2013 CHECK POINT ANNUAL SECURITY REPORT
02
_ THREATS TO YOUR ORGANIZATION
010
Command & Control Activity
Bots come in many shapes and forms and can execute a wide
variety of activities. In many cases, a single bot can create
multiple threats. Once under control of the Command &
Control server, the botnet can be directed by the bot herder
to conduct illegal activities without the user’s knowledge.
These activities include: infecting more machines in order
to add them to the botnet, mass spam emailing, DDoS
attacks and theft of personal, financial, and enterprise-
confidential data from bots in the botnet. Bots are also
often used as tools in APT attacks where cybercriminals
pinpoint individuals or organizations as specific targets for
attack.
Chart 2-B presents the frequency of bots’ communication
with their Command & Control center. 70% of the bots
detected during the research communicated with their
Command & Control center at least once every two hours.
The majority of Command &Control activity was found in
the USA, followed by Germany, Netherlands and France, as
shown in Chart 2-C.
The various types of bot communication with its Command
& Control center include: reports of newly infected hosts,
keep-alive messages and relaying of data collected from
the host system. Our research shows that on average, a bot
communicated with its Command & Control center once
every 21 minutes.
Which Botnets Should We Watch Out For?
Thousands of botnets exist in the world today.
The following table presents the most prominent botnets
found during our research. To gain a better understanding
of these stealthy threats, additional information is available
at Appendix A.
How Your Organization can be
Infected with Malware
Botnet Family Malicious Activity
Zeus
Steals online banking credentials
Zwangi
Presents the user with unwanted
advertising messages
Sality
Self-spreads viruses
Kuluoz
Remotely executes malicious files
Juasek
Conducts malicious actions
remotely such as opening a
command shell, searching/
creating/deleting files and more
Papras
Steals financial information and
gains remote access
See additional details in Appendix A
ONCE EVERY 21 MINUTES
A BOT IS COMMUNICATING
WITH ITS COMMAND &
CONTROL CENTER
Chart 2-B
Source: Check Point Software Technologies
Frequency of Bots’ Communication with
Their Command & Control Center
25
%
Up to 1 hour
45
%
1-2 hour
6
%
2-4 hour
24
%
More than 4 hours
