Web of woe: What you need to know about botnets
Welcome to Threat Intel’s #WednesdayWisdom column, which aims to help improve your cybersecurity knowledge and keep you informed on important developments.
You have probably heard the word botnet in recent months, with the Mirai botnet putting the term firmly on the map at the end of 2016.
However, while the word may be familiar, it is possible you are not familiar with what a botnet actually is. You also may not know that they are a far from new innovation on the part of cyber criminals, with botnets being used in various nefarious activities for many years.
What is a botnet?
A botnet is a network of internet-connected devices, called bots, which are infected with malicious software and controlled as a group, generally without the knowledge of the devices’ owners.
They are sometimes called “zombie armies” and can be used for various activities by cyber criminals, including sending spam and carrying out distributed denial of service (DDoS) attacks.
Any internet-connected device can be added to a botnet, including laptops, desktop computers, smartphones, DVR players, wireless routers, and other Internet of Things (IoT) devices.
Botnets are controlled by command and control (C&C) servers. C&C servers are computers under the control of a hacker or hacking group that can send commands to the bots in the botnet, and also receive information that the bots collect. The controller of a botnet is known as the bot herder or bot master.
The advent of IoT means there are now more devices than ever that can be turned into bots. Adding to this danger is the fact that many of these devices have inadequate security, and rely on default passwords and difficult-to-update firmware. This means the potential is there for the size of botnets to grow and grow.
Botnets can be controlled by the bot master in a couple of different manners.
Traditionally, botnets would have been controlled from a single C&C server, and some still are. In this case, the bots connect back to a single, predetermined location and await commands from the server. The bot herder sends the commands to the server, which then relays them to the bot network. Results or information gathered are then sent back by the bots to this centralized server.
However, having a centralized server makes the bot network more vulnerable to takedowns and disruption attempts. For this reason, many bot herders now use the peer-to-peer (P2P) model instead.
In a peer-to-peer botnet, the interconnected bots share information without the need to report back to a centralized server: infected bots both send and receive commands. These bots then probe random IP addresses to contact other infected computers. Once contacted, the bot replies with information such as its software version and a list of known bots. If the contacted bot has a newer software version then the other bot will automatically update itself to that version. This method allows the botnet to grow and remain updated without the need to contact a single centralized server, making it much more difficult for law enforcement or others to take down the botnet.
What are botnets used for?
The two most common uses of botnets are probably to carry out spam email campaigns, and to conduct distributed denial of service (DDoS) attacks.
Bots can also be used to send out email malware. Different types of malware can have different goals, including harvesting information from infected computers. This could include passwords, credit card information, and any other information that can be sold on the black market. If computers on a corporate network are turned into bots then sensitive corporate information could also be at risk of being stolen.
Bots are also commonly used for click fraud — visiting websites to create false traffic and generate money for those behind the bots. They have also been used in bitcoin mining.
6 botnets to remember
Many botnets have emerged over the years, but some are more impactful than others. Here are six notable botnets from the last decade and a half.
Bagle was one of the world’s first major botnets, and it was used to conduct massive spam campaigns. It appeared in 2004 and affected Microsoft Windows computers. Bagle was a worm that infected more than 200,000 computers and, in 2009, was estimated to be responsible for more than 10 percent of all the world’s spam.
Conficker is an infamous computer worm that first appeared at the end of 2008, and has been a presence on the cyber security scene ever since.
The first version of Conficker emerged in November 2008, and it quickly spread through network shares and infected USB drives. At its height it is thought to have infected as many as 11 million computers.
This made Conficker a huge botnet, with the potential to cause a lot of damage through a huge DDoS attack, if the attackers wished it. However, no attack ever came to pass, and even now the true intentions of the authors behind Conficker remain a mystery, and it has never been definitively attributed to any group.
The cost of cleaning up Conficker has been estimated as being as much as $9 billion and, amazingly, despite the fact that it is almost a decade since it was released into the wild, it is believed that computers infected with Conficker still exist.
The ZeroAccess botnet was one of the largest known botnets in existence in 2013, with an army of almost 2 million computers. It was a difficult botnet to take down due to its use of P2P C&C servers, but Symantec researchers did manage to sandbox almost half a million of its bots as part of an investigation into the botnet in 2013.
ZeroAccess was primarily used for click fraud and bitcoin mining and, given the size of the botnet, it is believed to have generated a lot of money for those behind it at the height of its activity.
Gameover Zeus was a massive botnet that was primarily used to steal people’s banking information. Peaking in activity from 2011 until a takedown in 2014, which Symantec was involved in, up to 1 million computers were thought to be part of the Zeus botnet at that time. It is estimated the botnet was used to steal more than $100 million.
Gameover Zeus was a variant of the Trojan.Zbot malware, which is still active and was one of the main financial malware families detected by Symantec in 2016.
Gameover Zeus was a sophisticated variant of the original malware and could facilitate large scale financial fraud by hijacking thousands of victims’ online banking sessions. Like so many current email malware campaigns, it was typically distributed through an email that posed as an invoice. Once an infected user visited their banking website the malware would intercept the session, obtain the victim’s information and steal their money.
While the Gameover Zeus takedown took place in 2014, there are many variants of the Zeus malware that are still active today, with one variant recently reported to have been targeting point-of-sale systems.
Necurs is one of the most notable botnets that is active at the moment. It was one of the biggest distributors of email malware in 2016, sending out massive campaigns spreading the Locky ransomware. However, it mysteriously ceased operation on December 24, 2016, and remained inactive for almost three months.
In that period the rate of email malware detected by Symantec dropped massively: in December the email malware rate was one in 98 emails, in January the rate was one in 772.
Necurs resumed activity on March 20, with Symantec blocking almost 2 million malicious emails on that day alone. However, since its return, Necurs has not been focused on sending email malware campaigns, but rather has been sending out ‘pump and dump’ stock spam campaigns. It had begun sending out these types of campaigns just before its disappearance in December and has continued to pursue them since its return.
Pump and dump spam campaigns aim to falsely inflate the price of shares, which the spammer has already bought in large quantity at a low price, by encouraging victims to buy shares in the same company. Once the price of the stock has been driven up by victims purchasing shares the spammers offload all their shares. This causes the price of the shares to drop dramatically and makes it unlikely the victims will make their cash back.
The botnet most people are likely to be familiar with, Mirai emerged to wreak havoc in the last few months of 2016, using an army of compromised IoT devices to launch DDoS attacks against a variety of targets around the world.
The initial targets of Mirai’s DDoS attacks in September were hosting provider OVH, and the website of security expert Brian Krebs. Both of these were massive DDoS attacks, among the biggest ever seen, peaking at 1 Tbps and 620 Gbps, respectively. At the end of September, the Mirai threat escalated when its source code was released on online hacking community HackForums. Three weeks later a massive DDoS attack against DNS provider Dyn, likely carried out by amateur hackers, blocked access to several high-profile websites, including Netflix, Twitter, and PayPal.
In late November, a variant of Mirai crippled internet access for nearly 1 million home internet users in Germany when it exploited a vulnerability in their routers; the same vulnerability also affected the routers of home internet users in Ireland.
The Mirai botnet was primarily composed of infected routers and security cameras, and this incident highlighted the lax security of many IoT devices.
Botnets have been around for a long time, and they have grown and evolved as technology and people’s use of technology has changed and developed. With the growth in IoT, and more devices than ever connected to the internet, it is likely that the story of botnets’ development is far from over.
Like this story? Recommend it by hitting the heart button so others on Medium see it, and follow Threat Intel on Medium for more great content.