BOTNET
WHAT IS A BOTNET?
A botnet refers to a group of computers which have been infected by malware and have come under the control of a malicious actor. The term botnet is a portmanteau from the words robot and network and each infected device is called a bot. Botnets can be designed to accomplish illegal or malicious tasks including sending spam, stealing data, ransomware, fraudulently clicking on ads or distributed denial-of-service (DDoS) attacks.
While some malware, such as ransomware, has a direct and visible impact on the owner of the device, DDoS botnet malware can have different levels of visibility: some malware is designed to take total control of a device, while other malware runs silently as a background process, waiting for instructions from the attacker or “bot herder.”
Self-propagating botnets recruit additional bots through a variety of different channels. Pathways for infection include the exploitation of website vulnerabilities, Trojan horse malware, and cracking weak authentication to gain remote access. Once access has been obtained, all of these methods for infection result in the installation of malware on the target device, allowing remote control by the operator of the botnet. Once a device is infected, it may attempt to self-propagate the botnet malware by recruiting other hardware devices in the surrounding network.
While it's infeasible to pinpoint the exact numbers of bots in a particular botnet, estimations for total number of bots in a sophisticated botnet have ranged in size from a few thousand to greater than a million.
A botnet [short for bot network] is a network of hijacked computers and devices infected with bot malware and remotely controlled by a hacker. The bot network is used to send spam and launch Distributed Denial of Service [DDoS] attacks, and may be rented out to other cybercriminals. Botnets can also exist without a command and control (C&C) server by using peer-to-peer [P2P] architecture and other management channels to transfer commands from one bot to another.
Initially, botnet operators used IRC clients to deliver instructions and execute DDoS attacks. Many recent botnet operations have been observed to have the ability to mine bitcoins, intercept data in transit, send logs containing sensitive user information to the botnet master, and consume the user’s machine resources.
Botnets have continued to evolve over the years. Their most common features now include varied C&C models [centralized or distributed] and attack types [spam, DDoS, data theft], a wider range of communication protocols [IRC, HTTPS], the use of effective evasion techniques [SSL, VoIP tunneling] and versatile rallying mechanisms [hard-coded IP address, distributed DNS service].
Botnets have also been used to target point-of-sale [PoS] and other payment systems.
Trend Micro’s free RUBotted antivirus service monitors your computer for suspicious activities associated with bots. If it discovers a potential infection, RUBotted will identify and clean it with the Trend Micro™ HouseCall™, which can detect known and unknown variants of botnet families including the following notorious botnets [5]:
- ZBOT/ZeuS – bank information stealer
- KOOBFACE – most successful Web 2.0 botnet
- WALEDAC – infamous spamming bot
A botnet is a group of computers connected in a coordinated fashion for malicious purposes. Each computer in a botnet is called a bot. These bots form a network of compromised computers, which is controlled by a third party and used to transmit malware or spam, or to launch attacks.
A botnet may also be known as a zombie army.
Originally, botnets were created as a tool with valid purposes in Internet relay chat (IRC) channels. Eventually, hackers exploited the vulnerabilities in IRC networks and developed bots to perform malicious activities such as password theft, keystroke logging, etc.
An attacker will often target computers not safeguarded with firewalls and/or anti-virus software. A botnet manipulator can get control of a computer in a variety of ways, but most frequently does so via viruses or worms. Botnets are significant because they have become tools that both hackers and organized crime use to perform illegal activities online. For example, hackers use botnets to launch coordinated denial-of-service attacks, while organized crime uses botnets to send spam, or to send a phishing attack that is then used for identity theft.
Even more concerning is the industry that has sprung up around botnets in which bot herders build botnets specifically to "rent" to the highest bidder. Whether they send spam, adware/spyware, viruses/worms, etc., botnets can be used to perpetrate just about any type of digital attack.
Botnets have become one of the biggest threats to security systems today. Their growing popularity among cybercriminals comes from their ability to infiltrate almost any internet-connected device, from DVR players to corporate mainframes.
Botnets are also becoming a larger part of cultural discussions around cyber security. Facebook’s fake ad controversy and the Twitter bot fiasco during the 2016 presidential election worry many politicians and citizens about the disruptive potential of botnets. Recently published studies from MIT have concluded that social media bots and automated accounts play a major role in spreading fake news.
The use of botnets to mine cryptocurrencies like Bitcoin is a growing business for cyber criminals. It’s predicted the trend will continue, resulting in more computers infected with mining software and more digital wallets stolen.
Aside from being tools for influencing elections and mining cryptocurrencies, botnets are also dangerous to corporations and consumers because they’re used to deploy malware, initiate attacks on websites, steal personal information, and defraud advertisers.
It’s clear botnets are bad, but what are they exactly? And how can you protect your personal information and devices? Step one is understanding how bots work. Step two is taking preventative actions.
The Internet is filled with threats to online security. Many of these threats are just productive, positive technologies turned to evil use. The botnet is an example of using good technologies for bad intentions. A botnet is nothing more than a string of connected computers coordinated together to perform a task. That can be maintaining a chatroom, or it can be taking control of your computer. Botnets are just one of the many perils out there on the Internet. Here’s how they work and how you can protect yourself.
Botnets are the workhorses of the Internet. They’re connected computers performing a number of repetitive tasks to keep websites going. It’s most often used in connection with Internet Relay Chat. These types of botnets are entirely legal and even beneficial to maintaining a smooth user experience on the Internet.
What you need to be careful of are the illegal and malicious botnets. What happens is that botnets gain access to your machine through some piece of malicious coding. In some cases, your machine is directly hacked, while other times what is known as a “spider” (a program that crawls the Internet looking for holes in security to exploit) does the hacking automatically.
More often than not, what botnets are looking to do is to add your computer to their web. That usually happens through a drive-by download or fooling you into installing a Trojan horse on your computer. Once the software is downloaded, the botnet will now contact its master computer and let it know that everything is ready to go. Now your computer, phone or tablet is entirely under the control of the person who created the botnet.
Once the botnet’s owner is in control of your computer, they usually use your machine to carry out other nefarious tasks. Common tasks executed by botnets include:
- Using your machine’s power to assist in distributed denial-of-service (DDoS) attacks to shut down websites.
- Emailing spam out to millions of Internet users.
- Generating fake Internet traffic on a third-party website for financial gain.
- Replacing banner ads in your web browser specifically targeted at you.
- Pop-up ads designed to get you to pay for the removal of the botnet through a phony anti-spyware package.
Why are botnets created?
Reasons for using a botnet range from activism to state-sponsored disruption, with many attacks being carried out simply for profit. Hiring botnet services online is relatively inexpensive, especially in relation to the amount of damage they can cause. The barrier to creating a botnet is also low enough to make it a lucrative business for some software developers, especially in geographic locations where regulation and law enforcement are limited. This combination has led to a proliferation of online services offering attack-for-hire.
How is a botnet controlled?
A core characteristic of a botnet is the ability to receive updated instructions from the bot herder. The ability to communicate with each bot in the network allows the attacker to alternate attack vectors, change the targeted IP address, terminate an attack, and perform other customized actions. Botnet designs vary, but the control structures can be broken down into two general categories:
The client/server botnet model
The client/server model mimics the traditional remote workstation workflow where each individual machine connects to a centralized server (or a small number of centralized servers) in order to access information. In this model each bot will connect to a command-and-control center (CnC) resource like a web domain or an IRC channel in order to receive instructions. By using these centralized repositories to serve up new commands for the botnet, an attacker simply needs to modify the source material that each bot consumes from a command center in order to update instructions to the infected machines. The centralized server in control of the botnet may be a device owned and operated by the attacker, or it may be an infected device.
A number of popular centralized botnet topologies have been observed, including:
- Star network topology
How botnets work
To better understand how botnets function, consider that the name itself is a blending of the words “robot” and “network”. In a broad sense, that’s exactly what botnets are: a network of robots used to commit cyber crime. The cyber criminals controlling them are called botmasters or bot herders.
Size Matters
To build a botnet, botmasters need as many infected online devices or “bots” under their command as possible. The more bots connected, the bigger the botnet. The bigger the botnet, the bigger the impact. So size matters. The criminal’s ultimate goal is often financial gain, malware propagation, or just general disruption of the internet.
Imagine the following: You’ve enlisted ten of your friends to call the Department of Motor Vehicles at the same time on the same day. Aside from the deafening sounds of ringing phones and the scurrying of State employees, not much else would happen. Now, imagine you wrangled 100 of your friends to do the same thing. The simultaneous influx of such a large number of signals, pings, and requests would overload the DMV’s phone system, likely shutting it down completely.
Cybercriminals use botnets to create a similar disruption on the internet. They command their infected bot army to overload a website to the point that it stops functioning and/or access is denied. Such an attack is called a distributed denial of service, or DDoS.
Most people who are infected with botnets aren’t even aware that their computer’s security has become compromised. However, taking simple, common-sense precautions when using the Internet can not only remove botnets that have been installed, it can also prevent them from being installed on your computer, tablet and phone in the first place.
- Good security begins with an Internet security suite that detects malware that has been installed, removes what’s present on your machine and prevents future attacks.
- Always update your computer’s operating system as early as possible. Hackers often utilize known flaws in operating system security to install botnets. You can even set your computer to install updates automatically.
- The same is true of applications on your computer, phone and tablet. Once weaknesses are found and announced by software companies, hackers rush to create programs to exploit those weaknesses.
- Don’t download attachments or click on links from email addresses you don’t recognize. This is one of the most common vectors for all forms of malware.
- Use a firewall when browsing the Internet. This is easy to do with Mac computers, as they come with Firewall software pre-installed. If you’re using a Windows-based machine, you might need to install third-party software.
- Don’t visit websites that are known distributors of malware. One of the things that a full-service Internet security suite can do is warn you when you’re visiting such sites. When in doubt, check with Norton Safe Web.
The term botnet is derived from the words robot and network. A bot in this case is a device infected by malware, which then becomes part of a network, or net, of infected devices controlled by a single attacker or attack group.
The botnet malware typically looks for vulnerable devices across the internet, rather than targeting specific individuals, companies or industries. The objective for creating a botnet is to infect as many connected devices as possible, and to use the computing power and resources of those devices for automated tasks that generally remain hidden to the users of the devices.
For example, an ad fraud botnet that infects a user's PC will take over the system's web browsers to divert fraudulent traffic to certain online advertisements. However, to stay concealed, the botnet won't take complete control of the web browsers, which would alert the user. Instead, the botnet may use a small portion of the browser's processes, often running in the background, to send a barely noticeable amount of traffic from the infected device to the targeted ads.
On its own, that fraction of bandwidth taken from an individual device won't offer much to the cybercriminals running the ad fraud campaign. However, a botnet that combines millions of devices will be able to generate a massive amount of fake traffic for ad fraud, while also avoiding detection by the individuals using the devices.
Botnet architecture
Botnet infections are usually spread through malware, such as a Trojan horse. Botnet malware is typically designed to automatically scan systems and devices for common vulnerabilities that haven't been patched, in hopes of infecting as many devices as possible. Botnet malware may also scan for ineffective or outdated security products, such as firewalls or antivirus software.
Once the desired number of devices is infected, attackers can control the bots using two different approaches. The traditional client/server approach involves setting up a command-and-control (C&C) server and sending automated commands to infected botnet clients through a communications protocol, such as internet relay chat (IRC). The bots are often programmed to remain dormant and await commands from the C&C server before initiating any malicious activities.
The other approach to controlling infected bots involves a peer-to-peer network. Instead of using C&C servers, a peer-to-peer botnet relies on a decentralized approach. Infected devices may be programmed to scan for malicious websites, or even for other devices in the same botnet. The bots can then share updated commands or the latest versions of the botnet malware.
The peer-to-peer approach is more common today, as cybercriminals and hacker groups try to avoid detection by cybersecurity vendors and law enforcement agencies, which have often used C&C communications as a way to monitor for, locate and disrupt botnet operations.
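A bot that stays dormant and polls a centralized C&C server, as described above, tends to leave a telltale trace on the defender's side: outbound connections from one host to one destination at a near-constant interval. The following is an added example, not code from the original page or from any vendor it quotes. It groups constructed connection-log lines by source, destination and port, measures the spacing between successive connections, and flags pairs whose spacing is both frequent and regular. The log format, the field order and the thresholds are assumptions made for the example.

```python
"""Beacon detection over connection logs (added example, not from the original page).

Regular polling of a C&C server produces evenly spaced outbound
connections. This heuristic flags (src, dst, port) triples whose
inter-connection gaps have a low coefficient of variation.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed log lines for the example: "<epoch_seconds> <src_ip> <dst_ip> <dst_port>".
# 10.0.0.5 polls 203.0.113.9:6667 roughly every 60 s (beacon-like);
# 10.0.0.7 talks to 198.51.100.20:443 in irregular bursts (browsing-like).
SAMPLE_LOG = """\
1700000000 10.0.0.5 203.0.113.9 6667
1700000061 10.0.0.5 203.0.113.9 6667
1700000119 10.0.0.5 203.0.113.9 6667
1700000180 10.0.0.5 203.0.113.9 6667
1700000242 10.0.0.5 203.0.113.9 6667
1700000299 10.0.0.5 203.0.113.9 6667
1700000003 10.0.0.7 198.51.100.20 443
1700000004 10.0.0.7 198.51.100.20 443
1700000150 10.0.0.7 198.51.100.20 443
1700000151 10.0.0.7 198.51.100.20 443
1700000152 10.0.0.7 198.51.100.20 443
1700000600 10.0.0.7 198.51.100.20 443
"""


def parse_log(text):
    """Return {(src, dst, port): [timestamps]} from the constructed format."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        conns[(src, dst, int(port))].append(int(ts))
    return conns


def beacon_score(timestamps):
    """Coefficient of variation of the gaps between connections (0 = perfectly periodic).

    Returns None when fewer than two gaps exist, since regularity is then undefined.
    """
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else None


def find_beacons(text, min_connections=5, max_cv=0.2):
    """Return [(src, dst, port, mean_gap_seconds)] for beacon-like connection pairs.

    min_connections and max_cv are assumed thresholds chosen for the example,
    not values tuned for a production network.
    """
    flagged = []
    for key, ts in parse_log(text).items():
        if len(ts) < min_connections:
            continue
        cv = beacon_score(ts)
        if cv is not None and cv <= max_cv:
            ordered = sorted(ts)
            mean_gap = (ordered[-1] - ordered[0]) / (len(ordered) - 1)
            flagged.append((*key, round(mean_gap, 1)))
    return flagged


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print("beacon-like:", hit)
```

On the constructed input only the 10.0.0.5 to 203.0.113.9:6667 pair is reported, with a mean gap of 59.8 seconds; the bursty HTTPS traffic has a high coefficient of variation and is left alone. In practice the same regularity can come from legitimate software update checks or monitoring agents, so a hit is a lead for triage (destination reputation, process that opened the socket) rather than proof of infection.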
Notable botnet attacks
Zeus
The Zeus malware, first detected in 2007, is one of the best-known and widely used malware types in the history of information security.
Zeus uses a Trojan horse program to infect vulnerable devices and systems, and variants of this malware have been used for various purposes over the years, including to spread CryptoLocker ransomware.
Initially, Zeus, or Zbot, was used to harvest banking credentials and financial information from users of infected devices. Once the data was collected, attackers used the bots to send out spam and phishing emails that spread the Zeus Trojan to more prospective victims.
In 2009, cybersecurity vendor Damballa estimated Zeus had infected 3.6 million hosts. The following year, the FBI identified a group of Eastern European cybercriminals who were suspected to be behind the Zeus malware campaign; the FBI later made more than 100 arrests in the U.S. and Europe.
The Zeus botnet was repeatedly disrupted in 2010, when two internet service providers that were hosting the C&C servers for Zeus were shut down. However, new versions of the Zeus malware were later discovered.
Srizbi
The Srizbi botnet, which was first discovered in 2007, was, for a time, the largest botnet in the world. Srizbi, also known as the Ron Paul spam botnet, was responsible for a massive amount of email spam -- as much as 60 billion messages a day, accounting for roughly half of all email spam on the internet at the time. In 2007, the Srizbi botnet was used to send out political spam emails promoting then-U.S. Presidential candidate Ron Paul.
The botnet used a Trojan to infect users' computers, which were then used to send out spam. Experts estimated that the Srizbi botnet included approximately 450,000 infected systems.
The cybercriminals behind Srizbi used San Jose, Calif.-based hosting provider McColo for the botnet's C&C infrastructure. The botnet's activity ceased when McColo, which was discovered to be hosting other botnet and spam operations, as well, was shut down in 2008.
Gameover Zeus
Approximately a year after the original Zeus botnet was disrupted, a new version of the Zeus malware emerged, known as Gameover Zeus.
Instead of relying on a traditional, centralized C&C operation to control bots, Gameover Zeus used a peer-to-peer network approach, which initially made the botnet harder for law enforcement and security vendors to pinpoint and disrupt. Infected bots used a domain generation algorithm (DGA) to communicate.
The Gameover Zeus botnet would generate domain names to serve as communication points for infected bots. An infected device would randomly select domains until it reached an active domain that was able to issue new commands. Security firm Bitdefender reported two versions of Gameover Zeus, one of which generated 1,000 new domains, and the other which generated 10,000 new domains each day.
In 2014, international law enforcement agencies took part in Operation Tovar to temporarily disrupt Gameover Zeus by identifying the domains used by the cybercriminals, and then redirecting bot traffic to government-controlled servers.
The FBI also offered a $3 million reward for Russian hacker Evgeniy Bogachev, who is accused of being the mastermind behind the Gameover Zeus botnet. Bogachev is still at large, and new variants of Gameover Zeus have since emerged.
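The DGA behaviour described for Gameover Zeus, a bot working through hundreds of generated names until one resolves, is visible in DNS logs as a burst of lookups for random-looking domains that mostly return NXDOMAIN. The following is an added example, not code from the original page or from any of the vendors it quotes. It scores the registrable label of each queried name by character entropy and vowel ratio, then reports clients that received NXDOMAIN for several such names. The DNS log format, the scoring thresholds and the constructed domain names are assumptions for the example; the domains are not real indicators.

```python
"""DGA-style lookup detection over DNS query logs (added example, not from the original page).

Generated domains tend to be long, high-entropy strings with few vowels.
A single such name proves nothing (CDN hostnames look similar), so the
check also requires the lookups to have failed (NXDOMAIN) and counts
distinct failing names per client before raising an alert.
"""
import math
from collections import Counter, defaultdict

# Constructed log lines: "<epoch_seconds> <client_ip> <qname> <rcode>".
# The names queried by 10.0.0.5 were made up to look machine-generated.
SAMPLE_DNS_LOG = """\
1700000000 10.0.0.5 xk7qpzvmwtlrbh.com NXDOMAIN
1700000001 10.0.0.5 zqwv9nplkmxrt.net NXDOMAIN
1700000002 10.0.0.5 bqxvzknwprt4.org NXDOMAIN
1700000003 10.0.0.5 mtzqxwvkpr7nl.com NXDOMAIN
1700000004 10.0.0.5 vzqk3wnpxtrml.biz NXDOMAIN
1700000005 10.0.0.5 lpqzxwvk8mtrn.com NXDOMAIN
1700000010 10.0.0.7 www.example.com NOERROR
1700000011 10.0.0.7 mail.example.org NOERROR
1700000012 10.0.0.7 cdn.example.net NOERROR
1700000013 10.0.0.7 exmaple.com NXDOMAIN
"""


def shannon_entropy(s):
    """Bits of entropy per character of the string s."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_label(qname):
    """Second-level label of a name, e.g. 'example' for 'www.example.com'.

    Assumption for the example: a single-label public suffix. A real
    deployment would consult the Public Suffix List for names like co.uk.
    """
    labels = qname.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def looks_generated(qname, min_len=10, min_entropy=3.0, max_vowel_ratio=0.2):
    """True when the registrable label is long, high-entropy and vowel-poor.

    Thresholds are assumptions chosen for the example.
    """
    label = registered_label(qname)
    if len(label) < min_len:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    return (shannon_entropy(label) >= min_entropy
            and vowels / len(label) <= max_vowel_ratio)


def find_dga_clients(text, min_hits=3):
    """Return {client_ip: [sorted failing generated-looking names]} for clients
    with at least min_hits distinct such NXDOMAIN responses."""
    hits = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, rcode = line.split()
        if rcode == "NXDOMAIN" and looks_generated(qname):
            hits[client].add(qname.lower())
    return {client: sorted(names) for client, names in hits.items()
            if len(names) >= min_hits}


if __name__ == "__main__":
    for client, names in find_dga_clients(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(names)} failing generated-looking lookups")
```

On the constructed log the detector reports 10.0.0.5 with six failing names and ignores 10.0.0.7, whose single NXDOMAIN is a typo of a normal name. Requiring the NXDOMAIN condition is what keeps legitimate high-entropy hostnames (CDN edges, cloud storage buckets) out of the alert: those resolve.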
Methbot
An extensive cybercrime operation and ad fraud botnet known as Methbot was revealed in 2016 by cybersecurity services company White Ops. According to security researchers, Methbot was generating between $3 million and $5 million in fraudulent ad revenue daily last year by producing fraudulent clicks for online ads, as well as fake views of video advertisements.
Instead of infecting random devices, the Methbot campaign is run on approximately 800-1,200 dedicated servers in data centers located in both the U.S. and the Netherlands. The campaign's operational infrastructure includes 6,000 spoofed domains, and more than 850,000 dedicated IP addresses, many of which are falsely registered as belonging to legitimate U.S.-based internet service providers.
The infected servers can produce fake clicks and mouse movements, as well as forge social media account logins to appear as legitimate users to fool conventional ad fraud detection techniques. In an effort to disrupt the monetization scheme for Methbot, White Ops published a list of the spoofed domains and fraudulent IP addresses to alert advertisers and enable them to block the addresses.
Mirai
Several powerful, record-setting distributed denial-of-service (DDoS) attacks were observed in late 2016, and they were later traced to a new brand of malware known as Mirai. The DDoS traffic was produced by a variety of connected devices, such as wireless routers and CCTV cameras.
Mirai malware is designed to scan the internet for insecure connected devices, while also avoiding IP addresses belonging to major corporations, like Hewlett-Packard and government agencies, such as the U.S. Department of Defense.
Once it identifies an insecure device, the malware tries to log in with a series of common default passwords used by manufacturers. If those passwords don't work, then Mirai uses brute force attacks to guess the password. Once a device is compromised, it connects to C&C infrastructure and can divert varying amounts of traffic toward a DDoS target.
Devices that have been infected are often still able to continue functioning normally, making it difficult to detect Mirai botnet activity from a specific device. For some internet of things (IoT) devices, such as digital video recorders, the factory password is hard coded in the device's firmware, and many devices cannot update their firmware over the internet.
The Mirai source code was later released to the public, allowing anyone to use the malware to compose botnets leveraging poorly protected IoT devices.
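The infection pattern described above, one source trying a short list of default credentials against many devices in quick succession, is distinguishable in authentication logs from both normal use and a classic single-target brute force. The following is an added example, not code from the original page or from any vendor it quotes. It reads constructed login-failure lines, keeps a sliding window of failures per source address, and alerts when one source fails against several distinct hosts, or many times against any hosts, inside the window. The log format, the thresholds and the addresses are assumptions for the example.

```python
"""Credential-sweep detection over device authentication logs (added example,
not from the original page).

A Mirai-style sweep shows up as one source address failing to log in to
many different devices within seconds; a conventional brute force shows
up as many failures from one source in a short time. Both are caught by
a per-source sliding window over failed-login events.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines in an assumed syslog-like format:
# "<iso_timestamp> <host> <process>: FAILED LOGIN|LOGIN on <service> from <src> user <name>"
SAMPLE_AUTH_LOG = """\
2023-11-10T10:00:01 cam-01 login[311]: FAILED LOGIN on telnet from 192.0.2.10 user admin
2023-11-10T10:00:02 cam-01 login[311]: FAILED LOGIN on telnet from 192.0.2.10 user root
2023-11-10T10:00:03 cam-02 login[287]: FAILED LOGIN on telnet from 192.0.2.10 user admin
2023-11-10T10:00:04 dvr-01 login[402]: FAILED LOGIN on telnet from 192.0.2.10 user root
2023-11-10T10:00:05 dvr-02 login[409]: FAILED LOGIN on telnet from 192.0.2.10 user admin
2023-11-10T10:00:06 dvr-02 login[409]: FAILED LOGIN on telnet from 192.0.2.10 user root
2023-11-10T10:00:40 cam-01 login[312]: FAILED LOGIN on telnet from 10.0.0.50 user admin
2023-11-10T10:00:55 cam-01 login[312]: LOGIN on telnet from 10.0.0.50 user admin
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) \S+: (?P<outcome>FAILED LOGIN|LOGIN) "
    r"on \S+ from (?P<src>\S+) user (?P<user>\S+)$"
)


def parse_failures(text):
    """Return {src_ip: [(epoch_seconds, host), ...]} for failed logins only."""
    failures = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["outcome"] != "FAILED LOGIN":
            continue
        ts = datetime.fromisoformat(m["ts"]).timestamp()
        failures[m["src"]].append((ts, m["host"]))
    return failures


def detect_credential_sweeps(text, window=60, min_hosts=3, min_attempts=10):
    """Return {src_ip: reason} for sources whose failures within any
    `window`-second span touch at least min_hosts distinct hosts (sweep)
    or reach min_attempts in total (brute force). Thresholds are assumptions."""
    alerts = {}
    for src, events in parse_failures(text).items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            in_window = events[start:end + 1]
            hosts = {host for _, host in in_window}
            if len(hosts) >= min_hosts:
                alerts[src] = f"failed logins on {len(hosts)} hosts within {window}s"
                break
            if len(in_window) >= min_attempts:
                alerts[src] = f"{len(in_window)} failed logins within {window}s"
                break
    return alerts


if __name__ == "__main__":
    for src, reason in detect_credential_sweeps(SAMPLE_AUTH_LOG).items():
        print(f"{src}: {reason}")
```

On the constructed log, 192.0.2.10 is reported as soon as its failures span three distinct devices, while 10.0.0.50, a single mistyped password followed by a successful login, produces nothing. The host-diversity rule is the one that matters for IoT sweeps: each device only sees one or two attempts, so a per-device lockout or per-device threshold never fires, and the signal exists only when logs from many devices are correlated centrally.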
Preventing botnet attacks
In the past, botnet attacks were disrupted by focusing on the command-and-control source. Law enforcement agencies and security vendors would trace the bots' communications to wherever the C&C servers were hosted, and then force the hosting or service provider to shut them down.
However, as botnet malware has become more sophisticated, and communications have become decentralized, takedown efforts have shifted away from targeting C&C infrastructures to other approaches. These approaches include identifying and removing botnet malware infections at the source devices, identifying and replicating the peer-to-peer communication methods and, in cases of ad fraud, disrupting the monetization schemes, rather than the technical infrastructures.
Preventing botnet attacks has been complicated by the emergence of malware like Mirai, which targets routers and internet of things devices that have weak or factory default passwords, and which can be easily compromised.
In addition, users may be unable to change the passwords for many IoT devices, which leaves them exposed to attacks. If the manufacturer cannot remotely update the devices' firmware to patch them or change their hardcoded passwords, then they may have to conduct a factory recall of the affected devices.
Botnet Infections
Botnets aren’t typically created to compromise just one individual computer; they’re designed to infect millions of devices. Bot herders often deploy botnets onto computers through a trojan horse virus.
The strategy typically requires users to infect their own systems by opening email attachments, clicking on malicious pop up ads, or downloading dangerous software from a website. After infecting devices, botnets are then free to access and modify personal information, attack other computers, and commit other crimes.
More complex botnets can even self-propagate, finding and infecting devices automatically. Such autonomous bots carry out seek-and-infect missions, constantly searching the web for vulnerable internet-connected devices lacking operating system updates or antivirus software.
Botnets are difficult to detect. They use only small amounts of computing power to avoid disrupting normal device functions and alerting the user. More advanced botnets are even designed to update their behavior so as to thwart detection by cybersecurity software. Users are unaware their connected device is being controlled by cyber criminals. What’s worse, botnet design continues to evolve, making newer versions harder to find.
Botnets take time to grow. Many will lay dormant within devices waiting for the botmaster to call them to action for a DDoS attack or for spam dissemination.
Vulnerable Devices
Botnets can infect almost any device connected directly or wirelessly to the internet. PCs, laptops, mobile devices, DVRs, smartwatches, security cameras, and smart kitchen appliances can all fall within the web of a botnet.
Although it seems absurd to think of a refrigerator or coffee maker becoming the unwitting participant in a cyber crime, it happens more often than most people realize. Often appliance manufacturers use unsecure passwords to guard entry into their devices, making them easy for autonomous bots scouring the internet to find and exploit.
As the never-ending growth of the Internet of Things brings more devices online, cyber criminals have greater opportunities to grow their botnets, and with it, the level of impact.
In 2016, a large DDoS attack hit the internet infrastructure company Dyn. The attack used a botnet comprised of security cameras and DVRs. The DDoS disrupted internet service for large sections of the country, creating problems for many popular websites like Twitter and Amazon.
Botnet Attacks
Aside from DDoS attacks, botmasters also employ botnets for other malicious purposes.
Ad Fraud
Cybercriminals can use the combined processing power of botnets to run fraudulent schemes. For example, botmasters build ad fraud schemes by commanding thousands of infected devices to visit fraudulent websites and “click” on ads placed there. For every click, the hacker then gets a percentage of the advertising fees.
Selling and Renting Botnets
Botnets can even be sold or rented on the internet. After infecting and wrangling thousands of devices, botmasters look for other cybercriminals interested in using them to propagate malware. Botnet buyers then carry out cyber attacks, spread ransomware, or steal personal information.
Laws surrounding botnets and cybercrime continue to evolve. As botnets become bigger threats to internet infrastructure, communications systems, and electrical grids, users will be required to ensure their devices are adequately protected from infection. It’s likely cyber laws will begin to hold users more responsible for crimes committed by their own devices.
Botnet Structures
Botnet structures usually take one of two forms, and each structure is designed to give the botmaster as much control as possible.
Client-server model
The client-server botnet structure is set up like a basic network with one main server controlling the transmission of information from each client. The botmaster uses special software to establish command and control (C&C) servers to relay instructions to each client device.
While the client-server model works well for taking and maintaining control over the botnet, it has several downsides: it’s relatively easy for law enforcement officials to locate the C&C server, and it has only one control point. Destroy the server, and the botnet is dead.
Peer-to-peer
Rather than relying on one centralized C&C server, newer botnets have evolved to use the more interconnected peer-to-peer (P2P) structure. In a P2P botnet, each infected device functions as a client and a server. Individual bots have a list of other infected devices and will seek them out to update and to transmit information between them.
P2P botnet structures make it harder for law enforcement to locate any centralized source. The lack of a single C&C server also makes P2P botnets harder to disrupt. Like the mythological Hydra, cutting off the head won’t kill the beast. It has many others to keep it alive.
Botnet Prevention
It should be clear by now that preventing botnet infection requires a comprehensive strategy; one that includes good surfing habits and antivirus protection. Now that you’ve armed yourself with the knowledge of how botnets work, here are some ways to keep botnets at bay.
Update your operating system
One of the tips always topping the list of malware preventative measures is keeping your OS updated. Software developers actively combat malware; they know early on when threats arise. Set your OS to update automatically and make sure you’re running the latest version.
Avoid email attachments from suspicious or unknown sources
Email attachments are a favorite source of infection for many types of viruses. Don’t open an attachment from an unknown source. Even scrutinize emails sent from friends and family. Bots regularly use contact lists to compose and send spam and infected emails. That email from your mother may actually be a botnet in disguise.
Avoid downloads from P2P and file sharing networks
Botnets use P2P networks and file sharing services to infect computers. Scan any downloads before executing the files or find safer alternatives for transferring files.
Don’t click on suspicious links
Links to malicious websites are common infection points, so avoid clicking them without a thorough examination. Hover your cursor over the hypertext and check to see where the URL actually goes. Malicious links like to live in message boards, YouTube comments, pop up ads, and the like.
Get Antivirus Software
Getting antivirus software is the best way to avoid and eliminate botnets. Look for antivirus protection that’s designed to cover all of your devices, not just your computer. Remember, botnets sneak into all types of devices, so look for software that’s comprehensive in scope.
With the Internet of Things increasing, so too does the potential for botnet size and power. Laws will eventually change to hold users more responsible for the actions of their devices. Taking preventative action now will protect your identity, data, and devices.
How do IoT devices become a botnet?
No one does their Internet banking through the wireless CCTV camera they put in the backyard to watch the bird feeder, but that doesn't mean the device is incapable of making the necessary network requests. The power of IoT devices coupled with weak or poorly configured security creates an opening for botnet malware to recruit new bots into the collective. An uptick in IoT devices has resulted in a new landscape for DDoS attacks, as many devices are poorly configured and vulnerable.
If an IoT device’s vulnerability is hardcoded into firmware, updates are more difficult. To mitigate risk, IoT devices with outdated firmware should be updated, as default credentials commonly remain unchanged from the initial installation of the device. Many discount manufacturers of hardware are not incentivized to make their devices more secure, so the vulnerability posed by botnet malware to IoT devices remains an unsolved security risk.
How is an existing botnet disabled?
Disable a botnet’s control centers:
Botnets designed using a command-and-control schema can be more easily disabled once the control centers can be identified. Cutting off the head at the points of failure can take the whole botnet offline. As a result, system administrators and law enforcement officials focus on closing down the control centers of these botnets. This process is more difficult if the command center operates in a country where law enforcement is less capable or willing to intervene.
Eliminate infection on individual devices:
For individual computers, strategies to regain control over the machine include running antivirus software, reinstalling software from a safe backup, or starting over from a clean machine after reformatting the system. For IoT devices, strategies may include flashing the firmware, running a factory reset or otherwise formatting the device. If these options are infeasible, other strategies may be available from the device’s manufacturer or a system administrator.
How can you protect devices from becoming part of a botnet?
Create secure passwords:
For many vulnerable devices, reducing exposure to botnet vulnerability can be as simple as changing the administrative credentials to something other than the default username and password. Creating a secure password makes brute force cracking difficult; creating a very secure password makes brute force cracking virtually impossible. For example, a device infected with the Mirai malware will scan IP addresses looking for responding devices. Once a device responds to a ping request, the bot will attempt to log in to that device with a preset list of default credentials. If the default password has been changed and a secure password has been implemented, the bot will give up and move on, looking for more vulnerable devices.
Allow only trusted execution of third-party code:
If you adopt the mobile phone model of software execution, only whitelisted applications may run, granting more control to kill software deemed malicious, botnets included. Only an exploitation of the supervisor software (i.e. the kernel) may result in exploitation of the device. This hinges on having a secure kernel in the first place, which most IoT devices do not have, and is more applicable to machines that are running third-party software.
Periodic system wipe/restores:
Restoring to a known good state after a set time will remove any gunk a system has collected, botnet software included. This strategy, when used as a preventative measure, ensures even silently running malware gets thrown out with the trash.
Implement good ingress and egress filtering practices:
Other more advanced strategies include filtering practices at network routers and firewalls. A principle of secure network design is layering: you have the least restriction around publicly accessible resources, while continually beefing up security for things you deem sensitive. Additionally, anything that crosses these boundaries has to be scrutinized: network traffic, USB drives, etc. Quality filtering practices increase the likelihood that DDoS malware and their methods of propagation and communication will be caught before entering or leaving the network.