2013 CHECK POINT ANNUAL SECURITY REPORT
THREATS TO YOUR ORGANIZATION
including Internet Relay Chat (IRC), HTTP, ICMP, DNS, SMTP, SSL, and in some cases custom protocols created by the botnet software creators.
Command & Control Activity
Bots come in many different shapes and forms and can execute a large variety of activities; in many cases a single bot creates multiple threats. Once under the control of the Command & Control server, the botnet can be directed by the bot herder to conduct illegal activities without the user's knowledge. These activities include infecting more machines in order to add them to the botnet, mass spam emailing, DDoS attacks, and theft of personal, financial, and enterprise-confidential data from the bots in the botnet. Bots are also often used as tools in APT attacks, where cyber criminals pinpoint specific individuals or organizations for attack.
Chart 2-B presents the frequency of bots' communication with their Command & Control center. 70% of the bots detected during the research communicated with their Command & Control center at least once every 2 hours. The majority of Command & Control activity is found in the USA, followed by Germany, the Netherlands, and France, as shown in Chart 2-C.
The types of communication a bot sends to its Command & Control center include reports of new hosts it has infected, keep-alive messages, and data collected from the host system. Our research shows that, on average, a bot communicates with its Command & Control center once every 21 minutes.
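The regular keep-alive traffic described above is also what gives a defender a handle on an infected host: a bot that checks in on a fixed schedule produces connection gaps that are far more uniform than human-driven browsing. The following example is added here and is not code from the report or from Check Point; it runs a simple beacon detector over a constructed connection log in which one host contacts a destination about every 21 minutes (matching the report's average) and another host contacts a destination at irregular intervals. The log format, IP addresses, the minimum-connection threshold, and the coefficient-of-variation cutoff are all assumptions chosen for the illustration.

```python
"""Beacon detection over constructed connection logs (added example, not from the report)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines, format: "<ISO timestamp> <src ip> <dst ip>:<port>".
# Host 10.0.0.5 reaches 203.0.113.7 roughly every 21 minutes (beacon-like, small jitter);
# host 10.0.0.9 reaches 198.51.100.2 at irregular, human-driven intervals.
SAMPLE_LOG = """\
2013-03-01T08:00:00 10.0.0.5 203.0.113.7:443
2013-03-01T08:21:05 10.0.0.5 203.0.113.7:443
2013-03-01T08:41:58 10.0.0.5 203.0.113.7:443
2013-03-01T09:03:02 10.0.0.5 203.0.113.7:443
2013-03-01T09:24:00 10.0.0.5 203.0.113.7:443
2013-03-01T09:44:57 10.0.0.5 203.0.113.7:443
2013-03-01T08:02:00 10.0.0.9 198.51.100.2:443
2013-03-01T08:02:40 10.0.0.9 198.51.100.2:443
2013-03-01T08:30:00 10.0.0.9 198.51.100.2:443
2013-03-01T10:15:00 10.0.0.9 198.51.100.2:443
2013-03-01T10:16:10 10.0.0.9 198.51.100.2:443
2013-03-01T13:00:00 10.0.0.9 198.51.100.2:443
"""


def parse_log(text):
    """Group the constructed log into {(src, dst): [timestamps]}."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def interval_stats(timestamps):
    """Return (mean gap in seconds, coefficient of variation) for one src/dst pair."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    # A low coefficient of variation means the gaps are nearly identical,
    # i.e. the connections follow a timer rather than a person.
    return avg, (pstdev(gaps) / avg if avg else float("inf"))


def find_beacons(text, min_connections=5, max_cv=0.2):
    """Flag (src, dst) pairs whose connection gaps are regular enough to look like a beacon.

    Returns {(src, dst): period_in_minutes}. Thresholds are assumed values for the example.
    """
    hits = {}
    for pair, stamps in parse_log(text).items():
        if len(stamps) < min_connections:
            continue  # too few connections to judge regularity
        avg, cv = interval_stats(stamps)
        if cv <= max_cv:
            hits[pair] = round(avg / 60, 1)
    return hits


if __name__ == "__main__":
    for (src, dst), period in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {src} -> {dst}, period ~{period} min")
```

On the constructed log the detector reports only the 10.0.0.5 to 203.0.113.7 pair, with a period of about 21 minutes; the irregular host is ignored because its gap sizes vary by orders of magnitude. In practice the same logic is run over proxy or firewall connection logs per source/destination pair, and the thresholds are tuned against the organization's own baseline, since legitimate software updaters and monitoring agents also produce timer-driven traffic.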
Which Botnets Should We Watch Out For?
Thousands of botnets exist in the wild today. The following table presents the most infamous and prominent botnets found during our research. To give a better understanding of these stealthy threats, more information on each of them has been compiled in Appendix A.
Botnet Family | Malicious Activity
Zeus          | Steal online banking credentials
Zwangi        | Present the user with unwanted advertising messages
Sality        | Self-spreading virus
Kuluoz        | Remote execution of malicious files
Juasek        | Remote malicious actions: open a command shell, search/create/delete files, and more
Papras        | Steal financial information and gain remote access
See additional details in Appendix A
ONCE EVERY 21 MINUTES A BOT IS COMMUNICATING WITH ITS COMMAND & CONTROL CENTER
Chart 2-B: Frequency of Bots' Communication with Their Command & Control Center (Source: Check Point Software Technologies)
Up to 1 hour: 25%
1-2 hours: 45%
2-4 hours: 6%
More than 4 hours: 24%