Peeling back the layers surrounding zombie computer botnets
May 3, 2017
What is a Botnet?
To understand a botnet, you first must begin with a bot. A bot is an automated malware program or roBOT that takes control of a computerized device.
That single, infected computer, or connected device, joins a larger roBOT NETwork–or BOTNET. Once hijacked, these devices transform into what is essentially a network of cyber-zombies. They do the bidding of their masters–cybercriminals–without the device owner’s knowledge.
The bot, either device or software program, can perform multiple actions: execute commands, reply to messages, and perform arbitrary tasks.
Some Botnets, because of their large numbers, can easily overwhelm strategic, data-laden equipment, like servers, through barrages of spam. They can be used to launch Distributed Denial of Service attacks, also known as DDoS.
Intended as smokescreens, some DDoS are used as a distraction while another targeted attack is being performed, which will allow attackers to inject malware without being detected because the targeted company is taking care of the DDoS.
How Computers Become Infected
The process is simple. Malware infiltrates a computer’s defenses stealthily.
Some common ways these intruders enter a computer’s system is through spam campaigns, unpatched vulnerabilities or outdated software. In some cases, the malware cycles through different stages to successfully infect the system.
The following is one example of an intrusion sequence: first, the malware installs an initial loader without the malicious payload. Once it connects to the Internet, the device is activated. It will actually complete the malware program installation by retrieving the malicious remaining code from compromised servers or any other source of attacker property.
Similarly, insecure software updates pushed over the Internet can be used to inject malware within the update.
As stated above, there are more techniques to infect, for example, social engineering. They do this by taking advantage of human error. A USB drive from another device, like an infected home computer, may be all that’s necessary to infect a network computer at a bank. An email from an unknown or counterfeit source with a compelling link may lure an unsuspecting end user to click. That link then sends the end user to a counterfeit site, where malware enters the system and does the rest.
All of this focus on getting Malware downloads into end user devices is critical to allowing criminals to seize control and strengthen their botnet.
How Hard Do Criminals Work to Gain Access to Computers?
In February 2017 alone, Malware and Point of Sales (PoS) Malware accounted for the largest volume of recorded cyber attacks at 23.7% that month, says Hackmageddon.
In January, Malware numbers were even higher, reaching 25.8%. It’s a significant threat and one plaguing public and private sectors alike.
Fighting against these attacks in any sort of meaningful way, however, requires an understanding of the mechanics of an attack.
An example of a 5-stage Malware infection:
An Exploit Kit is a programming tool that allows someone without coding experience to create, customize and distribute Malware. System infiltrations based on Exploit Kits follow these 5 stages:
It’s an unhappy reality in today’s cyber universe. The question that remains is this: once a machine is infected, how do these bots operate?
Varieties of Malware
Malware comes in the form of executable code, scripts, active content and other software. Common categorization of malware includes:
- Computer viruses – self-replicating programs that may also modify other programs existing within a computer
- Worms – self-replicating programs that spread to other computers
- Trojan horses – malicious programs pretending to be legitimate software
- Ransomware – a computer malware that installs covertly on a victim’s device–computer, smartphone, wearable device–and demands a ransom; until the ransom is paid, the bot herder holds the victim’s data hostage – for example: encrypting it, or threatening to publish sensitive data
- Spyware – software that gathers information unbeknownst to the victim then sends this information to another entity without the victim’s knowledge or consent
- Scareware – a software program tricks unsuspecting users into buying and downloading unnecessary and potentially dangerous software
Botnet infections cost businesses time and money while threatening servers, VIPs, and clients. Sensitive data is one of the most prized intellectual properties today.
How to Tell if a Computer is Infected
Criminals can mask or change malware signatures to make their delivery systems virtually undetectable.
If a computer slows down after downloading updates, opening an email or visiting a suspicious site, it may be infected. If it is not responding to commands, or it crashes for no reason, chances are it might be under the control of an external force.
How to Detect and Remove Infections
In some cases, to clean an infected computer without the proper tools can result in a blue screen or an “Access Denied” message from your local host. It all depends on the process by which malware has infiltrated the system.
The proper tools for IT administrators to both detect and understand how to remove infections must provide the following information:
- A list of affected host IPs
- A list of compromised credentials
- Data reports indicating the affected systems in a device
- Description of the internal behavior of the malware
- In-Depth understanding of the infection process
- Persistence method used to remain active once the system is rebooted
It is also helpful to know the type of attacks criminals are perpetrating within a geographic area. Forewarned is forearmed. By preventing the opportunity for the Entry phase of infiltration, administrators can proceed from a position of strength.
How to Prevent Malware Contamination
The following are steps an organization can take to enable success. They are not all inclusive but they are strong building blocks for enterprise security:
- Design relevant Internet policies to prevent exposure
- Train employees on safe Internet and email practices
- Stay informed through the use of threat intelligence reports and act on the insight they provide
- Install Antivirus and keep it updated
- Update the company software in regular basis
The Botnet landscape can seem bleak. There are, however, plenty of options for organizations to choose to keep their servers, their C-Suite, and their clients safe. By implementing relevant steps and strategies, businesses can guard their sensitive data.
Check out our Botnets and Command & Control Module and be alerted to:
- Detect and retrieve compromised credentials
- Track and block crime servers
- Receive geo-specific botnet alerts