
The Truth About Complex Botnet Campaigns

Botnet campaigns are on the rise. Hired and state-sponsored hackers, organized criminal syndicates, and other hostile groups are actively hunting for secrets, technology, sensitive documents, and ideas: in short, the information that matters most to us. They can choose to strike at any time, and critical infrastructure and the national economy are among their targets.

It is no news that cybercriminals pose a severe threat to the economy and privacy of a nation and its citizens. One of the many ways they do this is through botnets, which let them infect large networks and a significant number of endpoints at once.

Botnet campaigns have become a favored tool for cybercriminals. To avoid serious attacks, first understand what botnets are for and how they work; then you can put proactive measures in place so you do not become a victim of a malicious botnet attack.

What is a Botnet Campaign?

A ‘botnet’ (short for ‘robot network’) is a collection of network-connected devices that have been compromised and operate as a swarm. Unlike earlier malware, where each infected device was programmed to act on its own, the devices in a botnet are centrally coordinated by a bot herder through a command and control (C2) server.

Essentially, a botnet recruits internet-connected devices and directs them to act in unison. Once activated, it can be used for DDoS attacks, malware distribution, and other organized crime. It can also be turned against network-connected critical infrastructure, or used as a weapon in ideological campaigns to spread fear or cause public embarrassment.

A botnet can typically infect thousands of devices without obvious evidence of its existence and can, in principle, stay operational for years. Once an endpoint has joined a botnet, stopping the spread of its malicious code to the rest of your network becomes difficult.

In 2016, the Mirai botnet launched a distributed denial-of-service attack against the DNS provider Dyn that left millions of internet users on the US east coast unable to reach major websites. It was a major attack and the first of its kind at that scale: Mirai was built from over 600,000 insecure IoT devices.

In 2020, Google removed a number of apps from the Play Store after the White Ops Satori Threat Intelligence & Research team reported that the apps were turning users’ devices into an ad fraud botnet. In just one week the operation generated two billion fraudulent bid requests, infected over 65,000 devices, and spoofed over 5,000 apps.

How Botnets Work

Bot masters control their botnets in one of two models: centralized, or decentralized peer-to-peer (P2P). In the centralized model the bot herder communicates with every infected device through a single command and control (C2) server, classically over a protocol such as IRC; this IRC-based design is less common today than it once was.

In an IRC-based botnet the bots connect to the C2 server and sit dormant until a command appears. When the time comes, the bot herder sends the command to the C2 server, which relays it to the client devices (the zombies); each client carries out the task and reports its results back the same way. Because every bot has to either hold a connection open or check in repeatedly, this model leaves a recognizable pattern of traffic toward the C2 host.

The decentralized P2P approach is now preferred by attackers because it is more robust than the centralized one: there is no single server to take down. Infected devices exchange commands and coordination data with one another, so a command injected anywhere in the mesh propagates to the rest without a central server. Botnets built this way can span the globe and grow to 100,000+ devices.
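The check-in loop described above, where a dormant bot repeatedly contacts its C2 host, shows up in flow records as connections at suspiciously regular intervals. The following is an added example (not code from the page or from NetQuest) that scores each source/destination/port channel in a set of constructed flow records by how regular its connection gaps are; the thresholds and the IP addresses are assumptions chosen for the example.

```python
"""Beacon detection over constructed flow records (added example, not from the page)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (seconds since capture start, src, dst, dst_port, bytes).
# 10.0.0.5 checks in with 203.0.113.10:6667 roughly every 60 s, with the small
# timing jitter bot agents usually add; 10.0.0.7 is ordinary irregular browsing.
FLOWS = [
    (0, "10.0.0.5", "203.0.113.10", 6667, 118),
    (61, "10.0.0.5", "203.0.113.10", 6667, 121),
    (119, "10.0.0.5", "203.0.113.10", 6667, 118),
    (181, "10.0.0.5", "203.0.113.10", 6667, 120),
    (240, "10.0.0.5", "203.0.113.10", 6667, 119),
    (299, "10.0.0.5", "203.0.113.10", 6667, 118),
    (361, "10.0.0.5", "203.0.113.10", 6667, 122),
    (0, "10.0.0.7", "198.51.100.20", 443, 4310),
    (5, "10.0.0.7", "198.51.100.20", 443, 12890),
    (7, "10.0.0.7", "198.51.100.20", 443, 880),
    (40, "10.0.0.7", "198.51.100.20", 443, 23100),
    (200, "10.0.0.7", "198.51.100.20", 443, 1500),
    (210, "10.0.0.7", "198.51.100.20", 443, 9900),
    (600, "10.0.0.7", "198.51.100.20", 443, 3200),
]


def detect_beacons(flows, min_connections=6, max_jitter=0.15):
    """Return channels (src, dst, port) whose connection intervals are too regular.

    Regularity is measured as the coefficient of variation (stdev / mean) of the
    gaps between successive connections. The thresholds are assumed starting
    points, not values from the page; tune them against your own baseline.
    """
    by_channel = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        by_channel[(src, dst, port)].append(ts)

    hits = []
    for channel, times in by_channel.items():
        if len(times) < min_connections:
            continue  # too few samples to call anything periodic
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        period = mean(gaps)
        if period == 0:
            continue  # bursts of simultaneous connections are a different signal
        jitter = pstdev(gaps) / period
        if jitter <= max_jitter:
            hits.append({"channel": channel, "period_s": round(period, 1),
                         "jitter": round(jitter, 3)})
    return hits


if __name__ == "__main__":
    for hit in detect_beacons(FLOWS):
        src, dst, port = hit["channel"]
        print(f"{src} -> {dst}:{port} every ~{hit['period_s']}s (jitter {hit['jitter']})")
```

Only the bot channel is reported: its gaps of 58 to 62 seconds give a jitter of about 0.03, while the browsing host's gaps vary by more than the mean itself. Real bot agents add deliberate sleep jitter, which is why the check uses a tolerance rather than exact equality; P2P bots blur the picture further because their peers rotate, so the same scoring is better applied per source host across all of its destinations.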

Difference Between Botnet and Malware

A botnet is a coordinated attack involving many endpoint devices that have been infected with malicious code; its scale comes from the number of malware-infected devices acting together. Malware, in contrast, is the malicious code itself, and a single infection affects one device or endpoint. The bot agent that enrolls a device is malware; the botnet is what the infected devices form together.

A botnet is far more powerful than a lone malware infection. Where a single piece of malware runs its malicious code on one device, spreading to others at most by replicating itself, a botnet lets the bot master launch a large number of attacks from numerous devices at once.

Types of Botnet Attacks

An attacker controlling a botnet has an extensive list of malicious attack types. Some of those include the following.

Distributed Denial of Service (DDoS)

A botnet DDoS attack commonly targets network devices, servers, applications, and operating systems. Network-layer DDoS attacks use techniques such as DNS amplification and UDP floods to exhaust the target’s bandwidth, so legitimate requests cannot be served.

An application-layer DDoS attack instead exhausts the resources of the application itself, for example with floods of expensive requests, or exploits weaknesses in the operating system, application, or protocol implementation, to stop the target from communicating with or delivering content to its users.
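DNS amplification is a reflection attack: the bots send small queries to open resolvers with the source address forged to the victim’s, and the resolvers send their much larger answers to the victim. Seen from a flow sensor at the victim’s border, that shows up as large UDP/53 responses arriving from many servers the victim never queried. The following is an added example (not code from the page or from NetQuest) that applies that check to constructed flow records; the addresses and thresholds are assumptions made for the example.

```python
"""DNS amplification (reflection) detection over constructed flow records.
Added example, not from the page."""
from collections import defaultdict


def _flow(src, sport, dst, dport, packets, nbytes, proto="udp"):
    """One unsampled flow record, bytes and packets summed over the flow (constructed)."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "proto": proto, "packets": packets, "bytes": nbytes}


FLOWS = []
# Legitimate lookup: an internal host asks its resolver and gets a small reply.
FLOWS.append(_flow("10.0.0.5", 52113, "192.0.2.53", 53, 1, 75))
FLOWS.append(_flow("192.0.2.53", 53, "10.0.0.5", 52113, 1, 120))
# A large but legitimate (DNSSEC-sized) answer: the query is present, so it is solicited.
FLOWS.append(_flow("10.0.0.5", 52114, "192.0.2.53", 53, 1, 80))
FLOWS.append(_flow("192.0.2.53", 53, "10.0.0.5", 52114, 2, 2400))
# Reflection: eight open resolvers all answer 198.51.100.50, which never asked them.
for i in range(1, 9):
    FLOWS.append(_flow(f"203.0.113.{i}", 53, "198.51.100.50", 40000 + i, 3, 9000))


def detect_dns_reflection(flows, min_reflectors=5, min_avg_bytes=1000):
    """Flag destinations receiving large UDP/53 responses they never requested.

    Two properties of a reflection attack are checked: the victim has no outbound
    query flow toward the responding server (the query carried a spoofed source),
    and the responses are large relative to a normal answer. The thresholds are
    assumed defaults, not figures from the page.
    """
    # Who asked whom: (client, server) pairs seen as outbound UDP queries to port 53.
    asked = {(f["src"], f["dst"]) for f in flows
             if f["proto"] == "udp" and f["dport"] == 53}

    responses = defaultdict(list)
    for f in flows:
        if f["proto"] == "udp" and f["sport"] == 53:
            responses[f["dst"]].append(f)

    alerts = []
    for victim, resp in responses.items():
        unsolicited = [f for f in resp if (victim, f["src"]) not in asked]
        reflectors = {f["src"] for f in unsolicited}
        if len(reflectors) < min_reflectors:
            continue  # a stray late answer is not an attack
        total_bytes = sum(f["bytes"] for f in unsolicited)
        total_pkts = sum(f["packets"] for f in unsolicited)
        avg = total_bytes / total_pkts
        if avg >= min_avg_bytes:
            alerts.append({"victim": victim, "reflectors": len(reflectors),
                           "bytes": total_bytes, "avg_response_bytes": round(avg)})
    return alerts


if __name__ == "__main__":
    for a in detect_dns_reflection(FLOWS):
        print(f"{a['victim']}: {a['bytes']} bytes of unsolicited DNS answers "
              f"from {a['reflectors']} reflectors, ~{a['avg_response_bytes']} B/packet")
```

The internal host is not flagged even though one of its answers is large, because its own queries are in the flow data; the victim is flagged because eight different resolvers answered it unprompted with 3,000-byte packets. The same structure works for other reflection vectors (NTP, SSDP, memcached) by changing the port, and the "unsolicited" test is what separates reflection from a merely busy resolver.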

Brute Force Attacks

Brute force attacks are one of many ways of getting malicious code onto your network, servers, and applications. The attacker tries to gain access to an application or piece of infrastructure by guessing passwords over and over. During the brute-force process the malware interacts directly with the service, so it gets real-time feedback on every guess. This is most common against Remote Desktop Protocol (RDP). The volume has dipped slightly of late, though not in every country: statistics show that the US experienced 47.5 million botnet attacks on RDP in the first quarter of 2021, rising to 50 million in the same period of 2022.

Phishing

Botnets are an easy channel for distributing malware via phishing emails. Because a botnet is automated to attack many devices at once, shutting down its phishing campaigns is hard: take down one sending host and the rest carry on. Phishing in turn hands the attacker more compromised devices with which to grow the botnet, spreading the harm to businesses at large.

Security Teams Must Stop Botnets

Industry experts estimate that botnet attacks have cost financial institutions, defense contractors, government agencies, and other major businesses around the globe millions of dollars. Botnet attacks have hit 83% of enterprises in just the past 12 months, and 77% of those have lost at least 6% of their revenue to them.

Every security team’s first instinct for preventing botnet attacks should be to detect them early. Once a botnet campaign gets into your infrastructure and infects core devices, mitigation becomes increasingly complex. Detection is also getting harder as traffic volumes grow and more of that traffic is encrypted.

One way to spot malware hiding in encrypted traffic is to fingerprint the TLS handshake with JA3. JA3 hashes the fields a client sends in its TLS ClientHello (protocol version, cipher suites, extensions, elliptic curves, and point formats), which identifies the client application without decrypting anything. The resulting fingerprint is compared against a threat intelligence feed in which that hash has been recorded as a known indicator of compromise (IoC). A JA3 hash identifies a TLS library or client build rather than a specific malware family, so a match is a strong lead to investigate rather than proof on its own.
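As an added example (not code from the page or from NetQuest), the block below derives a JA3 fingerprint from a raw TLS ClientHello and looks it up in an indicator list. The ClientHello bytes are hand-built for the example, the indicator feed is constructed, and its one hash is computed from the example’s own JA3 string because a real feed would ship the MD5 values directly.

```python
"""JA3 fingerprinting of a raw TLS ClientHello (added example, not from the page)."""
import hashlib
import struct

# GREASE values (RFC 8701) are random-looking fillers browsers insert; JA3 drops
# them from the cipher, extension and curve lists so the hash stays stable.
GREASE = {v << 8 | v for v in range(0x0A, 0x100, 0x10)}

# Hand-built ClientHello (constructed for this example): TLS 1.2, one GREASE
# cipher, three real ciphers, four real extensions and a trailing GREASE extension.
CLIENT_HELLO = bytes.fromhex(
    "16 0301 0069"                 # record: handshake, version, length 105
    "01 000065"                    # ClientHello, body length 101
    "0303"                         # client version TLS 1.2
    + "00" * 32 +                  # client random (zeros for the example)
    "00"                           # no session id
    "0008 0a0a c02b c02f 009c"     # cipher suites (0x0a0a is GREASE)
    "01 00"                        # compression: null only
    "0034"                         # extensions length 52
    "0000 0010 000e 00 000b 6578616d706c652e636f6d"  # server_name example.com
    "000a 0008 0006 001d 0017 0018"                  # supported_groups x25519, P-256, P-384
    "000b 0002 01 00"                                # ec_point_formats uncompressed
    "000d 0006 0004 0403 0804"                       # signature_algorithms
    "0a0a 0000"                                      # GREASE extension
)


def _u16(buf, off):
    return struct.unpack_from("!H", buf, off)[0]


def parse_client_hello(record):
    """Pull the JA3-relevant fields out of a TLS record carrying a ClientHello."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + _u16(record, 3)]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]

    off = 0
    version = _u16(body, off); off += 2
    off += 32                                   # client random
    off += 1 + body[off]                        # session id
    cs_len = _u16(body, off); off += 2
    ciphers = [_u16(body, off + i) for i in range(0, cs_len, 2)]; off += cs_len
    off += 1 + body[off]                        # compression methods

    extensions, groups, formats = [], [], []
    if off < len(body):                         # extensions block is optional
        end = off + 2 + _u16(body, off); off += 2
        while off + 4 <= end:
            etype, elen = _u16(body, off), _u16(body, off + 2)
            data = body[off + 4:off + 4 + elen]
            off += 4 + elen
            extensions.append(etype)
            if etype == 0x000A:                 # supported_groups (elliptic curves)
                groups = [_u16(data, 2 + i) for i in range(0, _u16(data, 0), 2)]
            elif etype == 0x000B:               # ec_point_formats
                formats = list(data[1:1 + data[0]])
    return {"version": version, "ciphers": ciphers, "extensions": extensions,
            "groups": groups, "formats": formats}


def ja3_string(fields):
    """Build the JA3 text form: version,ciphers,extensions,curves,point_formats."""
    def dashed(values, drop_grease=True):
        kept = [v for v in values if not (drop_grease and v in GREASE)]
        return "-".join(str(v) for v in kept)
    return ",".join([str(fields["version"]), dashed(fields["ciphers"]),
                     dashed(fields["extensions"]), dashed(fields["groups"]),
                     dashed(fields["formats"], drop_grease=False)])


def ja3_hash(record):
    return hashlib.md5(ja3_string(parse_client_hello(record)).encode()).hexdigest()


# Constructed indicator feed: real feeds deliver the MD5 values; here the single
# entry is derived from the example's own JA3 string so the lookup can be shown.
KNOWN_BAD_JA3 = {
    hashlib.md5(b"771,49195-49199-156,0-10-11-13,29-23-24,0").hexdigest():
        "example-bot-agent (constructed label)",
}


def match_ioc(record, feed=KNOWN_BAD_JA3):
    """Return the feed label for the ClientHello's JA3 hash, or None if unknown."""
    return feed.get(ja3_hash(record))


if __name__ == "__main__":
    print(ja3_string(parse_client_hello(CLIENT_HELLO)))
    print(ja3_hash(CLIENT_HELLO), "->", match_ioc(CLIENT_HELLO))
```

The JA3 string for the constructed handshake is `771,49195-49199-156,0-10-11-13,29-23-24,0`: the GREASE cipher and GREASE extension are gone, and the rest is listed in the order the client sent it, which is exactly why the hash characterizes a particular client build. A feed hit should be enriched with the destination, SNI and beaconing behaviour before anyone acts on it, since a common TLS library yields the same hash in both malware and legitimate software.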

Take Action Now Against Botnets!

Botnets are continually evolving, and every SecOps team must keep improving its threat hunting so that botnet campaigns are detected before they can cause damage.

To maximize visibility, NetQuest’s Streaming Network Sensors monitor large-scale enterprise and telco networks, inspecting both encrypted and unencrypted traffic. The sensors also extract detailed metadata from each network conversation and export unsampled flow records that can be used to detect anomalies in your network.
