Botnets act as a force multiplier for individual attackers, cyber-criminal groups, and nation-states looking to disrupt or break into their targets’ systems. By definition, they are a collection of any type of internet-connected device that an attacker has compromised. Commonly used in distributed denial of service (DDoS) attacks, botnets can also take advantage of their collective computing power to send large volumes of spam, steal credentials at scale, or spy on people and organizations.
Malicious actors build botnets by infecting connected devices with malware and then managing them using a command and control server. Once an attacker has compromised a device on a specific network, all the vulnerable devices on that network are at risk of being infected.
A botnet attack can be devastating. Last year, the Mirai botnet shut down major swathes of the internet, including Twitter, Netflix, CNN, and other major sites, as well as major Russian banks and the entire country of Liberia. The botnet took advantage of unsecured internet of things (IoT) devices such as security cameras, installing malware that then attacked the DYN servers that route internet traffic.
The industry woke up, and device manufacturers, regulators, telecom companies, and internet infrastructure providers worked together to isolate compromised devices, take them down or patch them, and make sure that a botnet like could never be built again.
Just kidding. None of that happened. Instead, the botnets just keep coming.
According to an Akamai internet security report released this week, botnets are not only still alive and well, but getting more clever and more difficult to combat. For example, attackers are now using Fast Flux DNS, changing DNS information so rapidly that defenders have a hard time tracking and disrupting them.
While Akamai was part of the battle to control last year's Mirai attacks, Mirai itself is still around, with two DDoS attacks exceeding 100 Gbps this past quarter, Akamai reported. Plus, new botnets are popping up.
This fall, Check Point researchers say they discovered a new botnet, variously known as "IoTroop" and "Reaper," that's compromising IoT devices at an even faster pace than Mirai did. It has the potential to take down the entire internet once the owners put it to work.
Mirai infected vulnerable devices that used default user names and passwords. Reaper goes beyond that, targeting at least nine different vulnerabilities from nearly a dozen different device makers, including major players like D-Link, Netgear and Linksys. It's also flexible, in that attackers can easily update the botnet code to make it more damaging.
Why we can’t stop botnets
The challenges to shutting botnets down include the widespread availability and ongoing purchases of insecure devices, the near impossibility of simply locking infected machines out of the internet, and difficulty tracking down and prosecuting the botnet creators. When consumers go into a store to buy a security camera or other connected device, they look at features, they look for recognizable brands, and, most importantly, they look at the price.
Security is rarely a top consideration. "Because [IoT devices are] so cheap, the likelihood of there being a good maintenance plan and fast updates is low," says Ryan Spanier, director of research at Kudelski Security.
Meanwhile, as people continue to buy low-cost, insecure devices, the number of vulnerable end points just keeps going up. Gartner estimates that there will be 8.4 billion connected devices in use by the end of this year, and that will more than double by 2020, to 20.4 billion.
There's not much motivation for manufacturers to change, Spanier says. Most manufacturers face no consequences at all for selling insecure devices. "Though that's starting to change in the past year," he says. "The US government has fined a couple of manufacturers."
For example, in January, the FTC sued D-Link for selling routers and IP cameras full of well-known and preventable security flaws such as hard-coded login credentials. Earlier this fall, however, a federal judge dismissed half of the FTC's complaints because the FTC couldn't identify any specific instances where consumers were actually harmed.
Botnet detection: Targeting traffic
Botnets are typically controlled by a central command server, so, in theory, taking down that server then following the traffic back to the infected devices to clean them up and secure them should be a straightforward job. But it's anything but easy.
When the botnet is so big that it impacts the internet, the ISPs may band together to try to figure out what's going on and curb the traffic. That was the case with the Mirai botnet, says Spanier. "When it's smaller, something like spam, I don't see the ISPs caring so much," he says. "Some ISPs, especially for home users, have ways to alert their users, but it's such a small scale that it's not going to affect a botnet. It's also really hard to detect botnet traffic. Mirai was easy because of how it was spreading, and security researchers were sharing information as fast as possible."
Compliance and privacy issues are also involved, says Jason Brvenik, CTO at NSS Labs, Inc., as well as operational aspects. A consumer might have several devices on their network sharing a single connection, while an enterprise might have thousands or more. "There's no way to isolate the thing that's impacted," Brvenik says.
Botnets will try to disguise their origins. For example, Akamai has been tracking a botnet that has IP addresses associated with Fortune 100 companies — addresses that Akamai suspects are probably spoofed.
Some security firms are trying to work with infrastructure providers to identify the infected devices. "We work with the Comcasts, the Verizons, all the ISPs in the world, and tell them that these machines are talking to our sink hole and they have to find all the owners of those devices and remediate them," says Adam Meyers, VP of intelligence at CrowdStrike, Inc.
That can involve millions of devices, where someone has to go out and install patches. Often, there's no remote upgrade option. Many security cameras and other connected sensors are in remote locations. "It's a huge challenge to fix those things," Meyers says.
Plus, some devices might no longer be supported, or might be built in such a way that patching them is not even possible. The devices are usually still doing the jobs even after they're infected, so the owners aren't particularly motivated to throw them out and get new ones. "The quality of video doesn't go down so much that they need to replace it," Meyers says.
