“The amount of newly detected botnet command & control servers (C&Cs) reached an all-time high in July this year with more than 1,500 botnet C&Cs detected by Spamhaus Malware Labs. This is far in excess of the monthly average, set in the first half of this year, of 1,000 botnet C&Cs,” the Spamhaus report says.
It is noteworthy that Emotet, which stopped sending spam in early June, resumed its activity only in September. According to Spamhaus, the malware's behavior did not change over the summer break: it still steals email addresses, passwords and other people’s correspondence in order to spread malicious messages on behalf of its victims.
The list of malicious programs whose operators are actively bringing new C&C servers online is still headed by Lokibot, although the number of detections associated with it has decreased significantly, from 1,277 to 898. Trickbot took second place in the top twenty: the number of its command servers rose sharply over the quarter (from 64 to 614), and as a result it overtook AZORult, which lost almost half of its control servers.
The bulk of this Spamhaus rating is made up of RAT Trojans and information stealers, and almost all of them are constantly changing positions. Activists believe that the reason for such high turnover is fierce competition in crowded markets. As a result, in the third quarter RevengeRAT fell out of the top twenty, and another remote access tool, AveMariaRAT, appeared in its place. The Baldr infostealer, which quickly gained ground in the second quarter, and the IcedID banking trojan also dropped out of the top 20.
The new rating of TLD zones preferred by botnet operators was, as expected, headed by the generic .com domain, whose count was an order of magnitude higher than all the others. .com accounted for 4,058 C&C servers during the reporting period, compared to 1,178 in the previous quarter. The number of abuses in the .ru zone was almost halved (from 731 to 392); as a result, the Russian national domain dropped from second to fourth place, letting .net and .info move ahead of it.
“The rating of domain registrars by the number of C&Cs detected was again headed by the American company Namecheap, which was ahead of the rest by a wide margin. The Dutch OpenProvider, aka Hosting Concepts, significantly worsened its performance and climbed to third place; Russian REG.RU, on the contrary, corrected its position (326 against 408 in the second quarter) and moved from second to fourth place. The top five on abuse also included two Chinese registrars – West263.com (2nd place) and 55hl.com,” the Spamhaus report says.