Botnets! Danger, Will Robinson!

In September 2016, we witnessed one of the most destructive Distributed Denial of Service (DDoS) attacks in history – one which temporarily crashed high-profile services, and disabled enterprises and organizations for several hours all around the world. Was this a sophisticated major attack from a nation-state? Not quite. It was a relatively simple piece of code that utilized well-known default passwords found on home gateways, video surveillance cameras, and digital video recorders. It was the work of the now infamous Mirai botnet.

Even four years later, Mirai is still “in the wild.” Various cyber-players and criminals have gotten their hands on the code to ‘improve’ it, and there are now several variants of the Mirai code. But Mirai is just one example of a broader trend – botnets have been a dangerous threat for years and continue to plague enterprises.  

But what is a botnet exactly?

A botnet is, at its core, a piece of code that does a few basic tasks. First, the code has methods and processes to infect hosts within a network environment. Second, it can replicate and hence propagate to neighboring hosts. Third, communication is critical for the proper functioning of a botnet: the channel back to the “botnet master,” through which an attacker sends commands to compromised systems, is known as Command and Control, or C2. Fourth, it performs some sort of function. This can be rather benign, such as web scraping, or it can be a malicious action, such as mounting a DDoS or ransomware attack.

A Recent History

The first known recorded botnet was a spammer called EarthLink, designed to support phishing campaigns in 2000. The botnet sent 1.25 million emails and remained active for more than a year. The code was built with the intention of gathering credit card information and other personal data for identity theft.

In 2007, two other prominent botnets appeared. Storm was the first peer-to-peer botnet. In earlier botnet versions, there was typically a centralized control point, but as time moved on it became obvious that in order to avoid discovery and mapping, attackers would need a more dynamic method of command and control. This novel behavior made Storm very impactful, and it was moved into the Dark Web marketplace to be sold and supported. As a result, Storm was involved in many criminal activities, ranging from DDoS to identity theft. Fortunately, Storm has since been shut down. Cutwail made a major global impact in the same time frame, with its peak in 2009. However, despite efforts of international law enforcement, the code is still active and remains available on the Dark Web.

2008 was a banner year with the appearance of three new botnets: Grum, Kraken, and Mariposa. Grum targeted the pharmaceutical and medical space. By 2009, it became one of the largest spam generators in the world. In 2012, international law enforcement identified Grum command and control centers across the globe and was able to successfully shut it down. Kraken grew to a network of almost half a million bots and affected many Fortune 500 companies. Yet Kraken was rather elusive because it was the first botnet to utilize evasion techniques against antivirus malware identification. Kraken is not active today, but traces of it are still showing up in security systems, so it could rear its head again in the future. Mariposa was of Spanish origin, and while no longer active, it was the second-largest botnet to date at the time.

Flash forward to 2016. Aside from Mirai, Methbot emerged as a dangerous threat. Methbot was able to obtain access to global IP address registries and then associate the addresses with US ISPs. The botnet’s operators then created thousands of domains and hundreds of thousands of URLs, which they used to run their scam. It was successfully shut down in 2015, but still runs the risk of resurfacing.

In my next blog post, I will discuss botnets through the lens of the four basic tasks listed earlier: infection, propagation, command and control, and botnet function. I will outline how botnet activity has evolved over time, and then offer advice on how to address this significant and growing threat.