Computer botnets have been around for years, causing trouble for enterprises across the globe. Their history dates back to at least 1999, when two groundbreaking threats – the Pretty Park worm and the Sub7 Trojan – demonstrated how compromised machines could be set up to receive malicious commands by listening to application layer protocols such as Internet Relay Chat.
A short history of the botnet: From IRC nuisance to cyber crime infrastructure
In the early days, IRC was indeed one of the most popular mechanisms for delivering such instructions to botnets. Subsequent botnet-related innovations, like the ones contained in the GTbot threat that surfaced in 2000, went further and took advantage of the mIRC client (a popular Microsoft Windows application, dating back to 1995, with an integrated scripting language) so that attackers could pull off more sophisticated schemes, including distributed denial-of-service attacks.
Eventually, botnet creators looked past IRC for command-and-control infrastructure. As Rik Ferguson of Trend Micro pointed out in his history of botnets, IRC became a channel that most organizations placed securely behind their firewalls, plus its distinctive traffic was and still is easily identified by network monitoring tools. Protocols such as HTTP(S), SSL and ICMP came to the fore as IRC alternatives.
By 2003, botnets had evolved beyond being mere novelties and proofs of concept. They instead turned into powerful distribution networks for spam and malware. The steady growth of CPU and GPU power as well as increasingly fast Internet speeds made botnets an ideal tool for cyber crime. They can now do anything from support a DDoS attack to mine Bitcoin, thanks to their versatility.
"The problem with dealing with botnets and command-and-control servers is that they are rather versatile resources that can be used for spamming, mass downloads and launching [DDoS]," stated the author of a 2014 Trend Micro news article. "Botnets can also exist without a C&C server by using peer-to-peer architecture and other management channels instead where commands are transferred from one bot to another."
In only 15 years, botnets have achieved vast, worldwide reach. For example, Trend Micro documented more than 9 million unique IP addresses that were victims of botnets in 2013, according to an infographic accompanying the above article. The spread of botnets has contributed to more frequent DDoS attacks, along with fluctuations in the value of cryptocurrencies and new risks to bank accounts.
Botnets in 2015 and 2016: Threats continue to evolve
Today's botnet are best understood as tools for financial gain rather than ways of gaining notoriety. A Trend Micro white paper from 2006, "Taxonomy of Botnet Threats," highlighted this shift (i.e., from achieving fame in the hacker community to stealing actual money) back when it started to occur, and the trend has only intensified over the past decade. It's readily apparent in the technical details of innovative botnets, which with time moved on from IRC and began casting a much wider net.
We won't cover every last possibility of what a modern botnet could look like, but diving into some of their most common features can help us understand what cyber security teams are now up against:
- Different C&C models: A botnet may use infrastructure that is centralized or distributed, possibly P2P in the latter case. Centralized assets are easy and relatively inexpensive to set up, while options such as P2P provide more resiliency against network failures in the botnet.
- A variety of attack types: DDoS is a well-known risk from botnets, but it's not the only one. Botnets can also be set up to steal sensitive data (such as payment card information), distribute spam at massive scale and take over new hosts through carefully planted malware.
- Many possible communications protocols: Botnets started with IRC and have since come to HTTP(S) and other channels. HTTP(S) provides cover for botnets since it is such a common protocol and one that is not as aggressively firewalled as IRC often is.
- Effective evasion techniques: Sophisticated botnets have twisted common security mechanisms such as SSL to their own ends, i.e., using encryption to disguise their traffic. Other approaches such as VoIP tunneling have also become popular.
- Versatile rallying mechanisms: Botnets are always searching for new machines to take over and then connect to their C&C infrastructures. To this end, they may use hard-coded IP addresses or something like a distributed DNS service.
This is all pretty high level; what would an advanced botnet that drew upon these techniques look like today? To get an answer, let's look at the Black Atlas effort that began in September, using the Gorynych botnet for support.
Black Atlas was targeted at small and medium-sized businesses with the goal of breaking into their networks and ultimately stealing data from point-of-sale terminals. The initiative combines many of the features mentioned above:
- It includes brute-force tools for guessing passwords, SMTP (email) scanners and remote desktop scanners, among other tools.
- It can deliver advanced malware such as BlackPOS, which is best known for the pivotal role it played in the theft of approximately 40 million payment cards from retailer Target in late 2013.
- Finally, it can exfiltrate the data it captures, using HTTP POST.
"The operation is run by technically sophisticated cybercriminals who are knowledgeable in a variety of penetration testing tools and possess a wide network of connections to PoS malware in the underground market," stated Trend Micro threats analyst Jay Yaneza in a December 2015 blog post at TrendLabs. "Its operators built a set of tools much like a Swiss army knife, with each tool offering a different functionality."
Old botnets also grow stronger as new ones emerge
Black Atlas is a good example of how the most effective botnets can piece together different tools and techniques to take advantage of weak network defenses. These components may come from a mix of old and new technologies, seen in Black Atlas' combination of SMTP scanning and BlackPOS delivery.
In some cases, the botnet itself may be an old creation that has continually evolved and increased its scope. An instructive example here is Ponmocup, a relatively obscure but enormous botnet that is still alive and well in 2015 even though its underlying code has spent nearly a decade in the wild.
At its peak in 2011, Ponmocup controlled 2.4 million machines, according to researchers from Fox IT. It has by now likely raked in millions of dollars in stolen funds. Its success can be attributed to its regularly maintained and quality-tested infrastructure as well as its huge ecosystem of support, which may include 25 plugins and 4,000 individual variants.
Old or new, botnets remain a central concern for cyber security teams everywhere. Identifying botnet infections and taking measures to curb their impact are essential steps in any malware-mitigation strategy.
Enterprises can get started by scanning their systems with a tool such as RuBotted, as recommended by Trend Micro. From there, other utilities such as HouseCall can be used to go after viruses and other threats. Fighting back against sophisticated botnets is no easy task, given how rapidly they have evolved just in the last few years. But top-notch network security tools and training can go a long way in keeping sensitive data safe.