The Council on Foreign Relations, a non-profit US-based think tank, ended 2018 with a report arguing that we need to work towards an internet with zero botnets. Yes, botnets, those malicious powerhouses that are each comprised of anywhere from thousands of enslaved devices to millions of enslaved devices. In the defence of the Council on Foreign Relations, they never said it would be easy, they just said it’s what needs to happen because botnets are the bane of the internet. They are correct.
The history of botnets and their associated attacks and other malicious accomplishments like DDoS, spam and cryptojacking is long and storied, since botnets have been at it for decades. However, there isn’t much point in looking to the past when the current botnet situation is so scary.
Here are three pieces of bad news you need to know about botnets.
A scary-smart malware is building a botnet and no one knows what it’s for
If there’s one thing a botnet loves, it’s IoT devices. With the huge number of IoT devices connected to the internet – currently estimated to be somewhere around seven or eight billion – and their typically lax security, they’re ripe for the picking for botnet malware designed to guess default usernames and passwords. Now, unfortunately, it would seem they’re also ripe for the picking for a scarily brilliant botnet malware armed with over 100 variants of its malware payload, a range of commands designed to ensure payload delivery, and the capability of infecting between 15 and 20 IoT architectures. Forget about wiping this malware with a reboot of the device as well, because it has seven different methods of persistence all in use at once.
Beyond being a major step up in what botnet malware is capable of, not much is known about the so-called Torii botnet. It’s carefully encrypted, and so far only one of its servers has been analysed by security researchers. No one knows what for sure Torii is being built for or who is behind it, but experts say that in addition to the usual botnet abilities it is capable of stealing data.
A vulnerability from 5 years ago is helping to build a massive botnet
Ah, yes, the internet. A place where a funny cat picture from two days ago is old news but vulnerabilities from years and years ago continue to aid and abet cybercriminals. A botnet catchily nicknamed the BCMUPnP_Hunter is using a universal plug and play or UPnP vulnerability from over five years ago to feast on home and small office routers to add devices to its ranks.
Originally designed to make configuring devices easier for their users, the UPnP protocol has caused a variety of cybersecurity issues. In this case, it causes the routers in question to respond to discovery requests that come from outside of the local network, which then allows the botnet malware to deliver the malicious payload. As a result, BCMUPnP_Hunter currently consists of over 100,000 devices, and researchers suspect they are being used to send spam.
The Mirai malware has move beyond the IoT
Mirai had its first run as a terroriser of the internet at the end of 2016 when it launched a series of record-breaking DDoS attacks, including the assault on the Dyn DNS server that took down Twitter and Reddit, among other major online entities. It’s been enjoying a second run as one of the biggest malicious forces on the internet since its source code was released and everyone with a passing interest in launching distributed denial of service attacks has created a Mirai variant to create their own IoT botnet.
Now that fervor for the Mirai botnet has extended beyond the IoT and right into Linux land. Mirai variants are now targeting the Hadoop YARN vulnerability on unpatched Linux servers. With the power and bandwidth these servers offer to botnet operators, even a small Linux botnet could be capable of thundering DDoS attacks, ones that rival the attacks coming from massive IoT botnets.
Battling back against botnets
With a truly concerted effort from business owners, device owners, governments and cybersecurity professionals, we may one day have a future without botnets. For now, however, we have a present rife with them, including the devilishly brilliant botnet gearing up to steal data, a router botnet preying on a vulnerability from five years ago, and a Mirai variant going after all the firepower provided by Linux servers. It’s time to start applying patches and checking security on IoT devices because while that zero botnet goal may currently feel out of reach, we should all be able to work towards decreasing the size of botnets.