Most harmful botnets of the past decade

The past 10 years have seen a number of highly visible and highly damaging botnets, spewing spam, knocking companies or even entire countries offline, and sometimes even extorting victims through Cryptolocker malware. Others have mined for and stolen Bitcoins, or quietly sniffed credentials to banking and credit card sites to steal funds and identities. While there have been many botnets over the years, many of them variants of others, some stand out both for the damage they caused and for the number of systems they compromised. Most of these are currently offline, and will hopefully stay so, but others are still alive and well. Here is a rundown of the Dirty Dozen from the past decade.

Rustock

Year discovered: 2006
Origin: Possibly Russia
Estimated number of infected machines: Between 150,000 and 2,400,000.
Type of Botnet: Spammer
Current disposition: Taken down by US Law Enforcement in cooperation with Microsoft, FireEye, and the University of Washington.
Rustock propagated as a Trojan horse, infecting files downloaded from the Internet or sent as attachments in email. Infected machines could send up to 25,000 spam emails per hour when active.

Storm

Year discovered: 2007
Origin: Unknown, though many suspect Russian cyber-criminals based on Russian words in the source code.
Estimated number of infected machines: Between 1,000,000 and 50,000,000.
Type of Botnet: Multiple attacks, including backdoor access, SMTP relay, email address harvesting, spamming and DDoS.
Current disposition: Essentially offline.
Storm was the largest and most widely propagated botnet to date. It had the added notoriety of being available for sale or lease to others, particularly for its DDoS capabilities. Social engineering and spam helped propagate it, but its operators also planted it in downloads on popular websites that had been compromised, making downloads from those sites a major infection vector.

Cutwail

Year discovered: 2007
Origin: Possibly Russian, based on the current incarnations being offered by members of the Russian underground.
Estimated number of infected machines: Between 1,500,000 and 2,000,000
Type of Botnet: Spammer and DDoS
Current disposition: Still active.
At its height, Cutwail was responsible for almost half of all spam on the Internet, sending 74 billion spam messages per day. Today, it is still active and available for rent.

Grum

Year discovered: 2008
Origin: Unknown
Estimated number of infected machines: Between 560,000 and 840,000.
Type of Botnet: Spammer, primarily of pharmaceutical emails.
Current disposition: Offline, through the takedown of various Command & Control systems in the Netherlands, Panama, Russia and the Ukraine.

Conficker

Year discovered: 2008
Origin: Either Germany, based on name, or the Ukraine, based on primary server.
Estimated number of infected machines: Between 9,000,000 and 15,000,000.
Type of Botnet: DoS and spammer
Current disposition: Largely offline, but infected machines still exist.
Conficker is unique in that it downloads updates of itself as signed and encrypted binaries, so that nobody else can use the same update channel to push a disinfection. Once the E version is active, it downloads and installs Waledac to send spam and SpyProtect 2009 to entice victims into paying for fake antivirus software, and it initiates a series of local network DoS conditions through ARP flooding, account lockouts, disabling automatic updates and antivirus updates, and more.

Kraken

Year discovered: 2008
Origin: Unknown
Estimated number of infected machines: Up to 495,000.
Type of Botnet: Spammer
Current disposition: Currently inactive, but it has resurfaced before and may yet again.
Kraken was particularly interesting in that it exhibited anti-malware evasion techniques and auto-update capabilities. It was estimated to have infected up to 10% of the Fortune 500.

Mariposa

Year discovered: 2008
Origin: Spain
Estimated number of infected machines: Between 1,000,000 and 12,000,000.
Type of Botnet: Cyberscamming and DDoS.
Current disposition: Offline, due to cooperative efforts between Spanish law enforcement, Defense Intelligence, Georgia Tech and Panda Security.
Mariposa performs keyboard logging for credentials to financial sites, sends spam, and participates in DDoS attacks. The Mariposa botnet was available for rent.

Waledac

Year discovered: 2008
Origin: Unknown
Estimated number of infected machines: Over 1,000,000
Type of Botnet: Spammer, with password sniffing, denial of service, and network proxy.
Current disposition: Taken down by US Law Enforcement and Microsoft in 2010
Waledac propagated as a computer worm and used both central botnet and peer-to-peer communications to control victim machines. At the time of takedown, an estimated 70,000 to 90,000 machines were actively in the botnet, but up to 1,000,000 are estimated to have been infected at some point during this malware's active period.

Kelihos

Year discovered: 2010
Origin: Russia
Estimated number of infected machines: Up to 150,000 systems.
Type of Botnet: Spammer and DDoS, with the later version able to mine for and steal bitcoins.
Current disposition: Offline, due to cooperative effort between Microsoft and US Law Enforcement.
Kelihos combined peer-to-peer and central Command and Control elements, and could spread through links to infected files and through the social networking site Facebook.

ZeroAccess

Year discovered: 2011
Origin: Unknown
Estimated number of infected machines: 9,000,000.
Type of Botnet: Bitcoin mining and click-fraud.
Current disposition: Inactive, but capable of coming back. Microsoft and law enforcement attempted to take down ZeroAccess by seizing its Command and Control systems, but missed some, and the peer-to-peer elements could launch new attacks in the future.
ZeroAccess can compromise an operating system by infecting both the MBR and key drivers, and can disable both the Windows firewall and antivirus software.

Metulji

Year discovered: 2011
Origin: Bosnia and Slovenia
Estimated number of infected machines: 12,000,000.
Type of Botnet: Cyberscamming and DDoS.
Current disposition: Offline thanks to joint effort between the FBI and Interpol.
Metulji leveraged aspects of other botnets, was offered as a kit to other cybercriminals and actually incorporated licensing into its resale capabilities. In addition to participating in DDoS attacks, it sniffed for credentials to financial services, monitoring victims’ keyboard entries.

Gameover Zeus

Year discovered: 2012
Origin: Russia
Estimated number of infected machines: 500,000 to 1,000,000
Type of Botnet: Cyberscamming and extortion through propagation of the Cryptolocker malware.
Current disposition: Largely offline, thanks to international law enforcement and leading technology corporations including Microsoft, Symantec and McAfee.
GameOver Zeus used encrypted communications to establish a botnet with both a central Command and Control network and a peer-to-peer aspect, making it much more resilient and harder to take down.

These botnets teach us a very important lesson: a layered defense on our networks is critical. Antivirus software on every system, hygiene filtering of all email, filtering of all Internet access, outbound egress filtering at the firewall, intrusion detection systems to spot infected machines, limiting administrative rights, regular vulnerability scanning and patch management are a must today. End user training will help employees avoid, or at least identify, suspect links or sites and, if compromised, know what they need to do. At home, antimalware software, using a reputable personal email service and adopting a 'think before you click' mentality will greatly improve the security of your machine.
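As an added example of the egress filtering and infected-machine detection recommended above (not code from the original article), the script below scans firewall egress logs for the signature behaviour of spam bots such as Rustock and Cutwail: a workstation opening direct outbound SMTP sessions to many Internet hosts instead of handing mail to the corporate relay. The log line format, the internal address range and the relay address are assumptions; the sample lines are constructed.

```python
"""Spot spam-bot behaviour in firewall egress logs: an internal workstation
opening direct outbound SMTP (port 25) sessions to many Internet hosts instead
of handing mail to the approved relay. Log format, ranges and relay are assumed."""
from collections import defaultdict
import ipaddress
import re

INTERNAL = ipaddress.ip_network("10.0.0.0/8")      # assumed corporate range
MAIL_RELAY = ipaddress.ip_address("10.0.1.25")     # assumed approved mail relay
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) action=(allow|deny)")

# Constructed sample lines (not real data): 10.0.5.17 behaves like a spam bot,
# 10.0.5.20 mails through the relay, and the relay itself talks to the Internet.
SAMPLE_LOG = """\
2013-03-01T10:00:01 src=10.0.5.17 dst=203.0.113.9 dport=25 action=allow
2013-03-01T10:00:01 src=10.0.5.17 dst=198.51.100.4 dport=25 action=allow
2013-03-01T10:00:02 src=10.0.5.17 dst=203.0.113.77 dport=25 action=deny
2013-03-01T10:00:02 src=10.0.5.17 dst=198.51.100.12 dport=25 action=deny
2013-03-01T10:00:03 src=10.0.5.17 dst=203.0.113.200 dport=25 action=deny
2013-03-01T10:00:03 src=10.0.5.17 dst=198.51.100.4 dport=25 action=deny
2013-03-01T10:00:04 src=10.0.5.20 dst=10.0.1.25 dport=25 action=allow
2013-03-01T10:00:05 src=10.0.1.25 dst=203.0.113.9 dport=25 action=allow
2013-03-01T10:00:06 src=10.0.5.31 dst=198.51.100.4 dport=25 action=allow
2013-03-01T10:00:07 src=10.0.5.17 dst=203.0.113.9 dport=443 action=allow
"""

def parse(log):
    """Yield (src, dst, dport, action) for each line matching the assumed format."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            src, dst, port, action = m.groups()
            yield ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), action

def flag_direct_smtp(log, min_conns=5, min_distinct=3):
    """Return {src: {'conns', 'distinct_dst', 'denied'}} for internal hosts other
    than the relay that open at least min_conns direct SMTP sessions to at least
    min_distinct external hosts. Denied sessions count too: with egress filtering
    in place, blocked direct SMTP is the clearest sign of an infected machine."""
    stats = defaultdict(lambda: {"conns": 0, "dsts": set(), "denied": 0})
    for src, dst, port, action in parse(log):
        if port != 25 or src not in INTERNAL or src == MAIL_RELAY or dst in INTERNAL:
            continue
        s = stats[src]
        s["conns"] += 1
        s["dsts"].add(dst)
        if action == "deny":
            s["denied"] += 1
    return {str(src): {"conns": s["conns"], "distinct_dst": len(s["dsts"]), "denied": s["denied"]}
            for src, s in stats.items()
            if s["conns"] >= min_conns and len(s["dsts"]) >= min_distinct}

if __name__ == "__main__":
    for host, info in flag_direct_smtp(SAMPLE_LOG).items():
        print(f"{host}: {info['conns']} direct SMTP sessions to {info['distinct_dst']} hosts, {info['denied']} denied")
```

Tune the thresholds to the site's normal traffic; a real spam bot like Rustock, at up to 25,000 messages per hour, will exceed any sane threshold within seconds of its first burst.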