We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

The most dangerous botnets of 2012

With the help of security firm Kindsight, join us as we review the top ten worst botnets this year

The most dangerous botnets of 2012

Botnets are networks of computers that have been compromised by malware. They’re difficult to detect because they are controlled remotely by cybercriminals. Victim computers are often referred to as “bots” or “zombies” because they’re carrying out a cybercriminal’s orders without the victim’s knowledge. In this slideshow, Kindsight Security Labs has identified the most dangerous botnets of 2012 based on their impacts this year.


Grum was responsible for sending 18 billion spam messages per day and 18 percent of the world’s spam. It used victim computers to distribute pharmaceutical spam email. The shutdown of Grum in July 2012 was considered a huge win for the security community. But even after its shutdown, spam levels quickly resurged to the same level, likely due to other spamming botnets.


Once shut down in early 2010, Lethic is alive and kicking again. Unlike other spamming botnets, Lethic proxies all traffic between the spammer and the destination mailserver. It also uses simple but effective encryption. Lethic is responsible for 28 percent of the world’s spam.


Festi is one of the world’s largest spam botnets. It’s distributed as an executable Trojan and infects older versions of Windows operating systems. After the takedown of the Grum spambot, Festi surged to infect at least 250,000 unique IP addresses.


Back in 2010, Cutwail-infected computers were used in distributed DoS attacks against hundreds of websites, including those for the CIA and FBI. Earlier this year, Trustwave (formerly M86 Labs) identified large-scale spamming campaigns with malicious HTML attachments, attributed to Cutwail.


Once called the “God of DIY botnets,” Zeus enables cybercriminals to steal banking information and other sensitive data. It includes a control panel and a builder to create executables and infect victim computers. Its malware typically spreads through email or drive-by infections. Earlier this year, a new version of Zeus emerged that uses peer-to-peer protocol to maintain contact with its command-and-control sites. There are an estimated 944 Zeus C&C servers in October 2012.


SpyEye is an established botnet designed to steal consumer banking information. It’s especially sneaky in that it steals money from victims while offering reassurance that the money is still sitting in their bank accounts. As a Trojan, it picks up login credentials for online accounts and initiates transactions. There are estimated 278 SpyEye C&C servers in early October 2012.


Based on Zeus’ original code, Citadel features new capabilities and has been called “Zeus on steroids.” But what makes Citadel highly unusual is how it’s been sold and marketed to criminals. Earlier this year, its developers created a social network to serve as technical support for Citadel, helping cybercriminals report any bugs, suggest new features and connect with other customers. In April 2012, RSA reported a 20% increase of Citadel in analyzed Trojan attacks.


ZeroAccess is currently the fastest-growing botnet. Over the past few months, ZeroAccess has grown from 1 million to more than 2 million super nodes globally. Its primary function is ad-click fraud. Victim computers receive instructions from a controller directing them to click on ads on specific websites. The website owner gets paid by the advertiser on a per-click basis, usually through the intermediary of an ad network. It circumvents safeguards by simulating normal human browsing behavior. In July 2012, Kindsight Security Labs reported that victims of ZeroAccess were downloading the bandwidth equivalent of 45 movies per month.

TDL-4 (TDSS or Alureon)

TDL-4, also known as TDSS or Alureon, is a sophisticated botnet that made major headlines this September. Once installed, it removes competing malware, hides itself from detection and installs a master boot record. A new variant of TDL-4 has infected approximately 250,000 unique victims and can generate "disposable" C&C domain names, making it especially difficult to track.


Signaling an end to Mac’s immunity to malware, Flashback infected hundreds of thousands of Mac computers last spring. Its current focus is to collect passwords to sites like Google and Paypal, so that cybercriminals can take over those accounts. Flashback topped Kindsight’s "home network infections list" for four straight weeks. Last April, it infected 10 percent of home networks with Mac computers.

  • The most dangerous botnets of 2012
  • Grum
  • Lethic
  • Festi
  • Cutwail
  • Zeus
  • SpyEye
  • Citadel
  • ZeroAccess
  • TDL-4 (TDSS or Alureon)
  • Flashback
  • Play
  • Play
  • Backward
  • Forward


Festi is one of the world’s largest spam botnets. It’s distributed as an executable Trojan and infects older versions of Windows operating systems. After the takedown of the Grum spambot, Festi surged to infect at least 250,000 unique IP addresses.

Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

ComputerworldUK Knowledge Vault

* *