A large percentage of the bots are located in Taiwan, Brazil and Colombia.
Press Release -- August 29th, 2016 Level 3 Threat Research Labs Releases New Malware Research
BROOMFIELD, Colo., Aug. 29, 2016 /PRNewswire/ -- The Level 3 Threat Research Labs, Level 3 Communications' (LVLT) threat intelligence and research arm, unveiled new research about the botnet size and behavior for the malware commonly referred to as Lizkebab, BASHLITE, Torlus or gafgyt, including botnet size and victim stats.
Almost 96 percent of the infected devices were Internet of Things (IoT) items of which 95 percent were cameras and DVRs, roughly 4 percent were home routers and less than 1 percent were compromised Linux servers.
The team observed a second behavior of some of the bots. These bots don't scan for open ports; they wait until they are instructed by the command-and-control (C2) servers before taking any action.
75 percent of attacks are shorter than 5 minutes.
Some C2s exceeded 100 attacks a day; median active time for a C2 is around 13 days and often not contiguous.
Advice to IoT Users:
Buyer Beware: A lot of IoT products provided by well-known companies have detailed IoT security instructions. Buy from a trusted source or research and read consumer feedback. Ensure it is encrypted.
Passwords: Change the factory setting password to a "pass phrase." Pick a strong password and use a different one for every IoT device.
Updates: Update devices to take advantage of the latest security patches.