A botnet is a collection of internet-connected devices that an attacker has compromised. Botnets act as a force multiplier for individual attackers, cyber-criminal groups and nation-states looking to disrupt or break into their targets’ systems. Commonly used in distributed denial of service (DDoS) attacks, botnets can also take advantage of their collective computing power to send large volumes of spam, steal credentials at scale, or spy on people and organizations.
Malicious actors build botnets by infecting connected devices with malware and then managing them using a command and control server. Once an attacker has compromised a device on a specific network, all the vulnerable devices on that network are at risk of being infected.
A botnet attack can be devastating. In 2016, the Mirai botnet shut down a large portion of the internet, including Twitter, Netflix, CNN and other major sites, as well as major Russian banks and the entire country of Liberia. The botnet took advantage of unsecured internet of things (IoT) devices such as security cameras, installing malware that then attacked the DYN servers that route internet traffic. The graphic below from Distil Networks’ 2019 Bad Bot Report provides an overview of what the different types of bots can do.
The industry woke up, and device manufacturers, regulators, telecom companies and internet infrastructure providers worked together to isolate compromised devices, take them down or patch them, and make sure that a botnet like could never be built again.
Just kidding. None of that happened. Instead, the botnets just keep coming.
Examples of known botnets
Here are just some of the known active botnets.
Even the Mirai botnet is still up and running. According to a report released by Fortinet in August 2018, Mirai was one of the most active botnets in the second quarter of that year.
Since the release of its source code two years ago, Mirai botnets have even added new features, including the ability to turn infected devices into swarms of malware proxies and cryptominers. They’ve also continued to add exploits targeting both known and unknown vulnerabilities, according to Fortinet.
In fact, cryptomining is showing up as a significant change across the botnet universe, says Tony Giandomenico, Fortinet’s senior security strategist and researcher. It allows attackers to use the victim’s computer hardware and electricity to earn Bitcoin, Monero and other cryptocurrencies. “That’s the biggest thing that we’ve been experiencing over the past few months,” he says. “The bad guys are experimenting with how they can use IoT botnets to make money.”
Reaper (a.k.a. IoTroop)
Mirai is just the start. In fall 2017, Check Point researchers said they discovered a new botnet, variously known as “IoTroop” and “Reaper,” that’s compromising IoT devices at an even faster pace than Mirai did. It has the potential to take down the entire internet once the owners put it to work.
Mirai infected vulnerable devices that used default user names and passwords. Reaper goes beyond that, targeting at least nine different vulnerabilities from nearly a dozen different device makers, including major players like D-Link, Netgear and Linksys. It’s also flexible, in that attackers can easily update the botnet code to make it more damaging.
According to research by Recorded Future, Reaper was used in attacks on European banks this year, including ABN Amro, Rabobank and Ing.
Discovered in early 2019, Echobot is a Mirai variant that uses at least 26 exploits to propagate itself. Like many other botnets, it takes advantage of unpatched IoT devices, but also exploits vulnerabilities in enterprise applications such as Oracle WebLogic and VMware SD-WAN.
Echobot was discovered by Palo Alto Networks, and its report on the botnet concludes that it is an effort to form larger botnets to execute larger DDoS attacks.
Emotet, Gamut and Necurs
The main purpose of these three botnets is to spew spam at high volume to deliver a malicious payload or get victims to perform a certain action. Each seems to have its own specialty, according to Cisco’s Email: Click with Caution report.
Emotet can steal email from victims’ mailboxes, which allows the attackers to craft convincing yet malicious messages to fool recipients. Attackers can also use it to steal SMTP credentials, useful to take over email accounts.
Gamut seems to specialize in spam emails that try to establish a relationship with the victims. This might be in the form of a dating or romance guise, or a phony job offer.
Necurs is known to deliver ransomware and other digital extortion attacks. Although it hasn’t received as much attention recently since discovered in 2012, the Cisco report says it is still very much active and dangerous.
Why we can’t stop botnets
The challenges to shutting botnets down include the widespread availability and ongoing purchases of insecure devices, the near impossibility of simply locking infected machines out of the internet, and difficulty tracking down and prosecuting the botnet creators. When consumers go into a store to buy a security camera or other connected device, they look at features, they look for recognizable brands, and, most importantly, they look at the price.
Security is rarely a top consideration. “Because [IoT devices are] so cheap, the likelihood of there being a good maintenance plan and fast updates is low,” says Ryan Spanier, director of research at Kudelski Security.
Meanwhile, as people continue to buy low-cost, insecure devices, the number of vulnerable end points just keeps going up. Research firm IHS Markit estimates that the total number of connected devices will rise from nearly 27 billion in 2017 to 125 billion in 2030.
There’s not much motivation for manufacturers to change, Spanier says. Most manufacturers face no consequences at all for selling insecure devices. “Though that’s starting to change in the past year,” he says. “The US government has fined a couple of manufacturers.”
For example, the FTC sued D-Link in 2017 for selling routers and IP cameras full of well-known and preventable security flaws such as hard-coded login credentials. However, a federal judge dismissed half of the FTC’s complaints because the FTC couldn’t identify any specific instances where consumers were actually harmed.
