Breaking Down Modern Botnets

Posted by Geraldine Hunt on Wed, Apr 17th, 2019

“Botnets” is the term given to a group of computers infected with malware and used in collaborated attacks against publicly accessible servers. An attacker controls all malware-infected computers from a central location. Once the attacker determines a target, the central location sends commands to botnet computers to flood traffic to the target. The result can be an overwhelming amount of traffic sent to a server that is unable to handle these traffic volumes and services are taken offline. Botnets are responsible for DDoS attacks on Internet resources.

Infecting Computers

The first step for an attacker is infecting targeted computers with malware. This can be done in a number of ways. Drive-by malicious pages where users download malware packaged as upgrades or software needed to view a page is one way to infect computers. Sending email messages with malicious attachments is another way. Some attackers send email messages without attachments but a link to a server that hosts malicious content.

It’s also common for attackers to use infected computers to send malicious emails to a victim’s contact list. When recipients see email from someone they know, it’s much more likely they will open an attachment or click on a link that points to an attacker-controlled server.

With enough infected computers (most botnets have hundreds and even thousands of infected machines), the attacker can move on to the next steps. Not every attacker uses a botnet for personal attacks. Malware-as-a-service provides third-party attackers with the tools and rented botnet devices to launch DDoS attacks for a fee.

Controls and Commands

After infection, the attacker needs to know the computers that were successfully breached. The malware silently “phones home” to a central location where the attacker can review malware success. The malware must be able to avoid detection from anti-malware and intrusion detection appliances that review suspicious traffic.

The attacker-controlled server changes IP addresses and uses domain generation algorithms to create names filled with a random string of numbers and letters. By frequently changing IPs and domain locations, the attacker can avoid detection. Attackers also use proxies on other infected trusted servers to avoid detection.

Malware for botnets consistently performs additional requests to keep in contact with the main control station, and some malware scans the network for vulnerable hosts. To keep the botnet growing, malware sends emails to targeted users from a set address list or a user’s personal contacts.

Aside from finding other vulnerable machines, botnet malware silently waits for commands. After receiving an attack command from the central server, the malware sends traffic requests to a targeted service. The bandwidth used during an attack can be detected by the host’s user if requests are frequent. If several machines on an enterprise network are infected, network performance degradation could be detected by users and administrators.

With enough traffic requests, a targeted server won’t be able to process responses fast enough. Any services hosted on this server will crash and become unavailable. DDoS attacks cost companies millions in unavailable revenue-generating services, containment procedures from administrators, and future cost for infrastructure to avoid the issue in the future.

WebTitan is a highly effective DNS based web filter that’s scalable, quickly and easily installed, configured and managed for multiple domains. Stopping malicious requests at the DNS layer is preferred over waiting for the payload to be delivered onto the machine and then removed. By stopping it at the DNS layer you're reducing not only malware infections, but containing machines already infected by preventing them from communicating out to their C&C servers. Nothing kills these attacks earlier than DNS-layer security.

Blocking Malicious Email with Security Filters

Since botnet malware is spammed to targeted users, email security is necessary to quarantine these messages before they reach recipient inboxes. Email security filters scan messages and detect if the sender address is spoofed using DMARC (Domain-based Message Authentication, Reporting, and Conformance) detection.

Emails that contain attachments are scanned and quarantined for an administrator to later review them. If emails are from legitimate users with no malware detected, an administrator can then send it along to the user’s inbox. With DMARC, administrators can set security configurations that analyze headers and sender IP addresses to verify that the listed email sender is indeed the true sender.

Together with email filters and DMARC security, administrators can stop many of the email messages spammed by botnet malware. By filtering out malicious email, and organization can stop malware from infecting local workstations. An attacker with access to just one corporate machine can spread malware throughout the entire organization. Some malware allows attackers to remote control workstations, which can lead to even more critical security events such as data breaches and stolen intellectual property.

Without email security, an organization is vulnerable to numerous email-based attacks from spreading malware to phishing. These attacks are prominent on the Internet and must be considered when creating a cybersecurity plan. Email security is the only way to stop these messages from ever reaching the intended recipient. At TitanHQ we will continue to block attacks and continually investigate the botnets that fuel much of today’s cyber crimes.

Worried about phishing, zero-day attacks, malware & spoofing?   In this webinar, we’ll show you how 8,500 businesses and 1,850 managed service providers use Spamtitan Email Security as a vital email security layer.  SpamTitan includes extensive threat protection layers including sandboxing and DMARC.