Once the most common form of malicious computer network, botnets that use the IRC (Internet Relay Chat) protocol are going the way of the Brontosaurus, according to a report from Internet security monitoring firm Team Cymru.
Under fire from better monitoring of IRC command and control (C&C) traffic and displaced by harder-to-block HTTP-based botnets, active IRC botnets are dwindling in number, even as the overall number of active botnets is increasing at a rapid pace, Cymru said.
Botnets are loose, global networks of compromised computers that are controlled centrally and used by cybercriminals for a variety of purposes, including spam e-mail distribution, denial of service attacks, malware distribution and advertising. Recent take-downs of large botnet command and control systems, including those of Bredolab, Waledac and Pushdo, are credited with a brief drop in spam volumes in August and September. However, cybercriminals have, more often than not, simply harnessed infected computers to new command and control servers and resumed operations.
Cymru said the number of botnet command and control servers is doubling every 18 months, led by HTTP-based botnets that are harder to detect and block than their IRC-based predecessors. In fact, HTTP-based command and control servers outnumber IRC-based C&Cs by 10 to 1, Cymru said.
While IRC botnets are in sharp decline from their heyday in the late 1990s and early Millennial period, they’re not gone for good. “The reality is IRC based botnets must still be making some cash from somebody,” said Steve Santorelli, director of research at Team Cymru, in a YouTube video released by the firm.
He blamed loose monitoring on the part of enterprises for their continued existence.