In this interview, Cyren botnet expert Geffen Tzur explains how botnets work and gives a view from the trenches on successes and challenges in fighting botnet cybercrime.
What defines a botnet? Doesn’t all malware “phone home”?
A botnet is defined as a network of infected computers set up to perform synchronized operations such as spam campaigns, distributed denial of service (DDoS) attacks, and virus distribution to other computers. Not all malware “phones home,” but all botnets do, either to a single command and control (C&C) server or via one of their “fellow” bots in what is known as a peer-to-peer (P2P) communication. The key thing about a botnet is that it is a synchronized network waiting for commands from a computer operated by the botmaster.
If malware goes to a server for downloads/instructions, but there is no controller, is this a botnet?
No. Probably not. A botnet usually updates and receives mission instructions after initial installation. A botnet involves human control.
How can you tell that different infected computers are working together—that they are actually a botnet?
To detect a botnet, you need to be able to correlate between multiple network transactions from various sources around the globe. Once you have this capability there are several different ways to actually identify the botnet during operation.
In the first way, cybersecurity solutions will attempt to identify correlations among infected computers, using a secure web gateway (like Cyren Web Security) to detect the same anomaly originating from different sources. For example, criminals may use the same non-standard port in an HTTP transaction to the same destination server. Sometimes you can only see the anomalies after the fact when you aggregate and count transactions and perform log analysis. Also, a spam bot usually sends the same emails simultaneously from multiple IPs. Cyren’s email service can spot a spam bot using this technique.
How do security solutions identify peer-to-peer (P2P) botnets?
Identifying P2P botnets is more of a challenge. The problem with P2P botnets is that there is no single server that they communicate with. There can be up to thousands of individual computers working together and you can’t always tell which are the command and control (C&C) servers. Identifying the P2P behavior usually involves detecting the number of different connections originating from one server—if a cybercriminal opens too many destinations in a non-standard port, security solutions can often see this.
Does the malware itself provide any clues that it is malware specific to a botnet?
By dynamic analysis of the malware we can detect behaviors typical to botnet set up, such as agent registration, information collection on the operating system and environment, and network reconnaissance. These behaviors can then be characterized into a profile, so that other variants of the same malware can be labeled as responsible for the same botnet. Eventually, when a heuristic anti-malware solution finds one of these variants, it can tell it belongs to the same malware family. In addition, when security professionals analyze malware being distributed by botnets, it is possible to detect typical behavior in a sandbox and identify the registration of agents and botnets, as well as attempts by the botnet to do network reconnaissance and send info to the C&C.
How do botnets get their names?
Security professionals often name botnets based on some word, phrase, or string they see inside the binary code. Sometimes it could be based on a network-related activity, such as the server name or special header. Each company gives different names. For example, with Zeus there are several industry names, such as Zbot, Zeus Gameover, and Trojan-Spy, and Win32.Zbot. The names that are publicized by security professionals are not necessarily the botnet owner’s chosen name. Criminals may create their own names for botnets, and we don’t necessarily know what those are.
Is there real expertise involved in creating a botnet?
Can anyone simply download or purchase a kit and build their own botnet? It is actually fairly easy to build a botnet, and someone with basic knowledge and expertise could do it. You can also purchase botnets off-the-shelf, hire someone to build it for you, engage an organization to do distribution for you, purchase C&C servers, or even rent an existing botnet. Botnets are available for all kinds of functionalities, from banking, spam/phishing, hacktivism, and distributed denial of service (DDoS) attacks. We still see specialized malware for setting up a botnet and for adding a bot to the network. It is an industry—and it is organized and available for rent or purchase, just like any legitimate service. One of the most famous cases is the Mariposa botnet, in which three cybercriminals bought a kit and deployed it. There is no special skill required and often we discover “entry-level” beginner botnets. There is some expertise required for new or hyper-evasive malware.
Like any software, you can also purchase open-source versions that enable you to build a botnet, but this software is fairly easy for security professionals to detect, so the botnet will likely only be used for a very short period of time. For targeted botnet attacks you need expertise, skill, and knowledge of evasion techniques, such as how not to activate in a sandbox, particularly if you don’t want security solutions to find you too quickly.
How does a banking botnet, like Zeus, function?
Zeus is a Trojan horse malware which infected millions of computers between 2007 and 2010. It steals banking information by monitoring the browser’s process, often known as a man-in-the-browser attack, detecting keystrokes and grabbing web forms. Once the information is stolen, it is sent to a remote location which is often a compromised server. Then, the botmaster retrieves the banking credentials, logs into the victim’s online bank account through a compromised proxy, and performs a money transfer to a designated bank account. These bank accounts are controlled by networks of money mules—a network of people whose job is to withdraw money from these bank accounts, usually in countries with little or no banking regulation. The mules then transfer the money to the botmaster’s organization.
