The length of time a botnet command and control server is online has remained constant over the past six months, despite increased awareness of this type of threat.
Research by ISP Level 3 Communications found that during the first quarter of 2015 C&C servers survived an average of 38 days on the internet before being taken offline - a figure that has remained constant since Q4 2014.
Perhaps more worryingly, the server going offline can be as much a byproduct of the server owner upgrading software or patching vulnerabilities as malware discovery and removal.
However, the average number of victims per C&C server fell dramatically over the quarter, from 3,763 in January to 338 in March.
Level 3 said this can be attributed both to general "vigilance on behalf of the security community" and, while no one action is mentioned by the company, it is worth noting the precipitous drop in numbers follows almost immediately in the wake of the Ramnit botnet, which had infected 3.2 million computers, being taken offline by Europol's European Cybercrime Centre (EC3) in late February.
Cyber crime economics
Despite big takedowns like Ramnit, the economics of cyber crime still work in the favour of malicious actors. Last year, Dell Secureworks found the cost of renting a 1,000-server UK-based botnet was $120 per month, an increase of 600 per cent from 2013 and a lucrative deal for the botnet owners.
Level 3 Communications also found that 22 per cent of C&C servers have more than one threat purpose.
"Most likely, many of these botnets are commercial in nature, and they are part of a diversified business," said Level 3. "For example, they may serve multiple, for-profit purposes, such as malware distribution, DDoS attacking and phishing services."
"Botnet operation is a lucrative business, with a simple setup. Operational costs to create, maintain and move a botnet, once shut down, are low. Blocked botnets can come back online often within hours of being shut down," the company added.
This doesn't mean those renting the infrastructure get a raw deal, though.
In its 2015 Global Security Report, security firm Trustwave found attackers' estimated ROI for exploit kit and ransomware schemes, the "vast bulk" of which is distributed by a botnet, was over 1,400 per cent.
-
Seized database helps Europol snare botnet customers in ‘Operation Endgame’ follow-up stingNews Europol has detained several people believed to be involved in a botnet operation as part of a follow-up to a major takedown last year.
-
Horabot campaign targeted businesses for more than two years before finally being discoveredNews The newly-discovered Horabot botnet has attacked companies in the accounting, investment, and construction sectors in particular
-
Brand-new Emotet campaign socially engineers its way from detectionNews This latest resurgence follows a three-month hiatus and tricks users into re-enabling dangerous VBA macros
-
Microsoft says “it’s just too difficult” to effectively disrupt ransomwareNews The company details its new approach to combatting cyber crime as the underground industry drains $6 trillion from the global economy
-
Beating the bad bots: Six ways to identify and block spam trafficIn-depth Not all traffic is good. Learn how to prevent bad bots from overrunning your website
-
Ukraine's vigilante IT army now has a DDoS bot to automate attacks against RussiaNews The 270,000-strong IT Army of Ukraine will now combine supporters' cloud infrastructure to strengthen the daily attacks against their invaders
-
Microsoft's secure VBA macro rules already being bypassed by hackersNews Recent analysis of Emotet activity has revealed a shift away from malicious Office documents to drop malware
-
Emotet infrastructure has almost doubled since resurgence was confirmed
News Researchers confirm the infrastructure has also been upgraded for a "better secured", more resilient operation
