Monday, February 14, 2011

Where do all those bots come from?

Many studies periodically tell us where the worldwide spam comes from. One of the latest identified the United States as the country carrying out the most spam, followed by India and Brazil. What is not usually mentioned is whether differences exist between the country distribution of the bots belonging to the main botnets. During one of our recent research projects, we had the possibility to track some of the world's major botnets. We collected IPs belonging to these botnets for four months, from September to the beginning of February, so that we could have a good overview of the whole botnet populations. 
Interestingly, we found out that these populations are not uniform, but vary a lot from botnet to botnet. Below is the country distribution for Rustock:
For this botnet, the majority of the bots we tracked is located in the United States (7.9%), followed by Brazil (7.4%), Vietnam (6.4%) and Germany (6.2%). Rustock is considered to be the most active botnet at the time, and the fact that most of its bots are located in the US corroborates the general statistics we cited.
Other botnets have very different country distributions than Rustock. Here is the worldwide location of Lethic bots:

The country where most Lethic bots are located is Brazil (6.8%), followed by India (6.64%), Russia (6.2%) and Vietnam (5.9%). The United States only host 4.6% of the Lethic bots.
Another interesting country distribution to look at is the one of the Cutwail botnet:

For this botnet, 9.7% of the bots are in Brazil, 7% are in India, 6.7% are in Russia, and only 3.1% are in the US.
The last interesting botnet we tracked is the so-called Waledac 2.0, that started spamming again at the end of December 2010. Here is its country distribution:

For this botnet, the most bots are in Brazil (15%), while the US accounts only for 2.4% of them.
The reason for this big differences might be found in how malware is spread. A common case is a legitimate website that gets compromised, and tries to make user machines install the malicious software with a drive-by-download attack. Of course, if the legitimate site was, for example, a Brazilian site, the majority of the machines that will get infected by visiting it will be from Brazil.
Also, in the underground economy, bots located in different countries are sold at different prices. Those located in Europe or in the United States are the most expensive, mainly because they can ensure higher bandwidth and send out more spam messages.