Often, the owners of the devices never find out that they've been infected and are part of a botnet. "Consumers have no security controls to monitor botnet activity on their personal networks," says Chris Morales, head of security analytics at Vectra Networks, Inc.
Enterprises have more tools at their disposal, but spotting botnets is not usually a top priority, says Morales. "Security teams prioritize attacks targeting their own resources rather than attacks emanating from their network to external targets," he says.
Device manufacturers who discover a flaw in their IoT devices that they can't patch may, if sufficiently motivated, do a recall, but even then, it might not have much of an effect. "Very few people get a recall done unless there's a safety issue, even if there's a notice," says NSS Labs' Brvenik. "If there's a security alert on your security camera on your driveway, and you get a notice, you might think, 'So what, they can see my driveway?'"
Botnet dragnets have some success
There has been some progress in shutting down botnets and arresting their creators, says CrowdStrike's Meyers. For example, last spring, authorities arrested Peter “Severa” Levashov, the hacker behind the Waledac and Kelihos spam botnets. "He was arrested while on vacation in Spain," Meyers says. "It required coordination between the Department of Justice, the FBI, and Spanish police. There was a lot of international cooperation. Plus, there was technical expertise required to disrupt the botnet, which involved us sending some technical experts to Alaska to help the FBI with the takedown."
Depending on how the botnet is set up, disrupting it may be more or less difficult. Researchers can take advantage of cryptographic or other flaws and shut it down. If the creators are still on the loose, however, they can fix it and get it up and running again.
"With Kelihos, that was disrupted five times or so," Meyers says. "But because the author of that botnet was not apprehended, he was able to spin it back up, in some cases within hours of the disruption. After a couple of times, people realized that this wasn't going to go anywhere until we take this guy off the street."
In another sign of progress, law enforcement agencies working with ESET and Microsoft took down 464 botnets last week, associated with 1,214 command-and-control domains and 80 malware families. The take-down resulted in an arrest of a person in Belarus.
According to ESET, this particular group has been around since 2011, with ready-to-go botnet kits sold on the dark web, variously known as Andromeda, Gamarue and Wauchos. These botnets were responsible for infecting more than 1.1 million systems per month.
The law enforcement groups began working to take them down in 2015, says Jean-Ian Boutin, senior malware researcher at ESET, LLC. "This type of operation takes time," he says. During that time, security teams analyzed thousands of Andromeda samples. "Based on this, we believe that this operation led to the disruption of all current Andromeda botnets." However, since the kit is sold on underground forums, someone else might start a new Andromeda botnet from scratch, he adds.
Another team of researchers, at Recorded Future, Inc., is also pessimistic that the botnet is gone for good. "Several independent parties were involved in the distribution of Andromeda," says Recorded Future security analyst Alex Solad. "We believe that in the near term the botnet will remain operational, although the absence of ongoing support will significantly hinder its proliferation."
Solad adds that even though Belarus maintains strong ties with Russia, it has recently increased participating in international criminal investigations. It also has the strictest sentences for computer crimes anywhere in the Commonwealth, which includes Russia and allied ex-Soviet republics.
Recorded Future also identified the man behind the botnet as Jarets Sergey Grigorevich, also known as “Ar3s." In addition to being the Andromeda mastermind, he is also a longstanding administrator of the DamageLab forum. ESET's Boutin says that his firm cannot confirm that it was Grigorevich who was arrested, and the law enforcement agencies involved have also not released the name.
A long way from a permanent solution to botnets
The problem is that there haven't been that many arrests, Meyers says. "[Russian hacker Evgeniy] Bogachev was fingered in June 2014 in the Gameover Zeus attacks, and he's still at large in Russia someplace," he says. "A lot of these guys don't have to worry about arrests. If they work in Russia, and don't target Russian systems, they can pretty much operate with impunity."
Permanently solving the botnet problem requires a global solution to cybercrime, on top of the technical challenges, says Daniel Miessler, director of advisory services at IOActive, Inc. That's not happening in the foreseeable future. "Botnets are an emergent malady that exist because of the vulnerabilities and incentives that exist within society," he says. "Until we fix those, we should expect botnets and other emergent intersections between malice and vulnerability, to be permanent co-passengers."
In addition to creating a common, worldwide cybercrime enforcement system, there also needs to be standard regulations for manufacturers, requiring a certain level of minimal security in IoT devices. "Any regulation must also apply to all manufacturers, as many markets tend to be flooded with very cheap devices produced in regions where internet laws are very lax or non-existent," says Roy Soto, director of security research at Jask, an AI cybersecurity startup.
It's hard to imagine all the world's nations and affected industries coming together and agreeing on a common approach, and then enforcing it, says Igal Zeifman, product evangelist at Incapsula, Inc. "All initiatives to combat the growth of botnets through industry standards and legislation will likely continue to occur only on a regional or country level," he says.
That means that even if individual countries can slow down the growth of botnets in their regions, there will still be plenty of other places where they can grow.
"Considering the global nature of the internet, this means that botnet attacks will continue to pose a threat to the digital businesses and the online community for many years to come," Zeifman says.