Botnet Operators Shifting To The Cloud


Botnet controllers are increasingly taking advantage of the convenience of cloud infrastructure for launching attacks, Level 3 has found

Botnet operators, like legal businesses, are moving to the cloud, according to a new study, which found a sharp rise in botnet-launched distributed denial-of-service (DDoS) attacks during the first quarter of 2015.

The attacks included one by a single network of compromised Linux systems that at times accounted for more than one-third of all of the Internet's SSH traffic, according to "Safeguarding the Internet", a botnet report published by infrastructure provider Level 3 Communications.


Botnet operators are taking advantage of the robust Internet infrastructure offered by cloud providers to set up malicious virtual servers that can contribute to operations such as DDoS attacks or the spread of junk email, according to the report.

Botnets are typically made up of large numbers of systems infected with malware that lets an operator control them remotely, using them to launch attacks or for other purposes. Increasingly, however, operators are renting capacity from Infrastructure-as-a-Service (IaaS) providers instead, helped by lax account-verification procedures: an operator can set up an account with nothing more than a PayPal account or a stolen credit card, Level 3 said.

“It is our belief that the ratio of bad actors who have infected legitimate servers versus those who have created bots on rogue virtual machines is shifting in favor of VM (virtual machine) deployment,” the report said. “The flexibility to quickly spin up and take down VM instances as well as easily scale a deployment makes IaaS cloud computing a perfect fit for the dark trade.”

DDoS spike

DDoS attack volume rose sharply at the end of 2014 and the beginning of 2015, in part due to a widely reported Christmas attack on Sony’s online gaming infrastructure by hacker group Lizard Squad, Level 3 said.

The attack generated publicity for the group’s low-cost DDoS-for-hire service, as well as inspiring other hackers to carry out their own attacks, according to the report.

“During the end of 2014 and into early 2015, Level 3 Security Operations teams saw DDoS attack volume spike after high-profile threats gained public attention and ignited copycat behaviour,” the report said.


Another contributor to attack traffic was SSHPsychos, malware that targets Linux systems in order to bring them into its botnet.

Level 3 said it worked with Cisco earlier this year to mitigate a massive attack launched by the SSHPsychos-controlled machines, first documented last summer. In April the two companies worked together to block traffic generated by the infected systems, Level 3 said.

The attack was carried out on a massive scale, according to Level 3, at times accounting for 35 percent of all Internet SSH traffic. "Level 3's network data confirmed the massive scale [of] this single attacker," the company wrote.
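The report gives only the aggregate figure (one botnet's SSH traffic at times a third of the Internet's); on an individual host the same activity shows up as bursts of failed SSH logins from a single source, followed by an accepted login once a password guess lands. The following detector is an added example written for this page, not code from Level 3 or Cisco: it parses sshd lines in the syslog format Linux hosts write, flags sources that exceed a failure threshold inside a sliding time window, notes whether a flagged source later obtained an accepted login, and reports what share of all failures the busiest source accounts for. The sample log, the 2015 year assumed for year-less syslog stamps, the 5-failures-in-60-seconds threshold and the RFC 5737 documentation addresses are all constructed assumptions, not data from the report.

```python
"""Flag SSH brute-force sources in sshd log lines (added example, not the report's code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of sshd lines in Linux syslog format. The addresses are
# RFC 5737 documentation ranges, not real hosts; nothing here is from Level 3.
SAMPLE_LOG = """\
Apr 12 03:14:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Apr 12 03:14:03 web1 sshd[2103]: Failed password for root from 203.0.113.7 port 40114 ssh2
Apr 12 03:14:05 web1 sshd[2105]: Failed password for root from 203.0.113.7 port 40116 ssh2
Apr 12 03:14:07 web1 sshd[2107]: Failed password for root from 203.0.113.7 port 40118 ssh2
Apr 12 03:14:09 web1 sshd[2109]: Failed password for root from 203.0.113.7 port 40120 ssh2
Apr 12 03:14:11 web1 sshd[2111]: Failed password for root from 203.0.113.7 port 40122 ssh2
Apr 12 03:14:13 web1 sshd[2113]: Accepted password for root from 203.0.113.7 port 40124 ssh2
Apr 12 08:02:40 web1 sshd[3301]: Failed password for alice from 198.51.100.5 port 51002 ssh2
Apr 12 08:02:52 web1 sshd[3303]: Accepted publickey for alice from 198.51.100.5 port 51004 ssh2
Apr 12 09:30:00 web1 sshd[4410]: Failed password for invalid user admin from 192.0.2.9 port 6001 ssh2
Apr 12 13:30:00 web1 sshd[4412]: Failed password for invalid user admin from 192.0.2.9 port 6002 ssh2
Apr 12 17:30:00 web1 sshd[4414]: Failed password for invalid user admin from 192.0.2.9 port 6003 ssh2
"""

# Matches the "Failed/Accepted password|publickey for [invalid user] USER from IP port N"
# lines sshd emits; other sshd messages (connection closed, etc.) are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_sshd_line(line, year=2015):
    """Return (timestamp, result, method, user, ip), or None for lines not handled.
    syslog stamps carry no year, so the caller supplies one (2015 assumed here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["method"], m["user"], m["ip"]


def detect_brute_force(log_text, threshold=5, window=timedelta(seconds=60), year=2015):
    """Map source IP -> report for every source with >= threshold failed logins
    inside any sliding window of length `window`. A success from a flagged source
    after its first failure is the strongest sign that a guess landed."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_sshd_line(line, year)
        if rec is None:
            continue
        ts, result, _method, user, ip = rec
        (failures if result == "Failed" else successes)[ip].append((ts, user))

    flagged = {}
    for ip, events in failures.items():
        times = sorted(t for t, _ in events)
        start, burst = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge
                start += 1
            burst = max(burst, end - start + 1)
        if burst >= threshold:
            flagged[ip] = {
                "failures": len(times),
                "peak_in_window": burst,
                "users": sorted({u for _, u in events}),
                "accepted_after_failures": [u for t, u in successes.get(ip, []) if t >= times[0]],
            }
    return flagged


def failure_share(log_text, year=2015):
    """(busiest source, fraction of all failed logins it produced); the host-level
    analogue of the report's 'one source, a third of SSH traffic' observation."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_sshd_line(line, year)
        if rec and rec[1] == "Failed":
            counts[rec[4]] += 1
    total = sum(counts.values())
    if total == 0:
        return None, 0.0
    top = max(counts, key=counts.get)
    return top, counts[top] / total


if __name__ == "__main__":
    for ip, info in detect_brute_force(SAMPLE_LOG).items():
        print(ip, info)
    print(failure_share(SAMPLE_LOG))
```

On the constructed sample only 203.0.113.7 is flagged: six root failures in ten seconds, then an accepted password login, which is the case to escalate rather than merely block. Alice's single typo and the slow three-per-day probing from 192.0.2.9 stay under the threshold; lowering the threshold or widening the window catches the slow scanner at the cost of more noise, so tune both against your own baseline.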

Scandinavia targeted

Norway, Sweden and the Netherlands registered a disproportionately high volume of traffic between command-and-control (C2) servers and the bots they control during the quarter, as attackers took advantage of the region's robust communications infrastructure to carry out botnet activity.

The C2 servers were located in the Netherlands, with the controlled systems being in the Scandinavian countries, according to Level 3. “The Netherlands affords a robust infrastructure, which makes it ideal for centralising botnets for the region,” the company said.

Because of this trend, Norway topped Level 3's ranking of countries by number of systems communicating with C2 servers, ahead of the US at No. 2, with Sweden fourth; in the separate ranking of countries hosting the C2 servers themselves, the Netherlands was fourth worldwide.

Norway also ranked third on the list of countries with absolute numbers of IP addresses controlled by botnets, following China and the US.

Twenty percent of the C2s tracked were based in North America, with another 20 percent in Russia and Ukraine combined, and Western Europe, including the UK, contributing a further 12 percent of C2 traffic, Level 3 said.
