There’s a common denominator between the surges of phishing email that continue to plague consumers, businesses and government agencies around the globe and the social media-fueled propaganda campaigns Russia has leveraged to undermine democratic elections in Europe and the United States.
Neither would be doable without botnets as they exist today. For most people, the power and complexity of botnets is not easily comprehensible. But now more than ever it’s vital for citizens and companies to fully grasp the role botnets play in not only the digital economy, but on a geo-political level.
1. What’s a Botnet?
A bot is a tiny piece of computer programming language implanted on a connected device by a hacker. That infected nodule’s sole purpose is to receive instructions from a command and control server. A botnet is a network of thousands of nodes, or “bots,” that answer to the same control server.
In today’s cyber environment, any company that fails to continually guard all of the computing devices on its network should expect to have some or all of them diverted into the service of a botnet at some point. When this happens, the affected company will begin donating electricity and computer processing power to whomever controls that botnet. Once control is ceded, that company should also count on the botnet operator moving laterally through the compromised network, turning other devices into bots and stealing any and all valuable data.
2. Classic Botnets
Botnets are comprised of infected PCs (they can also infect IoS machines), servers and virtual computing nodules. One of particular note – Necurs – has been around since 2012 and remains available for hire to anyone in need of distributed processing power on a grand scale. In any given attack, Necurs might wake up and deploy up to a million “bots,” or nodes; the total number of nodes under the controller’s command is believed to be as high as 6 million.
At its birth, Necurs delivered banking trojans, then moved on to ransomware, then to distributed denial of service (DDoS) attacks, then to securities pump-and-dump scams, then back to banking trojans, says Kevin Epstein, vice president of threat operations at messaging security company Proofpoint. “Necurs is being used by financially motivated actors who follow the money,” Epstein says.
3. IoT Botnets
IoT stands for Internet of Things, and it can refer to any connected device that is not a smartphone, tablet or computer. IoT botnets attained notoriety in late 2016 when the Mirai botnet, comprised of hundreds of thousands of infected web cams, video recorders and routers, carried out a massive DDoS attack against an Internet traffic routing service called Dyn. Twitter, Amazon, Paypal and several other big-name companies were knocked off line for the better part of a day.
IoT botnets are made up of comparatively low-powered IoT nodes that can be assembled by the millions. They are better suited to repetitive tasks, such as DDoS attacks and crypto mining, says Luke Somerville, head of special investigations at Forcepoint. “It’s organized crime so you’re dealing with evolution, most of the time, rather than revolution,” says Somerville.
Today Mirai variants continue to expand into new turf, including Mirari Okiru, which targets ARC processors (the chips embedded in cars, mobile devices, smart TVs, surveillance cameras and many more connected products) and Mirai Satori, which hijacks crypto currency mining operations,.
4. Botnet Crypto Mining
Crypto coins are “made” or mined when a complex mathematical equation is solved in the process of enabling behind-the-scenes cryptocurrency transactions. This requires tremendous computing power.
Operators of both classic and IoT botnets are well suited to crypto mining. Classic botnets, like Necurs, can crypto mine during lulls in spamming and IoT botnets, like Mirai, can direct vast numbers of devices to repetitive mining chores.
5. Botnet Stealth
Another area of criminal innovation targets the “sandboxing” defenses that some companies build to protect themselves against attack, says Jack Miller, CISO at startup SlashNext, which supplies systems to mitigate cyberthreats.
Sandboxes divert email carrying a suspicious attachment or link to a quarantined area where the payload is “clicked” to see if anything bad happens. If it does, the company gets a trace on the attacker. Criminals responded to the sandbox strategy by writing code designed to detect if a human using a mouse is clicking that payload. If the program detects sandboxing, the malware won’t execute, thus preserving the attacker’s identity.
Botnet-delivered email attacks won’t stop anytime soon, nor will the botnet-borne Russian propaganda that continues to inundate Twitter and Facebook. The situation is at a crisis level, and has been for a while. The only defense here is vigilance and a little luck. More than anything, make sure your company proactively creates a culture of good cyber hygiene, and that cybersecurity is always on the forefront of everyone’s mind–from the mailroom to the board room.