The smart connected devices of the modern era are well ahead of the traditional internet in that they do not rely on human intervention to function. Sensors attached to them collect, communicate, analyze, and act on information, offering new ways for technology, media and telecommunications businesses to create value. However, that efficiency also creates new opportunities for all of that information to be compromised. Not only is more data being shared across the connected network, among many more participants, but more sensitive data is being shared. As a result, the risks are exponentially greater, as Deloitte has noted. Among the security risks hanging over the connected network, botnet attacks are one of the most dangerous and chilling for practitioners. To understand why, let us first look at what a botnet is and what a botnet attack is.
According to Norton, “Botnets are the workhorses of the Internet. They’re connected computers performing a number of repetitive tasks to keep websites going. It’s most often used in connection with Internet Relay Chat. These types of botnets are entirely legal and even beneficial to maintaining a smooth user experience on the Internet.”
Kaspersky, for its part, describes how a malicious botnet is built: “Cybercriminals use special Trojan viruses to breach the security of several users’ computers, take control of each computer and organize all of the infected machines into a network of ‘bots’ that the criminal can remotely manage.”
It further explains that the cybercriminal will often seek to infect and control thousands, tens of thousands or even millions of computers, so that they can act as the master of a large ‘zombie network’ (or ‘bot-network’) capable of delivering a Distributed Denial of Service (DDoS) attack, a large-scale spam campaign or other types of cyberattack. In some cases, cybercriminals establish a large network of zombie machines and then sell access to it to other criminals, either on a rental basis or as an outright sale. Spammers may rent or buy such a network to run a large-scale spam campaign.
How can one protect against Malicious Bots?
Because botnets are a constantly evolving threat, experts say defending against them requires constant vigilance and attention to the rapidly changing bot landscape. Bruce Beam, CIO of the (ISC)² IT security professional non-profit group, suggests starting with the basics. He says, “That means making sure you’re always up to date on patches because botnets explode when they hit unpatched networks. You also need to have a defense in depth, which starts with training your workforce about what to look for. And you should have rules-based access with firewalls inside your environment both east and west so that if bots get in, they can’t spread throughout your entire network.”
To this, Kenneth Wilder, a cybersecurity expert working in the healthcare industry and vice president of ISACA’s Austin chapter, adds, “Enterprises need to look where they’re most vulnerable, including in automation, mobility and cloud computing. API security is also extremely important for closing out bots. With APIs, you have applications talking to other applications directly, so you have to make sure you have the proper authentication and security monitoring controls.”
As reported by Symantec, Wilder further says that the DevOps continuous delivery model of constant updates and application development, if done improperly, can lead to an increase in security holes through which bots can crawl. Security, he says, needs to be built directly into the DevOps process rather than handled separately after development is done.
Finally, Wilder advises enterprises to “ensure you have a strong security training and awareness program. Human interaction with software is not going away any time soon, and humans are the weakest link in the chain. So, we have to do better in making sure that employees are aware of bot threats and know how to protect themselves and the enterprise.”
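The two API controls Wilder names, proper authentication and monitoring of what talks to the API, can be made concrete in a few dozen lines. The following is an added example written for this page; it is not code from the article, from Wilder, or from any vendor product. Each client signs its request with a per-client HMAC key over the client ID, method, path, timestamp and body; the server rejects stale timestamps (a cheap replay guard) and keeps a sliding-window count of failed authentications per source address, raising an alert when a source looks like a bot hammering the endpoint. The header names, the signing string layout, the client keys, the source addresses and the thresholds are all assumptions chosen for illustration.

```python
"""HMAC-authenticated API requests with failed-authentication monitoring.

Added example, not code from the article or any vendor product.  Header
names, the signing string, the client keys and the alert thresholds are
assumptions chosen for illustration.
"""
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Hypothetical per-client shared secrets; a real deployment loads these
# from a secrets store and rotates them.
CLIENT_KEYS = {
    "inventory-svc": b"inventory-example-secret",
    "billing-svc": b"billing-example-secret",
}
MAX_SKEW = 300  # seconds; signatures older than this are treated as replays


def sign(client_id, method, path, body, ts, key):
    """Signature over the parts that matter: who, what, where, when, payload."""
    msg = f"{client_id}\n{method}\n{path}\n{ts}\n".encode() + body
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ApiAuth:
    """Verifies signed requests and raises an alert on repeated failures."""

    def __init__(self, keys, fail_threshold=5, window=60):
        self.keys = keys
        self.fail_threshold = fail_threshold
        self.window = window
        self.failures = defaultdict(deque)  # src -> timestamps of failed auths
        self.alerts = []                    # (src, failures_in_window)

    def _record_failure(self, src, now):
        q = self.failures[src]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= self.fail_threshold:
            self.alerts.append((src, len(q)))

    def verify(self, src, headers, method, path, body, now=None):
        """Return True only for a fresh, correctly signed request."""
        now = time.time() if now is None else now
        client = headers.get("X-Client-Id")
        ts = headers.get("X-Timestamp", "")
        presented = headers.get("X-Signature", "")
        key = self.keys.get(client)
        try:
            fresh = abs(now - int(ts)) <= MAX_SKEW
        except ValueError:
            fresh = False  # missing or garbage timestamp
        ok = (
            key is not None
            and fresh
            # constant-time comparison: do not leak how many bytes matched
            and hmac.compare_digest(
                presented.encode(),
                sign(client, method, path, body, ts, key).encode(),
            )
        )
        if not ok:
            self._record_failure(src, now)
        return ok


if __name__ == "__main__":
    now = int(time.time())
    body = b'{"sku":"A1","qty":2}'
    hdrs = {
        "X-Client-Id": "inventory-svc",
        "X-Timestamp": str(now),
        "X-Signature": sign("inventory-svc", "POST", "/v1/orders", body,
                            str(now), CLIENT_KEYS["inventory-svc"]),
    }
    auth = ApiAuth(CLIENT_KEYS)
    print("valid request:", auth.verify("10.0.0.5", hdrs, "POST", "/v1/orders", body))
    for i in range(5):  # an unauthenticated bot retrying with a bogus signature
        auth.verify("198.51.100.7", {"X-Client-Id": "billing-svc",
                                     "X-Timestamp": str(now), "X-Signature": "00"},
                    "GET", "/v1/orders", b"")
    print("alerts:", auth.alerts)
```

The point of the signed timestamp is that a captured request cannot simply be replayed after MAX_SKEW seconds; the point of the failure counter is that a credential-stuffing or scanning bot shows up as a source with many rejected requests, which is the monitoring signal the quote asks for. In production the counter would feed a SIEM or a rate limiter rather than an in-memory list.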
Most Dangerous Botnet Attacks of 21st Century
As noted by EC-Council Blog, here are the most dangerous botnet attacks of the last 20 years.
EarthLink Spammer (2000) – The first botnet to be recognized by the public, in 2000. EarthLink Spammer was created to send phishing emails in large numbers, masked as communications from legitimate websites. Over 1.25 million malicious emails were sent in the span of a year to collect sensitive information such as credit card details.
Cutwail (2007) – Malware discovered in 2007 that targets Windows systems through malicious emails. Cutwail was distributed via the Pushdo Trojan, which turned the infected system into a spambot. MessageLabs, a security firm, estimated that Cutwail had compromised 1.5 to 2 million systems and was capable of sending 74 billion spam emails per day.
Storm (2007) – It may not be the most malicious piece of malware in the history of botnets, but it is on track to be the most successful, with more than 1 million systems infected. Storm was one of the first peer-to-peer botnets, meaning it could be controlled from several different servers rather than a single command-and-control host. Storm is activated on a victim’s system by messages that lure the user to a malicious website, from which the malware is downloaded.
Grum (2008) – A massive pharmaceutical spam bot identified in 2008. Grum turned out to be larger and more complex than experts had imagined. At the time of its takedown in July 2012, it was sending 18 billion spam emails per day, and law enforcement identified 136,000 internet addresses that were sending spam for Grum.
Kraken (2008) – Reported to be twice as powerful as Storm. Damballa, an internet security company, was the first to report Kraken. Unlike Storm’s peer-to-peer design, Kraken used command-and-control servers located in different parts of the world. The botnet infected the infrastructure of 50 of the Fortune 500 companies, and Damballa claimed that infected machines were sending over 500,000 spam messages per day.
Mariposa (2008) – Mariposa originated in Spain in 2008 and hijacked around 12.7 million computers around the world within two years. “Mariposa” is the Spanish word for butterfly; the botnet got its name because it was built with a crimeware kit called Butterfly Flooder, which its author, Matjaž Škorjanc, was later convicted for writing and selling. Mariposa infected computers in more than 190 countries via various methods, including instant messaging, file sharing, removable drives and more.
Methbot (2016) – The largest digital ad fraud operation recorded at the time, it acquired thousands of IP addresses from US-based ISPs. The operators first created more than 6,000 domains and 250,267 distinct URLs that appeared to belong to premium publishers such as ESPN and Vogue, then pointed bot traffic at the ads served on them to collect the revenue.
Mirai (2016) – Mirai infects Linux-based IoT devices such as routers, IP cameras and DVRs and turns them into a botnet that is used mainly to launch DDoS attacks. It spreads by scanning for devices whose telnet service still accepts factory-default usernames and passwords; if the defaults have not been changed, Mirai logs in and infects the device. In 2016, Mirai’s authors launched a large DDoS attack on the website of a security service company. About a week later they published the source code, which obscured the origin of the attack; other cybercriminals adopted it, and a Mirai variant is believed to have been used later the same year against the DNS provider Dyn.
3ve (2018) – 3ve comprised three distinct but interconnected sub-operations, each of which skillfully evaded investigation while perpetrating ad fraud. Google, White Ops and other tech companies coordinated to shut 3ve down. It infected around 1.7 million computers and a large number of servers that generated fake traffic with bots. The operation also counterfeited 5,000 websites to impersonate legitimate web publishers and used 60,000 accounts with digital advertising companies, so that the fraudsters were paid for the ads served.
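The Mirai entry above describes the infection mechanism as a credential problem: the bot walks a list of factory-default username/password pairs against exposed telnet services. The script below, added here as an example and not taken from the article, from EC-Council, or from the published Mirai source, shows the detection side of that behaviour. It parses telnet login records in a constructed honeypot-style format and flags any source that cycles through known default pairs within a short window, distinguishing a scanner from a legitimate user who mistypes a password. The log format, the RFC 5737 source addresses and the credential list are assumptions; DEFAULT_CREDS is a small hand-picked subset of the kind of defaults Mirai tried, not the full list.

```python
"""Flag Mirai-style default-credential brute forcing in telnet login logs.

Added example, not code from the article or from the Mirai source.
Log format, addresses and the credential list are assumptions for
illustration; DEFAULT_CREDS is a hand-picked subset of factory defaults of
the kind Mirai cycled through, not the full list.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed subset of factory-default (user, password) pairs.
DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("root", "888888"),
    ("root", "xmhdipc"), ("root", "default"), ("root", "123456"), ("root", "root"),
    ("admin", "admin"), ("admin", "1234"), ("admin", "password"),
    ("support", "support"), ("user", "user"), ("guest", "guest"), ("ubnt", "ubnt"),
}

# Constructed telnet-honeypot style records (hypothetical format, RFC 5737 addresses).
SAMPLE_LOG = """\
2016-10-21T11:02:13Z src=198.51.100.23 user=root pass=xc3511 result=FAIL
2016-10-21T11:02:14Z src=198.51.100.23 user=root pass=vizxv result=FAIL
2016-10-21T11:02:14Z src=198.51.100.23 user=admin pass=admin result=FAIL
2016-10-21T11:02:15Z src=198.51.100.23 user=root pass=admin result=FAIL
2016-10-21T11:02:16Z src=198.51.100.23 user=support pass=support result=FAIL
2016-10-21T11:02:17Z src=198.51.100.23 user=root pass=888888 result=OK
2016-10-21T11:05:40Z src=203.0.113.9 user=alice pass=Str0ngPassw0rd! result=FAIL
2016-10-21T11:05:52Z src=203.0.113.9 user=alice pass=Str0ngPassw0rd? result=OK
2016-10-21T11:09:01Z src=192.0.2.77 user=admin pass=admin result=FAIL
2016-10-21T11:09:03Z src=192.0.2.77 user=admin pass=1234 result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<res>OK|FAIL)$"
)


def parse_log(text):
    """Return a list of (timestamp, src, user, password, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the expected format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["pw"], m["res"] == "OK"))
    return events


def is_default(event):
    return (event[2], event[3]) in DEFAULT_CREDS


def detect_default_cred_bruteforce(text, window=timedelta(seconds=60),
                                   min_attempts=5, min_default_ratio=0.6):
    """Map each suspicious source IP to a summary of its activity.

    A source is flagged when, inside any `window`, it makes at least
    `min_attempts` logins and at least `min_default_ratio` of them use a
    pair from DEFAULT_CREDS.  A user mistyping their own password does not
    trip this; a scanner walking a default list does.
    """
    by_src = defaultdict(list)
    for ev in parse_log(text):
        by_src[ev[1]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        flagged = False
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # keep evs[start:end+1] inside the time window
            chunk = evs[start:end + 1]
            if len(chunk) < min_attempts:
                continue
            if sum(map(is_default, chunk)) / len(chunk) >= min_default_ratio:
                flagged = True
                break
        if flagged:
            defaults = [e for e in evs if is_default(e)]
            findings[src] = {
                "attempts": len(evs),
                "distinct_creds": len({(e[2], e[3]) for e in evs}),
                "default_hits": len(defaults),
                # a successful login with a default pair means the device is owned
                "default_login_succeeded": any(e[4] for e in defaults),
            }
    return findings


if __name__ == "__main__":
    for src, info in detect_default_cred_bruteforce(SAMPLE_LOG).items():
        print(src, info)
```

On the constructed sample, only 198.51.100.23 is reported, with default_login_succeeded set, which is the finding a responder cares about: the device accepted a factory credential and should be treated as compromised, not merely probed. The two-attempt sources stay below the threshold, so a user correcting a typo does not generate noise.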
What Happened in 2019?
The notable events in the botnet space that took place in the past year, 2019, are as follows.
• The Ecuadorian government claims it suffered 40 million cyber-attacks a day as a result of its action to evict Julian Assange.
• Finland suffered a Distributed Denial of Service attack targeting Parliamentary Election results services used by the government to communicate the outcome of the elections with the general population.
• The Muhstik botnet exploited CVE-2019-2725, a deserialization vulnerability in Oracle WebLogic Server.
• The AESDDoS botnet exploited Atlassian Confluence Server via CVE-2019-3396, a server-side template injection in the Widget Connector. The botnet was also seen exploiting misconfigured, publicly exposed Docker Engine - Community API endpoints.
• A hacker was able to brute-force the back end and hijack 29 IoT botnets.
• Telegram suffered a large-scale DDoS attack that it said originated from China and was related to the protests in Hong Kong.
• South African ISP Cool Ideas struggled to stay online amid a persistent DDoS campaign in which attackers targeted random IP addresses on its network using multiple amplification vectors.
• Gaming companies began taking legal action against DDoS attackers. Blizzard announced that the person it believes was behind the World of Warcraft Classic DDoS had been arrested, while Ubisoft began banning players suspected of attacking Rainbow Six Siege with DDoS attacks.