This Halloween, Don’t Be Scared by Botnets

October 31, 2019

Botnets – large networks of compromised, internet-connected computers and devices that do the bidding of malicious actors – have long been compared to “zombies” that roam the internet infecting unprotected devices and making them part of the hoard.

In this Halloween-themed blog post, we examine some spooky trends in the world of botnets, which showcase how this threat is evolving.

1. Double, Double, Mirai and Trouble

What’s the spookiest family of botnets for Internet of Things (IoT) devices?

The Mirai family of course. Previously, Mirai mostly targeted devices found in the home, such as cameras, video recorders, lighting fixtures, and thermostats. But now, in an effort to satisfy zombie-like hunger for IoT devices, newer variants have exploits that allow them to “eat the brains” of enterprise IoT and other increasingly complex systems.

Activity from Mirai variants almost doubled between 2018 and 2019.[1] Mirai-related activity had decreased after a historic cyberattack in 2016 that shut down significant portions of the internet in the US and Europe – including Twitter, Netflix, Reddit, CNN, PayPal, and Spotify –  but this resurgence indicates the malware continues to be a serious threat.

2. Bot of Frankenstein

Since the Mirai botnet’s source code was leaked online three years ago, malicious actors have taken the role of Dr. Frankenstein and experimented with the botnet’s source code to create new breeds of online threats. Various botnets now popular among criminals have been compared to Frankenstein’s monster because they are made from different pieces of open source malware, including (but not limited to) Mirai.[2] An ominous news article from 2018 reads: “Botnet authors twist corpse of Mirai into new threats”.[3] As of July 2019, the Mirai botnet has at least 63 confirmed variants[4] and it is very possible others remain undiscovered.

3. Little Dark Web Shop of Horrors

Across the dark web, criminal marketplaces exist where botnets can be rented for a low fee by cybercriminals. This arrangement, called malware-as-a-service (MaaS), puts destructive tools into the hands of a broader set of malicious actors.[5] Some of the criminals who rent a botnet lack the technical skills to make a botnet of their own. However, others see renting a botnet as purely a pragmatic business decision.

Lest you think all malicious activity unfolds in the secrecy of the dark web, increasingly botnet creators are advertising their creations on mainstream platforms. Botnet creators have advertised their projects on YouTube and Instagram, openly flouting the law and charging a low rental fee to incentivize criminals to become their customers.[6]

4. It’s The Great Botnet, Emotet

The botnet Emotet returned with a vengeance in September 2019.[7] Armed with more than 200,000 stolen username-password combinations, Emotet spews spam at a high volume to users across the world, tricking them into unleashing malicious payloads. Emails sent by Emotet often appear to come from legitimate contacts and may include details from real conversations. Emotet is known to quote previous email threads and even send follow-up emails like a human being would – tactics that make the botnet increasingly difficult for spam filters and human beings to detect.[8] Because of Emotet’s widespread impact, tech news publications have referred to this particular zombie hoard as “the world’s most destructive botnet”[9] and “today’s most dangerous botnet”.[10]

5. Beware the Swarming Hivenets

Picture thousands of bees swarming a single target. That, in essence, is a swarmbot. Swarmbots can often overwhelm traditional cyber defenses through sheer volume alone.[11] To make matters worse, these bots are directed by an artificial intelligence known as a hivenet. Hivenets are “botnets that think for themselves” and have the ability to learn during an attack.[12] The ability to learn in real-time is a big part of what makes them dangerous. Whereas traditional botnets needed to wait for commands from their operators,[13] the hivenet coordinates strategies automatically based on what the swarmbots learn.

6. Jekyll and Mr. Necurs

Botnet developers are constantly evolving their strategies to keep bots hidden and active longer. They may pose as regular good bots, hide in crowds of mostly legitimate traffic, or even play dead. The Necurs botnet analyzed by CenturyLink’s Black Lotus Labs goes into sustained downtime at various intervals. In one observed instance, Necurs was active for three weeks, went quiet for two weeks, and then activated again.[14] In 2019, Necurs appeared largely inactive for several months, only springing into action about once per week for brief periods of time.[15]

7. Invasion of the Botnet Snatchers

Criminals frequently use botnets to perpetrate ad fraud by sending fake traffic instead of real human eyes to online destinations. In the past, it was relatively easy to identify suspicious activity such as botnets opening and closing millions of windows.[16]  But today’s malicious botnet activity increasingly resembles real human activity. This development has implications beyond defrauding retailers and advertisers.

Notably, botnets abuse social media, impersonating millions of people with the goal of shaping public opinion. By falsifying social proof, botnets that imitate human behavior could potentially influence human opinions on just about any topic, from musical trends to politics. Curtailing botnets that exploit social media is no easy task. Platforms such as Twitter have purged millions of fake accounts, but human-impersonating botnets are constantly learning, adapting, and returning to cause trouble.

8. Zombie Eats Zombie

What’s a zombie’s worst enemy? Potentially, another zombie. Botnets quite often infect devices already infected by other botnets – and delete their rivals in order to increase their own dominion. As bots that “eat” other bots become more common, and profits are at stake, there is significant pressure on botnet operators to fight their rivals using the latest tools, or at least take steps to defend themselves. Some botnets will actively patch security vulnerabilities after they break into a device, in order to prevent a rival from breaking in. The tendency for botnets to compete will likely drive their evolution in new directions, possibly making them more resilient to mitigation efforts.

Scary stuff, but for more information about botnets (and how to fight them), see our Council to Secure the Digital Economy’s anti-botnet guide, which we update annually. This year’s edition will include specific guidance for securing IoT devices.

[1] https://securityintelligence.com/posts/i-cant-believe-mirais-tracking-the-infamous-iot-malware-2
[2] https://www.darkreading.com/attacks-breaches/new-botnet-shows-evolution-of-tech-and-criminal-culture/d/d-id/1333792
[3] https://www.theregister.co.uk/2018/06/01/mirai_respun_in_new_botnets
[4] https://securityintelligence.com/posts/i-cant-believe-mirais-tracking-the-infamous-iot-malware-2
[5] https://www.cyberscoop.com/mirai-botnet-for-sale-ddos-dark-web
[6] https://www.darkreading.com/attacks-breaches/new-botnet-shows-evolution-of-tech-and-criminal-culture/d/d-id/1333792
[7] https://blog.talosintelligence.com/2019/09/emotet-is-back-after-summer-break.html
[8] https://arstechnica.com/information-technology/2019/09/worlds-most-destructive-botnet-returns-with-stolen-passwords-and-email-in-tow
[9] https://arstechnica.com/information-technology/2019/09/worlds-most-destructive-botnet-returns-with-stolen-passwords-and-email-in-tow
[10] https://www.zdnet.com/article/emotet-todays-most-dangerous-botnet-comes-back-to-life
[11] https://www.csoonline.com/article/3301148/the-evolving-threat-landscape-swarmbots-hivenets-automation-in-malware.html
[12] https://www.darkreading.com/vulnerabilities—threats/rise-of-the-hivenet-botnets-that-think-for-themselves/a/d-id/1331062
[13] https://www.darkreading.com/vulnerabilities—threats/rise-of-the-hivenet-botnets-that-think-for-themselves/a/d-id/1331062
[14] https://threatpost.com/necurs-botnet-hide-payloads/142334
[15] https://blog.centurylink.com/casting-light-on-the-necurs-shadow
[16] https://www.cyberscoop.com/smart-botnet-human-behavior-ddos-ad-fraud-methbot