back to article US is the world's botnet mothership, says Level 3

Level 3 Communications says America is home to more botnet command and control servers, edging out the Ukraine, with Russia only managing third place. Command and control servers, used to maintain vast botnet scourges, are active for about 30 days before being taken down by operators located all over the world or by local …

  1. Destroy All Monsters Silver badge
    Windows

    I want to go back to the "phear the two Kevins!" era. It was sweet.

    Unusual communications to these countries should be automatic red flags for IT and security organisations.

    .... there is no need to involve China into this!

  2. This post has been deleted by its author

    1. Anonymous Coward
      Anonymous Coward

      Yes, but that would require actual knowledge.

      1. Danny 14 Silver badge

        I wonder how much the hosting/providers get paid for the traffic.

  3. John Smith 19 Gold badge
    Unhappy

    As a sysadmin should you not *know* what apps are calling outside?

    If you do, good.

    Now do they have a legitimate reason for doing so?

    If you don't know it why are are you allowing it?

    If you don't know what apps are calling out perhaps you should find out.

    Curiosity may be the best weapon.

    1. Anonymous Coward
      Anonymous Coward

      Re: As a sysadmin should you not *know* what apps are calling outside?

      "As a sysadmin should you not *know* what apps are calling outside?"

      That's a very 20th-century attitude.

      Apparently things are done differently now. The IT Department don't need to *know* anything, they just need to be able to persuade the Board of Directors to pay for someone else to know stuff and make that knowledge available. E.g in this scenario the BoD need to pay for this year's equivalent of an intrusion detection package. Doesn't matter whether it works or not as long as its expensive and produces shiny reports that can be shown to the BoD. Y'know, like the Yanks and their Einstein fail.

    2. Anonymous Coward
      Anonymous Coward

      Re: As a sysadmin should you not *know* what apps are calling outside?

      "As a sysadmin should you not *know* what apps are calling outside? "

      The vast majority of these botnet C&C servers are on *nix boxes. Lots of people still run unprotected Linux servers under the illusion that they are in some way secure, and often don't worry about locking down ports.

      In a complementary trend to the way that Windows boxes tend to be commonly targeted for local exploits involving end users, Linux boxes are commonly targeted with remote exploits that don't require end user involvement...this type of attack is also unlikely to be noticed, making such compromised hosts ideal for building your own c&c infrastructure.

  4. Khaptain Silver badge

    Who owns the botnets

    Whether or not they are in the US or elsewhere is not half as important as is "who is controlling/governing these botnets".

    Some suggestions

    The NSA playing havoc with the world.

    The Mafia etc

    The Chinese/Russian/Bulgarians/Syrians.

    The Farc Rebels

    The British ( they are a bunch of sneaky bastards) ?

    The Mossad or Shin Bet ?

    The Illumunati ? ( ooooohhhhhh, I can hear than damned music in the background, I think it was one of those Apple Garageband tunes))

    So many possibilities ....so many stories

    1. Anonymous Coward
      Anonymous Coward

      Re: Who owns the botnets

      Don't forget the little guy sitting in his bedroom trying to find out what the government/military covered up about UFOs and ET visits.

      Indeed so many stories.

  5. Anonymous Coward
    Anonymous Coward

    Sure we have a handle on this, maybe.

    The really sneaky stuff is probably using blended communications, port knocking, timed and coded TCP+UDP requests, cloaked comms in audio/video streaming. Recognising the standard stuff is a start but we will probably never really know what underlying codes are moving in the era we are looking. Ever pulled those purchase URLs apart? checked them one day to the next? I bet once we began to understand we'd see sigs like "data ready, - in hibernate file from address...".

    Sure the botnets are good for obvious things like phishing and credit card numbers but I'd bet a months wages there are other things running on them, cuckoo comms.

    Some of the bad guys are going to be bad in more then one field, why worry about credit card numbers when you are provided with a budget by some government back door. It's too simple to box up these things as "funded by and controlled by group Y" when they are platforms, once a platform has been erected you can be sure it will be in demand for plays, lynchings and politics.

  6. Annihilator
    Headmaster

    Continent vs country

    "US the world's botnet mothership"

    Actually it says "An average of 20 percent of the command and control servers we tracked were based in North America". This includes Canada and Mexico among others. Might not be statistically relevant though, I don't know.

    1. Khaptain Silver badge

      Re: Continent vs country

      @Anhilator

      Page 6 of that report definitely cites the "United States" as the greatest generator of C2 traffic.

      Although on page 7 things become a little bit more confusing

      "While nations around the world are represented in the top 10 global offenders list,

      the regions generating the highest levels of C2 traffic are Europe and the United

      States. An average of 20 percent of the C2s we tracked were based in North America

      with a nearly equal amount launching from the Ukraine and Russia combined.

      Western Europe1 and the United Kingdom contributed another 12 percent of C2

      traffic. Latin America was the source of only 2 percent of the overall C2 traffic."

  7. Shane Kent

    I recall a few years back....

    that the US (or more so a US Co.) was claiming Canada becoming "the" hot bed for hackers. Was absolute BS of course, but the waste of tax money CBC carried the story. And so did CTV. Quite the journalists we have here in Canada, Google'n their stories from BS Americans, lol. CBC is as useful as the CRTC, both should be shutdown and replaced, everyone fired!

    P.S. My comment is not to imply "all" Americans are BSers. But the media in Canada sure does suck!

  8. Fehu
    Black Helicopters

    Level 3? Seriously?

    Consider the source. No pun intended.

    1. Wzrd1

      Re: Level 3? Seriously?

      L3 is rather good, actually. We use threat intelligence from them, the government and pretty much the spectrum of organizations that contribute to threat intelligence.

      We get intelligence on everything from hash values of known malware, TTP's of threat actors, emerging threat intelligence and traffic pattern values for our IPS.

      As for C3 servers in the US and North America in general, one can get a virtual host for anything from $10 - 20 per month that is more than adequate for C3 operations and jump point for exfiltrated data. Other hotspots have similar availability and inexpensive solutions available.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019