The vast majority of botnet malware infections last under a day, according to a Fortinet report released last week, the Q1 2018 Threat Landscape Report.
The Fortinet data includes information from all types of botnets, targeting desktop, mobile, server, IoT, and networking devices alike.
According to the report, the vast majority of botnet infections (58%) last under a day; 17.6% of botnets persist for two days in a row; 7.3% last three days; and so on, while only 5% persist for more than a week.
The botnet with the longest persistence per bot is Mirai, a botnet that infects IoT devices, which it mainly uses for DDoS and traffic proxy services.
The average lifetime of a Mirai bot is 5.5 days. Mirai is followed by other botnets, such as Sality (spam & proxy), Ramnit (banking trojan), H-worm (downloader), Necurs (spam), and others (see chart below).
But according to Fortinet, despite its increased persistence, Mirai is not the most prevalent botnet. For the first quarter of 2018, that distinction goes to the botnet created by infected victims of the Gh0st malware, a relatively new "malware downloader" that infects victims and then rents out infected PCs to other crooks.
In Q1 2018, Gh0st was by far the most widespread botnet malware version around, ranked #1 across all continents, followed by the Pushdo spam botnet and the Andromeda botnet, which, despite being the target of a law enforcement takedown, has come back to life.
The reason is that the Andromeda source code had been leaked online a few years back, and while the original botnet has been taken down, other crooks set up and started running new Andromeda botnets within days.
Overall, botnets have been on a declining trajectory in the first quarter of 2018, with most of them losing bots, shutting down, or showing less activity than in the previous quarter (notice the abundance of red arrows in the chart below).
Other botnet-specific stats from the Fortinet report include:
The same Fortinet Q1 2018 Threat Landscape Report offers more insights into botnet activity, along with overviews of the general malware and exploit kit landscape.