The Business of Botnets

NETSCOUT Arbor

IoT Botnet
Kevin Whalen

The Mirai attacks against Dyn in 2016 drew widespread attention to botnets. Yet compared to how cybercriminals are using botnets today, the Dyn attacks may come to seem rather amateurish. Criminals are quickly learning how to leverage botnets running sophisticated malware as the infrastructure for massive, illegitimate moneymaking machines.

Law enforcement has had a few revealing successes against criminal botnet activity in recent years, but certainly not enough to make a significant dent in botnet-fueled cybercrime.

Examples of Recent Botnet Prosecutions Include:

  • The U.S. Justice Department revealed the guilty pleas of two young men for their roles in developing and using the Mirai botnet: 21-year-old Paras Jha and 20-year-old Josiah White. Jha and White targeted organizations with DDoS attacks and then extorted money to call off the attacks, or sold them services to help fend off the attacks.
  • Spanish authorities arrested Peter Yuryevich Levashov, also known as Peter Severa, or “Peter of the North.” Levashov operated Kelihos, one of the internet’s longest-running botnets, estimated to have infected as many as 100,000 computers. Levashov hired out Kelihos for $200–$500 per million messages.
  • Two Israeli teenagers were arrested last year for running a DDoS-for-hire service called vDDoS. The pair made approximately $600,000 launching 150,000 DDoS attacks.

What is a Botnet?

Botnets are overlays of software that run, typically unknown to the owners of those systems, on large collections of internet-connected machines. Botnets themselves were originally designed as tools to automate the running of non-criminal, routine tasks. Ironically, one of the first documented botnets, “eggbot,” created in 1993, was designed to manage and protect Internet Relay Chat (IRC) channels against takeover attempts. But criminals are rapidly learning to exploit the power of botnets as global, virtually automatic moneymaking engines.

Botnet malware has evolved to include different attack techniques that can be run simultaneously over multiple vectors. From the criminal’s perspective, the “botconomics” are very attractive. There is no infrastructure cost because they are leveraging compromised machines, unbeknownst to the machines’ owners. This free infrastructure means that revenue falls right to the bottom line, in the form of illicit profits. Beyond the ability to leverage this infrastructure, there is the attractiveness of anonymity on the global internet. Even when demanding a ransom, criminals can use “untraceable” cryptocurrency like Bitcoin, which makes it easy to see why botnets are emerging as a preferred platform for cybercriminals.

The Botnet Business Model

From a business model perspective, botnets are an excellent platform from which to launch a multitude of potential revenue-generating functions:

  • Quickly spreading email containing ransomware
  • As a platform for click fraud
  • Open proxies for anonymous Internet access
  • Brute-force cracking attempts on other Internet systems
  • Hosting large scale phishing exploits
  • Lifting CD keys or other software license data
  • Theft of personal ID information, enabling ID theft
  • Lifting credit card and other account information, including PIN numbers or “secret” passcodes
  • Installing keyloggers to capture all user input to a system

Another enabling factor is the ease with which one can now assemble, swap, and upgrade botnet malware components. The public release of LizardStresser source code in early 2015 helped kick-start this trend. Readily available and easy-to-use LizardStresser code offered some sophisticated DDoS attack methods: hold open TCP connections, send a random string of junk characters to a TCP or UDP port, or repeatedly send TCP packets with specified flags. The malware also included a mechanism to run arbitrary shell commands, useful for downloading updated versions of LizardStresser with new command and control devices, or entirely different malware. Other botnet malware has since been released into the wild, most notably the Mirai malware in November 2016, dramatically lowering the “tech-savvy bar” for criminal activity while at the same time increasing the moneymaking options and flexibility.
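From the defender's side, each of the three attack methods described above leaves a distinct shape in flow records. The sketch below is an added example, not code from the article or from NETSCOUT: the record fields, thresholds, and addresses are constructed assumptions.

```python
from collections import defaultdict

# Thresholds are illustrative assumptions, not values from the article.
HOLD_MIN_SECS = 300    # a connection open at least this long...
HOLD_MAX_BPS = 10      # ...while carrying almost no payload
HOLD_MIN_FLOWS = 20    # ...and repeated this many times to one service
FLOOD_MIN_PPS = 1000   # packets per second from one source to one port

def flow(src, proto, dport, secs, pkts, nbytes, flags=""):
    """Build one constructed flow summary (hypothetical fields; bytes = payload bytes)."""
    return {"src": src, "dst": "198.51.100.5", "proto": proto, "dport": dport,
            "secs": secs, "pkts": pkts, "bytes": nbytes, "flags": flags}

# Constructed sample data using documentation address ranges, not real traffic.
FLOWS = (
    [flow("203.0.113.10", "tcp", 80, 600, 12, 40, "SA") for _ in range(25)]
    + [flow("203.0.113.11", "udp", 53, 60, 300_000, 150_000_000),
       flow("203.0.113.12", "tcp", 443, 60, 120_000, 0, "S"),
       flow("192.0.2.20", "tcp", 443, 30, 400, 350_000, "SAPF"),  # normal HTTPS
       flow("192.0.2.21", "tcp", 22, 3600, 900, 20_000, "SAP")]   # one idle SSH session
)

def classify(flows):
    """Return {source: set of pattern labels} for sources worth reviewing."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f["src"], f["dst"], f["proto"], f["dport"])].append(f)
    findings = defaultdict(set)
    for (src, _dst, proto, _dport), fl in groups.items():
        span = max(max(f["secs"] for f in fl), 1)   # flows assumed concurrent
        pps = sum(f["pkts"] for f in fl) / span
        payload = sum(f["bytes"] for f in fl)
        idle = [f for f in fl if proto == "tcp" and f["secs"] >= HOLD_MIN_SECS
                and f["bytes"] / f["secs"] <= HOLD_MAX_BPS]
        if len(idle) >= HOLD_MIN_FLOWS:             # many idle connections, not just one
            findings[src].add("held-open TCP connections")
        if pps >= FLOOD_MIN_PPS and payload > 0:    # high-rate data aimed at one port
            findings[src].add("junk payload flood")
        if (proto == "tcp" and pps >= FLOOD_MIN_PPS and payload == 0
                and len({f["flags"] for f in fl}) == 1):  # one flag set, no data
            findings[src].add("fixed-flag TCP flood")
    return dict(findings)

if __name__ == "__main__":
    for src, labels in sorted(classify(FLOWS).items()):
        print(src, sorted(labels))
```

These are volume heuristics that surface candidates for review; a large legitimate upload can also exceed the packet-rate threshold, so findings need context before any blocking decision.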

The Emergence of IoT Botnets

But from a sheer size and traffic volume point of view, it is the explosion of unsecure IoT devices that is fueling unprecedented botnets. During the summer of 2016, an IoT botnet using the LizardStresser code leveraged an estimated 10,000 IoT devices (primarily webcams) to generate DDoS attacks with a sustained volume of 540 Gbps. The original Mirai botnet is estimated to have compromised 500,000 IoT devices worldwide.

Though some remediation efforts have been made by manufacturers, IoT devices are often shipped with default credentials or known security issues. In order to save time and money, manufacturers sometimes re-use hardware and software in different classes of devices. One result: the default passwords used to manage the original device may be shared across entirely different classes of devices. Billions of unsecured IoT devices are already deployed. And though projected growth has slowed (slightly), the numbers are still staggering.

IoT Connected Devices

IoT devices lend themselves perfectly to misuse as part of criminal botnets:

  • They are usually unmanaged, making them extremely useful as anonymous proxies.
  • Typically online 24x7, they are available for use in attacks at any time, usually without any bandwidth limitations or filtering.
  • They frequently run a stripped-down version of the familiar Linux operating system. Botnet malware can be easily compiled for a large target architecture, mostly ARM/MIPS/x86.
  • The stripped-down operating system means less room for security features, including auditing, and most compromises go unnoticed by the owners.

A recent example of the power of criminal IoT botnet infrastructure: in November, the Necurs botnet began mailing out a new strain of Scarab ransomware. The massive campaign sent about 12.5 million infected emails in just six hours, a rate of 2 million emails an hour. This same botnet has been implicated in the spread of the Dridex banking trojan, Trickbot banking trojan, Locky ransomware, and Jaff ransomware.

The ready availability and ease of use of more sophisticated, flexible botnet malware, coupled with a substantial pool of unsecure IoT devices, has made criminal botnets a major component of a growing Digital Underground economy. This economy has marketplaces for ill-gotten data, malicious services for hire, even its own currency. All indications are that the criminal use of IoT botnets as moneymaking machines will only get worse.