“Bots are an effective means to an end for the dark side of the internet community,” explained Distil Networks, in its annual “Bad Bot Landscape” report. “From legitimate businesses and governments, to organized criminal hackers and nefarious thrill-seekers, bots have become a reliable and ready weapon of choice. With returns high and the risk of retribution low, those who develop and deploy bots are continuing to do so with ever greater reach and efficiency.”
The biggest growth engine for bots is the wireless space. Over the past year, Distil has witnessed the aforementioned increase of over 1,000% in mobile bad bot traffic, and tracked bad bot traffic originating from every wireless provider operating in the US. With the exception of América Móvil, every one of the top 10 global wireless providers served bad bot traffic from their network.
Better LTE networks and more smart devices are underpinning the growth. “This trend increases in importance each month, as mobile throughput continues to increase,” said Distil. “Smartphones are the most vulnerable of all mobile devices, and by the end of 2014, estimates show that there will be more than 6 billion mobile devices in use. This represents massive incentive for bad bot operators to focus more on mobile.”
US mobile providers far outpaced foreign providers in terms of bad bot volumes served. The highest volume of bad bot traffic was identified across AT&T’s network, while internationally, Vodafone had the highest number of malicious bot requests.
“Not only is the number of mobile bots increasing, but so too are the number of bots spoofing their identity to portray themselves as mobile devices,” added the report. “Bad bot operators do this, because many web servers are programmed to give a different response, or set of data, to mobile users (versus desktop users). Often, bot makers are interested in this unique data and spoof their user agents to appear as a mobile browser, when in reality they are nothing more than a script.”
On the desktop front, the report found that the biggest bad bot of 2013 was Pushdo, impacting 4.2 million IP addresses and about 4 million computers. The purpose of Pushdo is to act as infrastructure for sending out spam or malicious trojans, including the financial thieves SpyEye and Zeus.
“Serving as the underlying infrastructure for bad bots, the organization that developed and runs Pushdo stands to earn significant revenue by offering the infrastructure to the highest bidder on a revolving basis,” the report noted.
Distil captured Pushdo traffic coming from 15,000 different ISPs, hosting providers and other organizations worldwide. Many companies, organizations and government agencies were infected, including US Government agency and military networks. Despite the fact that an Eastern European criminal organization runs Pushdo, our tracking showed that the top 10 countries of origin for the botnet’s traffic were located in either North America or Asia, with one from Europe.
The report also pointed out that with bad bots representing nearly a quarter of all web traffic, organizations are paying hefty bandwidth cost premiums to support harmful traffic. Moreover, the nature of bots contributes to higher bandwidth usage.
“In launching their attacks during 2013, bad bots performed five times more ‘get’ requests than ‘post’ requests. To serve the ‘get’ requests, unprotected sites had to serve content and/or applications from their servers at their own expense. This also means allocating additional server infrastructure so that legitimate website users are not turned away or experiencing poor site performance.”