Turning Devices Against Their Users: A Brief History Of Botnets

Users are unaware if a device they own is infected. While infected, besides for carrying out attacks, the host device can also be used to infect nearby devices or devices in any part of the world.

To understand why a hacker would use a botnet, it is best to use an analogy of a business owner wishing to undergo a large scale construction process. Think of a football team owner desiring to build a new stadium for their team. To do so, they need to hire a huge number of construction workers to have the task completed in a reasonable amount of time. If the owner tried to build it themselves, it would be impossible, and take many lifetimes! However, in the case of botnets, these attacks can be carried out in seconds, with enough infected hosts.

And so, a hacker will use a botnet to leverage a vast number of devices of joined processing power to carry out devestating attacks in only a few moments.

A botnet is usually led by a hacker-controlled device, called a herder. The herder uses commands to call the shots, and directs the rest of the infected network in their actions.

Botnets and bot herders aren’t always used by the hackers that developed them, and many services operate on a leasing or rental bases, for prices much cheaper than you would think.

The stages of a full infection and attack can be broken into three steps, usually.

Step 1 – Preparation and Exploitation – Here a hacker will get into a device, and deploy the malware underlying the botnet. These attack vectors are varied, and will be covered shortly.

Step 2 – Infection – This is the stage at which the underlying botnet infects the device, and is now controlling it. Security is breached and in most cases the device is past the point of no return. The device may not be used for an attack yet however, as the hacker may need to gather more devices into the botnet first.

Step 3 – Activation – At this point, the device is actively used in attacks. It will work in sync with every other host in the botnet. Depending on the objective of the botnet, the user may or may not notice that a device of theirs has been compromised.

One active, a botnet shares some similarities to a trojan or spyware. A botnet can often read and write data, collect personal information, monitor the user, send files, and install applications.

It’s usual end goal is to perform distributed denial-of-service (DDoS) attacks, though botnets are often sold on for other hackers to do the same. More sophisticated botnets can install additional payloads, such as ransomware. Botnets are also used to harvest login credentials, and play a huge role in crimes like identity theft.

Traditionally, Botnets infected computers and laptops. With the advent of smartphones, these were added to list of targets. The biggest growth for botnets has only come in the last decade, however, with the rise of Internet-of-Things (IoT) devices.

These can be smart light bulbs, doorbells, and even fridges. A common misconception about these smart, connected devices is that they only serve their intended purpose. However, under the hood, they are all computers, no matter how tiny. Thus, a fully connected smart home can serve as an arsenal to any hacker.

IoT devices face a unique problem as it is difficult, if not impossible, to detect if one is a part of a botnet. This is due to their limited feedback – A smart lightbulb doesn’t have a user interface outside an app, for example. It may sound like science fiction to hear that your fitness watch is being used as part of an international crime gangs activites, but this is much more common than you would think.

Along with the herder, a botnet is usually controlled at the Command-and-control (C&C) center. For bigger hacking organizations, this may be a large scale operation involving a server room, which will also host the herders main server.

In this article, we aim to give a top-level view of botnets, their history, their impact, as well as some recent stories that hit the news regarding botnets. Hopefully after reading this, you will be better prepared to face some more of the threats out there on the web – And prepared to make sure your devices are used by you, and you only.

Botnets Through The Years

Botnets have long been a staple of the internet. The first trio of Botnets existed on the Internet Relay Chat, known as IRC. IRC is considered one of the first chat rooms, and in a sense was the genesis of social media, where like minded individuals could come together in designated spaces to talk about their internets, ranging from politics, to religion, to computers, and much more.

The first botnets shown on IRC were Jyrki Alakuijala’s Puppe, Greg Lindahl’s Game Manager, and Bill Wisner’s Bartender. These IRC bots were developed with good itentions – They provided automated services to users, and stayed in the channel 24/7 to avoid inactivity shutdowns, which was a common problem on IRC.

More commercial early bots were web crawlers used by search engines. The first web crawler appeared in 1994, and was used to index web pages. Pretty simply, it was known as WebCrawler. AOL later used this technology in 1995, and later was used by Excite in 1997. The most efficient web crawler was named Googlebot, and was created by Scott Hassan, also known as BackRub. Suffice to say, Googlebot was the foundation of the company Google.

Hassan is often considered the ‘third founder’ of the company, but had left before they were officially incorportated. Googlebot has of course gone under many developments throughout the years.

In terms of early botnets that are more similar to what we now see were Sub7 and Pretty Park, a Trojan and worm respectively. They flooded IRC and would install themselves convertly on machines. These botnets listened to IRC channels for specific commands.

The most infamous botnet of this era was GTbot, which used a fake IRC client and was capable of the first DDoS attacks.

Botnets didn’t stay within IRC (or a later addition, mIRC) for much longer, and were later found on the wider web.

Botnets continued to grow as adoption of home internet increased. The late 00s saw one of the more destructive botnets of the era, named Storm. Storm was believed to have infected 50 million devices, and used from everything from stock price fraud to identity theft.

