The number of botnet Command and Control (C&C) IP addresses has dramatically increased in the past year, according to the 2017 annual report from The Spamhaus Project. Spamhaus is an international nonprofit organization that tracks spam and related cyber threats such as phishing, malware and botnets; among other things, it issues Spamhaus Block Lists (SBLs), lists of IP addresses from which Spamhaus does not recommend accepting electronic mail.
Whenever Spamhaus Malware Labs comes across a botnet controller, they issue a special kind of SBL listing: a BCL listing. The BCL, which stands for Botnet Controller List, is a “drop all traffic” list intended for use by networks to null route traffic to and from botnet controllers. The Spamhaus BCL lists only IP addresses of servers set up and operated by cybercriminals for the exclusive purpose of hosting a botnet controller. According to Spamhaus, “Because these IP addresses host no legitimate services or activities, they can be directly blocked on ISP and corporate networks without risk of affecting legitimate traffic, effectively rendering harmless infected computers that may be present on their networks.”
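To make concrete how a network operator would use a "drop all traffic" list like the BCL, here is an added Python example (not Spamhaus code, and not the real BCL feed format, which is not described on this page). It assumes a hypothetical plain-text listing with one IP or CIDR per line, parses it, checks constructed flow records in both directions (to and from a listed controller), reports the internal hosts that contacted a controller (the "infected computers" the quote refers to), and generates Linux `ip route ... blackhole` commands for null-routing. All addresses are from RFC 5737 documentation ranges.

```python
import ipaddress
from typing import Dict, List

# Constructed BCL-style listing (hypothetical format, not Spamhaus's actual feed):
# one IP or CIDR per line, '#' starts a comment, blank lines are ignored.
# Addresses come from RFC 5737 documentation ranges, so none points at a real host.
SAMPLE_BCL = """\
# constructed sample, not real Spamhaus data
192.0.2.10
198.51.100.0/28
203.0.113.77
"""

# Constructed flow records in a key=value style (also hypothetical).
SAMPLE_FLOWS = [
    "ts=2017-12-01T10:00:00Z src=10.0.0.5 dst=192.0.2.10 dport=443 bytes=1834",
    "ts=2017-12-01T10:00:02Z src=10.0.0.7 dst=203.0.113.5 dport=80 bytes=512",
    "ts=2017-12-01T10:00:05Z src=198.51.100.9 dst=10.0.0.5 dport=8080 bytes=90",
    "ts=2017-12-01T10:00:09Z src=10.0.0.12 dst=198.51.100.200 dport=443 bytes=4000",
]


def load_bcl(text: str) -> list:
    """Parse the listing into ipaddress network objects (a bare IP becomes a /32)."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # strict=False tolerates host bits set in a CIDR entry
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def is_listed(addr: str, nets: list) -> bool:
    """True if the address falls inside any listed network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def parse_flow(line: str) -> Dict[str, str]:
    """Turn 'k=v k=v ...' into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def scan_flows(lines: List[str], nets: list) -> List[Dict[str, str]]:
    """Report every flow whose source OR destination is a listed controller.

    The BCL is meant to drop traffic in both directions, so a flow is flagged
    whether the internal host initiated it (outbound) or the controller did (inbound).
    """
    hits = []
    for line in lines:
        rec = parse_flow(line)
        if is_listed(rec["dst"], nets):
            hits.append({"ts": rec["ts"], "direction": "outbound",
                         "internal": rec["src"], "controller": rec["dst"]})
        elif is_listed(rec["src"], nets):
            hits.append({"ts": rec["ts"], "direction": "inbound",
                         "internal": rec["dst"], "controller": rec["src"]})
    return hits


def infected_hosts(hits: List[Dict[str, str]]) -> List[str]:
    """Distinct internal hosts that talked to a controller: the remediation queue."""
    return sorted({h["internal"] for h in hits})


def null_route_commands(nets: list) -> List[str]:
    """iproute2 blackhole routes that drop traffic to every listed prefix."""
    return [f"ip route add blackhole {net.with_prefixlen}" for net in nets]


if __name__ == "__main__":
    listed = load_bcl(SAMPLE_BCL)
    found = scan_flows(SAMPLE_FLOWS, listed)
    for hit in found:
        print(f"{hit['ts']} {hit['direction']:8} {hit['internal']} <-> {hit['controller']}")
    print("hosts to investigate:", infected_hosts(found))
    print("\n".join(null_route_commands(listed)))
```

Matching on both `src` and `dst` is the point: a blackhole route only stops the packets leaving your network, so the flow scan is what tells you which internal machines were already talking to a controller before the route went in.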
The report includes the following findings:
- Nearly 1 out of every 7 SBLs that Spamhaus issued was for a botnet controller;
- Botnet “C&C” listings increased by a massive 32% in 2017. The majority (6,588 or 68%) of botnet controllers Spamhaus found in 2017 were hosted on servers that had been ordered by cybercriminals for the sole purpose of hosting a botnet controller;
- Cybercriminals are using fraudulent names to get C&C servers hosted on legitimate cloud providers (including Amazon and Google); some cloud providers are reportedly overwhelmed with the task of trying to curb so many fraudulent listings that are created with stolen or fake identities;
- The number of IoT botnet controllers more than doubled from 393 in 2016 to 943 in 2017;
- The statistics exclude botnet controllers that are hosted on the dark web (like Tor).