Botnets used in banking credential theft and other criminal enterprises made huge gains in 2010, claiming more than seven times as many victims as the previous year, according to a report issued by a security firm that follows the large networks of infected machines.

The dramatic increase was fueled by improvements in DIY botnet construction kits, which allowed internet-based fraudsters to construct new networks that quickly gained traction, the report from Damballa said. As a result, six of the 10 biggest botnets of 2010 weren't in existence the previous year. New infection technology that targets a hard drive's targets a hard drive's master boot record and changes the machine's boot options also played role.

“Throughout the year, the Top 10 largest botnets increased their total share of all bot infected victims,” the report (PDF) states. “At the beginning of the year approximately 22% of observed botnet victims were infected with malware attributed to just ten botnet operators. By the end of the year, this proportion had grown to nearly 57% - more than doubling their share of global botnet victims.”

In the run-up to Christmas week, the total number of unique botnet victims was 654 percent higher than the same population was at the beginning of the year. The average incremental growth throughout the year was 8 percent.

In addition to the release of refurbished Zeus crimeware kit, other DIY kits available in underground forums are marketed under names such as Phoenix, Darkness, BlackEnergy, and Eleonore. The packages allow criminals to quickly build botnets without having to write the code from scratch.

Damballa's report contrasted with the findings of anther Atlanta-based security firm, Secure Works, which was recently purchased by Dell. Secure Works' Spambot Evolution 2011 said botnets that specialize in sending spam largely marked time last year, with fewer new families emerging and only incremental changes in existing ones.

Like the botnets observed by Damballa, many of the spambots described by Secure Works researcher Joe Stewart made vast improvements in concealing the infections. For instance, Rustock, the biggest spam network with an estimated 250,000 zombies, waits as long as five days after taking hold of a system before it begins sending junk messages. Rustock control servers also run a TOR exit node, “likely in an attempt to avoid disconnection by network administrations who might think the abuse is originating elsewhere,” Stewart writes. ®

Related stories

• Huffy BlackEnergy vxers cry: 'f*ck U Kaspersky', thank Cisco for 0-days (5 November 2014)

  https://www.theregister.com/2014/11/05/huffy_blackenergy_vxers_cry_fck_u_kaspersky_thank_cisco_for_0days/

• Feds declare victory over notorious Coreflood botnet (23 June 2011)

  https://www.theregister.com/2011/06/23/coreflood_botnet_eradicated/

• Microsoft goes bot herder hunting in streets of Russia (7 June 2011)

  https://www.theregister.com/2011/06/07/microsoft_rustock_newspaper_ads/

• Feds move to uninstall bot that hit banks, airports, cops (27 April 2011)

  https://www.theregister.com/2011/04/27/coreflood_mass_uninstall/

• Perverted Justice vigilante sentenced for DDoS attacks (15 April 2011)

  https://www.theregister.com/2011/04/15/bruce_raisley_sentencing/

• Malware baddies crank up Trojan production (6 April 2011)

  https://www.theregister.com/2011/04/06/malware_trends/

• Junk mail down 1/3 since Rustock botnet takedown (29 March 2011)

  https://www.theregister.com/2011/03/29/rustock_takedown_spam_stats/

• Security agency calls time on botnet FUD (8 March 2011)

  https://www.theregister.com/2011/03/08/enisa_botnet_study/

• ZeuS trojan attacks bank's 2-factor authentication (22 February 2011)

  https://www.theregister.com/2011/02/22/zeus_2_factor_authentication_attack/

• UK biz bled dry by cybercrime (17 February 2011)

  https://www.theregister.com/2011/02/17/cyber_crime_total/

• Researchers pry open Waledac, find 500,000 email passwords (2 February 2011)

  https://www.theregister.com/2011/02/02/waledac_account_compromise/

• Bot attacks Linux and Mac but can't lock down its booty (19 January 2011)

  https://www.theregister.com/2011/01/19/mac_linux_bot_vulnerabilities/

• Whitehats peer into new botnet's heart of 'Darkness' (7 December 2010)

  https://www.theregister.com/2010/12/07/darkness_botnet/

• Microsoft confirms Russian pill-pusher attack on its network (14 October 2010)

  https://www.theregister.com/2010/10/14/microsoft_confirms_ip_hijack/

• 5 botnet kingpins busted in $70m fraud ring (1 October 2010)

  https://www.theregister.com/2010/10/01/zeus_kingpin_arrest/

• Zeus botnets' Achilles' Heel makes infiltration easy (27 September 2010)

  https://www.theregister.com/2010/09/27/zeus_botnet_hijacking/

• Microsoft wins court order crushing mighty spam botnet (8 September 2010)

  https://www.theregister.com/2010/09/08/waledac_takedown_success/

• Notorious Kraken botnet rises from the ashes (29 June 2010)

  https://www.theregister.com/2010/06/29/kraken_botnet_resurgence/

• Twitter-controlled botnets come to the unwashed masses (13 May 2010)

  https://www.theregister.com/2010/05/13/diy_twitter_botnets/

• Infamous Storm botnet rises from the grave (27 April 2010)

  https://www.theregister.com/2010/04/27/storm_botnet_returns/