At this time botnets were particularly popular for sending spam emails. 2009 saw a botnet named Cutwail which sent out 74 billion spam emails a day.

In more recent time, the COVID lockdowns saw an increase of all kinda of malware attacks, including botnet attacks. Q3 of 2020 alone saw 1.3 billion attacks.

There may come a time when botnets will be a thing of the past, when cybersecurity technicians will develop fool-proof methods to distinguish bot from human traffic. However, these bots, for good or bad, are here to stay for now.

The Biggest Attack Of The Summer

This summer saw the largest distributed denial-of-service (DDoS) attack in Europe, which occured in July. The target was a client of cybersecurity company Akamai, had went through a barrage of assaults that lastest 30 days.

DDoS attacks skyrocketed across the board since earlier this years. These attacks involve denying access to victims digital services by flooding them with thousands of requests. The increase in attacks is due to a number of reasons, including the situation in the Ukraine.

Akamai’s reported of the attack detailed the DDoS attack that occured on July 21st, and in 14 hours it peaked at 853.7 Gbps (gigabits per second) and 659.6 Mpps (million packets per second).

Akamai did not revealed details regarding the identity of their client. They added that the client was the target of 75 seperate DDoS attacks over the entirity of July.

The most popular attack vector during this time was UDP (user data protocol). This method was seen in each record attack spits too.

There were a number of additional attack vectors used, including UDP fragmentation, ICMP flood, RESET flood, SYN requests flood, TCP anomaly, TCP fragment, PSH ACK flood, FIN push flood, and PUSH flood.

Akamai reported that the DDoS attacks came from a “highly-sophisticated global botnet” of infected devices. With the advanced of consumer technology, more and more botnets are capable of record-breaking DDoS attacks.

The campaign was reminiscint of the Meris botnet, which hit Russian internet giant Yandex with 21.8 million RPS (requests per second). Later in this article we will cover the Mantis botnet, which peaked at 26 million RPS.

Though the reasons behind the attack remain unclear, it is known that they took place in Eastern Europe, so may have politicial reasoning.

Disrupting A Russian Botnets

Recently, the US Department of Justice announced its disruption of the Russian Rsocks botnet. The botnet was used to hijack millions of computers, android phones, and IoT(internet of things) devices across the globe.

The disruption operation was a joint one from law enforcement agencies around the world, including Germany, the Netherlands, the UK, and the USA. The botnet maintained its infrastructure across these countries.

The RSocks botnet used residential computers as proxy servers, allowing clients of the botnet to use them for malicious activities. If any of these attacks were traced, it would simply ping back to the residential IP address.

The botnet was also promoted as a shopping bot, which aren’t usually banned from online retail websites.

The FBI started tracking the botnets infrastructure in an undercover sting when they purchased a large number of proxies in 2017.

According to the public report, the botnet prices ranged from $30 per day for 2,000 proxies to $200 per day for 90,000 proxies.

During the initial investigation, authorities identified 325,000 compromised devices, nearly all of which were located in the US.

It is believed Rsocks compromised affected devices by brute-forcing passwords and installing the botnet onto the devices.

“Several large public and private entities have been victims of the RSocks botnet, including a university, a hotel, a television studio, and an electronics manufacturer, as well as home businesses and individuals,” explains the DOJ announcement.

“At three of the victim locations, with consent, investigators replaced the compromised devices with government-controlled computers (i.e., honeypots), and all three were subsequently compromised by RSocks.”

There has not been any arrests announced as of yet, but it is know that the botnet is severely disrupted.

One the strongest botnet attacks occurred earlier this year, the Mantis botnet attack, which was mentioned previously in this article. Much of the attack was mitigated by Cloudflare.

At its peak, the botnet built up 26 million requests per second coming from over 5000 devices. Before the Mantis botnet attacks, the previous record was by the Meris botnet, which spiked at 21.8 million RPS.

Mantis had been tracked by Cloudflare previously, which was part of the reason it was able to be mitigated.

The Cloudflare report stated that its analysts named the botnet Mantis after the Mantis Shrimp, which can attack quickly and powerfully. The analysts felt the botnet behaved in a similar manner.

Usually, a botnet needs to compromise a massive number of devices to perform a large scale attack. However, Mantis focuses on servers and virtual machines, which have more resources to carry out heavy attacks.

The previous record holder, Meris, acheived its strong attacks by taking over MikroTik devices, which came with very powerful hardware.

Mantis targeted entities in the IT and telecom (36%), news, media, and publications (15%), finance (10%), and gaming (12%) sectors. Over 30 days, it launched 3000 DDOS attacks against over 1000 Cloudflare clients.

The targets were from around the globe, with nearly half being from the US and Russia. This is somewhat unusual, as hackers usually only focus or one on the other, but rarely both.

The ‘Frankenstein’ Botnet

Early this year, researchers at Securonix discovered the EnemyBot botnet, which was put together using code from multiple malware strains. It has quickly expanded its reach, and affects targets quickly by using exploits and vulnerabilites. The botnet has mostly been found in web servers, content management systems, Androids, and iOS devices.

