Skip to main content

Botnets: More than just a platform for DDoS

(Image credit: Image Credit: Profit_Image / Shutterstock)

How much damage can a botnet possibly cause? After all, the common perception is that botnets are just a collection of compromised connected devices, designed to be pointed at a target to overwhelm and cripple it.

A botnet is only but a tool, a distributed platform that provides resources to run any kind of malicious payload that could profit attackers. Distributed Denial of Service (DDoS) has long been one of the primary payloads, which is not surprising since it is the easiest to implement and most effective on large distributed botnets.

But since the first half of 2018 we are seeing changes in how botnets operate, their applications and the motivations behind them, including but not limited to:

Crypto-mining

Botnets targeting vulnerable and unsecured cloud servers, such as those targeting Hadoop YARN for example, leverage the elastic nature of the cloud and the vast amounts of resources provided to big data Hadoop servers to run open source crypto-mining software such as Cpuhunter.

While cloud is a lucrative platform because of the vast resources provided by each bot, IoT devices have also been targeted for crypto-mining campaigns. By joining forces in Mining Pools, resource constrained devices contribute and aggregate their processing power to solve the Proof-of-Work puzzle and get rewarded for it.

Adding many devices into a mining pool, the rewards reaped by the pool’s ‘consortium’ is shared between the members of the pool based on their individual contribution to the work. Given enough devices, of which IoT provides plenty, it becomes a lucrative operation.

Anonymising networks

Having a large network of devices that can forward traffic provides an effective way to conceal the source of malicious traffic. From browsing cybercrime forums, validating stolen credit cards at merchant websites, hiding the source of spam mail and click-fraud servers, up to targeted attacks, anonymising networks are being sold in the underground for profit.

IoT devices, especially routers, provide a potent platform for anonymiser networks. There are many different ways to turn IoT devices into forwarders of malicious traffic. The OMG botnet, for example, leveraged 3proxy. 3proxy is an open source, cross-platform proxy server with tiny footprint providing HTTP proxying with HTTPS and FTP support, SOCKSv4/SOCKSv4.5/SOCKSv5, POP3, SMTP, AIM/ICQ, MSN messenger/Live messenger, FTP, and caching DNS proxies as well as TCP and UDP portmappers.

Another example is through the remote reconfiguration of vulnerable routers through UPnP. Certain router manufactures have UPnP as listener on WAN interfaces by default. UPnP allows dynamic forwarding rules to be configured remotely and without authentication into the router. By chaining vulnerable routers together, a central controller can create dynamic tunnels across the internet that passed through multiple hobs and can conceal any type of traffic.

Routers exposing UPnP can be configured remotely, without requiring a local malware running on the vulnerable device. All that is needed is a list of vulnerable devices (potential forwarding hops) and a central controller that creates the dynamic path for each connection and cleans it up after the connection is complete. 

Snooping

IoT bots have been observed monitoring network traffic, some passively for informational purposes, others actively injecting malicious Javascript code in the HTTP traffic traversing the router device. Motivations range from gathering intelligence on victims up to launching Javascript based crypto-jacking malware, stealing credentials from browser forms, and dropping of malware through code injection.

Bricking

Disrupting communications can impact city security surveillance networks, internet service providers, causing internet blackouts in whole regions to create chaos, etc. By infecting enough devices in a certain region or specific IP range, malicious agents can instruct their malware to brick (destroy or corrupt) the infected devices.

BrickerBot is one such botnet built exclusively to destroy (brick) infected IoT devices. The author, 'the Janit0r' referred to his project as 'Internet Chemotherapy.' The botnet used many known IoT vulnerabilities to compromise infected IoT devices that were discovered through its sensor network of sentinels and then launched a sequence of destructive remote shell commands corrupting the ash or breaking internet connectivity on the victims.

VPNfilter is another highly sophisticated botnet that had bricking among its long list of features. With a single remote command from its operators, the bot would attempt to destroy itself and the device. Motivations behind bricking can be about causing chaos and blacking out communications in a region, or it could just be an attempt to destroy any evidence on the infected device and hamper forensic research.

Behind the botnet

Today, modern botnets are mainly comprised of infected IoT devices such as cameras, routers, DVRs, wearables and other embedded technologies. The evolution in the botnet landscape highlights the security risks from millions of Internet-connected devices configured with default credentials, manufactures who won’t issue updates or owners who aren’t able to install updates. Hackers can build enormous botnets consisting of a wide variety of devices and architectures because of this. 

In comparison to server and desktop/laptop exploits, IoT devices come with poor security features such as open ports and default credentials. They are also poorly maintained and hardly receive updates. The process of capturing devices for a botnet is still a fairly simple task that’s mainly automated. Hackers typically compromise these devices via brute force login. They have also evolved to inject exploits via open ports. They leverage these exploits typically after researchers disclose vulnerabilities, knowing that most of the IoT devices only get updated sporadically or even never. 

Overall it is an automated process in which a bot is scanning the internet to identify potential targets and sending that information back to a reporting process. When a match is found, the device is exploited with an injection exploit and a malicious payload is downloaded to the device.

IoT botnets continue to evolve and they are becoming more versatile. It wasn’t long ago when Mirai reached the 1Tbps mark but the process of how it was done has improved, leading many of us in the industry to worry about the next generation of “smart” devices that will leverage 5G for high-bandwidth, always on, and unfiltered connectivity.

Today we see botnet development filling the void of exploit kits as they incorporate more attack vectors and exploits into their deployments.  Keep in mind that it’s not just about the multiple exploits. It also has to do with the speed in which exploitation occurs in the wild. 

One of the main reasons we are seeing exploit kits fall out of favour is due to the improved browser security and speed in which the industry patches vulnerabilities. This is not seen in the IoT botnet world where vulnerabilities are rarely patched.  At the end of the day, cybercriminals are following the money by taking the path of least resistance.   

Pascal Geenens, EMEA Security Evangelist, Radware