Internet Security Threat Report 2014


p. 46 Symantec Corporation Internet Security Threat Report 2014 :: Volume 19 E-CRIME + MALWARE DELIVERY TACTICS

Fig. 1: Malicious Activity by Source: Bots, 2012–2013
Source: Symantec

Country/Region | 2013 Bots Rank | 2013 Bots % | 2012 Bots Rank | 2012 Bots %
United States | 1 | 20.0% | 1 | 15.3%
China | 2 | 9.1% | 2 | 15.0%
Italy | 3 | 6.0% | 5 | 7.6%
Taiwan | 4 | 6.0% | 3 | 7.9%
Brazil | 5 | 5.7% | 4 | 7.8%
Japan | 6 | 4.3% | 6 | 4.6%
Hungary | 7 | 4.2% | 8 | 4.2%
Germany | 8 | 4.2% | 9 | 4.0%
Spain | 9 | 3.9% | 10 | 3.2%
Canada | 10 | 3.5% | 11 | 2.0%

compromised computers, redirecting the users to predetermined pay-per-click sites, with the goal of making money off those clicks. When a computer is used to perform click fraud, the user will rarely notice. The fraud consumes few computer resources to run, and at the most takes up extra bandwidth with the clicks. The attackers make money from pay-per-click advertisers and publishers—not from the user. This is in contrast with other forms of malware such as ransomware, where it is clear that an infection has occurred. A computer may be used in a click-fraud operation for an extended period of time, performing its activity invisibly during the daily operation of the computer.

The partial takedown during the year made a lasting impact on the operations of the ZeroAccess botnet. Symantec security researchers looking at the threat discovered a flaw in ZeroAccess that could allow them to sinkhole computers within the botnet. The operation succeeded in liberating approximately half a million ZeroAccess clients from the botnet network.15

At that time, ZeroAccess was one of the larger botnets in existence, and one that used P2P communications to maintain links between clients. These types of P2P botnets tend to be quite large overall; Helios and Zbot (a.k.a. GameOver Zeus) are two other examples of large botnets that use similar communication mechanisms. It isn’t entirely clear if these botnets are big because they utilize P2P, or they utilize P2P because they’re big. However, using P2P for communications does make it more difficult to take down a botnet, given the lack of a centralized C&C server.

Large botnets like Cutwail and Kelihos have made their presence felt in the threat landscape this year by sending out malicious attachments. The threats are generally like banking Trojans or downloaders, such as Downloader.Ponik and Downloader.Dromedan (also called Pony and Andromeda respectively), which download more malware.

Trojan.Zbot (a.k.a. Zeus) continues to make an impact in the botnet world. Having its malicious payload based on easy-to-use toolkits has allowed Zbot to maintain its popularity with threat actors. In 2013 we’ve seen Zbot being packed in different ways and at different times in order to evade detection. These packing techniques appear almost seasonal in their approach to evading detection, but underneath it all it’s always the same Zeus code base.

• Unsurprisingly, the US and China have the most densely populated bot populations, largely owing to their large Internet populations. The US population are avid users of the Internet, with 78 percent Internet penetration, but undoubtedly their keen use of the Internet contributes to their popularity with malware authors. China also has the largest population of Internet users in the Asia region, with 40 percent Internet penetration and accounting for approximately 50 percent of the Internet users in the Asia region.14
• Italy has a lower percentage of bots in the country, but is ranked third highest in 2013, compared with fifth in 2012.
• The US, Germany, Spain and Canada all increased their relative proportions of the world’s bots in 2013, while the proportions in the other geographies listed have diminished.