The botnet was first discovered in March, with Fortinet conducting additional research in April. At this point, the botnet has already infected many devices.

Like many botnets, EnemyBots prime directive is to launch denial-of-service (DDoS) attacks. Additional, it uses modules to scan for new host devices to infect.

The latest report by AT&T Alien Labs stated that EnemyBot uses exploits for 24 vulnerabilities. The majority of these are critical errors.

Some flaws affect IoT devices specifically, with CVE-2022-27226 (iRZ) and CVE-2022-25075 (TOTOLINK) being the most recent. It also includes the Log4Shell exploit, one of the most infamous bugs found last year.

Some newer versions include a number of additional bugs, including:

CVE-2022-22954: Critical (CVSS: 9.8) remote code execution flaw impacting VMware Workspace ONE Access and VMware Identity Manager. PoC (proof of concept) exploit was made available in April 2022.

CVE-2022-22947: Remote code execution flaw in Spring, fixed as zero-day in March 2022, and massively targeted throughout April 2022.

CVE-2022-1388: Critical (CVSS: 9.8) remote code execution flaw impacting F5 BIG-IP, threatening vulnerable endpoints with device takeover. The first PoCs appeared in the wild in May 2022, and active exploitation began almost immediately.

One of the latest updates to the botnet allows it to bypass firewall restrictions, a feature rarely seen on Botnets.

The hacking group behind EnemyBot, Keksec, have an infamous reputation in the malware scene already, and have created a number of malware strains, including Tsunami, Gafgyt, DarkHTTP, DarkIRC, and Necro.

To make matters worse, the source code for EnemyBot has been released. This means that copycats will likely spring up rather quickly.

Though EnemyBot is currently used for DDoS attacks, it is very likely that as it becomes more advanced, it will be used for additional acts, such as cryptomining.

Botnet Leader Sees Prison Time

Recently, a 28 year old from the Ukraine was sentenced to 4 years in prison for using a botnet to steal thousands of login credentials and sell them on the dark web.

Glib Oleksandr Ivanov-Tolpintsev claimed to his peers in the hacking space that he could get the credentials for over 2000 devices a week by using a brute force attack carried out by a botnet.

“During the course of the conspiracy, Ivanov-Tolpintsev boasted that his botnet was capable of decrypting the login credentials of at least 2,000 computers every week,” the Department of Justice revealed today.

“From 2017 through 2019, Ivanov-Tolpintsev listed for sale thousands of login credentials of servers on the Marketplace, including more than 100 in the Middle District of Florida.”

These stolen credentials, when sold, can be used for a range of illicit activites, ranging from data theft to identity theft. They can also be used for sophisticated proxy attacks.

Ivanov-Tolpintsev operated a number of aliases, and the DOJ subpoenaed Google to discover his identity. They also got a hold of his Jabber account, which revealed his extensive conversations with fellow hackers as well as representatives of the dark web marketplace.

The FBI soon made a timeline of Ivanov-Tolpintsev’s activities, and narrowed down his actions on the dark web.

They reported that while using the alias, “Mars”, the hacker sold over 6,705 crdentials, earning over $80,000 on the dark web.

He was initially arrested in Poland in 2020, and soon extradited in the US.

Steps To Mitigate Risk From Botnets

Many methods to prevent malware attack vectors are similar between types of malware, however given the nature of Botnets, there are some extra steps to take.

One of the primary things to keep in mind when securing devices against botnets is to consider of their largest attack markets – IoT devices, smart devices like bulbs, thermostats, doorbells etc. These often come with factory standard passwords that are well known in the hacking community. Due to ease of access, users may be tempted to change passwords on these devices to easier versions, such as ‘pass12345’. This is move is even worse, as it can be brute forced in seconds.

Ideally, users should think of a long (20 or so characters) alpha-numeric password. Though it may mean initially onboarding will take a few minutes, it can immensely bolster the protect of that device. It is worth writing this password on a piece of paper and keeping it with your personal records, locked away.

The inner security of an IoT device should be considered too. With the popularity of IoT devices, there is a flood of cheaper models, many of which could be considered ‘knock-offs’ of bigger brands. These cheap models may function identically, but they tend to prioritize convenience over security. Do your research before purchasing a new gadget, or if in doubt, go with one made by a recognise big brand name, such as Philips or Ring.

When to comes to devices like phones, laptops, and computers, be aware of phishing emails and email attachments – By far the most common attack vector for botnets. Don’t open emails from unknown senders, and be cautious with attachments and links from people you know – As explored earlier, email addresses can be compromised, and used to send phishing emails to contacts. The same logic applies to SMS messages, and social media messages.

Any anti-virus software, including OS defaults such as Windows Defender, can also be a great defence against botnets, given their file scanning capabilities.

One of the greatest lines of defense you can make against botnets is using a cybersecurity focused VPN, such as SaferNet. SaferNet was designed to safeguard users against threats as Botnets, and many other types of malware – especially those that using phishing emails and messages as attack vectors. SaferNet also protects against drive-by-downloads, and unwanted trackers associated with botnets. It is in a constant state of development to ensure that you are protected against both present and future threats.