Global hacker botnet tops 6 million hijacked devices

A year after the first Mirai botnet attacks, the global botnet has grown, with many countries and cities unwittingly hosting large numbers of bot-infected devices.

About 6.7 million bots joined the global botnet in 2016, and Europe made up nearly one-fifth of the world’s total bot population, a report has revealed.

London, Manchester and Maidenhead are the UK’s leading cities for fuelling botnet-enabled attacks, but none is in the top 10 cities in Europe, nor is the UK in the top 10 European countries.

Russia is the country with the most bots, accounting for 14% in the region and 3% globally, according to the Norton by Symantec report.

Next come Italy, which hosts 10% of bots in Europe, Germany (9%) and Turkey (8%). The UK ranks as Europe’s 11th highest source of bot infections, falling from 7th place in 2015.

Madrid is the city that hosts the most bots in Europe, accounting for 4.64% of the region, with more bots than the whole of the UK. Second is Istanbul (4.62%), followed by Moscow (4.59%) and Utrecht (3.86%).

Bots are internet-connected devices infected with malware that allows hackers to remotely take control of many devices at a time.

As demonstrated by the Mirai botnet attack on DNS services provider Dyn in October 2016, these devices combine to form powerful bot networks (botnets) that can carry out distributed denial of service (DDoS) attacks, spread malware, generate spam, and commit other types of crime and fraud online.

Not only are overall bot infections growing, but they have a longer lifespan, the research shows. In 2016, bots lasted an average of 51 days, a huge jump from 2015’s average bot lifespan of eight days.

The recent Symantec internet threat security report found that in 2016, internet of things (IoT) devices were attacked within two minutes of connecting to the internet, highlighting how cyber criminals are harnessing the processing power of IoT devices to fuel botnets.

“More than 689 million people were victims of online crime in the past year, and bots and botnets are a key tool in the cyber attacker’s arsenal,” said Norton security expert Candid Wueest.

“It’s not just computers that are providing criminals with their robot army. In 2016, we saw cyber criminals making increasing use of smartphones and IoT devices to strengthen their botnet ranks. Servers also offer a much larger bandwidth capacity for a DDoS attack than traditional consumer PCs.”

According to Wueest, IoT devices may be part of the uptick in global bot infections in 2016. Norton research shows that at its peak last year, when the Mirai botnet – comprising almost half a million connected devices, such as IP cameras and home routers – was expanding rapidly, attacks on IoT devices were taking place every two minutes.

Unbeknown to the device owners, nearly one-third (31%) of attacks originated from devices in Europe alone. The UK accounted for 2.7% of global IoT attacks in 2016, the 4th highest in Europe.

However, the report noted that where a bot resides is not indicative of where its creator may live. For example, an infected device in London could contribute to an attack in Asia, and be controlled by a cyber criminal in the US.

Although Russia was home to the largest number of bots in Europe, the Norton research shows that Russia’s “bot density” is comparatively low. “Bot density” or “bots per connected capita” is a comparison between a country’s number of internet users and the volume of bot infections. It aims to make it clear which countries have a higher rate of infection.

With one bot for every 41 internet users, Russia ranked 31st in Europe and 94th in the world for bot density. This comparatively low infection rate may be influenced to some degree by the codes of conduct of Russia’s hacking community.

“Russians infecting Russians is considered a hacking faux pas,” said Wueest. “There have been instances in the past of hackers being ‘doxxed’ or outed to police by the hacking community for the sin of infecting local computers.

“The number of bot infections isn’t typically representative of where cyber criminals live. Infection rates are typically lower in countries where users have better cyber hygiene and hackers are often the most ‘hygienic’ or paranoid when it comes to their devices.”

A bot might cause a device to slow down, display mysterious messages, or even crash for no apparent reason. Consumers should run a full diagnostic if any warning signs appear, says Norton.

Tips to safeguard against malicious bots:

  • Install robust security software and firewalls to secure your device.
  • Never ignore system updates. Configure your software’s settings to update automatically.
  • Never click on file attachments within emails or messages unless you can verify the source.
  • Be particularly wary of Microsoft Office attachments that prompt users to enable macros.
  • Use a long and complex password that contains numbers and symbols.
  • Never use the same password for multiple services.
  • Enable advanced account security features, such as two-factor authentication.
  • Increase the security settings on your browser and devices.
  • Always log out of your session when done.
