The Power of the Botnet

Finjan TeamBlog, Cybersecurity

Finjan The Power of the Botnet

With the advances in digital technology and the quantum leap in connection speeds of recent years, we’ve become accustomed to logging into our accounts or visiting our favorite haunts on the web, with minimal fuss or incident. And if there’s a delay or hiccup in reaching these services, we’re more inclined to blame the software or the service provider, rather than looking for a more sinister explanation.

But what a lot of people don’t realize is that there’s a particular breed of sinister explanation which is occasionally responsible not only for sluggish web performance and unreachable websites, but one which can also leak out personal information, or act in a users’ names without their knowledge.

This phenomenon – which has been used for purposes as varied as sabotage, spying, fraud, and political campaigning – is the botnet.

What is a Botnet?

Derived from the words “bot” (which itself derives from “robot” to describe an automated mechanism or process) and “network”, a botnet is a collection or network of devices which have all been infected with the same type of malware (malicious software) – which also means that they can all be manipulated or controlled in the same manner.

The devices in question may be computers, mobile phones or other portable computing hardware, network servers, or devices such as appliance monitors, webcams, routers, Digital Video Recorders (DVRs), or other “smart” equipment that’s keyed into the Internet of Things or IoT.

Once compromised by malware, the infected devices making up a botnet may be used for any number of illicit purposes, depending on the malware strain. Typical applications include setting up an army of infected “zombie” systems to bombard and overload a targeted network with access or transaction requests in a Distributed Denial of Service (DDoS) attack or using a botnet to generate spam messages for a promotional campaign or email fraud scheme.

In all cases, stealth is the preferred tactic. The malware infecting the members of a botnet doesn’t announce its presence to the device or system owner – so the activities that it forces the infected system to perform aren’t even detected by the user. At least, not until the damage has been done.

Strength in Numbers

For maximum effectiveness, all components of a botnet are typically online or at least internet-capable – and because of the IoT connection, a botnet may consist of hundreds of thousands or even millions of individual elements.

This enables a botnet to increase its powers due to a multiplier effect similar to the concept of cloud computing: Lots of separate systems, working together for a common purpose.

That means vastly increased computing power or memory capacity, the ability to replicate actions and data transmissions thousands of times over, and the combined bandwidth demands of potentially millions of zombie systems for staging massive assaults on already over-stretched networks and web resources.

Gathering the Herd with Malware

Botnet malware enables the people who distribute it to marshal and direct the activities of all the devices it infects. The malware is usually designed to seek out devices and systems with a particular vulnerability, which the malicious software can exploit. This enables the individuals or cyber-criminal groups who are assembling the botnet to spread their net very wide, rather than having to target specific companies, industries, or people.

That’s for the infection part, mind you. Once a botnet is assembled, the perpetrators are free to turn it loose on whomever they choose.

Shepherding with Command and Control

Traditional botnet schemes have been directed via a Command & Control or C&C center – typically a master server accessible to the perpetrators in a remote jurisdiction, from which they can send automated commands to infected systems using a client-server communications protocol like IRC (Internet Relay Chat).

The malware is usually rigged so that infected botnet “clients” remain dormant until the C&C center calls them into action. Nevertheless, law enforcement agencies working in cooperation with Internet Service Providers (ISPs) and other online allies have had some success in shutting down the Command & Control aspects of many active botnets, forcing cyber-attackers to up their game, and use alternative methods.

Co-ordinating with P2P

More recent botnet activity has been governed via peer-to-peer or P2P networks. Rather than a single point of central control, there’s a degree of autonomy for the individual components, which may be assigned different tasks like worker bees, such as scanning the web for malicious websites, seeking out other devices on the same botnet, and exchanging information with other infected systems.

This approach is harder for law enforcement and cyber-security actors to pin down and provides the perpetrators with more room to maneuver.

The Power of Zeus

First identified in 2007, the Zeus malware takes a Trojan Horse approach in infecting vulnerable systems or devices, and one of its variants has in the past been responsible for the distribution of CryptoLocker ransomware.

The Zeus or Zbot botnet was initially used to accumulate financial information and banking credentials from its victims, with a sting in its tail whereby the infected devices were also hijacked to spread spam and phishing emails containing further instances of the Trojan.

Efforts to disrupt the Zeus botnet met with some success in 2010, with the closure of two ISPs which had been hosting its Command & Control centers. Over 100 arrests in Europe and the USA were also recorded by the FBI.

