What is a botnet? When armies of infected IoT devices attack

Controlling thousands or even millions of devices gives cyber attackers the upper hand to deliver malware or conduct a DDoS attack.


It's no longer enough to secure the perimeter, or endpoint devices. "Attackers are really creative these days," says Williams. "They can add stress to your network from a number of different vendors." Having multiple defensive systems in place is like having several locks on a door, he says. If the attackers figure out how to get past one lock, the other locks will stop them.

The anti-botnet guide recommends that enterprises consider using advanced analytics to secure users, data, and networks, to ensure that security controls are correctly set, and to use network segmentation and network architectures that securely manage traffic flows. For example, IoT devices should be on a separate, isolated part of the network, says Williams.

The Mirai botnet, for example, took advantage of insecure connected devices. "When you have IoT devices that can't be patched on the same network as the rest of the enterprise, it adds a significant level of risk that doesn't need to be there," he says.

Botnet dragnets have some success

In late 2017, the Andromeda botnet was taken down by the FBI working together with law enforcement in Europe. Over the previous six months, the botnet had been detected on or blocked on an average of more than a million machines every month.

According to Fortinet, however, the Andromeda botnet was still active in the second quarter of this year -- in fact, it was the second biggest by volume, infecting devices on more than 20 percent of companies. It's hard to take them down, says Fortinet's Giandomenico. "Who is responsible? Is it the government that's responsible for going out there and cleaning it up?"

And it's about to get even harder, he adds.

With a botnet controlled by central servers, once the servers are removed, the botnet becomes inactive. But botnets are starting to operate in mesh fashion, with peer-to-peer communications that can make the botnets extremely resilient, Giandomenico says. It's not just a theoretical problem, he adds, with a few botnets already known to be running in decentralized, mesh mode. "It is a slow but growing trend," he says. "Some of the more famous ones are Hajime, Hide N’ Seek and TheMoon.”

In addition to taking down command and control servers, authorities can also attack botnets by going after their customers. DDoS-as-a-service providers, for example, use botnets to launch massive attacks on behalf of anyone with some spare cash in their PayPal or Bitcoin wallets.

This spring, authorities from the UK and the Netherlands teamed up in Operation Power Off to take down one of the largest DDoS-as-a-service operators, webstresser.org, and arrested platform admins located in the UK, Croatia, Canada and Serbia. The service had 136,000 registered users and was responsible for 4 million attacks, according to Europol, with services running for as little as 15 euros a month.

Webstresser.org is only one of many such sites, according to a report Akamai released this summer. So far, there's been no sign of a drop in DDoS attacks as a result.

Authorities also go after the creators who build the botnets in the first place, according to Adam Meyers, VP of intelligence at CrowdStrike, Inc. For example, in 2017, authorities arrested Peter “Severa” Levashov, the hacker behind the Waledac and Kelihos spam botnets. "He was arrested while on vacation in Spain," Meyers says. "It required coordination between the Department of Justice, the FBI, and Spanish police. There was a lot of international cooperation. Plus, there was technical expertise required to disrupt the botnet, which involved us sending some technical experts to Alaska to help the FBI with the takedown."

Shutting down a botnet's servers isn't enough to solve the problem if the creators are still out there. "With Kelihos, that was disrupted five times or so," Meyers says. "But because the author of that botnet was not apprehended, he was able to spin it back up, in some cases within hours of the disruption. After a couple of times, people realized that this wasn't going to go anywhere until we take this guy off the street."

In the case of the Andromeda botnet, even arresting the creator wasn't enough. It took a massive cooperative effort by international law enforcement agencies and technology and security vendors to take down the network, which involved 464 botnets, 1,214 command-and-control domains, and 80 malware families.

Andromeda, also known as Gamarue and Wauchos, has been around since 2011, with ready-to-go botnet kits sold on the dark web. It was responsible for infecting more than 1.1 million systems per month. Law enforcement groups began working to take it down in 2015, says Jean-Ian Boutin, senior malware researcher at ESET, LLC, one of the groups working on the takedown. "This type of operation takes time," he says. During that time, security teams analyzed thousands of Andromeda samples. "Based on this, we believe that this operation led to the disruption of all current Andromeda botnets."

However, not only is Andromeda still there, and still big, but the creator who was arrested in the takedown is also back on the street. Sergei Yarets was released this summer by Belarus authorities after six months in prison and a relatively small fine -- the equivalent of about $5,500.

"This case is another example of a double standard toward prosecuting cybercriminals in post-Soviet countries, where they treat their own cybercriminals differently, allowing them to avoid fair punishment and then using them in the interests of the state, neutralizing the efforts of the international community to combat cybercrimes," says Alexandr Solad, a researcher with Recorded Future, in a report in August 2018.

A long way from a permanent solution to botnets

Even arresting the hackers in the first place is difficult. The problem is that there haven't been that many arrests, Meyers says. "[Russian hacker Evgeniy] Bogachev was fingered in June 2014 in the Gameover Zeus attacks, and he's still at large in Russia someplace," he says. "A lot of these guys don't have to worry about arrests. If they work in Russia, and don't target Russian systems, they can pretty much operate with impunity." Bogachev is currently on the FBI's Cyber Most Wanted list.

Permanently solving the botnet problem requires a global solution to cybercrime, on top of the technical challenges, says Daniel Miessler, director of advisory services at IOActive, Inc. That's not happening in the foreseeable future. "Botnets are an emergent malady that exist because of the vulnerabilities and incentives that exist within society," he says. "Until we fix those, we should expect botnets and other emergent intersections between malice and vulnerability, to be permanent co-passengers."

In addition to creating a common, worldwide cybercrime enforcement system, there also needs to be standard regulations for manufacturers, requiring a certain level of minimal security in IoT devices. "Any regulation must also apply to all manufacturers, as many markets tend to be flooded with very cheap devices produced in regions where internet laws are very lax or non-existent," says Rod Soto, director of security research at Jask, an AI cybersecurity startup.

It's hard to imagine all the world's nations and affected industries coming together and agreeing on a common approach, and then enforcing it, says Igal Zeifman, product evangelist at Incapsula, Inc. "All initiatives to combat the growth of botnets through industry standards and legislation will likely continue to occur only on a regional or country level," he says.

That means that even if individual countries can slow down the growth of botnets in their regions, there will still be plenty of other places where they can grow. "Considering the global nature of the internet, this means that botnet attacks will continue to pose a threat to the digital businesses and the online community for many years to come," Zeifman says.

Copyright © 2019 IDG Communications, Inc.
