead Dridex coders was arrested back in 2015, but the Dridex botnet continued to operate, and it is still active today.
The size of the botnet (number of computers infected with the Dridex malware) has varied wildly across the years, and across vendors. The Dridex and TA505 Malpedia pages list a fraction of the hundreds of Dridex reports, showing how immensly active this botnet has been this decade.
Emotet was first seen in the wild in 2014. It initially worked as a banking trojan, but re-tooled itself into a malware dropper for other cyber-criminal operations in 2016 and 2017.
Today, Emotet is the world's leading MaaS operation, and is often used to allow crooks access to corporate networks, where hackers can steal proprietary files or install ransomware to encrypt sensitive data, and later extort companies for large sums of money.
The size of the botnet varies from week to week. Emotet also operates via three smaller "epochs" (mini-botnets), so it can avoid coordinated law enforcement takedowns and test various actions before a wider deployment.
The botnet was assembled by infecting computers with Gameover ZeuS, a banking trojan built on the leaked source code of the ZeuS trojan. Gameover ZeuS is believed to have infected up to one million devices.
Besides stealing banking information from infected hosts, the Gameover Zeus gang also offered access to infected hosts to other cybercrime groups, so they could install their own malware. The Gameover ZeuS botnet was the primary distributor of CryptoLocker, one of the first ever ransomware strains that encrypted files, rather than locking a user's desktop.
The botnet's main operator was identified as a Russian man named Evgeniy Mikhailovich Bogachev, still at large in Russia. The FBI is currently offering a $3 million reward for information leading to Bogachev's arrest, the biggest reward the FBI is offering for any hacker.
The FBI's most wanted cybercriminals
The Gozi malware family deserves a mention on this list, primarily due to the impact it had on the current malware scene, and not necessarily because of the size of the botnets that have been created (most of which have been very small, but persistent across the years).
Just like ZeuS, Gozi's source code leaked online (in 2010) and was immediately adopted by other cyber-criminal gangs, which incorporated and reused it to create numerous other banking trojans that have been plaguing the malware scene for the past decade.
Currently, Gozi is considered outdated, primarily because it doesn't really bode well with modern browsers and operating systems, and has been slowly abandoned in recent years.
The Grum botnet operated between 2008 and 2012 and was built using the eponymous rootkit malware strain. At its peak, the botnet reached a massive size of 840,000 infected computers, mostly comprised of Windows XP systems.
The botnet was shut down in 2012 after a joint effort by Spamhaus, Group-IB, and FireEye, although, by that time, the botnet's size had gone down to a meager 20,000.
Grum's primary purpose was to use infected computers to send out tens of millions of spam email messages per day, primarily for pharma products and dating sites.
The Hajime botnet appeared in April 2017 and is still active today. It is your classical IoT botnet that infects routers and smart devices via unpatched vulnerabilities and weak passwords.
The malware was designed to infect routers and smart IoT devices that use weak or no Telnet login credentials. Infected devices are assembled in a botnet that was specifically designed to launch DDoS attacks.
The botnet was privately operated for almost a year before a series of DDoS attacks drew too much attention toward its operators. In an attempt to hide their tracks, the authors released Mirai's source code to the public, hoping that others will set up their own Mirai botnets and prevent law enforcement from tracking their original botnet.
The plan didn't succeed, and the code's public release made things many times worse, as multiple threat actors had gained access to a powerful tool for free. Ever since then, Mirai-based botnets have been plaguing internet servers with DDoS attacks on a daily basis, with some reports putting the number of different Mirai botnets active at one single time at over 100.
Since the public release of the Mirai source in late 2016, other malware authors have used the Mirai code to build their own custom variants, with the most widely known being Okiru, Satori, Akuma, Masuta, PureMasuta, Wicked, Sora, Owari, Omni, and Mirai OMG.
Necurs is a spam botnet that was first seen circa 2012 and is believed to have been created by the same crew that runs the Dridex banking trojan (namely, the TA505 crew).
The botnet's sole purpose is to infect Windows computers and then use them to send spam email. Across its lifetime, the botnet has been seen sending spam for all sorts of schemes:
- Viagra and pharma spam - miracle cures - dating sites spam - stock/cryptocurrency pump-and-dump schemes - malspam spreading other malware -- such as the Dridex banking trojan, the Locky ransomware, or the Bart ransomware
The botnet reached its peak in 2016-2017, when it could be found on around 6-7 million devices on a monthly basis. The botnet is still alive today, but is not as active as it was a few years back. Here's a short list of technical reports about the Necurs botnet and some of its campaigns.
Ramnit is yet another botnet created to control the eponymously named banking trojan. It appeared in 2010 and was based on the leaked source code of the the older ZeuS banking trojan.
In its first incarnation, the botnet reached a size of 350,000 bots, which drew the attention of cyber-security vendors and law enforcement.
TrickBot operates similar to Emotet. It is a former banking trojan that evolved into a malware dropper and adopted a pay-per-install scheme, and is now making most of its money by installing other criminal groups' malware on the computers they infect.
However, TrickBot didn't operate as a banking trojan for long. It slowly changed into a malware dropper by the summer of 2017, about the same time Emotet was also making its change.
Although there is no evidence the two botnets are managed by the same crew, there is a collaboration between the two groups. The TrickBot gang often rents access to computers that have been previously infected with Emotet, where they drop their trojan, something that the Emotet crew has tolerated, even if TrickBot is one of their main competitors.
The size of the TrickBot botnet has varied across the years, from 30,000 to 200,000, depending on the source of the report and the visibility they have into the malware's infrastructure.
WireX is one of the few happy cases on this list. It's a malware botnet that was taken down within a month of its inception, after several security firms and content delivery networks united to take down its infrastructure.
The botnet was built with the WireX Android malware, which appeared out of the blue in July 2017 to infect more than 120,000 smartphones within a few weeks.
While most Android malware today is used for adware and click-fraud, this botnet was extremely noisy, being used to launch powerful DDoS attacks.
This drew the immediate attention of security firms, and in a coordinated effort, the botnet and malware's backend infrastructure was taken down by mid-August, of the same year. Companies like Akamai, Cloudflare, Flashpoint, Google, Oracle Dyn, RiskIQ, Team Cymru, and a few others, participated in the takedown.
ZeroAccess is a botnet that was built using the ZeroAccess rootkit. The botnet's operators used it to make money by downloading other malware on infected hosts, or by performing click-fraud on web ads.
According to Sophos, the botnet infected more than 9 million Windows systems during its lifetime, peaked at one million devices infected at the same time, and helped operators make around $100,000 per day.