What You Need to Know About the 2019 Spamhaus Botnet Threat Report

The 2019 Spamhaus Botnet Threat Report is out! If you’re not a report person, don’t worry, we’ve got you covered! Keep reading to find out everything you need to know about the report, how botnet threats changed in 2019 and what Spamhaus experts suggest you look out for and monitor in 2020. 

What is Spamhaus? 

Spamhaus is a non-profit organization that focuses on threat intelligence data in an effort to make the Internet a better place for everyone. The organization works to identify and expose bad online behavior by producing datasets to inform users of potential malicious internet infrastructures. By partnering with other industry experts and organizations, Spamhaus has been producing this data for more than two decades, which in turn has protected 3 billion users from cybercriminals. 


What is a Botnet C&C?

‘Botnet controller’, ‘botnet C2’, and ‘botnet command & control’ servers are used by cybercriminals to control infected machines or devices and to extract data from them.


Now that you understand the terminology, let’s dive right in and take a look at the 2019 numbers. 


Botnet C&Cs Are On the Rise

The number of observed botnet C&Cs increased by a drastic 71.5% in 2019 compared with 2018. In fact, the number of botnet C&Cs has almost doubled from that of 2017. 



To better understand this increase, the Spamhaus experts reviewed the Spamhaus Block List (SBL) to determine the percentage of botnet C&Cs on the list. As it turns out, the share of botnet C&Cs on the list also increased to 41%, making botnet C&Cs almost half of the SBL listings in 2019. 


So where are these botnet C&Cs? Well, the numbers are in and they don’t lie. 



Where in the World Are the Botnet C&Cs?

Although the US spent the past few years in first place for number of C&Cs, Russia took that title in 2019 with a 143% spike in botnet C&C activity. China also experienced a massive increase of 390% in 2019 which moved them into fourth place, but Switzerland had the largest spike in 2019 with an enormous increase of 1,119%. 



A few other changes to note are the drop-offs from and additions to the Top Twenty list. Chile, Italy, Malaysia, Poland, South Africa, and Turkey all dropped off this list in 2019. However, Argentina, Greece, India, Luxembourg, Serbia, and Sweden were all new additions. 


Now you know where the botnet C&Cs are located, but do you know which Malware Families are associated with them? Keep reading to find out. 


Beware of These Malware Families

Malware Families associated with botnet C&Cs experienced changes in 2019 as well. Over half of newly-detected botnets in 2019 were associated with Credential Stealers. Due to this, it is no surprise that Lokibot stayed in first place by increasing the number of associated botnet C&Cs by 74%. AZORult, another Credential Stealer, took second place on the Top Twenty list. 



Remote Access Tools (RATs) accounted for 19% of botnet C&Cs in 2019, making them the second highest malware family. NanoCore, the top RAT in 2019, took third place on the Top Twenty list.  


New to the Malware Top Twenty list are Predator Stealer, KPOTStealer, HawkEye, QuasarRAT, Dridex, and IcedID. 


Why Did the Number of Domain Name Registrations for Botnet C&C Hosting Drop in 2019? 

In 2019, the number of domain name registrations for botnet C&C hosting dropped 71%. Spamhaus experts have given us two reasons for this: 


The first reason is that domain name generation algorithms (DGAs) decreased by 42% in 2019. DGAs are commonly used by cybercriminals to protect botnet C&C infrastructure from government takedowns and seizures. The decrease is believed to be caused by a lack of interest and reliability. The second reason is the large supply of compromised websites. This does not include hijacked domain names or domains from free sub-domain service providers. 


Most Abused Domain Lists

From top-level domains (TLDs) to domain registrars, this report lists the most abused in 2019 and shows the change from previous years. 


There are different types of TLDs, including Generic, Country Code and Decentralized. Generic TLDs can be used by anyone, use of Country Code TLDs is sometimes restricted to a specific country, and Decentralized TLDs are independent and not controlled by ICANN (Internet Corporation for Assigned Names and Numbers). 


In 2019, the most abused TLDs were .com and .net, which isn’t surprising since they made up about half of the botnet C&Cs. New additions to the Top Twenty list are .net, .cm, .org, .eu, .icu, .site and .name. However, six TLDs managed by Global Registry Services, Ltd., as well as .bit, dropped off the list. 


Being a cybercriminal can be hard work, especially when one is trying to locate a sponsoring registrar for their botnet C&C registration. Because of this, it makes sense there would be a Top Twenty list for abused domain registrars.  


US-based registrar, Namecheap, was first for the third straight year while Alpnames was shut down by ICANN. Key-Systems is on the rise for fast flux hosting and Hosting Concepts is a newly identified registrar used for bulletproof hosting. 


Like the other Top Twenty lists there were, of course, list additions and drop offs. Key Systems, WebNic.cc, Hosting Concepts, 55hl.com, Hostinger and GMO were all new additions. However, aside from Alpnames, Enom, Network Solutions (aka web.com), Register.com and Tucows all dropped off the list in 2019. 


Bulletproof Hosting and Fraudulent Sign-ups

Hosting Concepts is a Dutch registrar that a bulletproof hosting outfit has been using to register botnet C&C domains for its customers. Spamhaus experts believe this caused the increase in fraudulent sign-ups from 61% in 2018 to 77% in 2019. 


In fact, the experts also believe the extreme spike in BCL (Spamhaus Botnet C&C List) listings from 530 per month in 2018 to 1,130 per month in 2019 can also be attributed to the issue mentioned above, and this is something that will continue to rise in 2020. 


ISPs and Botnet Prevention 

How can you prevent botnet C&Cs on a compromised server or website? This can be difficult. The server or website is typically controlled by the customer and is most likely running outdated software, which makes it even more vulnerable to attacks from cybercriminals. Using newer or updated software and blocking traffic to known botnet C&Cs is a good start to prevention.


So how can you prevent botnet C&Cs on servers that are only used to host botnet C&Cs? The process for this is actually easy since ISPs have much more control. Seems simple enough, so why are there some ISPs that still have a high number of BCL listings? Spamhaus experts suggested this typically points to one of three issues: 


  1. Best practices for customer verification are not being followed
  2. The ISP’s resellers are not following best practices for customer verification (this could also be due to lack of accountability on the ISP’s part)
  3. An employee or owner of the ISP is benefiting from the fraudulent sign-ups. Of course, the larger the ISP, the more fraudulent activity there will be. 


Of course it’s not complete without the Top Twenty list rundown. Take a look at the highlights, additions and drop offs on the Top Twenty list for ISPs: 


Cloudflare took first place for hosting botnet C&Cs, and due to the unique hosting circumstances it was placed on both the SBL and CBL. Unfortunately, almost all of the ISPs on the 2018 and 2019 Top Twenty lists had significant increases in botnet C&C activity on their networks in 2019. 


New to the list were simplecloud.ru, ovh.net, reg.ru, fos-vpn.org, stajazk.ru, marosnet.ru, m247.ro, spacenet.ru, itos.biz, netangles.ru, and greenvps.net, 73% of which are Russian-based. Data suggests that all the sign-ups on greenvps.net and netangles.ru were fraudulent. Gerber-edv.net and anmaxx.net both dropped off the 2019 Top Twenty list, however, and Spamhaus experts believe both of these have been rebranded. Furthermore, Swiftway.net completely disappeared in 2019 and iliad.fr, morene.host, neohost.com.ua, dataclub.biz, hostsailor.com, eksenbilisim.com.tr, digitalocean.com, choopa.com, melbicom.net, zare.com, and tencent.com all seem to have dealt with their botnet C&C issues as they were operating normally in 2019. 


What did We Learn from this Report?

What did we learn from the 2019 Spamhaus Botnet Threat Report? Keep reading and we’ll give you the cliffnotes version. 

First, we noticed that the West is leaps and bounds ahead of the East in terms of customer verification processes and law enforcement endeavors to diminish the activities of cybercriminals. 


Next, Spamhaus experts noticed a significant increase in activity from Emotet and Trickbot, both of which are malware families to watch in 2020. The experts also noticed a change in their malspam campaigns. Whereas traditionally these families were used to commit ebanking fraud, in 2018 cybercriminals began moving away from this model and started to use a Pay-Per-Install (PPI) model with these malware families instead. Because the characteristics of these families are ever-changing, Spamhaus experts warn this makes them especially dangerous. 


On a positive note, DGA activity has decreased which experts believe can be attributed to loss of interest and reliability. However, with that being said, the two things to watch in 2020 are the new bulletproof hosting outfit, making things easier for cybercriminal activity, and how cybercriminals have switched from buying their own domains to using already compromised domains. Due to this, it is becoming harder for law enforcement groups to catch these cybercriminals. Moreover, it is our job to ensure our site is as secure as possible. 

The Dos and Don’ts of Keeping Your Site Secure

You might think you know how to keep your site secure, however, it doesn’t hurt to take some advice from industry experts. The following are just a few things Spamhaus experts suggest doing to keep yourself safe from cyber attacks: 


  • Don’t rely on price when choosing your infrastructure providers. While ‘cheap’ is definitely not the way to go, the most expensive choice does not necessarily mean it is a better option either. Do your research to ensure you are picking the best and most secure option for your business. 
  • Don’t allow authentication to a network through multiple points. However, do monitor your authentication logs to become familiar with what your regular traffic looks like. This will help you identify issues more easily. 
  • Do block access to IP addresses that are associated with botnet C&Cs. 
  • Do ensure your OS and installed CMS are always up to date.
  • Do block access and traffic to cryptocurrency mining pools and anonymization services by default and provide users with the ability to ‘opt-in’ if they require access. 
  • Do require SSH key authentication or two-factor authentication to keep your server from being compromised on a daily basis.
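
To make the "block access to IP addresses that are associated with botnet C&Cs" advice concrete, here is an added example (not taken from the Spamhaus report) that checks outbound connection records against a blocklist and reports which internal hosts contacted a listed address. The blocklist layout, the flow-log layout and every address in it are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed blocklist (documentation ranges): one network per line, ';' starts a comment.
SAMPLE_BLOCKLIST = """\
; constructed botnet C&C blocklist (not real data)
203.0.113.0/28 ; listing-1
198.51.100.77 ; listing-2
2001:db8:bad::/48 ; listing-3
not-an-address ; malformed entry, skipped
"""

# Constructed outbound flow records: "timestamp src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
2020-01-14T09:00:01Z 10.0.0.5 203.0.113.9 443
2020-01-14T09:00:07Z 10.0.0.8 198.51.100.77 8080
2020-01-14T09:01:30Z 10.0.0.5 203.0.113.9 443
2020-01-14T09:02:11Z 10.0.0.9 2001:db8:bad::1 80
2020-01-14T09:02:15Z 10.0.0.9 203.0.113.200 80
"""

def load_blocklist(text):
    """Parse the blocklist into ip_network objects, skipping bad lines."""
    networks = []
    for line in text.splitlines():
        entry = line.split(";", 1)[0].strip()
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # malformed entry: skip it, keep the rest of the list
    return networks

def find_cc_contacts(flows_text, networks):
    """Return {internal_host: sorted list of (listed_dst, port)}."""
    hits = defaultdict(set)
    for line in flows_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            addr, port = ipaddress.ip_address(parts[2]), int(parts[3])
        except ValueError:
            continue
        if any(addr.version == n.version and addr in n for n in networks):
            hits[parts[1]].add((str(addr), port))
    return {host: sorted(dsts) for host, dsts in hits.items()}
```

The same `load_blocklist` output can feed a firewall deny list; running the matcher over existing logs first shows which hosts would have been blocked and therefore need a closer look.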