Millions and millions of PCs have been silently infiltrated with bot malware, creating massive bot armies poised to steal and inflict maximum damage when triggered by their Bot Commander. There are several botnets each comprising millions of compromised PCs, such as Zeus, Conficker, Mariposa, ZeroAccess and BredoLab, waiting for the next command from their Bot Commander so that they can spring into action and obediently carry out their strike orders like a well-disciplined and co-ordinated attack army. We never know when, where and how they will strike next. This may sound like the stuff of science fiction; however, the reality of today’s IT landscape is that many millions of destructive secret agents are silently awaiting their next instruction.
Bot Commanders sell their botnet service to the highest bidder. Their customers are criminal gangs, hacktivist groups, perpetrators of industrial/commercial espionage, or politically motivated groups aiming to cause maximum disruption through a cyber warfare offensive. The botnet threat will certainly be a core component of the IT security landscape into the foreseeable future. Botnets are central in widely-distributed malware attacks and advanced persistent threats, and used for sending spam and malware, DDoS attacks, click fraud, the hosting of phishing attacks, distributing key loggers and identity theft.
In late 2012, the Zeus botnet distributed and controlled the Eurograbber malware, which successfully stole $47m from bank customers by compromising TAN communications. Also in 2012, the Mariposa botnet distributed the Yahos malware, which reportedly netted its controllers $850m by spreading through Facebook and stealing credit card and bank account data.
There is little incentive for most individual organisations to directly address the overall botnet problem. Individual computer users and organisations are primarily concerned with protecting themselves from threat, rather than committing resources to eliminate an entire botnet. Only those with wider perspectives such as government-related organisations, or those with global industry interests such as Microsoft, have the incentive to invest resources necessary to disable botnets. Bot Commanders thus operate, not quite with impunity, but with a degree of freedom from intense Bot Hunter attention.
Several factors give the bad guys the upper hand in the battle between Bot Commander and Bot Hunter. It is one thing to discover and clean an individual bot – a PC contaminated with malware that has Command-and-Control (C&C) functionality – but it is another matter entirely to neutralise the whole botnet.
To disable a botnet, the Bot Hunter generally attempts to disrupt communication between the bot and its C&C by analysing the communication traffic to and from the bot. Communication is analysed either by dissecting the malware itself, or by examining network traffic. The botnet can be disarmed by disrupting the DNS hosting service or by shutting down the C&C server.
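One simple form of the network-traffic analysis described above is to look for "beaconing": an infected host polling the same C&C endpoint at near-regular intervals, a pattern that shows up in connection timing even when the payload is encrypted. The following is an added example, not code from the original article; the log format, the constructed sample log, and the thresholds (`min_hits`, `max_cv`) are assumptions chosen for illustration.

```python
"""Beaconing detector: flags hosts that contact the same destination at
near-regular intervals, a common signature of bot-to-C&C polling. Added
example, not from the original article; log format and thresholds assumed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log, one connection per line: "<epoch seconds> <src> <dst> <dport>".
# 10.0.0.5 polls 203.0.113.9:443 every ~300 s (bot-like); 10.0.0.7 browses irregularly.
SAMPLE_LOG = """\
1700000000 10.0.0.5 203.0.113.9 443
1700000301 10.0.0.5 203.0.113.9 443
1700000599 10.0.0.5 203.0.113.9 443
1700000902 10.0.0.5 203.0.113.9 443
1700001200 10.0.0.5 203.0.113.9 443
1700001501 10.0.0.5 203.0.113.9 443
1700000010 10.0.0.7 198.51.100.4 443
1700000045 10.0.0.7 198.51.100.4 443
1700000900 10.0.0.7 198.51.100.4 443
1700001150 10.0.0.7 198.51.100.4 443
1700003000 10.0.0.7 198.51.100.4 443
1700003001 10.0.0.7 198.51.100.4 443
"""

def parse_log(text):
    """Group connection timestamps by (src, dst, dport)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, dport = line.split()
        flows[(src, dst, int(dport))].append(int(ts))
    return flows

def find_beacons(flows, min_hits=5, max_cv=0.2):
    """Return (src, dst, dport, mean_interval_s) for flows whose inter-arrival
    times are regular: coefficient of variation (stdev / mean) below max_cv."""
    beacons = []
    for key, times in flows.items():
        times = sorted(times)
        if len(times) < min_hits:          # too few connections to judge periodicity
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_cv:
            beacons.append((*key, round(avg)))
    return beacons

if __name__ == "__main__":
    for src, dst, dport, period in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{src} -> {dst}:{dport} beacons every ~{period}s")
```

Real bots add jitter to their polling interval, so in practice the `max_cv` threshold is tuned against a baseline of the network's own legitimate periodic traffic (update checks, monitoring agents) before alerting on hits.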
However, Bot Commanders are fighting back and resisting these attempts by employing various methods, such as encrypting C&C communications. The Skynet botnet uses the Tor network to communicate with its C&C, keeping the controller concealed by thwarting network analysis. Another technique is to use bot-to-bot communications rather than going through a centralised C&C server. There has also been a recent trend for Bot Commanders to decentralise their botnet into smaller, isolated divisions, in order to minimise overall disruption should an individual botnet division be disabled.
Android botnets (such as SpamSoldier, or this one) have now been discovered. SpamSoldier steals money by sending SMS messages to premium numbers without the Android user knowing. The malware spreads by sending SMS messages from the infected device to other mobile phones, enticing the recipient to install the malware. Android botnets can be used for the same kinds of attacks as PC-based botnets, such as DDoS attacks. The next devices to be targeted by Bot Commanders could be smart TVs. The attack surface is thus rapidly expanding, making botnets a much greater threat – along with the concomitant increase in the threat of malware, DDoS, identity theft, etc.
We have certainly been invaded and surrounded by an invisible army of secret agents that have successfully infiltrated computer systems in our midst. Science fiction has become a reality that must inspire the IT security industry to develop effective, creative solutions, while a way of incentivising individual security organisations to invest the required resources must also be found.