Botnets in 2014: ZeuS surge, lax policies place Web users at risk

Financial and personal data increases in value, botnet use rises. Are companies doing enough to stem the flow?
Written by Charlie Osborne, Contributing Writer

As 2014 shuts its doors and security professionals return to their desks for another year, we turn towards 2015 and muse over how the security landscape is likely to change.

From botnets to malware evolution, never-ending security patches and the likelihood of new, crippling security breaches within the enterprise are all predictably on the horizon. It should come as no surprise that botnets are becoming an increasingly popular tool, and as noted in the Spamhaus Project's Botnet Summary for 2014, botnet activity appears to be increasing.

Command and control (C&C) servers control slave computers which have been compromised by malware. Without user consent, the computing power of these slave units is then used by the controller for a variety of purposes, from sending spam and launching Distributed Denial-of-Service (DDoS) attacks to pushing out new malware streams to grow the network.

Botnets can also be used to obtain sensitive financial, banking and personal data, which then may be sold on the black market.

C&C domains are often signed up with registrars in jurisdictions that have lax laws or inadequate enforcement against cybercrime, according to Spamhaus. Abuse departments may be understaffed, abuse policies may be inadequate, or the processes which detect abuse and close down offending domains may be lax -- and all these elements add to the global issue of botnet creation and maintenance.

In 2014, Spamhaus detected 7,182 distinct IP addresses that hosted a botnet controller, which is an increase of 525 -- or approximately eight percent -- over the number recorded in 2013. C&C centers were hosted on a total of 1,183 networks.

While the majority of these botnet controllers were hosted on compromised webservers, 48 percent of the botnet controllers Spamhaus detected were on IP addresses which hosted purely illegal activity.

Where were they? The table below reveals 2014 botnet locations:


The data above is raw, and does not show how long a C&C server was active, or whether takedown requests were ever received by the ISP. However, some of the smaller ISPs on the list host a disproportionate number of cybercriminals, which may indicate inadequate signup protocols, lax security policies and vetting, or slow abuse handling processes which allow C&C centers to operate for some time before being closed down.

How about malware families? ZeuS and malware strains based on the leaked source code of the ZeuS kit -- including Citadel and KINS -- were most often associated with detected botnet controllers. These types of malware are used to compromise financial transactions conducted online. However, malware types supporting spam and click fraud also made the list.


Last year, a total of 3,793 botnet C&C domains were registered and set up purely to host botnets. This value excludes hijacked domain names and domains provided by 'free sub-domain' services.

Both top-level domains and country-based domains are used by botnet controllers. In 2014, .com, .ru, .su, .net and .info were heavily abused.

In terms of domain registrars favored by botnet controllers, many of the registrars used are large companies, and so botnet domains may slip through the net.


Looking ahead, cybercrime is only going to become a worse problem. To protect against threats, it is important to keep operating systems and software up to date, install patches and conduct regular malware scans. In addition, enabling two-step verification for online accounts and treating email attachments with suspicion can limit the risk of having your system compromised.
