A botnet is a collection of Internet-connected devices of any type that have been compromised by an intruder. Botnets act as a force multiplier for individual intruders, cybercrime groups or entire states seeking to disrupt or break into a target system. Botnets are most commonly used in distributed denial of service (DDoS) attacks, but their collective computing power can also send large volumes of spam, steal credentials on a large scale, or spy on people or organizations.
Attackers build botnets by infecting connected devices with malware and then controlling them through a command-and-control (C&C) server. Once an attacker has compromised one device on a network, every vulnerable device on that network is at risk of infection.
A botnet attack can be devastating. In 2016, the Mirai botnet knocked offline the networks of companies such as Twitter, Netflix, CNN and other major sites, as well as major Russian banks and the whole of Liberia. The botnet exploited unprotected Internet of Things (IoT) devices, such as security cameras, to install malware, which then attacked the servers of Dyn, a provider that routes Internet traffic.
The industry responded instantly: device manufacturers, regulators, telecommunications companies and Internet service providers worked together to isolate compromised devices, disable and fix them, and make sure that such a botnet could never be built again.
Just kidding. That did not happen. On the contrary, botnets are getting bigger.
Even the Mirai botnet is still alive. According to a report published by Fortinet in August 2018, Mirai was one of the most active botnets in the second quarter of this year.
Since Mirai's source code was published two years ago, Mirai variants have even gained new features, including the ability to turn infected devices into swarms of malicious proxy servers and cryptocurrency miners. According to Fortinet, they also keep adding exploits for both known and previously unknown vulnerabilities.
According to Tony Giandomenico, a researcher and senior security strategist at Fortinet, crypto-mining marks a significant shift in the botnet world. It lets attackers use the victim's computing hardware and electricity to mine Bitcoin, Monero and other cryptocurrencies. “This is the most significant change in the past few months,” he says. “The bad guys are experimenting to figure out how they can use IoT botnets to make money.”
Mirai is just the beginning. In the fall of 2017, Check Point researchers said they had discovered a new botnet, known as IoTroop or Reaper, that could infect IoT devices even faster than Mirai. They warned it could take down the entire Internet once its creators launched it.
Mirai infected vulnerable devices that used default usernames and passwords. Reaper goes further, targeting at least nine different vulnerabilities in devices from nearly a dozen manufacturers, including major players such as D-Link, Netgear and Linksys. It is also quite flexible, since its operators can easily update the botnet code to make it more dangerous.
According to a Recorded Future study, Reaper was used this year in attacks on European banks, including ABN Amro, Rabobank and ING.
Why can’t we stop botnets?
The obstacles to stopping botnets include the wide availability and steady sales of insecure devices, the practical impossibility of blocking infected devices and cutting them off from the Internet, and the difficulty of tracking down the people who build botnets. When a customer walks into a store to buy a surveillance camera or other network-connected device, they look at the features, look for recognizable brands and, above all, look at the price.
Security issues usually fade into the background. “Because [IoT devices] are very cheap, the likelihood of having good service and fast updates is low,” says Ryan Spanier, research director at Kudelski Security.
Meanwhile, as people continue to buy low-cost, insecure devices, the number of vulnerable endpoints continues to grow. The total number of connected devices will grow from nearly 27 billion in 2017 to 125 billion in 2030, according to estimates by research company IHS Markit.
Spanier says manufacturers lack the incentive to change, because few of them face any consequences for selling insecure devices. “Although the situation has gradually begun to improve since last year,” he says, “the US government has fined a couple of manufacturers.”
For example, in 2017 the FTC sued D-Link for selling routers and IP cameras with significant security flaws that the manufacturer could have fixed, such as hard-coded login credentials. However, a federal judge dismissed half of the FTC's claims because the FTC could not point to specific cases in which consumers had actually been harmed.
How to detect botnets: targeted traffic
Botnets are usually managed from a central command server. In theory, taking down that server and then tracing its traffic back to the infected devices so they can be cleaned and secured sounds simple, but it is nothing of the sort.
When a botnet grows so large that it affects the Internet as a whole, Internet service providers can team up to figure out what is going on and curb the traffic. According to Spanier, that is what happened with the Mirai botnet. “While the botnet is small, something like spam, Internet service providers do not particularly bother about it,” he says. “Some Internet providers, especially for home networks, have ways to alert their users, but those are so insignificant that they do not affect the botnet. In addition, tracking botnet traffic is quite difficult. Mirai was easy to see because of how quickly it spread, and security researchers tried to share information as quickly as possible.”
According to Jason Brvenik, technical director of NSS Labs, Inc., privacy and operational considerations also come into play. A consumer may have several devices on their network sharing a single connection, while an enterprise may have thousands or more. “There is no way to isolate the device that is affected,” says Brvenik.
Botnets also try to hide their origin. For example, Akamai is tracking a botnet whose IP addresses are associated with Fortune 100 companies, addresses that Akamai suspects are spoofed.
Some information security firms are trying to work with infrastructure providers to detect infected devices. “We’re working with Comcast, Verizon, all of the world’s Internet service providers and telling them to find all owners of infected devices and cure these devices,” said Adam Meyers, vice president of intelligence at CrowdStrike, Inc.
Such networks, where someone has to go out and install patches by hand, can include millions of devices. Often there is no way to update them remotely. Many surveillance cameras and other connected sensors are installed in remote locations. “It’s incredibly difficult to fix these devices,” says Meyers.
In addition, some devices may no longer be supported, or may be built in such a way that patching them is impossible. Devices usually keep doing their job even after infection, so owners have little motivation to throw them out and buy new ones. “Video quality does not deteriorate to the point that it can be replaced,” says Meyers.
Often, owners never know that their devices are part of a botnet. “Consumers do not have the means to monitor botnet activity on their personal networks,” said Chris Morales, head of security analytics at Vectra Networks, Inc.
According to Morales, enterprises have more tools at their disposal, but the search for botnets is usually not their top priority. “Security groups prioritize attacks targeting their own resources, rather than attacks from their network to outside targets,” he says.
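The detection problem described above, from the enterprise side, comes down to finding infected hosts in traffic logs. The following is an added example written for this page, not code from the article or from any of the companies quoted; the flow-record layout and the sample records are constructed. It runs two heuristics a defender can apply to NetFlow or firewall logs: fan-in (many internal hosts contacting the same external endpoint, as infected devices do when they call a shared C&C server) and beaconing (one host contacting one destination at a near-constant interval, as bots do when polling for commands).

```python
"""Added example (not from the article): spot botnet-like traffic in flow logs.

Two heuristics a defender can run over NetFlow/firewall logs:
  1. Fan-in: an external endpoint contacted by an unusually large number of
     internal hosts (many infected devices calling the same C&C server).
  2. Beaconing: a host that contacts one destination at a near-constant
     interval, which is how bots poll a command server for instructions.
The flow records are constructed for the example; the field layout
(timestamp_seconds, src_ip, dst_ip, dst_port) is an assumption, not a
real log format.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows
SAMPLE_FLOWS = [
    # ten cameras on the IoT segment polling the same external host every 60 s
    *[(t, f"10.20.0.{n}", "203.0.113.7", 443)
      for n in range(1, 11) for t in range(0, 600, 60)],
    # ordinary browsing: one host, irregular timing, several destinations
    (5, "10.10.0.5", "198.51.100.10", 443),
    (47, "10.10.0.5", "198.51.100.11", 443),
    (130, "10.10.0.5", "198.51.100.12", 80),
    (410, "10.10.0.5", "198.51.100.10", 443),
]


def fan_in(flows, min_hosts=5):
    """Return {dst_ip: set(src_ips)} for destinations contacted by at least
    min_hosts distinct internal sources."""
    sources = defaultdict(set)
    for _, src, dst, _ in flows:
        sources[dst].add(src)
    return {dst: srcs for dst, srcs in sources.items() if len(srcs) >= min_hosts}


def beacons(flows, min_events=5, max_jitter=0.2):
    """Return [(src, dst, mean_interval_seconds)] for source/destination pairs
    whose inter-arrival times are nearly constant, i.e. the coefficient of
    variation of the gaps (stddev / mean) is at most max_jitter."""
    times = defaultdict(list)
    for t, src, dst, _ in flows:
        times[(src, dst)].append(t)
    found = []
    for (src, dst), ts in times.items():
        ts.sort()
        if len(ts) < min_events:
            continue  # too few contacts to judge regularity
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            found.append((src, dst, avg))
    return found


if __name__ == "__main__":
    for dst, srcs in fan_in(SAMPLE_FLOWS).items():
        print(f"{dst} contacted by {len(srcs)} internal hosts")
    for src, dst, avg in beacons(SAMPLE_FLOWS):
        print(f"{src} -> {dst} beacons every {avg:.0f}s")
```

On the constructed input the ten cameras are flagged by both heuristics, while the browsing host is not. Both thresholds are assumptions to be tuned against a baseline of normal traffic; legitimate software updaters and monitoring agents also beacon, so hits are leads for investigation rather than verdicts. Note the caveat from the article: source addresses in spoofed flood traffic cannot be trusted, but the two-way sessions a bot keeps with its command server do reveal the real infected host.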
Device manufacturers that discover a flaw in their IoT devices which they cannot fix may, given enough motivation, recall them, but even that may have little effect. “Very few people return devices until they directly threaten their safety, even if alerts appear,” says Brvenik of NSS Labs. “If a security warning pops up on the surveillance camera aimed at your driveway, and you get a notification, you might think, ‘So what if they can see my driveway?’”
How to prevent botnet attacks
The Council to Secure the Digital Economy (CSDE), in collaboration with the Information Technology Industry Council, USTelecom and other organizations, recently released a comprehensive guide to protecting businesses from botnets.
Below are the main recommendations.
Update, update, and update again
Botnets use unpatched vulnerabilities to propagate from device to device and cause maximum damage to the enterprise. The first line of defense should be keeping all systems up to date. CSDE recommends that businesses install updates as soon as they are released; automatic updates are the ideal option.
Some enterprises prefer to postpone updates until they have had time to check for compatibility and other problems. This can lead to significant delays, and some systems can be forgotten entirely and drop off the update list altogether.
Businesses that do not use automatic updates may want to review their policies. “Manufacturers successfully test products for stability and functionality,” said Craig Williams, Talos customer manager at Cisco Systems, Inc.
Cisco is one of the founders of CSDE and has made a significant contribution to the creation of a guide on how to combat botnets. “The risks that existed initially decreased significantly,” says Williams.
Not only applications and operating systems need automatic updates. “Make sure your hardware devices are also set to update automatically,” he says.
Legacy products, both hardware and software, may no longer be updated, and the anti-botnet guide recommends that businesses stop using them. Manufacturers also do not provide support for pirated products.
The guide recommends that enterprises use multi-factor authentication and risk-based verification, along with least privilege and other advanced access control methods. According to Williams, after infecting a single device, botnets spread, among other means, by using credentials. By restricting access, botnets can be contained in one place, where they do less damage and are easier to eliminate.
One of the most effective steps companies can take is to use hardware security keys for authentication. For example, Google began requiring all of its employees to use physical security keys in 2017. Since then, according to the guide, not a single work account has been successfully phished.
“Unfortunately, many companies cannot afford this,” says Williams. In addition to the initial costs of technology, employees are at high risk of losing their keys.
Smartphone-based authentication helps bridge this gap. According to Williams, it is cost-effective and adds a significant level of security. “Attackers would have to physically compromise a person’s phone,” he says. “You can run code on the employee’s phone to intercept SMS, but that happens quite rarely.”
Do not try to go it alone
The anti-botnet guide points to several areas in which businesses would benefit from seeking help from outside partners. For example, there are many channels through which businesses can share threat information, such as CERTs, industry groups, government and law enforcement agencies, and sponsored platform providers.
Another area in which companies should not rely solely on their own internal resources is protection against DDoS attacks. “Generally speaking, you probably want to block the DDoS attack before it reaches you,” says Williams. “Many believe that if you have an intrusion prevention system or a firewall, this will prevent a DDoS attack. In fact, it does not.”
Defend in depth
Today it is not enough to protect only your perimeter or your endpoints. “Nowadays, intruders are really creative,” says Williams. “They can penetrate your network through different vectors.” Having several layers of security, he says, is like having several locks on a door: if attackers figure out how to break one lock, the other locks will stop them.
The anti-botnet guide recommends that businesses consider using advanced analytics to protect users, data and networks, ensure that security controls are properly configured, and use network segmentation and network architectures that reliably manage traffic flows. For example, according to Williams, IoT devices should sit in a separate, isolated part of the network.
Mirai, for example, was built from insecure connected devices. “When you have IoT devices that can connect to the same network as the rest of the enterprise, that carries a significant level of risk that you don’t need at all,” he says.
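The segmentation advice above is easier to reason about with a concrete policy. The following is an added example written for this page, not code from the CSDE guide, Cisco or the article; the address plan, segment names, rules and flows are all constructed. It evaluates what a compromised camera on an isolated IoT segment can still reach under a flat policy versus a segmented one, using the same first-match, default-deny model that firewalls and VLAN ACLs apply.

```python
"""Added example (not from the guide or the article): checking a segmentation
policy before rolling it out.

Each rule is (source_segment, destination_segment, destination_port, action);
the first matching rule wins and anything unmatched is denied. The segments,
addresses and flows are constructed for the example.
"""
from ipaddress import ip_address, ip_network

SEGMENTS = {  # constructed address plan
    "iot":  ip_network("10.20.0.0/24"),   # cameras and sensors
    "nvr":  ip_network("10.21.0.0/24"),   # video recorder the cameras stream to
    "corp": ip_network("10.10.0.0/16"),   # workstations and servers
    "wan":  ip_network("0.0.0.0/0"),      # everything else: the Internet
}

# A flat network: one rule lets everything talk to everything.
FLAT_POLICY = [("any", "any", None, "allow")]

# Isolated IoT segment: cameras may only stream to the recorder, and nothing
# on the IoT segment may open connections to corp, to the Internet or, where
# the segment enforces client isolation, to its neighbours.
SEGMENTED_POLICY = [
    ("iot", "nvr", 554, "allow"),    # RTSP video to the recorder
    ("iot", "any", None, "deny"),    # no other traffic leaves the IoT segment
    ("corp", "nvr", 443, "allow"),   # staff view recordings via the NVR web UI
    ("corp", "wan", None, "allow"),  # staff reach the Internet
]


def segment_of(ip):
    """Name of the most specific (longest-prefix) segment containing ip."""
    addr = ip_address(ip)
    matches = [(net.prefixlen, name) for name, net in SEGMENTS.items() if addr in net]
    return max(matches)[1] if matches else "unknown"


def decide(policy, src_ip, dst_ip, dst_port):
    """First-match evaluation of policy for one flow; default deny."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    for rule_src, rule_dst, rule_port, action in policy:
        if (rule_src in ("any", src) and rule_dst in ("any", dst)
                and rule_port in (None, dst_port)):
            return action
    return "deny"


# Constructed flows a compromised camera at 10.20.0.9 would attempt
FLOWS = [
    ("10.20.0.9", "10.21.0.2", 554),    # legitimate video stream
    ("10.20.0.9", "10.10.5.40", 445),   # SMB toward a corp file server
    ("10.20.0.9", "203.0.113.7", 443),  # outbound to a command server
    ("10.20.0.9", "10.20.0.10", 23),    # telnet to a neighbouring camera
]


def evaluate(policy):
    """Map each constructed flow to the policy's decision."""
    return {(s, d, p): decide(policy, s, d, p) for s, d, p in FLOWS}


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(name)
        for flow, verdict in evaluate(policy).items():
            print(f"  {flow[0]} -> {flow[1]}:{flow[2]}  {verdict}")
```

Under the flat policy every flow is allowed, so one infected camera can reach file servers, its command server and other cameras. Under the segmented policy only the video stream to the recorder survives, which is the containment the guide is after: the device may still be infected, but it can neither receive commands nor spread. The intra-segment telnet line is only blocked in practice if the IoT segment itself enforces client isolation, since traffic between two hosts on the same segment otherwise never reaches the firewall.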
Botnet hunters have achieved some success
At the end of 2017, the Andromeda botnet was taken down by the FBI together with law enforcement agencies in Europe. During the preceding six months, the botnet had been detected on more than a million infected devices every month on average.