Analysis finds 1&1 to be popular host for bot herders - Update
An analysis by anti-botnet specialist Damballa has found that most command and control (C&C) servers for botnets are located in the US, Germany and France. It reports that half of all C&C servers observed in the first six months of 2010 are located in these three countries, which, as Damballa Vice President for Research Gunter Ollmann notes, are not normally associated with online criminal activity.
Bot herders like to use commercial hosting companies, an area in which they appear to show clear preferences – almost 11% of C&C servers can be traced back to networks operated by German ISP 1&1. Why 1&1, which also operates in the UK, should be so popular is a matter for speculation, but it may be due to its good connectivity and the high availability of its networks and servers. 1&1 has not yet responded to an enquiry from The H's associates at heise Security.
Ollmann advises ISPs, such as 1&1, and hosting companies to consider taking countermeasures to reduce their attraction for bot herders. It is to be hoped that this would not be by reducing connectivity and availability.
The numbers are unlikely to strike joy into the heart of 1&1, in particular in view of its involvement in an anti-botnet initiative. The initiative involves ISPs informing domestic and business customers who appear to be hosting bot infections, identified, for example, on the basis of a high level of spam originating from their internet connection. The initiative clearly does not involve monitoring communications between botnets and C&C servers, as otherwise 1&1 would have been bound to notice that this involved their own networks.
Update - After being severely criticised for flaws in its analysis, Damballa has deleted its blog post containing the statistics referred to above.