Everything You Need to Know About BOTNETS

Daniel Tobok
E: daniel@cytelligence.com
Posted on: January 25, 2018

BOTNETS are one of the most serious security threats on the internet.

With the rapid adoption of cloud computing and the Internet of Things (IoT), there is more data online than ever before (and more devices capable of being hijacked and used for nefarious purposes). There are, however, ways you can minimize the risks of a BOTNET attack and fix any problems that might occur.

What Is A BOTNET?

When you think BOTNET, think “robot network” – a network of internet-connected devices that have been hijacked and used for hacking purposes. Computers, smartphones or IoT devices that have been compromised by malware allow BOTNET hackers to direct the activities of these devices.

BOTNETs are typically built one machine at a time, each targeted by malware. In many cases, a “Trojan Horse” virus is embedded into a machine, which provides access and sends software to the machine. The malware then goes to work, infecting that machine and, in many cases, scanning for connected devices so the virus can replicate itself across a number of networks.

Opening an email attachment might seem harmless enough, but it could be embedded with malware and infect your machine. Other ways BOTNETs get into systems include software vulnerabilities, such as outdated browsers or IT staff failing to apply software patches, or even what’s called a “drive-by download,” such as visiting a website that’s running malicious code.

Personal, business, and government machines are all vulnerable to BOTNET attacks. Attackers don’t usually care which machine they take control of, although targeting computers on government or business networks gives them easier access to a larger number of machines. Once a single machine is infected, it can spread and infect others easily.

How Do BOTNETs Communicate?

The people who control BOTNETS are known as Botmasters. Using a process called Command and Control (C&C), Botmasters use a variety of channels to connect with compromised computers, such as:

  • Telnet or IRC (Internet Relay Chat) servers send low-bandwidth data and reports, which are less likely to draw scrutiny. Botmasters can issue new commands and easily switch channels to avoid detection.
  • HTTPS traffic looks like regular web traffic, so it’s difficult to distinguish Bot traffic from it.
  • Domains have been used, where a BOTNET communicates with a web page that serves up the controlling commands.
  • TCP network packets can be altered to send encoded messages back and forth and may pass through basic egress filtering.
  • Instead of direct communication between a bot and a server, peer-to-peer (P2P) networks are used, in which bots receive commands, then locate other machines on the P2P network and pass them on.
  • Social networks have even been used to communicate. The Botmaster might set up a social media feed and post encoded commands. Infected machines are directed to routinely access the feed and act on the commands.
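Because C&C traffic over HTTPS or a web page looks like ordinary browsing, defenders often look instead at its timing: a bot checking in with its controller tends to connect at regular intervals. The following Python script is an added example (not code from the original post) that scores each source/destination pair in a constructed connection log by how regular its connection gaps are; the log format, host names and thresholds are all assumptions.

```python
import statistics
from collections import defaultdict

# Constructed connection-log format: "<epoch_seconds> <src_ip> <dst_host>".
# Host 192.0.2.20 connects to the assumed C&C name every ~60 s; host
# 192.0.2.21 browses a normal site at irregular times; host 192.0.2.22
# connects only twice, too few to judge.
SAMPLE_CONN_LOG = [
    "1516874400 192.0.2.20 cc-placeholder.example",
    "1516874460 192.0.2.20 cc-placeholder.example",
    "1516874521 192.0.2.20 cc-placeholder.example",
    "1516874580 192.0.2.20 cc-placeholder.example",
    "1516874641 192.0.2.20 cc-placeholder.example",
    "1516874700 192.0.2.20 cc-placeholder.example",
    "1516874400 192.0.2.21 www.example.com",
    "1516874405 192.0.2.21 www.example.com",
    "1516874540 192.0.2.21 www.example.com",
    "1516874550 192.0.2.21 www.example.com",
    "1516874800 192.0.2.21 www.example.com",
    "1516874810 192.0.2.21 www.example.com",
    "1516874400 192.0.2.22 mail.example.org",
    "1516874900 192.0.2.22 mail.example.org",
    "not a log line",
]

def parse(lines):
    """Group connection timestamps by (src, dst); skip malformed lines."""
    flows = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue
        ts, src, dst = parts
        flows[(src, dst)].append(int(ts))
    return flows

def beacon_score(timestamps, min_conns=5):
    """Coefficient of variation of the gaps between connections (lower = more
    regular), or None when there are too few connections to judge."""
    if len(timestamps) < min_conns:
        return None
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    return None if mean == 0 else statistics.pstdev(gaps) / mean

def find_beacons(lines, max_cv=0.2, min_conns=5):
    """Return {(src, dst): cv} for pairs whose gaps are regular enough to triage."""
    hits = {}
    for key, ts in parse(lines).items():
        cv = beacon_score(ts, min_conns)
        if cv is not None and cv <= max_cv:
            hits[key] = round(cv, 3)
    return hits

if __name__ == "__main__":
    print(find_beacons(SAMPLE_CONN_LOG))
```

Legitimate software such as update checkers also beacons on a fixed schedule, so a low score is a triage signal to investigate the destination, not a verdict on its own.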

What Can Hackers Do With BOTNETs?

Internet-connected computers that have been compromised are sometimes called “zombie computers.” They’re considered one of the biggest cybersecurity threats on the internet. Consider a recent report from Check Point researchers, who discovered a new BOTNET (dubbed “Reaper”) that had infected an estimated one million computers, including IoT devices such as wireless cameras.

One of the more well-known attacks was the Conficker computer worm, which targeted Windows computers, infecting millions of machines across 190 countries, blocking DNS lookups, disabling functions, and destroying anti-malware software and patches. BOTNETs take control of your computers without your knowledge and have been used to attack other computers and networks in a variety of malicious ways, such as sending phishing or spam emails.

DDoS (Distributed Denial of Service) attacks

These attacks send an extraordinary number of requests to a website, rendering its servers unable to process the amount of traffic. In 2016, a self-propagating malware called Mirai was responsible for attacks on the major DNS provider Dyn, which blocked its DNS infrastructure. It was also used for DDoS attacks on websites and cloud providers. A BOTNET attack using internet-connected cameras shut down a popular cyber journalist’s website.

Click Fraud

By sending fake traffic and clicks to sites, hackers can generate income from hosting sites with ads that are bought on a PPC (pay-per-click) basis. US Senator Mark Warner, a Democrat from Virginia, said that by 2025, the digital ad market could be the second largest source of revenue for organized crime, second only to drug trafficking. In a letter to the Federal Trade Commission, the Senator noted a recent study of Google, Yahoo, Facebook, and LinkedIn conducted over a 7-day period, which showed that as much as 98% of all ad clicks were done by BOTNETs.

Keylogging

By recording keystrokes, scammers have been able to capture personal information, credit card data, and passwords. Experts estimate crooks have stolen hundreds of millions of dollars from bank accounts by stealing identities and passwords. Stolen login credentials were used to defraud StubHub, the online ticketing service, of more than $1.5 million.

What Steps Can You Take To Protect Against BOTNETs?

The best way to protect yourself against BOTNETs is not to let the malware hit your systems in the first place. In businesses with multiple users, especially in remote locations with access to physical machines, that’s a difficult task. One person clicking on the wrong link can start malware spreading across your network.

Blocking Communication

Once the C&C server is discovered, one of the more effective techniques involves isolating it and blocking its ability to communicate with individual Bots. It might be as simple as closing the affected port or blocking connections.

Sinkholing

In a technique known as “sinkholing,” you would isolate the connection to the C&C server and set up your own server to send and receive commands. If malware has been activated but the hacker hasn’t yet set up the command and control server, you may be able to block it by rerouting the traffic to your server and analyzing the data. When the BOTNET tries to connect to the servers, it reaches the ones you control and doesn’t receive any commands. After enough data has been collected through the sinkhole, the server is taken offline.
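Applied to DNS, blocking communication and sinkholing come down to one decision per lookup: a name on the C&C blocklist is answered with an address the defender controls, and every client that keeps asking for it is an infected host to clean up. The following Python script is an added example (not code from the original post) of that logic; the blocklist names, sinkhole address and query-log format are all constructed placeholders.

```python
import re
from collections import Counter

# Constructed C&C blocklist (placeholder names, not real indicators).
CC_BLOCKLIST = {"cc-placeholder.example", "updates-placeholder.test"}
# Assumed address of the sinkhole server the defender controls.
SINKHOLE_IP = "10.0.0.53"

# Constructed query-log format: "<timestamp> <client_ip> <queried_name>".
LOG_LINE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)$")

def normalize(name: str) -> str:
    """Lower-case the name and strip the trailing dot a resolver log may carry."""
    return name.lower().rstrip(".")

def is_blocked(qname: str) -> bool:
    """True if qname equals, or is a subdomain of, a blocklisted name.
    Suffix matching is done label by label so that 'notcc-placeholder.example'
    does not match 'cc-placeholder.example' the way a substring check would."""
    labels = normalize(qname).split(".")
    return any(".".join(labels[i:]) in CC_BLOCKLIST for i in range(len(labels)))

def resolve(qname: str, real_answer: str) -> str:
    """Answer C&C names with the sinkhole; pass everything else through."""
    return SINKHOLE_IP if is_blocked(qname) else real_answer

def sinkhole_report(log_lines):
    """Count sinkholed lookups per client; the repeat askers are the bots."""
    hits = Counter()
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the report
        _ts, client, qname = m.groups()
        if is_blocked(qname):
            hits[client] += 1
    return dict(hits)

# Constructed sample query log.
SAMPLE_LOG = [
    "2018-01-25T10:00:01 192.0.2.10 www.example.com.",
    "2018-01-25T10:00:02 192.0.2.10 CC-Placeholder.example",
    "2018-01-25T10:00:03 192.0.2.11 beacon.cc-placeholder.example.",
    "2018-01-25T10:00:04 192.0.2.11 notcc-placeholder.example",
    "2018-01-25T10:00:05 192.0.2.10 updates-placeholder.test",
    "garbage line",
]

if __name__ == "__main__":
    print(sinkhole_report(SAMPLE_LOG))
```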

Kill Switches

Reverse engineering the malware may reveal triggers or “kill switches” within the software that can render the BOTNET inoperable. Hackers will often build in shutdown mechanisms to prevent someone else from hijacking their BOTNET. Once such a switch is discovered, by impersonating the Command and Control server you can tell the malware to knock it off!

Resetting Devices

While the Conficker virus replicated itself even after being removed, some BOTNETs can be stopped by simply resetting routers and wireless equipment, changing passwords, and adding proactive monitoring.

Better Passwords & Proxy Servers

According to SplashData, the most popular passwords are still “123456” and “Password.” Regularly changing passwords, using two-step authentication, and requiring stronger authentication can make it harder for hackers to get into networks. Forcing outgoing traffic through proxy servers can also help.

Stay On Top Of Patches

Many viruses and malware exploit vulnerabilities in software. Hackers were able to extract sensitive credit data on more than 140 million people through a software vulnerability at Equifax, even though a patch to fix the problem had been available two months before the attack.

The number of data breaches, whether from brute force or BOTNET attacks, exceeds 100,000 a year. Proper response and management are critical. Consider offensive measures, such as penetration testing, vulnerability assessments, and security audits. If an attack happens, you need professionals with deep resources and experience in breach response, forensic investigations, and proactive methods.