Botnets Are Here To Stay

Botnets act as a force multiplier for individual attackers, cyber-criminal groups, and nation-states looking to disrupt or break into their targets’ systems. 

By definition, they are a collection of any type of Internet-connected device that an attacker has compromised. Commonly used in distributed denial of service (DDoS) attacks, botnets can also take advantage of their collective computing power to send large volumes of spam, steal credentials at scale, or spy on people and organisations.

Malicious actors build botnets by infecting connected devices with malware and then managing them using a command and control server. Once an attacker has compromised a device on a specific network, all the vulnerable devices on that network are at risk of being infected.

A botnet attack can be devastating. Last year, the Mirai botnet shut down major swathes of the Internet, including Twitter, Netflix, CNN, and other major sites, as well as major Russian banks and the entire country of Liberia. The botnet took advantage of unsecured internet of things (IoT) devices such as security cameras, installing malware that then attacked the DYN servers that route Internet traffic.

According to an Akamai Internet security report released recently, botnets are not only still alive and well, but getting more clever and more difficult to combat. For example, attackers are now using Fast Flux DNS, changing DNS information so rapidly that defenders have a hard time tracking and disrupting them.

While Akamai was part of the battle to control last year's Mirai attacks, Mirai itself is still around, with two DDoS attacks exceeding 100 Gbps this past quarter, Akamai reported. Plus, new botnets are popping up. Check Point researchers say they discovered a new botnet, variously known as "IoTroop" and "Reaper," that's compromising IoT devices at an even faster pace than Mirai did. It has the potential to take down the entire internet once the owners put it to work.

Mirai infected vulnerable devices that used default user names and passwords. Reaper goes beyond that, targeting at least nine different vulnerabilities from nearly a dozen different device makers, including major players like D-Link, Netgear and Linksys. It's also flexible, in that attackers can easily update the botnet code to make it more damaging.

Why we can’t stop Botnets
The challenges to shutting botnets down include the widespread availability and ongoing purchases of insecure devices, the near impossibility of simply locking infected machines out of the internet, and difficulty tracking down and prosecuting the botnet creators. 

When consumers go into a store to buy a security camera or other connected device, they look at features, they look for recognisable brands, and, most importantly, they look at the price. Security is rarely a top consideration. "Because IoT devices are so cheap, the likelihood of there being a good maintenance plan and fast updates is low," says Ryan Spanier, director of research at Kudelski Security.

Meanwhile, as people continue to buy low-cost, insecure devices, the number of vulnerable end points just keeps going up. Gartner estimates that there will be 8.4 billion connected devices in use by the end of this year, and that will more than double by 2020, to 20.4 billion.

There's not much motivation for manufacturers to change, Spanier says. Most manufacturers face no consequences at all for selling insecure devices. "Though that's starting to change in the past year," he says. "The US government has fined a couple of manufacturers." For example, in January, the Federal Trade Commission (FTC) sued D-Link for selling routers and IP cameras full of well-known and preventable security flaws such as hard-coded login credentials. Earlier this year, however, a US federal judge dismissed half of the FTC's complaints because the FTC couldn't identify any specific instances where consumers were actually harmed.

Botnet detection: Targeting traffic
Botnets are typically controlled by a central command server, so, in theory, taking down that server then following the traffic back to the infected devices to clean them up and secure them should be a straightforward job. But it's anything but easy.
When the botnet is so big that it impacts the internet, the ISPs may band together to try to figure out what's going on and curb the traffic. That was the case with the Mirai botnet, says Spanier. "When it's smaller, something like spam, I don't see the ISPs caring so much," he says. "Some ISPs, especially for home users, have ways to alert their users, but it's such a small scale that it's not going to affect a botnet. It's also really hard to detect botnet traffic. Mirai was easy because of how it was spreading, and security researchers were sharing information as fast as possible."

Compliance and privacy issues are also involved, says Jason Brvenik, CTO at NSS Labs., as well as operational aspects. A consumer might have several devices on their network sharing a single connection, while an enterprise might have thousands or more. "There's no way to isolate the thing that's impacted," Brvenik says.

Botnets will try to disguise their origins. For example, Akamai has been tracking a botnet that has IP addresses associated with Fortune 100 companies, addresses that Akamai suspects are probably spoofed.

