Botnets Are Here To Stay

Botnets act as a force multiplier for individual attackers, cyber-criminal groups, and nation-states looking to disrupt or break into their targets’ systems. 

A botnet is a collection of Internet-connected devices of any type (servers, PCs, routers, cameras) that an attacker has compromised and can direct remotely. Commonly used in distributed denial of service (DDoS) attacks, botnets can also turn their collective computing power and bandwidth to sending large volumes of spam, stealing credentials at scale, or spying on people and organisations.

Malicious actors build botnets by infecting connected devices with malware and then managing them through a command-and-control (C2) server. Once an attacker has compromised one device on a network, the malware typically scans for and infects other devices it can reach, so every exploitable device on that network is at risk.

A botnet attack can be devastating. Last year, the Mirai botnet knocked large swathes of the Internet offline, including Twitter, Netflix, CNN and other major sites, and was also turned against major Russian banks and, reportedly, the entire country of Liberia. The botnet took advantage of unsecured internet of things (IoT) devices such as security cameras, installing malware that then flooded the DNS servers of Dyn, the provider many of those sites relied on to resolve their domain names.

According to an Akamai Internet security report released recently, botnets are not only still alive and well, but getting more clever and more difficult to combat. For example, attackers are now using fast-flux DNS: they rotate the IP addresses behind a command-and-control domain so rapidly, with very short DNS time-to-live values, that by the time defenders have identified and blocked one address the bots are already talking to another.
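Fast flux leaves a trace in the one place defenders usually do have visibility, the resolver logs: a domain that keeps answering with fresh addresses from unrelated networks, each with a tiny TTL. As an added example that is not code from the article or from Akamai's report, here is a small Python scorer that runs over passive-DNS style observations. The record layout, the two constructed domains and the thresholds are assumptions for illustration; a real deployment would feed it a resolver's query log and replace the /16 heuristic with an ASN lookup.

```python
"""Score domains for fast-flux behaviour from passive-DNS style observations.

Added example: not code from the article or from Akamai's report. The record
layout, the two sample domains and the thresholds are constructed assumptions.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple


class DnsObservation(NamedTuple):
    ts: int        # when the answer was seen, epoch seconds
    qname: str     # queried domain
    rdata: str     # IPv4 address returned in the A record
    ttl: int       # time-to-live the authoritative server set


# Constructed observations (documentation address ranges, not real hosts).
# The CDN-backed name rotates among a handful of addresses in one range with
# a moderate TTL; the suspect name hands out a fresh address from an unrelated
# range every minute, the pattern fast-flux hosting produces.
SAMPLE_OBSERVATIONS: List[DnsObservation] = [
    DnsObservation(1000, "static.example-cdn.test", "203.0.113.10", 300),
    DnsObservation(1300, "static.example-cdn.test", "203.0.113.11", 300),
    DnsObservation(1600, "static.example-cdn.test", "203.0.113.10", 300),
    DnsObservation(1900, "static.example-cdn.test", "203.0.113.12", 300),
    DnsObservation(1000, "update-check.flux.test", "198.51.100.7", 60),
    DnsObservation(1060, "update-check.flux.test", "192.0.2.44", 60),
    DnsObservation(1120, "update-check.flux.test", "203.0.113.200", 60),
    DnsObservation(1180, "update-check.flux.test", "198.51.100.250", 60),
    DnsObservation(1240, "update-check.flux.test", "192.0.2.9", 60),
    DnsObservation(1300, "update-check.flux.test", "203.0.113.17", 60),
]

# Illustrative thresholds, not published indicators. Tune against your own
# resolver logs; legitimate CDNs will sit near some of these boundaries.
MAX_MEAN_TTL = 120          # flux operators keep TTLs very short
MIN_DISTINCT_IPS = 5
MIN_DISTINCT_PREFIXES = 3   # /16 diversity as a cheap stand-in for ASN diversity


def prefix16(ip: str) -> str:
    """Collapse an IPv4 address to its /16 (e.g. 198.51.100.7 -> 198.51)."""
    return ".".join(ip.split(".")[:2])


def flux_features(observations: List[DnsObservation]) -> dict:
    """Per-domain features a fast-flux heuristic needs."""
    obs = sorted(observations, key=lambda o: o.ts)
    ips = [o.rdata for o in obs]
    changes = sum(1 for a, b in zip(ips, ips[1:]) if a != b)
    return {
        "observations": len(obs),
        "distinct_ips": len(set(ips)),
        "distinct_prefixes": len({prefix16(ip) for ip in ips}),
        "mean_ttl": sum(o.ttl for o in obs) / len(obs),
        # Fraction of consecutive answers that differed. Round-robin CDNs
        # score high here too, which is why churn alone is not the verdict.
        "churn": changes / max(1, len(ips) - 1),
    }


def is_fast_flux(features: dict) -> bool:
    """Short TTL plus many addresses spread across unrelated networks."""
    return (features["mean_ttl"] <= MAX_MEAN_TTL
            and features["distinct_ips"] >= MIN_DISTINCT_IPS
            and features["distinct_prefixes"] >= MIN_DISTINCT_PREFIXES)


def score_observations(observations: List[DnsObservation]) -> Dict[str, dict]:
    """Group observations by domain and attach a fast_flux verdict to each."""
    by_domain: Dict[str, List[DnsObservation]] = defaultdict(list)
    for o in observations:
        by_domain[o.qname].append(o)
    results = {}
    for domain, obs in by_domain.items():
        features = flux_features(obs)
        features["fast_flux"] = is_fast_flux(features)
        results[domain] = features
    return results


if __name__ == "__main__":
    for domain, f in score_observations(SAMPLE_OBSERVATIONS).items():
        verdict = "FLUX?" if f["fast_flux"] else "ok   "
        print(f"{verdict} {domain}: {f['distinct_ips']} IPs across "
              f"{f['distinct_prefixes']} /16s, mean TTL {f['mean_ttl']:.0f}s, "
              f"churn {f['churn']:.2f}")
```

The caveat the code itself encodes: both sample domains have a churn of 1.0, because a CDN doing round-robin also changes its answer on every query. What separates flux hosting is that its nodes are compromised machines scattered across unrelated ISPs, hence the prefix-diversity test. Even so, treat a hit as a triage signal to be confirmed against the resolved hosts, not as proof of a botnet.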

While Akamai was part of the battle to control last year's Mirai attacks, Mirai itself is still around, with two DDoS attacks exceeding 100 Gbps this past quarter, Akamai reported. Plus, new botnets are popping up. Check Point researchers say they discovered a new botnet, variously known as "IoTroop" and "Reaper," that is compromising IoT devices at an even faster pace than Mirai did. Check Point warned that it could be used to take down large parts of the Internet once its operators put it to work.

Mirai infected vulnerable devices by logging in over Telnet with factory-default user names and passwords. Reaper goes beyond that, exploiting at least nine known vulnerabilities in products from nearly a dozen device makers, including major players like D-Link, Netgear and Linksys. It is also flexible: its operators can push updated code to infected devices, making it easy to add new exploits or attack capabilities.

Why we can’t stop Botnets
The challenges to shutting botnets down include the widespread availability and ongoing purchases of insecure devices, the near impossibility of simply locking infected machines out of the internet, and difficulty tracking down and prosecuting the botnet creators. 

When consumers go into a store to buy a security camera or other connected device, they look at features, they look for recognisable brands, and, most importantly, they look at the price. Security is rarely a top consideration. "Because IoT devices are so cheap, the likelihood of there being a good maintenance plan and fast updates is low," says Ryan Spanier, director of research at Kudelski Security.

Meanwhile, as people continue to buy low-cost, insecure devices, the number of vulnerable end points just keeps going up. Gartner estimates that there will be 8.4 billion connected devices in use by the end of this year, and that will more than double by 2020, to 20.4 billion.

There's not much motivation for manufacturers to change, Spanier says. Most manufacturers face no consequences at all for selling insecure devices. "Though that's starting to change in the past year," he says. "The US government has fined a couple of manufacturers." For example, in January, the Federal Trade Commission (FTC) sued D-Link for selling routers and IP cameras full of well-known and preventable security flaws such as hard-coded login credentials. Earlier this year, however, a US federal judge dismissed half of the counts in the FTC's complaint because the FTC couldn't identify any specific instances where consumers were actually harmed.

Botnet detection: Targeting traffic
Botnets are typically controlled by a central command server, so, in theory, taking down that server and following its traffic back to the infected devices to clean them up and secure them should be straightforward. In practice it is anything but easy.

When the botnet is so big that it impacts the internet, the ISPs may band together to try to figure out what's going on and curb the traffic. That was the case with the Mirai botnet, says Spanier. "When it's smaller, something like spam, I don't see the ISPs caring so much," he says. "Some ISPs, especially for home users, have ways to alert their users, but it's such a small scale that it's not going to affect a botnet. It's also really hard to detect botnet traffic. Mirai was easy because of how it was spreading, and security researchers were sharing information as fast as possible."
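The reason Mirai was "easy" is that every infected device immediately began sweeping the Internet for other Telnet-exposed devices, and that outbound spray is visible in ordinary flow records without any malware signature. As an added example (not code from the article or from any vendor quoted in it), here is a Python detector that runs over constructed NetFlow-like records and flags internal hosts behaving like a Mirai scanner. The record layout, the thresholds and the sample hosts are assumptions; ports 23 and 2323 are the ones Mirai's scanner probed.

```python
"""Flag internal hosts that spray TCP SYNs at Telnet ports the way a
Mirai-infected device does while hunting for new victims.

Added example: not code from the article or from any vendor quoted in it.
The flow format, thresholds and sample hosts are constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    ts: int        # flow start time, epoch seconds
    src: str       # internal source address
    dst: str       # destination address
    dport: int     # destination TCP port
    flags: str     # cumulative TCP flags seen on the flow, e.g. "S" or "SPA"


# Mirai's scanner probed TCP 23 and 2323; both are in the watch list.
SCAN_PORTS = {23, 2323}
# Assumed tuning: 20 distinct destinations on those ports inside 60 seconds.
WINDOW_SECONDS = 60
MIN_DISTINCT_TARGETS = 20


def build_sample_flows() -> List[Flow]:
    """Constructed records, not real traffic."""
    flows: List[Flow] = []
    # An infected camera sweeping 25 addresses, mostly on 23, some on 2323.
    # SYN-only flows: nobody answered, or the target refused the connection.
    for i in range(25):
        port = 2323 if i % 5 == 0 else 23
        flows.append(Flow(1000 + i, "10.0.5.23", f"198.51.100.{i + 1}", port, "S"))
    # An administrator completing Telnet sessions to two switches.
    flows.append(Flow(1005, "10.0.1.5", "10.0.9.1", 23, "SPA"))
    flows.append(Flow(1040, "10.0.1.5", "10.0.9.2", 23, "SPA"))
    # A workstation opening many HTTPS connections: wrong port, ignored.
    for i in range(30):
        flows.append(Flow(1000 + i, "10.0.1.8", f"203.0.113.{i + 1}", 443, "SPA"))
    return flows


def detect_scanners(flows: List[Flow], window: int = WINDOW_SECONDS,
                    threshold: int = MIN_DISTINCT_TARGETS) -> Dict[str, dict]:
    """Return sources that reached `threshold` distinct destinations on the
    scan ports within any `window`-second span. Only SYN-only flows count:
    a completed handshake to one device is routine administration, a spray
    of unanswered SYNs across many hosts is a scanner.
    """
    per_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        if f.dport in SCAN_PORTS and f.flags == "S":
            per_src[f.src].append(f)

    alerts: Dict[str, dict] = {}
    for src, fs in per_src.items():
        fs.sort(key=lambda f: f.ts)
        start = 0
        for end in range(len(fs)):
            # Slide the window forward until it spans at most `window` seconds.
            while fs[end].ts - fs[start].ts > window:
                start += 1
            window_flows = fs[start:end + 1]
            targets = {f.dst for f in window_flows}
            if len(targets) >= threshold:
                alerts[src] = {
                    "first_seen": fs[start].ts,
                    "distinct_targets": len(targets),
                    "ports": sorted({f.dport for f in window_flows}),
                }
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for src, info in detect_scanners(build_sample_flows()).items():
        print(f"scanner {src}: {info['distinct_targets']} targets on ports "
              f"{info['ports']} starting at t={info['first_seen']}")
```

Two design points: the detector keys on SYN-only flows so that a legitimate administrator's completed Telnet sessions never count, and it alerts on distinct destinations rather than flow volume, because a scanner touches many hosts once while a busy legitimate client touches a few hosts many times. Whatever the thresholds, the same data supports a simpler control: a camera VLAN has no business initiating outbound connections to TCP 23 or 2323 at all, and an egress rule that blocks them stops the spread even when detection lags.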

Compliance and privacy issues are also involved, says Jason Brvenik, CTO at NSS Labs, as are operational ones. A consumer might have several devices on their network sharing a single connection, while an enterprise might have thousands or more behind one address. "There's no way to isolate the thing that's impacted," Brvenik says.

Botnets will also try to disguise their origins. For example, Akamai has been tracking a botnet whose traffic carries source IP addresses belonging to Fortune 100 companies, addresses that Akamai suspects are spoofed.

Some security firms are trying to work with infrastructure providers to identify the infected devices. "We work with the Comcasts, the Verizons, all the ISPs in the world, and tell them that these machines are talking to our sinkhole and they have to find all the owners of those devices and remediate them," says Adam Meyers, VP of intelligence at CrowdStrike. That can involve millions of devices, where someone has to go out and install patches. Often, there's no remote upgrade option. Many security cameras and other connected sensors are in remote locations. "It's a huge challenge to fix those things," Meyers says.

Plus, some devices might no longer be supported, or might be built in such a way that patching them is not even possible. The devices are usually still doing the jobs even after they're infected, so the owners aren't particularly motivated to throw them out and get new ones. "The quality of video doesn't go down so much that they need to replace it," Meyers says. Often, the owners of the devices never find out that they've been infected and are part of a botnet. "Consumers have no security controls to monitor botnet activity on their personal networks," says Chris Morales, head of security analytics at Vectra Networks.

Enterprises have more tools at their disposal, but spotting botnets is not usually a top priority, says Morales. "Security teams prioritize attacks targeting their own resources rather than attacks emanating from their network to external targets," he says.

Device manufacturers who discover a flaw in their IoT devices that they can't patch may, if sufficiently motivated, do a recall, but even then, it might not have much of an effect. "Very few people get a recall done unless there's a safety issue, even if there's a notice," says NSS Labs' Brvenik. "If there's a security alert on your security camera on your driveway, and you get a notice, you might think, 'So what, they can see my driveway?'"

Botnet Dragnets have some Success
There has been some progress in shutting down botnets and arresting their creators, says CrowdStrike's Meyers. For example, last spring, authorities arrested Peter “Severa” Levashov, the hacker behind the Waledac and Kelihos spam botnets. "He was arrested while on vacation in Spain," Meyers says. "It required coordination between the Department of Justice, the FBI, and Spanish police. There was a lot of international cooperation. Plus, there was technical expertise required to disrupt the botnet, which involved us sending some technical experts to Alaska to help the FBI with the takedown."

Depending on how the botnet is set up, disrupting it may be more or less difficult. Researchers can take advantage of cryptographic or other flaws in its command-and-control design and shut it down. If the creators are still on the loose, however, they can fix the flaw and get it up and running again. "With Kelihos, that was disrupted five times or so," Meyers says. "But because the author of that botnet was not apprehended, he was able to spin it back up, in some cases within hours of the disruption. After a couple of times, people realized that this wasn't going to go anywhere until we take this guy off the street."

In another sign of progress, law enforcement agencies working with ESET and Microsoft took down 464 botnets last week, associated with 1,214 command-and-control domains and 80 malware families. The takedown also led to the arrest of a suspect in Belarus. According to ESET, this particular group has been around since 2011, selling ready-to-go botnet kits on the dark web, variously known as Andromeda, Gamarue and Wauchos. The resulting botnets were detected on more than 1.1 million systems per month.

The law enforcement groups began working to take them down in 2015, says Jean-Ian Boutin, senior malware researcher at ESET. "This type of operation takes time," he says. During that time, security teams analyzed thousands of Andromeda samples. "Based on this, we believe that this operation led to the disruption of all current Andromeda botnets." However, since the kit is sold on underground forums, someone else might start a new Andromeda botnet from scratch, he adds.

Another team of researchers, at Recorded Future, is also pessimistic that the botnet is gone for good. "Several independent parties were involved in the distribution of Andromeda," says Recorded Future security analyst Alex Solad. "We believe that in the near term the botnet will remain operational, although the absence of ongoing support will significantly hinder its proliferation." Solad adds that even though Belarus maintains strong ties with Russia, it has recently increased its participation in international criminal investigations. It also has the strictest sentences for computer crimes anywhere in the Commonwealth of Independent States, which includes Russia and allied ex-Soviet republics.

Recorded Future also identified the man behind the botnet as Jarets Sergey Grigorevich, also known as “Ar3s”. In addition to being the Andromeda mastermind, he is also a longstanding administrator of the DamageLab forum. ESET's Boutin says that his firm cannot confirm that it was Grigorevich who was arrested, and the law enforcement agencies involved have not released the name either.

A long way from a permanent solution to Botnets
The problem is that there haven't been that many arrests, Meyers says. "Russian hacker Evgeniy Bogachev was fingered in June 2014 in the Gameover Zeus attacks, and he's still at large in Russia someplace," he says. "A lot of these guys don't have to worry about arrests. If they work in Russia, and don't target Russian systems, they can pretty much operate with impunity."

Permanently solving the botnet problem requires a global solution to cybercrime, on top of the technical challenges, says Daniel Miessler, director of advisory services at IOActive. That's not happening in the foreseeable future. "Botnets are an emergent malady that exists because of the vulnerabilities and incentives that exist within society," he says. "Until we fix those, we should expect botnets and other emergent intersections between malice and vulnerability to be permanent co-passengers."

In addition to a common, worldwide cybercrime enforcement system, there also need to be standard regulations for manufacturers, requiring a minimum level of security in IoT devices. "Any regulation must also apply to all manufacturers, as many markets tend to be flooded with very cheap devices produced in regions where Internet laws are very lax or non-existent," says Roy Soto, director of security research at Jask, an AI cybersecurity startup.

It's hard to imagine all the world's nations and affected industries coming together and agreeing on a common approach, and then enforcing it, says Igal Zeifman, product evangelist at Incapsula. "All initiatives to combat the growth of botnets through industry standards and legislation will likely continue to occur only on a regional or country level," he says.

That means that even if individual countries can slow down the growth of botnets in their regions, there will still be plenty of other places where they can grow. 

"Considering the global nature of the Internet, this means that botnet attacks will continue to pose a threat to the digital businesses and the online community for many years to come," Zeifman says.

CSO Online:
