Adylkuzz

Adylkuzz is a cryptocurrency-mining botnet discovered by security firm Proofpoint in May 2017 as the company's analysts were attempting to conduct research on the WannaCry ransomware campaign.

Read More
BotnetsNJCCICAdylkuzz
Persirai

Persirai, also labeled by Trend Micro as ELF_PERSIRAI.A, targets IP camera models based on various Original Equipment Manufacturer (OEM) products. Trend Micro researchers have determined that approximately 120,000 IP cameras are vulnerable to a Persirai infection.

Read More
Bondnet

Bondnet is a botnet currently used to mine cryptocurrencies, primarily Monero. It is comprised of thousands of infected Windows servers and its controller, operating under the alias "Bond007.01" and "leebond986," uses it to earn approximately one thousand USD worth of Monero per day.

Read More
Sathurbot

The Sathurbot botnet performs coordinated brute-force attacks on WordPress-powered websites. The Sathurbot trojan, the malware used to form the botnet, is distributed via malicious torrent files downloaded from previously compromised WordPress websites.

Read More
BotnetsNJCCICSathurbot
BrickerBot

BrickerBot is a type of malware that targets Linux-based IoT devices that run the BusyBox toolkit, especially Ubiquiti network devices. It conducts a brute force attack against open and exposed Telnet ports by using a list of known default credentials.

Read More
BotnetsNJCCICBrickerBot
Amnesia

Amnesia, a variant of the Tsunami IoT/Linux botnet, exploits an unpatched remote code execution vulnerability in DVR devices produced by China-based firm, TVT Digital Technology Co., Ltd.

Read More
BotnetsNJCCICAmnesia
Imeij

Imeij targets devices running Linux OS and specifically exploits a vulnerability present in AVTech video surveillance equipment.

Read More
BotnetsNJCCICImeij
Necurs

Originally observed in 2012, Necurs is a family of malware containing rootkit capabilities that was used to form one of the world’s largest criminal botnets. Necurs has both a user mode and kernel mode component used to access systems at the root level and dynamically load additional modules.

Read More
BotnetsNJCCICNecurs
Star Wars

In January 2017, the Star Wars Twitter botnet was accidentally discovered by two security researchers at University College London as they attempted to obtain a random sampling of English-language Twitter accounts for an unrelated research project. 

Read More
BotnetsNJCCICStar Wars
Linux.Proxy.10

Linux.Proxy.10, or Proxy, is a Trojan that targets Linux devices. It was first identified in late 2016 and by the end of January 2017, thousands of devices had been infected. Attackers use other Trojans to initially compromise the device and create a new user “mother” with the password “f***er.” They then login to the infected device via Secure Shell (SSH) and download the Proxy Trojan.

Read More
BotnetsNJCCICLinux.Proxy.10
MrBlack

MrBlack, first identified in May 2014 by Russian security firm Dr. Web, is a botnet that targets Linux OS and is designed to conduct distributed denial-of-service (DDoS) attacks. In May 2015, Incapsula clients suffered a large-scale DDoS attack which the company attributed to network traffic generated by tens of thousands of small office/home office (SOHO) routers infected with MrBlack. This massive botnet spans over 109 countries, especially in Thailand and Brazil.

Read More
BotnetsNJCCICMrBlack
SoakSoak

Discovered in late 2014, SoakSoak is a Russian-based malware variant designed to scan for vulnerabilities within WordPress-powered websites and exploits them in order to turn its targets into a malware-distribution botnet. 

Read More
BotnetsNJCCICSoakSoak
Leet

The Leet botnet was discovered on December 21, 2016 by cybersecurity firm, Imperva, that reported its Incapsula network suffering a DDoS attack beginning approximately 10:55 AM that day.

Read More
BotnetsNJCCICLeet
Tofsee

Discovered in May 2013, the Tofsee botnet targets Windows OS and, until June 2016, was distributed to vulnerable systems using the RIG exploit kit (EK). Tofsee is primarily used for spam distribution, click fraud, cryptocurrency mining, and DDoS attacks. 

Read More
BotnetsNJCCICTofsee
Kelihos

Discovered in December 2010, Kelihos, also known as Hlux, exploited the Windows OS to form a peer-to-peer botnet of 45,000 computer systems capable of sending approximately 4 billion spam emails per day. 

Read More
BotnetsNJCCICKelihos
Mirai Botnet

The Mirai Botnet is named after the Mirai Trojan, the malware that was used in its creation. Mirai was discovered by MalwareMustDie!, a white-hat security research group, in August 2016. After obtaining samples of the Mirai Trojan, they determined that it had evolved from a previously-created Trojan, known as Gafgyt, Lizkebab, Bashlite, Bash0day, Bashdoor, and Torlus.

Read More
BotnetsNJCCICMirai Botnet
Rakos

First detected in August 2016 by researchers at ESET, Rakos is a strain of malware that targets and infects Linux servers and Linux-based IoT devices. Rakos operates by performing brute-force attacks against Secure Shell (SSH) logins of targeted devices and adding them to its botnet to perform additional attacks.

Read More
BotnetsNJCCICRakos
Methbot

Reported in December 2016 by New York-based digital advertising security company, White Ops, Methbot is a botnet that has been labeled the largest and most profitable fraud operation impacting digital advertising to date.

Read More
BotnetsNJCCICMethbot
Cutwail

Discovered in 2007, Cutwail malware targets Windows OS and is distributed via the Pushdo Trojan, which spreads through malicious emails. Cutwail’s primary function is to turn infected systems into a spambot.

Read More
BotnetsNJCCICCutwail
TheMoon Botnet

Discovered as a worm in 2014, TheMoon was observed by a researcher at the SANS Internet Storm Center spreading itself to a large number of Linksys router models. Delivered in the form of a 2 MB ELF MIPS binary, it connects to port 8080 and then, after determining the versions of hardware and firmware, it sends an exploit to a vulnerable CGI script running on the targeted router.

Read More