Some security firms are trying to work with infrastructure providers to identify the infected devices. "We work with the Comcasts, the Verizons, all the ISPs in the world, and tell them that these machines are talking to our sink hole and they have to find all the owners of those devices and remediate them," says Adam Meyers, VP of intelligence at CrowdStrike,
That can involve millions of devices, where someone has to go out and install patches. Often, there's no remote upgrade option. Many security cameras and other connected sensors are in remote locations. "It's a huge challenge to fix those things," Meyers says.

Plus, some devices might no longer be supported, or might be built in such a way that patching them is not even possible. The devices are usually still doing the jobs even after they're infected, so the owners aren't particularly motivated to throw them out and get new ones. "The quality of video doesn't go down so much that they need to replace it," Meyers says. Often, the owners of the devices never find out that they've been infected and are part of a botnet. "Consumers have no security controls to monitor botnet activity on their personal networks," says Chris Morales, head of security analytics at Vectra Networks.

Enterprises have more tools at their disposal, but spotting botnets is not usually a top priority, says Morales. "Security teams prioritize attacks targeting their own resources rather than attacks emanating from their network to external targets," he says.
Device manufacturers who discover a flaw in their IoT devices that they can't patch may, if sufficiently motivated, do a recall, but even then, it might not have much of an effect. "Very few people get a recall done unless there's a safety issue, even if there's a notice," says NSS Labs' Brvenik. "If there's a security alert on your security camera on your driveway, and you get a notice, you might think, 'So what, they can see my driveway?'"

Botnet Dragnets have some Success
There has been some progress in shutting down botnets and arresting their creators, says CrowdStrike's Meyers. For example, last spring, authorities arrested Peter “Severa” Levashov, the hacker behind the Waledac and Kelihos spam botnets. "He was arrested while on vacation in Spain," Meyers says. "It required coordination between the Department of Justice, the FBI, and Spanish police. 

There was a lot of international cooperation. Plus, there was technical expertise required to disrupt the botnet, which involved us sending some technical experts to Alaska to help the FBI with the takedown." Depending on how the botnet is set up, disrupting it may be more or less difficult. Researchers can take advantage of cryptographic or other flaws and shut it down. If the creators are still on the loose, however, they can fix it and get it up and running again. "With Kelihos, that was disrupted five times or so," Meyers says. "But because the author of that botnet was not apprehended, he was able to spin it back up, in some cases within hours of the disruption. After a couple of times, people realized that this wasn't going to go anywhere until we take this guy off the street."

In another sign of progress, law enforcement agencies working with ESET and Microsoft took down 464 botnets last week, associated with 1,214 command-and-control domains and 80 malware families. The take-down resulted in an arrest of a person in Belarus. According to ESET, this particular group has been around since 2011, with ready-to-go botnet kits sold on the dark web, variously known as Andromeda, Gamarue and Wauchos. These botnets were responsible for infecting more than 1.1 million systems per month.

The law enforcement groups began working to take them down in 2015, says Jean-Ian Boutin, senior malware researcher at ESET. "This type of operation takes time," he says. During that time, security teams analyzed thousands of Andromeda samples. "Based on this, we believe that this operation led to the disruption of all current Andromeda botnets." However, since the kit is sold on underground forums, someone else might start a new Andromeda botnet from scratch, he adds.

Another team of researchers, at Recorded Future is also pessimistic that the botnet is gone for good. "Several independent parties were involved in the distribution of Andromeda," says Recorded Future security analyst Alex Solad. "We believe that in the near term the botnet will remain operational, although the absence of ongoing support will significantly hinder its proliferation." Solad adds that even though Belarus maintains strong ties with Russia, it has recently increased participating in international criminal investigations. It also has the strictest sentences for computer crimes anywhere in the Commonwealth, which includes Russia and allied ex-Soviet republics.

Recorded Future also identified the man behind the botnet as Jarets Sergey Grigorevich, also known as “Ar3s." In addition to being the Andromeda mastermind, he is also a longstanding administrator of the DamageLab forum. ESET's Boutin says that his firm cannot confirm that it was Grigorevich who was arrested, and the law enforcement agencies involved have also not released the name.

A long way from a permanent solution to Botnets
The problem is that there haven't been that many arrests, Meyers says. "Russian hacker Evgeniy Bogachev was fingered in June 2014 in the Gameover Zeus attacks, and he's still at large in Russia someplace," he says. 

