The vast majority of botnet malware infections last under a day, according to the Q1 2018 Threat Landscape Report, which Fortinet released last week.

The Fortinet data includes information from all types of botnets, targeting desktop, mobile, server, IoT, and networking devices alike.

According to the report, the vast majority of botnet infections (58%) last under a day; 17.6% of botnets persist for two days in a row; 7.3% last three days; and so on, while only 5% persist for more than a week.

Botnet persistence

The botnet with the longest persistence rate per bot is Mirai, a botnet that infects IoT devices, which it mainly uses for DDoS and traffic proxy services.

The average lifetime of a Mirai bot is 5.5 days. Mirai is followed by other botnets, such as Sality (spam & proxy), Ramnit (banking trojan), H-worm (downloader), Necurs (spam), and others (see chart below).

Persistence per botnet

But according to Fortinet, despite its increased persistence, Mirai is not the most prevalent botnet. For the first quarter of 2018, that distinction goes to the botnet created by infected victims of the Gh0st malware, a relatively new "malware downloader" that infects victims and then rents out infected PCs to other crooks.

In Q1 2018, Gh0st was by far the most widespread botnet malware version around, being ranked #1 across all continents, followed by the Pushdo spam botnet, and the Andromeda botnet, which despite being the target of a law enforcement takedown, has come back to life.

The reason is that the Andromeda source code was leaked online a few years back, and while the original botnet has been taken down, other crooks set up and launched new Andromeda botnets within days.

Most active botnets

Overall, botnets have been on a declining trajectory in the first quarter of 2018, most of them losing bots, shutting down, or having less activity than the previous quarter (notice the abundance of red arrows in the chart below).

Botnet trends

Other botnet-specific stats from the Fortinet report include:

⋙  268 unique botnets detected
⋙  6.6 infection days per firm
⋙  1.8 active botnets per firm
⋙  2.8% saw ≥10 botnets

The same Fortinet Q1 2018 Threat Landscape Report offers more insights into botnet activity, along with overviews of the general malware and exploit kit landscape.
