As security companies and law enforcement take enhanced security measures to disrupt botnet activity, cybercrime organizations continue to improve command & control techniques to increase the ROI of their sophisticated botnets.
These large groups of compromised computers are managed from a centralized system to send spam, perform denial of service (DoS) and distributed denial of service (DDoS) attacks, and have been involved in the rise of ransomware. Why the effort?
It’s all about the money
The latest figures from the FBI show that botnets have inflicted more than $9bn in losses on US citizens and more than $110bn globally, infecting more than 500 million computers per year, or roughly 18 systems per second.
Some 3,000 malware samples per minute were released on the internet on average in 2015, causing 38% more incidents for companies than the previous year, ranging from trivial to highly sophisticated attacks. Advanced threats make detection, removal and mitigation significantly harder, and the same botnets serve as tools for those who orchestrate further attacks (DoS and DDoS incidents and other harmful uses). Used as a commercial malware delivery platform, leasing a botnet for a short period allows immediate deployment of malware samples (commercial ransomware in particular) that may infect even more systems.
DoS and DDoS attacks have increased not because of ideological motivations, but because of financial motivation. Likewise, accessing critical company data and selling it to the highest bidder (or, in the case of ransomware, selling it back to the owner) offers far greater financial reward than other cybercriminal activities. In 2015, ransomware caused $350 million in damage, living up to its reputation as the most significant menace targeting Internet users and organizations to date. For more details, here’s Bitdefender’s report on: “Ransomware. A victim’s perspective”.
2015 saw some 1,500 DDoS attacks – a 180 percent increase from the previous year. However, the average attack is shorter and lower in volume than in the past. The average DDoS attack lasted 18.86 hours, down from 22.36 hours in 2014, according to HOTforSecurity. The US and China are the sources of most attacks.
Botnet footprints in enterprises range from botnets that inadvertently infiltrate computers due to a lack of company policies, to enterprise-targeted and state-sponsored attacks. Enterprise-targeted botnets usually rely on sophisticated multi-purpose Remote Access Trojans (RATs) with worming functions that can exploit standard network services. Typically, they include native proxy support and the capability to use the user’s credentials to navigate out of the network to a command & control server.
Other types of botnets rely on off-the-shelf malware components, usually built from commercial DIY malware kits. This means the bot-master has a high degree of knowledge about the enterprise and already knows where to find the valuable information.
State-sponsored tools targeting specific industries and technologies vary in sophistication and functionality, and don’t usually follow any discernible pattern in infection vectors and payloads. The EU also noted in a 2015 report on governmental attacks that smaller and militarily less advanced countries appear to readily embrace such ‘patriotic’ hackers, as they benefit from the tactical asymmetry – a sort of virtual guerrilla warfare – that cyberspace offers.
Botnets also drive advertising fraud: automated bots cost advertisers an estimated $7.2 billion, according to a study by the Association of National Advertisers (ANA), cited by eWeek. Bots trigger non-human clicks and ad impressions that cost advertisers money and generate revenue for bot owners. In 2014, the ANA/White Ops study found bot fraud rates of 2 to 22 percent among advertisers, which grew to a range of 3 to 37 percent for 2015.
IoT development boosts botnet proliferation
The prevalence of Internet-connected devices makes it easy for a bot-master to seize and control thousands, if not hundreds of thousands, of “zombies”. Our own data shows that the vast majority of devices in a botnet are in Asia.
As with any network of endpoints, a degree of control must be maintained. The methods and infrastructure used to control a botnet have evolved significantly. Using Tor anonymization to command an entire network of “zombies”, along with multi-tier proxies, is a new trend that raises serious concerns about how these large infrastructures could be dismantled.
The classic botnet works by dialing back to a relatively static C&C server, making it straightforward for a security company to initiate a takedown and set up a blackholing system. Today, we are seeing large botnets with far more sophisticated C&C methods.
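The static dial-back described above is also what makes classic botnets detectable. The following added example (not code from the article or from Bitdefender) scans constructed proxy log lines for hosts that contact one destination on a fixed cadence and returns those destinations as blackhole or DNS-sinkhole candidates; the log format, thresholds and host names are assumptions made for this illustration.

```python
"""Added example: flag regular dial-back (beaconing) to a static host in
proxy logs and emit the destination as a blackhole/sinkhole candidate."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log, one "<epoch> <src_ip> <dst_host>" per line.
SAMPLE_LOG = """\
1700000000 10.0.0.5 updates.example.org
1700000300 10.0.0.5 cnc-static.example.net
1700000600 10.0.0.5 cnc-static.example.net
1700000900 10.0.0.5 cnc-static.example.net
1700001200 10.0.0.5 cnc-static.example.net
1700001500 10.0.0.5 cnc-static.example.net
1700000042 10.0.0.7 news.example.com
1700000871 10.0.0.7 news.example.com
1700003150 10.0.0.7 news.example.com
"""

def parse_log(text):
    """Return {(src, dst): [sorted connection timestamps]}."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, src, dst = line.split()
            conns[(src, dst)].append(int(ts))
    return {k: sorted(v) for k, v in conns.items()}

def find_beacons(conns, min_hits=5, max_jitter=0.1):
    """A (src, dst) pair beacons when it has at least min_hits connections
    whose inter-arrival gaps vary by no more than max_jitter of their mean.
    Thresholds are assumed values; tune them to the monitored network."""
    hits = []
    for (src, dst), times in conns.items():
        if len(times) < min_hits:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append({"src": src, "dst": dst, "period_s": avg, "count": len(times)})
    return hits

def blackhole_candidates(text):
    """Distinct beaconed destinations to feed a DNS sinkhole or null-route list."""
    return sorted({h["dst"] for h in find_beacons(parse_log(text))})

if __name__ == "__main__":
    for h in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{h['src']} -> {h['dst']} every {h['period_s']:.0f}s x{h['count']}")
    print("sinkhole candidates:", blackhole_candidates(SAMPLE_LOG))
```

Once a destination is sinkholed, the same cadence check on the sinkhole's own logs enumerates the infected hosts that still dial back.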
Bitdefender experts have previously explored two well-known botnets, CryptoLocker and Pushdo, and the techniques they have used.
Once CryptoLocker gains access to a computer, it contacts its command-and-control center, which, in turn, generates a 2048-bit RSA key pair. The public key is sent back to the computer and is used to encrypt files with specific extensions. To give an idea of how strong the key is, imagine that if a victim had started cracking the key on a regular computer right after the Big Bang, they would now be 0.02% of the way through decryption. Bitdefender’s research into CryptoLocker has revealed that the entire anonymization process is handled via multi-tier proxies that hide communication between the bots and the bot master.
Pushdo, by contrast, is a spam Trojan and malware dropper that also uses private and public keys to protect communication between the bots and the C&C server. It is primarily used to send spam from infected machines, and it can also download other malicious files.
Final thoughts: Patch and protect
Enterprises need to maintain patch levels and run strong antimalware on all systems.
Centralized security management and highly capable staff should be considered the baseline of protection. Identifying a small cluster of infected systems, perhaps by detecting an ‘over-the-counter’ piece of malware, may be exactly what it seems. However, it may also be that the weakest link in a chain of attack has been discovered, and extra investigation and vigilance are needed to be sure that other parts of the attack do not persist.