 "A lot of these guys don't have to worry about arrests. If they work in Russia, and don't target Russian systems, they can pretty much operate with impunity."

Permanently solving the botnet problem requires a global solution to cybercrime, on top of the technical challenges, says Daniel Miessler, director of advisory services at IOActive. That's not happening in the foreseeable future. "Botnets are an emergent malady that exist because of the vulnerabilities and incentives that exist within society," he says. "Until we fix those, we should expect botnets and other emergent intersections between malice and vulnerability, to be permanent co-passengers."

In addition to creating a common, worldwide cybercrime enforcement system, there also needs to be standard regulations for manufacturers, requiring a certain level of minimal security in IoT devices. "Any regulation must also apply to all manufacturers, as many markets tend to be flooded with very cheap devices produced in regions where Internet laws are very lax or non-existent," says Roy Soto, director of security research at Jask, an AI cybersecurity startup.

It's hard to imagine all the world's nations and affected industries coming together and agreeing on a common approach, and then enforcing it, says Igal Zeifman, product evangelist at Incapsula, "All initiatives to combat the growth of botnets through industry standards and legislation will likely continue to occur only on a regional or country level," he says.

That means that even if individual countries can slow down the growth of botnets in their regions, there will still be plenty of other places where they can grow. 

"Considering the global nature of the Internet, this means that botnet attacks will continue to pose a threat to the digital businesses and the online community for many years to come," Zeifman says.

CSO Online:

You Might Also Read: 

Internet of Insecure Things:

A New IoT Botnet Storm Is Coming:

« Bitcoin Exchanges Under Siege
The GDPR Advisory Board Offers Expert Advice »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

IASME Consortium

IASME Consortium

IASME is one of five companies appointed as Accreditation Bodies for assessing and certifying against the UK Government's Cyber Essentials Scheme.

Defense Advanced Research Projects Agency (DARPA)

Defense Advanced Research Projects Agency (DARPA)

DARPA's mission is to develop breakthrough technologies for national security. The Information Innovation Office undertakes cyber security activities.

Meiya Pico Information Co

Meiya Pico Information Co

Meiya Pico is the leading digital forensics and information security products and service provider in China.

Cybersprint

Cybersprint

Cybersprint's Digital Risk Protection platform continuously monitors your digital footprint so you can make informed decisions on exposure to online threats, identify vulnerabilities and take action.

Assystem

Assystem

Assystem delivers a comprehensive security approach for the industrial and service sectors that integrates physical security systems, industrial cyber-security, functional safety and dependability.

Jenson Knight

Jenson Knight

Jenson Knight is a global cyber security, cloud and IT infrastructure staffing specialist.

Accel

Accel

Accel is a leading venture capital firm that invests in people and their companies from the earliest days through all phases of private company growth. Areas of focus include cybersecurity.

Fastcomcorp

Fastcomcorp

Fastcomcorp offers a world-class proactive cyber security defense and risk management consulting. Including Darkweb monitoring and posture assessments.

Crypto International

Crypto International

Crypto International offers comprehensive services for the operation of our customers’ IT and communication infrastructure, with a focus on cybersecurity and encryption solutions.

Corsica Technologies

Corsica Technologies

Corsica Technologies is recognized as one of the top managed IT and cybersecurity service providers. Our integrated IT and cybersecurity services protect companies and enable them to succeed.

DoQubiz Technology

DoQubiz Technology

DoQubiz is using the idea of security through obscurity to develop their proprietary Fractal Security Engine that implements a highly resilient data protection protocol.

Alpha Omega Integration

Alpha Omega Integration

Alpha Omega creates new possibilities through intelligent end-to-end mission-focused government IT solutions.

Rootshell Security

Rootshell Security

Rootshell Security is transforming vulnerability management with its vendor-agnostic Prism Platform and industry-leading offensive security assessments.

Obsidian Security

Obsidian Security

Protect your business-critical applications by mitigating threats and reducing risk with Obsidian, the first truly comprehensive security solution for SaaS.

ASPIA InfoTech

ASPIA InfoTech

ASPIA Infotech is a leading Information and cybersecurity organization focused on innovative approaches to avert targeted attacks.

Exodata

Exodata

Exodata is a French digital services company specializing in the outsourcing of IT Systems and solutions.