Are Botnets Dying? Don’t Bet on it!

Oscar Marquez

Oscar Marquez is the Chief Technology Officer and founding member of iSheriff, with overall responsibility for world-wide support and for the development and delivery of the company's world-class cloud security products. He was an early pioneer in Web and Email cloud security services and in the development of near-zero latency global data center infrastructures. Marquez has more than 20 years of experience in the security and technology industries, including senior executive and technical roles with M86 Security, Tier-3, Ubizen, NetiQ, Siemens Nixdorf and Novell. He holds a BA in Computer Science from the University of Barcelona.

In the past two years there has been a rise in botnet activity. This seems strange when, in 2013, collaboration between law enforcement and the private sector took down two of the biggest botnet threats of the decade, the Gameover Zeus and Shylock botnets.

Malicious attackers learn from and adjust to our defenses, then hit us twice as hard with something just as bad, if not worse, than before. Dyre and Bugat v5 are offspring of the Zeus and Shylock botnets. They move and evolve fast, using hidden network services like Tor and the black market to navigate the web in complete secrecy.

Over 90 percent of these botnet attacks have hit US banking institutions, but they are quickly spreading to other countries that have not yet adapted to the rapidly growing botnet industry. More than 1,400 financial institutions have been affected worldwide. These are essential facts to understand in order to protect yourself from this impending botnet apocalypse.

What is a Botnet and where do they come from?

A bot is a type of malware that an attacker uses to take control of an infected machine in order to further spread malware. A group of bots controlled by the same host is called a botnet. You may be asking how these little annoyances are installed and sustained over a long period of time. A bot can be installed on a machine in several different ways.

Visiting malicious sites and downloading untrusted files are the most common ways a bot gets into your system. Once in, the bot tries to connect back out to its home server for instructions from the bot-herder (bot-master), the human operating that home server. The attacker now has access to your system, possibly without you even knowing it. With this access the bot can grab sensitive information, files and system configurations from your machine and send them back to its bot-herder.

They Live In the Cloud Too

This new development could take these never-dying bots to a new level. Previously, tools that scan for bots living on your network could search for certain signatures, or for the programs needed to communicate back to the bot-herder, and an outgoing connection to the bot-herder's home server was relatively easy to detect because it looked very suspicious. Now attackers have found a way to host the “home” server in the cloud, which makes it a lot harder to detect on your systems: all that shows is an outgoing connection from the command-and-control software to a trusted cloud provider, such as Amazon Web Services (AWS). Some companies are working on blocking solutions that monitor the amount of data being sent and the frequency of the connections to better distinguish legitimate cloud-provider traffic from malicious traffic.
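As an added example, not from the article, here is the kind of frequency-and-volume check the paragraph describes, run over a constructed connection log: a host that talks to one destination at a near-constant interval with a near-constant payload stands out from ordinary, bursty use of a cloud service. The log format, the thresholds and the destination addresses are assumptions made for the example.

```python
"""Beacon detection over constructed connection logs (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one connection per line: "timestamp src dst bytes_out".
# 54.0.0.10 and 54.0.0.20 are placeholders for cloud-hosted destinations.
SAMPLE_LOG = """\
2015-03-02T01:00:00 10.0.0.7 54.0.0.10 412
2015-03-02T01:05:01 10.0.0.7 54.0.0.10 409
2015-03-02T01:09:58 10.0.0.7 54.0.0.10 415
2015-03-02T01:15:00 10.0.0.7 54.0.0.10 410
2015-03-02T01:20:02 10.0.0.7 54.0.0.10 411
2015-03-02T01:01:10 10.0.0.7 54.0.0.20 15020
2015-03-02T01:01:12 10.0.0.7 54.0.0.20 220
2015-03-02T01:14:40 10.0.0.7 54.0.0.20 98011
2015-03-02T01:31:05 10.0.0.7 54.0.0.20 1337
2015-03-02T02:10:00 10.0.0.7 54.0.0.20 45000
"""

def parse_log(text):
    """Group (time, bytes_out) events per (src, dst) flow."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, nbytes = line.split()
        flows[(src, dst)].append((datetime.fromisoformat(ts), int(nbytes)))
    return flows

def beacon_score(events, min_events=5):
    """Return (interval_cv, bytes_cv), or None if there are too few events.

    A coefficient of variation (stdev / mean) near 0 means near-constant
    check-in spacing or payload size: the regularity a scheduled bot
    check-in produces and interactive use of a cloud service does not.
    """
    if len(events) < min_events:
        return None
    events = sorted(events)
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    sizes = [n for _, n in events]
    return pstdev(gaps) / mean(gaps), pstdev(sizes) / mean(sizes)

def find_beacons(text, max_interval_cv=0.1, max_bytes_cv=0.1):
    """Return flows whose timing and payload size are both highly regular."""
    hits = []
    for flow, events in parse_log(text).items():
        score = beacon_score(events)
        if score and score[0] <= max_interval_cv and score[1] <= max_bytes_cv:
            hits.append(flow)
    return hits
```

On the sample log only the 54.0.0.10 flow is reported; in practice the thresholds need tuning per environment, and a destination belonging to a cloud provider should raise, not lower, the priority of a hit.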

Attackers utilizing the cloud as an attack vector have a vast number of options to circumvent cloud pricing. With a single script and a randomized email generator, attackers can sign up for as many free accounts as needed. This literally gives the bot-master as many hosts in his army as he needs, for as long as the free trial period lasts. Zombie armies of this size located in the cloud can do some real damage. Things like cracking passwords, mining bitcoin and hijacking single user accounts become a breeze with all the processing power made available. Companies like Google, Amazon and Heroku have added fuel to the fire for any bot-master who wants a free trial of an untraceable supercomputer. In order for these companies to prevent this abuse, they need to add a clause to their free-tier policy that holds liable anyone who automates the free version of the cloud provider’s service.

It Is Alive….Again

Botnets are not only getting smarter but larger as well. In years past, a bot-herder or bot-master might have compromised one thousand machines with their bots, but it takes a lot of processing power to command all these bots at once. The bot-master’s current infrastructure only allows them to control 10 percent of these bots at a time.

A new technique attackers are using to work around this problem is grouping these large numbers of controlled computers into platoons and assigning a “lieutenant” to each platoon. This way, when the command and control center sends out a request or update, it goes only to the lieutenant of each platoon. Each member of the platoon is then configured to check in with the lieutenant at random times to receive the updated information. This eliminates the need to directly control all 1,000 machines: the message only goes out to the 10 percent, who spread the word.

If one of the lieutenants is compromised, discovered or cleaned up by a security professional, a script runs through that platoon to quickly nominate a new lieutenant. This decision is usually based on the connection speed and relay time of each infected computer. Essentially this makes a 1,000-machine army look maybe 10 strong, which in turn makes tracking down these zombie armies very difficult. When most of the botnet fleet remains dormant, only pinging out once in a while to gather updates, it would take luck to really catch and track down a whole platoon.

Mobile Botnets on the Rise

With all the advanced technology arriving on the market today, we as a society are only widening the attack surface for these bot-masters to discover new ways to spread and infect. As mobile and wearable devices become more popular, the demand for more of them has grown without these devices being properly protected.

Although wearable devices are not a common target for a botnet to take over, they could be a great starting point, leading to a massive, spread-out army of computers located in random places. Most wearable devices (Fitbit, Apple Watch, etc.) have an unsecured Bluetooth connection that almost anyone with the know-how can connect to. With a simple Bluetooth connection and the transfer of an infected contact card to the wearable device, the wearer becomes a walking infected host. Whichever computer, phone or tablet they connect to will receive the botnet commands with literally no trace.

The scary thing about this vulnerability is that once the wearable device is infected, it often cannot be cleaned; even a factory reset will not remove code that is hard-coded into the device. This is a very tough vector to guard, because anyone who walks by you with a simple exciter and write device in their bag could transfer an infected file to your Fitbit within minutes. This could happen in an elevator or on a bus without you knowing that it is happening.

Another rising vulnerability is bot-masters sending out mass text messages carrying an executable link to the botnet code. Once you receive and open the message, your phone will automatically try to download the code without you knowing. The only way to prevent this is to turn off the automatic download option in your phone’s settings. With this option off, your device will no longer automatically download text messages, pictures and video files sent to you without your consent. These bot-masters take advantage of all the things that make technology awesome and use them for criminal purposes.

Putting an End to the Botnet

If you were looking for an exact solution to the internet’s botnet problem, there really isn’t one. However, the steps below will give you the best possible odds of beating the botnet in the long run. Overall, it requires disabling everything that makes computing easy: if it is easy for you to use, then it is even easier for a botnet to learn and adapt to.

  • Disable the auto-run function: whether you are receiving group messages on your cellphone or downloading new software on your computer, the ease of having everything automatically install and run is something we have taken for granted. This function is a botnet’s meat and potatoes when trying to infiltrate a system.
  • Provide the least privileges: taking away admin rights on all computers is a smart idea, and even making a guest account on your home computer is not a bad one. This way the user is prompted for admin credentials every time something needs to be installed. This gives password protection for most general users, or will at least make you think twice about downloading something by having to type in another set of credentials.
  • Do not allow password trusts: allowing computers to talk and exchange user credentials over a network is the ultimate convenience, but it can be a nightmare if a bot finds its way into that network. By disabling this feature you will be able to isolate attacks and stop them from spreading.
  • Firewall: this should be a no-brainer at this point, but for those who do not know, a firewall is necessary in today’s world. Whether it is the Windows firewall, a server-level or a network-level one, having that extra layer of defense in place will make a world of difference.
  • IDS and IPS: installing an Intrusion Detection System and then an Intrusion Prevention System will help ensure that your company can detect and then prevent certain types of bots from taking root within your network. This is a bandage-over-the-wound solution: the way these bots are getting in is still wide open somewhere, but you will have awareness of what is coming in and be able to plug it temporarily until the problem can be truly fixed.
  • Monitoring: having as much around-the-clock monitoring as possible is never a mistake. Knowing when performance spikes happen and what activity takes place during the late hours of the night will help you understand what is acting on your network.
  • Filter data going out of the network: protecting your company from leaking sensitive information by using an egress filtering solution or proxy is a huge step in controlling what external bot-masters have access to.
  • Use proxy servers: with a proxy service or an F5 filtering agent, you can ensure that the majority of outbound traffic is correctly content-filtered and that security controls are followed.
  • Reputation-based tools: several companies offer great tools that scan specific locations for anomalies based on reputation data seen before throughout the industry. These tools also work at the email level, blocking inbound and outbound messages to or from senders with a known botnet reputation.

Botnets come in many shapes and sizes. Determining what you are really dealing with can be tricky because the bot-masters are constantly growing and evolving with every step forward we take as a security community. Once a botnet becomes large enough, malicious activities like spamming, stealing information and denial-of-service attacks become more likely and harder to track down.

The best way to protect your systems currently is to keep your security software updated, raise the security settings in your internet browser, limit user rights online, always verify download sources and keep your patches up to date. By following these general security practices you will have better awareness of what is coming in and going out of your systems, providing yourself with reasonable protection against botnet infection.

Tags: botnets, malware, Zeus botnet, The Cloud, Shylock, malicious sites