U.S. Reigns As Most Bot-Infected Country

The U.S. has by far the highest number of bot-infected computers of any country in the world, with nearly four times as many infected PCs as the country in second place, Brazil, according to a new report by Microsoft. The quarterly report on malicious software and Internet attacks shows that while some of the major botnets have been curtailed in recent months, the networks of infected PCs still represent a huge threat.

The U.S. has by far the highest number of bot-infected computers of any country in the world, with nearly four times as many infected PCs as the country in second place, Brazil, according to a new report by Microsoft. The quarterly report on malicious software and Internet attacks shows that while some of the major botnets have been curtailed in recent months, the networks of infected PCs still represent a huge threat.

The data on botnets, published in Microsoft’s Security Intelligence Report for the first half of 2010, paints a somewhat bleak picture of the botnet landscape. Between January and June of this year, Microsoft cleaned more than 6.5 million machines worldwide of bot infections, which represents a 100 percent increase in bot infections from the same period in 2009. This increase comes at a time when there is more attention than ever focused on the botnet problem, both by security researchers and law-enforcement agencies around the world.

Microsoft measures botnet infections by counting the number of machines
that are cleaned of bots by using the company’s Malicious Software
Removal Tool. The Microsoft data obviously does not show a complete picture of bot infections across the entire Internet, but gives a snapshot of the infection problem on the machines the company monitors.

In the last year or so, several major spam botnets have been either completely crippled or in some way damaged by takedown efforts that target the command and control servers that run the botnets. Pushdo and Waledac are the two most prominent examples of this effort, and Microsoft officials were deeply involved in the takedown of Waledac, eventually going to court in September to get legal ownership of hundreds of IP addresses used by the botnet.

The company worked with researchers in Germany and Austria, as well as law-enforcement agencies, to gain control of the Waledac C&C servers. However, while the takedown was something of a coup, Waledac was not the top spam botnet and Microsoft’s data shows that there are still a number of large botnets, many of which are far less well-known than Waledac, Pushdo and Zeus, that are wreaking havoc online.

The most commonly detected bot client in the new SIR is Rimecud, the main piece of malware that is responsible for the Mariposa botnet. In the first half of 2010, Microsoft cleaned more than 3.5 million PCs infected with Rimecud. Some of the more famous botnets, including Rustock, Nuwar and Zbot are pretty far down the list of the most active botnets.

“Rimecud is a ‘kit’ family: different people working independently use a malware creation
kit to create their own Rimecud botnets. Rimecud is the primary malware family behind the
so-called Mariposa botnet, which infected millions of computers around the world in 2009 and 2010. In July of 2010, the Slovenian Criminal Police arrested a 23-year-old Slovenian citizen suspected of writing the malware code, following the February 2010 arrests of three suspected Mariposa botnet operators by the Spanish Guardia Civil,” Microsoft said in the report. “Rimecud is a backdoor worm that spreads via fixed and removable drives, and by sending malicious hyperlinks to a victim’s contacts via several popular instant messaging programs. Rimecud can be commanded to take a number of typical botnet actions, including spreading itself via removable drives, downloading and executing additional malware, and stealing passwords.”

Rimecud is unlike many other botnets as it has its own network protocol, based on UDP, that it uses for communications between the bots and the C&C servers. A number of other botnets use modified, or somewhat customized, protocols for communication, making it more difficult for researchers to analyze the botnet’s behavior. The attackers behind these botnets have become increasingly intelligent and sophisticated in recent years, and they have learned from their past mistakes, as well as the actions of researchers and law-enforcement agencies.

One of the key methods attackers have adopted to make life more difficult for researchers is to not use off-the-shelf bot software, but instead buy kits that can create custom bots.

“These kits are collections of tools, sold and shared within the malware underground, that enable aspiring bot-herders to assemble their own botnet by creating and spreading customized malware variants. Several malware kits are freely available for downloading and sharing; some have been published as open source code, which enables malware developers to create modified versions of the kits.3 Other kits are developed by individual groups and sold like
legitimate commercial software products, sometimes even including support agreements,” Microsoft said in the report.

Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.


  • Anonymous on

    It's both interesting and disturbing that the author of the article failed to mention the lack of malware on both Macintosh (Unix) and Linux platforms.

  • Anonymous on

    But Mac and Linux OSes do get viruses. It has been in the news plenty of times. Jeez, Mac people just seem immune to reality.

  • Anonymous on

    Its kinda silly to post such a story without giving a way for readers to "scan" their computer to see if they are part of the botnet.. I have seen several stories about the botnets, and NONE of them even come close to telling how to tell if you are infected or are part of the botnet.. Someone please POST A LINK FOR BLEEPING SAKE..

  • Kisai on

    It doesn't surprise me. The root (hehe) of all malware problems is the lack of care or education by the people using computers. 

    Case in point:

    No version of Windows, Linux or MacOS come with any form of anti-virus or anti-malware. They should come with, by default something. The user can then optionally replace it.

    You need to look no further than how people treat their commodity electronics, they unbox it, plug it in using the fastest/cheapest method (traditionally the RF cable, later the composite cable, some new systems with HDMI-only are forcing this to change) and then never do anything to it again (many people don't even configure the screen aspect ratios or surround sound.) With PC's it's much the same way, they plop the box down, never change the settings, install their MS Word or a few games, but never touch the OS settings.


    Some people are so foolish to believe that physically having it not plugged into the internet is safe. It's not, how do you think viruses spread before the internet? Floppy disks. USB drives, Cameras/Camcorders, ipods, phones, etc all connect via USB and all have storage. It takes only a single connection to have the virus copied to the device. Should you plug that device into an unprotected system, even if it's not plugged in, that system may still execute it. (remember AUTORUN?)


