The report looks at Internet crime trends with a specific focus on criminal C&C activity in North America as monitored by Damballa Labs over the first six months of 2011. The Damballa Threat Report reveals a number of findings, including:
- The top 10 largest botnets for the first half of 2011
- A first-ever look at the growth in mobile malware C&C activity
- The top 10 most abused TLDs
“Criminal operators continue to hone their craft in 2011 using crimeware that can be repurposed for multiple fraud opportunities, sold or leased to other criminals, and that is now successfully infiltrating the mobile space,” said Gunter Ollmann, vice president of research for Damballa. “As the arms race rages on between the criminals, their increasingly federated crime-as-a-service ecosystem, and the security professionals tasked with combating them, it has become increasingly important that the defenders obtain advanced knowledge of the existence and behavior of new criminal operators and their network of infected assets.”
Report highlights include:
Top 10 Largest Botnets
- The list changed substantially: only three of the top 10 largest botnets for the first half of 2011 also appeared in Damballa's Top 10 Botnets for 2010 Threat Report.
- “OneStreetTroop,” the Damballa reference to a botnet operation reliant on crimeware generated by the popular SpyEye do-it-yourself (DIY) construction set, climbed from number 10 in 2010 to the number 1 position for the first half of 2011.
- The prevalence of improved DIY crimeware construction kits and their associated exploit packs is visible in the results for the first half of 2011: 8 of the top 10 largest botnets were built with popular "off-the-shelf" construction kits.
Mobile Malware C&C Activity
- Over the first six months of 2011, the number of hijacked Android devices engaging in "live" communications with criminal operators grew at a significant rate.
- Until recently, mobile malware abuse was largely limited to premium-rate fraud and other tactics that did not rely on a command-and-control architecture. Mobile malware that contacts the criminal operator and establishes two-way Internet communication can be remotely tasked in the same way as an infected PC, which makes the mobile market as susceptible to criminal breach activity as desktop devices.
Most Abused TLDs for Live C&C
- Not surprisingly, the most popular TLDs (.com, .info, .net, .org and .biz) are among the top 10 most abused by criminals.
- The country-code TLD ".in" (India) ranked fifth for C&C use; this TLD has not historically been considered heavily abused.
- 90 percent of all "live" C&C domains use one of the top 10 most abused TLDs.
About Damballa Labs - Damballa Labs is a team of recognized authorities in cyber threats, malware analysis, and applied scientific research that collaborate with some of the best minds in the academic community to discover new and innovative ways to stay ahead of cyber crime activity. Specifically, Damballa Labs retains some of the most knowledgeable experts on DNS, machine learning technologies, and criminal command-and-control infrastructure.
About Damballa Inc. - Pioneering the fight against cybercrime, Damballa protects enterprise, ISP and cloud networks from the devastating effects of targeted attacks, persistent threats, advanced malware, and other cyber threats. Damballa provides the only network security solution that detects and terminates remote-control communication used by criminals to breach networks. Patent-pending solutions from Damballa are platform and system-agnostic, protecting networks with any device type including PCs, Macs, smartphones, and mobile devices. Headquartered in Atlanta, Damballa customers include Fortune 2000 companies, government and educational organizations, and Internet and telecommunication providers. http://www.damballa.com.