How to detect botnets: Target traffic
Botnets are typically controlled by a central command server. In theory, taking down that server and then following the traffic back to the infected devices to clean them up and secure them should be a straightforward job, but it’s anything but easy.
When the botnet is so big that it impacts the internet, the ISPs might band together to figure out what’s going on and curb the traffic. That was the case with the Mirai botnet, says Spanier. “When it’s smaller, something like spam, I don’t see the ISPs caring so much,” he says. “Some ISPs, especially for home users, have ways to alert their users, but it’s such a small scale that it’s not going to affect a botnet. It’s also really hard to detect botnet traffic. Mirai was easy because of how it was spreading, and security researchers were sharing information as fast as possible.”
Compliance and privacy issues are also involved, says Jason Brvenik, CTO at NSS Labs, Inc., as well as operational aspects. A consumer might have several devices on their network sharing a single connection, while an enterprise might have thousands or more. “There’s no way to isolate the thing that’s impacted,” Brvenik says.
Botnets will try to disguise their origins. For example, Akamai has been tracking a botnet that has IP addresses associated with Fortune 100 companies — addresses that Akamai suspects are probably spoofed.
Some security firms are trying to work with infrastructure providers to identify the infected devices. “We work with the Comcasts, the Verizons, all the ISPs in the world, and tell them that these machines are talking to our sink hole and they have to find all the owners of those devices and remediate them,” says Adam Meyers, VP of intelligence at CrowdStrike, Inc.
That can involve millions of devices, where someone has to go out and install patches. Often, there’s no remote upgrade option. Many security cameras and other connected sensors are in remote locations. “It’s a huge challenge to fix those things,” Meyers says.
Plus, some devices might no longer be supported, or might be built in such a way that patching them is not even possible. The devices are usually still doing the jobs even after they’re infected, so the owners aren’t particularly motivated to throw them out and get new ones. “The quality of video doesn’t go down so much that they need to replace it,” Meyers says.
Often, the owners of the devices never find out that they’ve been infected and are part of a botnet. “Consumers have no security controls to monitor botnet activity on their personal networks,” says Chris Morales, head of security analytics at Vectra Networks, Inc.
Enterprises have more tools at their disposal, but spotting botnets is not usually a top priority, says Morales. “Security teams prioritize attacks targeting their own resources rather than attacks emanating from their network to external targets,” he says.
Device manufacturers who discover a flaw in their IoT devices that they can’t patch may, if sufficiently motivated, do a recall, but even then, it might not have much of an effect. “Very few people get a recall done unless there’s a safety issue, even if there’s a notice,” says NSS Labs’ Brvenik. “If there’s a security alert on your security camera on your driveway, and you get a notice, you might think, ‘So what, they can see my driveway?'”
How to prevent botnet attacks
The Council to Secure the Digital Economy (CSDE), in cooperation with the Information Technology Industry Council, USTelecom and other organizations, recently released a very comprehensive guide to defending enterprises against botnets. Here are the top recommendations.
Update, update, update
Botnets use unpatched vulnerabilities to spread from machine to machine so that they can cause maximum damage in an enterprise. The first line of defense should be to keep all systems updated. The CSDE recommends that enterprises install updates as soon as they become available, and automatic updates are preferable.
Some enterprises prefer to delay updates until they’ve had time to check for compatibility and other problems. That can result in significant delays, while some systems may be completely forgotten about and never even make it to the update list.
Enterprises that don’t use automatic updates might want to reconsider their policies. “Vendors are getting good at testing for stability and functionality,” says Craig Williams, security outreach manager for Talos at Cisco Systems, Inc.
Cisco is one of the founding partners of the CSDE, and contributed to the anti-botnet guide. “The risk that used to be there has been diminished,” he says.
It’s not just applications and operating systems that need automatic updates. “Make sure that your hardware devices are set to update automatically as well,” he says.
Legacy products, both hardware and software, may no longer be updated, and the anti-botnet guide recommends that enterprises discontinue their use. Vendors are also extremely unlikely to provide support for pirated products.
Lock down access
The guide recommends that enterprises deploy multi-factor and risk-based authentication, least privilege, and other best practices for access controls. After infecting one machine, botnets also spread by leveraging credentials, says Williams. By locking down access, the botnets can be contained in one place, where they’re do less damage and are easier to eradicate.
One of the most effective steps that companies can take is to use physical keys for authentication. Google, for example, began requiring all its employees to use physical security keys in 2017. Since then, not a single employee’s work account has been phished, according to the guide.
“Unfortunately, a lot of business can’t afford that,” says Williams.In addition to the upfront costs of the technology, the risks that employees will lose keys are high.
Smartphone-based second-factor authentication helps bridge that gap. According to Wiliams, this is cost effective and adds a significant layer of security. “Attackers would have to physically compromise a person’s phone,” he says. “It’s possible to get code execution on the phone to intercept an SMS, but those types of issues are extraordinarily rare.”
Don’t go it alone
The anti-bot guide recommends several areas in which enterprises can benefit by looking to external partners for help. For example, there are many channels in which enterprises can share threat information, such as CERTs, industry groups, government and law enforcement information sharing activities, and via vendor-sponsored platforms.