    Want the botnets to stop? Then OS vendors need to put a "free" antivirus/antimalware/antispyware product in the system, and have it update for free. All operating system patches should be released, with a "rollup" reinstall set made available. Or even go one step further and take a point from the Linux and FreeBSD crowd and make the OS "installed from the net", thereby bypassing installing insecure versions of the operating system files in the first place. 

    That leads me to the second point, cost.

    People are cheap, we know that. Better, more user friendly can be purchased, or the existing version can be kept. The botnets exist because of poorly configured "out of the box" solutions. I remember with the pre-SP1 version of windows XP, it took no less than 10 minutes for it to be infected with malware, and the ONLY thing the system did was boot up once. Nothing was installed, it was left to "reinstall the OS" unattended, and came back to "Service will shutdown in X seconds" The only way to update this (at the time) so it wouldn't be infected as soon as it was turned on was to unplug it from the internet and download the updates manually from another system.

    At some point I had every windows XP update on a USB drive, "just in case" I had to reinstall the OS. Having a router act as a firewall partially solved the problem (as the incoming traffic could no longer reach the system in question by default. Guess what, not all ISP's give their users routers, so people, to save money, are still plugging their PC's directly into their cable modems.)


  • Anonymous on

    I run windows, mac, linux,  and solaris.  While windows is a bloated piece of shat, it's not really to blame for all those compromised machines.

    The reality is, it's the people.  Windows has a way of attracting the lowest common denominator of people.  Let's call them sheeple.  Let's call them total dumbazzes.  Call them whatever you want, we're talking the masses.

    It is true that for the masses, it doesn't matter what OS they use, if it becomes popular they will get infected.   But for the tiny minority of people who know how to use a computer, and not treat it like an appliance, they will find it easier to secure linux or mac, then windows.  Especially linux.  Windows hides all the underpinnings.

    Microsoft really has become a Public Utility.   And it shows.  It shows in the company, the people who work there, the people who use the software, the government's position, and the slow gradual errosion of quality and service.

    Microsoft felt the slug hit them in the chest during the dot.com boom/bust, then they released some great products, a result of the pinnacle of their efforts.

    But now the giant is dying...  it just takes a long time for it to realize that it's heart has stopped beating.

  • Anonymous on

    I can't believe the misinformation and misunderstandings of everyone involved in the above comment thread. 

    1.  The problem is that Microsoft long ago felt that they didn't need to include the same security model as what's present in Unix and now Linux and Mac OS because it would get in the way of the lowest common denominator user, the one who wants to simply plop his box down and have it 'just work.' There is no good system in place on Windows to prevent any arbitrary process from writing to the OS files. On the other hand, only one user on a Linux, Unix or Mac OS box has those rights -- the superuser or root account. To MS, security is a stumbling block, not a feature. The lack of market share doesn't matter -- there are plenty of Unix and Linux servers out there to try to root. However, most of those machines are being run by people competent in computer security, behind firewalls, only exposing those ports needed to get a certain job done or a certain service presented to the public, and those services are properly root jailed or secured in such a fashion as to be impenetrable by some skript kiddie.

    2.  Microsoft would fix the above problem were it not for the lucrative protection racket that's popped up around the whole antivirus industry. "Pay us or the computer gets it," is how that business works, and many companies would stand to lose big profits if MS were to ever do a complete code audit and fix every possible security hole in all of their software. They haven't the manpower to do that kind of audit work anyway. Add to that the fact that MS gets significant kickbacks from the antivirus companies and you can see why they won't bite the hand that feeds them. 

    3.  The comment about USB drives and cameras, etc., being major sources of infection before the Internet? Stunningly inaccurate. USB drives and cameras have only been popular since about 2003. I was running a shell on a Linux PC hooked up to the Internet via a multiline BBS system in 1994, way before the World Wide Web was popular, when no one had heard of even Netscape's Navigator browser. Most of you have never seen or heard about Usenet or gopher, and none of you can remember a time when spam didn't exist. Floppies might carry a boot sector infector, but not the viruses you see today. Again, the problem comes back to Microsoft's refusal to implement something a bit more professional and robust as far as a security model. The biggest problem is MS's ActiveX set of API calls built into the Internet Explorer browser that allows arbitrary code to execute with full system rights, thus allowing drive-by infections from simply visiting a website.  See my first and second paragraphs above as to why this will never be fixed.

  • Jeffrey A. Williams on

    What this report doesn't articulate at all is that the US is ranked 3rd in the origination of bot's ect.  As such it is not surprising that due to the lack of proper network administration in many incidences, the problem keeps growing. 

  • Dave on

    To the anonymous person asking for a link to scan his computer for botnets:  that's how most people GET botnets.  Go get yourself a decent antivirus/antimalware solution, even if it's free AVG or Avira or something; don't even do those online scans....

    If you live in the eastern U.S. and still have questions, visit http://gyvernetworks.com and contact us for more information.

  • Anonymous on

    Even if they do close all the security holes there will always be people out there who will install a cracked version of some expensive yet desirable software that happens to be infected.  I think we sometimes forget why they're called trojans.  And it's not because people are inherently stupid either, it's just that we're not always aware of the real risks involved.  It's comforting to think that "I'm obviously not the sucker here", but it all reminds me of a quote I heard recently: "Each uneventful day that passes reinforces a steadily growing false sense of confidence that everything is all right - that I, we, my group must be OK because the way we did things today resulted in no adverse consequences".  We all get complacent with ourselves at some point, and then somebody/something comes along that takes advantage of that.

  • Anonymous on

    There's hardly any 'malware', 'virus' or any of that childish shit for Linux and BSD... none of them are in the wild.

    A properly configured Linux/BSD can easily avoid such attacks.

    This's however not possible with Microsoft products -- which're an inhereted flaw.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.