McAfee: US hosts more botnet servers than any other country, more than Russia and China combined

McAfee: US hosts more botnet servers than any other country, more than Russia and China combined

We often hear about botnets being taken down in third-world countries thanks to coordinated operations by international police forces, especially in recent months. The story usually plays out in the East, where it’s easier to launder money and the laws aren’t as strict. Yet it turns out that many botnets have hosts in the West, including in the good old United States of America.

Before we dig into the list, here’s some background for those who want it. The term botnet for our purposes refers to a group of computers (sometimes called zombies) that have been infected with malware to perform tasks for whomever distributed said threat. This individual, or organization, controls the botnet by sending instructions to the zombies from a Command & Control (C&C) server, or sometimes more than one.

Now, here’s a map of C&C servers, courtesy of McAfee:


The security firm has also provided a top 10 list of countries to put things more in order:

  1. United States – 631.
  2. British Virgin Islands – 237.
  3. Netherlands – 154.
  4. Russia – 125.
  5. Germany – 95.
  6. Korea – 81.
  7. Switzerland – 77.
  8. Australia – 63.
  9. China – 48.
  10. Canada – 38.

If I had to put a list together, I would have placed Russia, as well as other countries in Eastern Europe, much higher. Many criminals there have made an absolute killing from their malware operations, and using botnets is the most efficient way to do it.

The same goes for China: I would have placed the country at least in the top five. Speaking of Asia, it’s also odd not to see India on the list at all, especially given that the country is the king of sending spam.

Naturally, it’s important to remember that this is just one source of information. Furthermore, many C&C servers have multiple levels of security and disguise to make them appear as if they are actually in another country, and the US is understandably a favorite choice. Yet seeing British Virgin Islands and the Netherlands in second and third, respectively, is difficult to explain.

If you want an interactive real-time map instead of the static one above, Trend Micro released one just last week over here. The screenshot below doesn’t do it justice:


Active C&C servers are highlighted by red dots and victim bots (usually more than one) are the blue dots. You can mouse over any of the servers to get a pop-up message that shows the server location, when it was first observed, most affected countries, and the total number of victims Trend Micro has associated with that server.

Image credit: Darren Deans

Read next: Sony fined $400k by UK authorities over data breach from 2011 PlayStation hack [Update: It will appeal]