Symantec Global Internet Security Threat Report
Bots allow for a wide range of functionality and most can be updated to assume increased functionality by downloading new code and features. Attackers can use bots to perform a variety of tasks, such as setting up denial-of-service (DoS) attacks against an organization’s website, distributing spam and phishing attacks, distributing spyware and adware, propagating malicious code, and harvesting confidential information that may be used in identity theft from compromised computers, all of which can lead to serious financial and legal consequences. Attackers favor bot-infected computers with a decentralized C&C model because they are difficult to disable and allow the attackers to hide in plain sight among the massive amounts of unrelated traffic occurring over the same communication channels, such as P2P. Most importantly, botnet operations can be lucrative for their controllers because bots are also inexpensive and relatively easy to propagate.
In 2009, Symantec observed underground economy advertisements for as little as $0.03 per bot. This is similar to 2008, when $0.04 was the cheapest price advertised for bots. It should be noted that botnets generally consist of large numbers of bot-infected computers and, despite the low cost per bot, they are typically sold in bulk lots ranging from hundreds to tens of thousands of bots per lot, meaning that the actual cost of a botnet is significantly higher than the per-bot price.
A bot-infected computer is considered active on a given day if it carries out at least one attack on that day. This does not have to be continuous; rather, a single such computer can be active on a number of different days. A distinct bot-infected computer is a distinct computer that was active at least once during the period. In 2009, Symantec observed an average of 46,541 active bot-infected computers per day (Figure 6), which is a 38 percent decrease from 2008. Symantec also observed 6,798,338 distinct bot-infected computers during this period, which is a 28 percent decrease from 2008. This decrease is primarily considered the result of bots sending larger volumes of spam instead of propagating, as is discussed below. Another possible reason for this decrease is that some bots may be performing non-typical activity that is not being monitored.
[Figure 6: chart. Vertical axis: active bot-infected computers. Horizontal axis: date, Jan 5, 2008 to Dec 31, 2009. Series: median daily active bots; 4 per. moving average.]
Figure 6. Active bot-infected computers, by day
Source: Symantec
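The counting rules defined above (active on a day, distinct over the period) and the 4 per. moving average plotted in Figure 6 can be computed from per-attack telemetry as follows. This is an added example, not Symantec's code; the event records, host identifiers and function names are constructed for illustration, and the moving-average window is assumed to be four consecutive samples.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, median

# Constructed sample: one (day, host_id) record per observed attack.
EVENTS = [
    (date(2009, 1, 1), "host-a"), (date(2009, 1, 1), "host-a"),
    (date(2009, 1, 1), "host-b"), (date(2009, 1, 2), "host-a"),
    (date(2009, 1, 4), "host-c"), (date(2009, 1, 4), "host-d"),
    (date(2009, 1, 4), "host-a"), (date(2009, 1, 5), "host-e"),
    (date(2009, 1, 6), "host-b"), (date(2009, 1, 6), "host-e"),
]

def daily_active(events, start, end):
    """Return [(day, active_count)] for every day in [start, end]."""
    hosts_by_day = defaultdict(set)
    for day, host in events:
        if start <= day <= end:
            # A set de-duplicates: many attacks by one host on one day
            # still make that host "active" only once for that day.
            hosts_by_day[day].add(host)
    days = [start + timedelta(n) for n in range((end - start).days + 1)]
    # Days with no observed attacks count as zero active hosts.
    return [(d, len(hosts_by_day[d])) for d in days]

def distinct_hosts(events, start, end):
    """Hosts that were active at least once during the period."""
    return {host for day, host in events if start <= day <= end}

def moving_average(values, window=4):
    """Trailing average; None until a full window of samples exists."""
    return [None if i + 1 < window
            else sum(values[i + 1 - window:i + 1]) / window
            for i in range(len(values))]

def summarize(events, start, end):
    """Compute the period metrics from raw attack events."""
    counts = [count for _, count in daily_active(events, start, end)]
    return {
        "avg_active_per_day": mean(counts),
        "median_active_per_day": median(counts),
        "distinct": len(distinct_hosts(events, start, end)),
        "moving_avg_4": moving_average(counts, 4),
    }
```

In the constructed sample, five distinct hosts produce an average of only 1.5 active hosts per day, the same kind of gap the report shows between 6,798,338 distinct and 46,541 daily active bot-infected computers.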