Botnets Still Abound

Robots taking over the world have been a fear propagated by films since Metropolis in 1927, and it only gets worse with better special effects and movies like I, Robot with Will Smith. Reality seems scarier than fantasy when headlines read “Stephen Hawking fears robots could take over in 100 years.” It gets scarier still as those robots shrink down to the bot level and wreak havoc on our cyber assets, and when those bots are harnessed into a botnet, IT security truly has something to fear.

What Is A Botnet?

The first recorded botnet was named MaXITE in 2003. So botnets are not new, but for those of you who need a refresher, SearchSecurity defines a botnet this way:

“The term botnet is derived from the words robot and network. A bot in this case is a device infected by malware, which then becomes part of a network, or net, of infected devices controlled by a single attacker or attack group.

The botnet malware typically looks for vulnerable devices across the internet, rather than targeting specific individuals, companies or industries. The objective for creating a botnet is to infect as many connected devices as possible, and to use the computing power and resources of those devices for automated tasks that generally remain hidden to the users of the devices.”

There have been dozens of botnet attacks since 2003, all with various levels of impact.

Botnets In Action

There are a number of ways that botnets take action:

  • Telnet: scanning scripts run on an external server to scan IP ranges for telnet and SSH servers with default logins; once identified, the devices are hijacked and the botnet malware installed
  • IRC: simple, low-bandwidth communication methods are used to execute DDoS and spam attacks, where infected clients can lie dormant until a server connects with them
  • P2P: peer-to-peer networks proved to be more resilient than IRC
  • Domains: a zombie computer accesses a specially designed webpage or domain(s) which serves the list of controlling commands to a large botnet
  • Others: new methods such as the XMPP open-source instant messaging protocol and Tor hidden services can bypass filters and communicate with a command & control server.

According to a Wired article titled “The Worst Cybersecurity Breaches of 2018 So Far” the one to watch out for now is VPNFilter:

“At the end of May, officials warned about a Russian hacking campaign that has impacted more than 500,000 routers worldwide. The attack spreads a type of malware, known as VPNFilter, which can be used to coordinate the infected devices to create a massive botnet. But it can also directly spy on and manipulate web activity on the compromised routers. These capabilities can be used for diverse purposes, from launching network manipulation or spam campaigns to stealing data and crafting targeted, localized attacks. VPNFilter can infect dozens of mainstream router models from companies like Netgear, TP-Link, Linksys, ASUS, D-Link, and Huawei. The FBI has been working to neuter the botnet, but researchers are still identifying the full scope and range of this attack.”

Despite how much is known about botnets, they remain an effective technique for cyber criminals to breach networks. It’s time for a new approach.


Static Analysis To The Rescue

Unlike signature-based and behavior-based security, both of which determined cyber criminals have evaded using publicly documented techniques, Solebit’s SoleGATE uses static analysis, which is faster, more accurate, not dependent on OS version, and covers 100% of your code with complete visibility. With SoleGATE, every line of code is evaluated, making sandbox evasion techniques ineffective. On average, Solebit analysis takes between milliseconds and a few seconds; network sandboxes typically take 5-15 minutes to perform the same analysis.

Using deep inspection and analysis methods, SoleGATE interprets and detects code in real time and immediately blocks threats from penetrating your organization. DvC™ makes no assumptions about threat heuristics or behavior; it assumes only that there is no legitimate reason for executable code to be present in a data file, and it relies solely on identifying the presence of code in non-executable files.
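A simplified illustration of that principle, added here as an example and not Solebit’s own code: scan a byte blob for embedded PE or ELF headers and flag any file that claims to be a document format but carries one. The declared-type list and the sample “PDF” with a PE stub appended are constructed for the demonstration.

```python
import struct

# Magic values for the two most common executable container formats.
PE_MAGIC = b"MZ"
ELF_MAGIC = b"\x7fELF"

# Formats in which executable code has no legitimate reason to appear (assumed list).
DATA_FORMATS = {"pdf", "docx", "xlsx", "png", "jpg", "txt"}


def find_embedded_executables(data: bytes):
    """Return sorted (offset, kind) pairs for every executable header in data.

    A PE hit requires both the DOS 'MZ' stub and a valid e_lfanew pointer to a
    'PE\\0\\0' signature, so the letters 'MZ' occurring by chance in ordinary
    document text do not trigger a false positive.
    """
    hits = []
    pos = data.find(PE_MAGIC)
    while pos != -1:
        # e_lfanew is the little-endian uint32 at offset 0x3C of the DOS header.
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and data[pe_off:pe_off + 4] == b"PE\x00\x00":
                hits.append((pos, "PE"))
        pos = data.find(PE_MAGIC, pos + 1)
    pos = data.find(ELF_MAGIC)
    while pos != -1:
        hits.append((pos, "ELF"))  # ELF magic is distinctive enough on its own
        pos = data.find(ELF_MAGIC, pos + 1)
    return sorted(hits)


def is_suspicious(data: bytes, declared_type: str) -> bool:
    """True when a file declared as a data format contains executable code."""
    return declared_type.lower() in DATA_FORMATS and bool(find_embedded_executables(data))


# Constructed sample: a tiny "PDF" with a minimal PE header appended to it.
PDF_BODY = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"


def build_sample_pdf_with_pe() -> bytes:
    dos_header = bytearray(b"MZ" + b"\x00" * 0x3E)  # 0x40-byte DOS header
    struct.pack_into("<I", dos_header, 0x3C, 0x40)   # e_lfanew points just past it
    pe_header = b"PE\x00\x00" + b"\x4c\x01"          # signature + i386 machine field
    return PDF_BODY + bytes(dos_header) + pe_header + b"\n%%EOF\n"
```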

See for yourself what SoleGATE can do to deliver evasion proof security in your organization. Register for a demo today.
