
Is Your Company’s Network Part of a Botnet?

How a Botnet is Formed

1. The botmaster sends out malware to take control of other computers.
2. If the malware is executed, the computer is compromised and joins the botnet.
3. The computer is now a zombie and can be controlled from the botmaster’s command server.

83% of organizations had existing bot infections in 2014

2.2X more data breaches by companies slow to react to botnet threats

Methods of Infection

Spam email
Malicious websites
Files distributed by social media

Causes of Infection

No protection on device
Infrequent updates
Lack of user education

Zeus 51,848,194
Steals banking
credentials

Graftor 21,673,764
Downloads
malicious files

Ramnit 12,978,788
Steals banking
credentials

Conficker 12,357,794
Disables system security services, attacker gains remote access

Sality 11,791,594
Steals sensitive
information

Smokeloader 9,417,333
Installs malware

Ramdo 5,771,478
Performs click-fraud

Gamarue 3,329,930
Opens a backdoor for
attacks

Hackers Use Zombie Computers For

DDoS Attacks
Sending Spam
Click Fraud
Data Theft
Identity Theft
Attacks for Hire

Botnet Example: CryptoWall Spread by Click Fraud Botnet

1. "RuthlessTreeMafia" botnet infects a large number of computers
2. Botnet operators use zombie computers to run click fraud
3. Botnet operators recognize Flash vulnerability
4. Install CryptoWall on zombie computers
5. Encrypt user data and demand ransom

CryptoWall is a type of “ransomware,” malware that installs itself on a computer, encrypts files rendering them useless to users, and demands a ransom payment to decrypt the data.

In June 2015, a botnet known as "RuthlessTreeMafia" changed its focus. The botnet was originally used for click fraud: it would open hidden browser windows on users’ computers and use them to generate fake clicks on advertising banners.

The botnet’s operators leveraged their hold on large numbers of user machines and, instead of just click fraud, started installing CryptoWall on those machines.3 They were probably exploiting a “zero day vulnerability” in Adobe Flash, which allowed an attacker to install files on a user’s computer.4

The end result was large numbers of machines infected by dangerous ransomware and damages estimated in millions of dollars.

Botnet Infections in Company Networks

[Figure: Comparison of botnet infections, April to October. Series: Gamarue, Vawtrak, Bedep, CryptoWall, Miuref. Annotation: "Spike due to zero day exploit."]

Source: Cisco Security Research

Cisco analyzed the networks of 121 companies from April to October 2015 for evidence of one or more of eight commonly seen botnets.5 This graph represents the number of users on these networks infected with different botnet malware.

Do you already have an infected machine in your network?

Find out if you are vulnerable to botnets:
https://www.ixiacom.com/products/breakingpoint

Block connections to botnet controllers:
https://www.ixiacom.com/products/threatarmor

WE MAKE NETWORKS STRONGER

1 Check Point Security Report, 2015
2 BitSight Insights Report, “Beware the botnets,” April 2015
3 Gracie Roberts, Avast, “CryptoWall joins forces with click fraud botnet to infect individuals and businesses alike,” July 3 2015
4 Michael Mimoso, ThreatPost, “Magnitude Kit Exploiting Flash Zero Day, Dropping Cryptowall,” June 29 2015
5 Cisco 2016 Annual Security Report

© Keysight Technologies, 2017. Ixia and the Ixia logo are trademarks or registered trademarks of Ixia in the United States and other jurisdictions. All other trademarks used herein are the property of their respective owners.

915-7000-7061 Rev A