But variants of Zeus persist in force – most notably a peer-to-peer co-ordinated botnet known as Gameover Zeus. This uses a domain generation algorithm (DGA) to communicate between its component parts. There are two main versions – one that can generate 1,000 new internet domains each day, and another that’s capable of generating 10,000.

Despite an international effort to disrupt it in 2014 (dubbed Operation Tovar) and an FBI offer of a $3 million reward for its presumed mastermind (the Russian hacker Evgeniy Bogachev), new strains of Gameover Zeus have emerged in the years since then.

The Global Reach of Srizbi

Discovered in 2007 and the largest botnet in the world at the time, Srizbi was a spam factory capable of generating up to 60 billion messages a day. Like Zeus, the botnet used a Trojan to infect its targets, which at its peak included some 450,000 separate systems. It’s also referred to as the Ron Paul spam botnet because Srizbi was used to deliver spam emails endorsing the then-candidate for the US Presidency.

A hosting provider named McColo in San Jose, California provided a C&C platform for Srizbi, which was shut down when McColo was taken down by law enforcement in 2008.

The Promotional Gains of Methbot

Somewhere between $3 million and $5 million in fraudulent advertising revenue was being generated daily by a cyber-crime collective and ad fraud botnet known as Methot, which came to light in 2016.

Set up as a campus of 800-1,200 dedicated servers located in data centers in the USA and the Netherlands, Methbot cooked up a stream of fraudulent clicks for online ads and fake views of video advertisements. The collective boasts some 6,000 spoofed domains and over 850,000 dedicated IP addresses – many falsely registered with established ISPs in the United States.

It’s still active, and capable of forging social media account logins to pose as legitimate users and bypass conventional techniques for spotting advertising fraud – despite the release of a list of its spoofed domains and IP addresses.

Epic Denials of Service with Mirai

With its source code now released on the web as a free download for potential hackers, the Mirai botnet uses malware configured to scan the internet for vulnerable devices. It then gains access to these systems using a trial and error process based on a list it holds of manufacturers’ default passwords – or brute force if that fails.

Since vast numbers of Internet of Things (IoT) devices are hardwired with basic passwords like “password” or “admin”, Mirai was able to gain access to a huge botnet of wireless routers, CCTV cameras, and other devices. In two separate incidents in 2016, DDoS attacks staged with Mirai took down DNS provider Dyn and its associated websites including Twitter and The New York Times, and (for a brief period) the entire West African nation of Liberia.

The Botnet Economy

Given the mayhem-producing and profit-making potential of botnets, it’s no surprise that the so-called “Dark Web” has for some time been a platform for individuals and organizations offering “botnet for hire” services. A considerable money-spinner for the service providers, these outfits may cater to state actors and intelligence agencies, or other cyber-attackers alike.

Fighting Back

Efforts by law enforcement and security professionals to combat the effect of botnets have moved on from simply targeting Command & Control centers and shutting them down by closing their hosting or Internet Service Providers.

With the rise of peer-to-peer (P2P) botnet mechanisms, authorities have had to change tack. New methods include identifying and removing botnet malware found to be resident on infected devices, mirroring the P2P communication methods, and targeting the monetization procedures used by advertising fraudsters.

Website owners and network administrators are advised to keep current backups of everything, in case an attack requires them to produce a duplicate site or system in a hurry and to use different providers for their Primary and Secondary DNS servers.

At the consumer level and for IoT infrastructure managers, device owners are advised to keep an eye on product and vendor websites for the latest operating system patches and updates – and to apply them as soon as they’re available.

Zombie Wars

Ironically, much of the recent work of combating botnet activity has been done by the hackers themselves. This is largely because of the free availability and popularity of the Mirai source code. Its very popularity has created a run on infected devices, which are limited in number.

Once a device has been infected (by one hacker using Mirai), infecting it with another strain of Mirai (applied by another hacker) effectively neutralizes the first infection since Mirai is designed to attack any competing malware.

So there’s a tug of war going on, as rival hackers compete for a finite base of susceptible devices to infect. And with the ingenuity and potential for evolution on all sides of the cyber-security battle, the botnet power struggle looks set to continue for the foreseeable future.

Share this Post

Finjan The Power of the Botnet
Article Name
The Power of the Botnet | There is Strength in Numbers
Components of a botnet are typically online or internet-capable, and the IoT has increased the potential numbers of elements from thousands to millions.
Publisher Name
Publisher Logo