Is ransomware ever part of a botnet?
The line is thin. Ransomware distribution may originate from a botnet, but after the distribution there is no botnetlike activity such as synchronized operations. Ransomware is typically a focused attack with a single attack vector. A botnet is a group of computers working together to perform continuous attacks. Ransomware requires no synch with other infected machines.
Are botnets smaller than they used to be?
We don’t necessarily have any data to support this, although there have been reports of takedowns of multiple small botnets such as Citadel. Botnets definitely come in all sizes. But, it does make sense that a criminal may want to reduce the risk of a takedown by making the botnet smaller and thus harder to detect. It also depends on the purpose of the botnet. A spam/DDoS botnet will naturally be large, global, and non-specific. On the other hand, a
botnet designed to launch spear-phishing and targeted attacks will tend to be smaller and stealthier—limiting the size of the botnet reduces the chance of detection.
If all botnets “phone home,” shouldn’t it be easy to simply spot some unexpected outgoing communication and block it?
It used to be simple. In the early days of botnets, simple filtering of outgoing traffic with rules and signatures would have been enough. Since then, botnets have evolved to use multiple evasion techniques, such as domain generation algorithms (DGA), piggybacking on user traffic, posting in legitimate blogs, and hiding the C&C server address in a web search results page. Botnets have evolved—like all technology—and the botnet industry has large amounts of money associated with it. Today we have professional criminals with knowledge and expertise, actually investing in improving botnet evasion solutions.
There seem to be a lot of security companies and organizations tracking botnets these days. Why are botnets so hard to take down?
Well, there are obviously more botnet owners and malware groups than security companies. The takedowns have been complicated. It all boils down to hyper-evasive malware which avoids detection, and security companies which are often one step behind in inventing new detection methods. As for taking down botnets—this is normally done by law enforcement and ISPs, and in many cases there is not enough cooperation and information sharing with the security vendors. In some cases, privacy concerns and regulations between countries are delaying or preventing such cooperation. Moving the wheels of law enforcement and government regulation is hard. Ultimately, security organizations like Cyren defend customers faster than law enforcement can take down a botnet.
Sometimes after a takedown, we hear that a sinkhole has been set up—how does this work?
A sinkhole is basically a way of redirecting malicious Internet traffic so that it can be captured and analyzed by security analysts. It uses a standard DNS server configured to hand out non-routable addresses for all domains in the sinkhole, so that every computer that uses it will fail to get access to the real website. For example, if a victim receives an email with malicious link that has been sink-holed, and if the victim clicks the link, they won’t reach the malicious site, instead they reach a non-routable address. Cyren offers this type of security in our DNS security solution to help protect users from malicious websites.
Do botnet owners specifically target security solutions or law enforcement?
Bots are highly aware of security solutions and detection techniques. There is a history of malware samples, that when analyzed, were found to contain code to check for specific anti-virus vendor software. Botnet owners will also engage in spear phishing attacks on specific companies or law enforcement. It is also very common for cybercriminals to code botnet malware with sandbox evasion techniques.
Are botnets used in hacktivism?
It is definitely possible and likely that certain government, political, or business organizations are being targeted for hacktivism purposes—we probably saw some of this during the recent elections in the United States, as well as during the Brexit vote, when bots were used for promotional purposes or to disseminate fake news and disinformation on social media sites like Twitter. After the election in the U.S., a number of major think tanks were targeted by spearphishing attacks. We see it all the time in Israel with criminal organizations developing botnets to target think tank organizations.
What financial gain is there in a DDoS attack?
Usually a DDoS attack is not directly profit-related. Sometimes competitors of the victim might order an attack to draw clients to their service. Sometimes DDoS attacks are used as a form of retaliation, as in the case of the recent Krebs on Security attack. In other cases, a DDoS attack is used as a distraction from a stealthier operation. Sometimes, DDoS attacks are even used as a form of blackmail.
How much does it cost to rent a botnet?
It definitely varies. The price of botnets-for-rent can range from thousands of dollars to hundreds of thousands of dollars, depending on type of attack, botnet purpose, the type of damage it is supposed to do, etc.
What industries are most often the target of botnet attacks?
Definitely attacks on banks and other financial institutions, as well as governments will continue to grow.
What can we expect in the future for botnets?
Ransomware distribution involves high profitability and it will likely continue to keep everyone busy. We expect to see a shift with more botnets using a P2P structure, which is harder to detect. Botnets using Internet of Things (IoT) devices will likely grow and get more sophisticated. In addition, botnets will continue to be used for malware distribution and spam. I don’t see that going away.
For a thorough primer on botnets, get a free copy of Cyren’s special threat report on botnets or visit our botnet resource page.