12 million new IP addresses have been hijacked by botnets

Today the McAfee first quarter threat report revealed that cybercriminals have taken control of almost 12 million new IP addresses since January, a 50 percent increase since 2008.

The United States is now home to the largest percentage of botnet-infected computers, hosting 18 percent of all zombie machines. Cybercriminals are building an army of infected, “zombie” computers to recover from last November’s takedown of a central spam-hosting ISP, according to the new report from Avert Labs.

The November 2008 takedown of McColo Corp. dropped spam levels by an estimated 60 percent, but spam quantities are rising as cybercriminals create new ways to send bulk e-mails.

The quick expansion of botnets threatens to boost spam levels back up. In fact, spam volumes have already recovered about 70 percent since McColo Corp. went offline. Compared with the same quarter a year ago, spam volumes are 20 percent lower in 2009 and 30 percent below the third quarter of 2008, which had the highest quarterly volumes recorded to date.

“The massive expansion of these botnets provides cybercriminals with the infrastructure they need to flood the Web with malware,” said Jeff Green, senior vice president of McAfee Avert Labs. “Essentially, this is cybercrime enablement.”

  • The Koobface virus has made a resurgence, and more than 800 new variants of the virus were discovered in March alone.
  • Servers hosting legitimate content have become more popular with malware writers as a way to distribute malicious and illegal content.
  • Cybercriminals are increasing their use of URL redirects and Web 2.0 sites to disguise their location.
  • Compared to the overall landscape, the Conficker worm represents a small subset of all threat reports. Autorun malware, a vector used by certain Conficker variants, represented only 10 percent of all detections reported during the first quarter.

We continue to see widespread use of legitimate Web 2.0 and business-related URLs for spreading malware. Ten or more years ago, it seemed you could remain safe by simply staying away from certain content, but today threats seem to find us regardless of where we browse. Any website that can be exploited (via any of numerous vulnerabilities) will be. Administrators routinely see scans looking to exploit their servers. What is interesting is the high prevalence of these scans coming from sites and servers associated with everything from illegal software to malicious sites to anonymizers. If a high-traffic website is vulnerable, then it is not a matter of whether it will be exploited, but when.
