Our team at Nominum recently looked at the biggest threats to fixed networks at the DNS layer. Why the DNS layer? Because it is ubiquitous -- every network runs on it -- and it is the best option for protecting critical infrastructure.
We have broad insight at this layer because we provide DNS engines to more than 140 of the world's top service providers and process about 30% of the world's global traffic -- about 1 trillion DNS queries per day. All of these queries and clicks lead to data being produced, A LOT of data. The Nominum security lab analyzed that data across the globe to identify the top 10 bots of 2012. (A few month ago we did the same thing for mobile networks.)
Along with the bots, we saw that 2012 was marked by the continuous growth of sophisticated attacks in both fixed and mobile networks and most of these attacks were carried by malicious bots that were empowered with zero-day malware infection capability (previously unknown computer virus or other malware for which specific antivirus software signatures are not yet available). Furthermore, most modern bots are DNS-enabled and enjoy the Internet scalability.
The first table below shows the top 10 bots ranked by the degree of infection around the world. The top 10 global bots are a mix of modern bots and legacy bots. One modern bot, Ngrbot (a.k.a. Dorkbot), can hide its presence and hook to some system APIs as a rootkit. It's a multi-function bot, capable to perform a variety of malicious activities, such as collecting and stealing sensitive info (like usernames and passwords), disabling installed antivirus services and launching DDoS attacks.
We also found the top 10 regional bots and these lists are different from each other, the second table showing the top 10 regional bots for the geographic areas of Asia/Pacific, Europe/Middle East/Africa, and Latin America, respectively.
Some top regional bots did not make the global top bot list. For example, SpyEye was a top threat with higher infection rates than its competitor Zeus in the EMEA region, but Zeus was more popular in APAC and LATAM regions.
There were several high-profile bots not included in the regional top 10 bots lists, but widely spread in specific countries, such as Flamer, Shylock, TDSS, and DNSChanger. For Flamer, Iran was the main target of infection, but there were some significant outbreaks in Egypt and Saudi Arabia with a few victims in Thailand.
Sign up for Computerworld eNewsletters.