Understanding the Basic Functions of Botnets

In my last blog post, I talked about what a Botnet is and gave a history of Botnets - dating back over twenty years to the year 2000. In this blog, I will discuss how Botnets are used to launch attacks, breaking them into the three major tasks: infection and propagation, command and control, and payload or specific attack methods. We are also going to cover IoT as the new attack vector for Botnets.

Infection and Propagation

In the early days of the Internet, the main infection and propagation methods were email phishing campaigns and website ‘water-holing.' In this method, the attacker sends an email or text that references a URL, sending the victim to a botnet-infested destination. This is still a method today, but organizations are now making it harder by training their employees to recognize phishing emails and campaigns. An alternative infection and propagation method is the use of steganography techniques, which ‘embed’ the botnet code into a picture or a PDF document that can be attached to an email. These emails often mimic a colleague or manager requesting that the victim view the attached file, making them more difficult to immediately identify.

Some of the first steps in automated propagation were exemplified by BuleHero. This botnet used a modular architecture that would drop a scanning function onto the infected machine. The scanner would then scan for neighboring hosts with open ports. From there, identified hosts would dump their passwords through Mimikatz, a botnet that would also typically include a payload containing mining code as well as remote access trojans. This enables the quick and efficient propagation of hosts to ultimately be compromised by the Botnet.

Command & Control

Following infection and propagation, the third functional botnet requirement is Command and Control, or C2 channels. The purpose of C2 is to enable communications both to and from the ‘botnet master.’ In the early days, C2 channels were relatively static and primitive. It was up to the botnet master to be agile enough to change the botnet DNS configuration so they could stay one step ahead of detection. The obvious evolution was to create a dynamic DNS behavior known as ‘DNS fluxing,’ which uses a pseudo-random domain name generation. At the botnet level, these are domains that are queried. On the C2 level, these are the domains generated and listened to.

The generation mechanism is matched on both sides. A large enough C2 infrastructure will assure a domain match, at which point C2 channels can be established for a period of time. Almost all C2 methods now are encrypted or sourced from the Dark Web, where software development kits can be purchased to build and support botnet systems or pre-built botnets can be recruited or rented as a service. The overall communication profile of the botnet has also evolved, allowing them to pivot to other machines through peer to peer behaviors, extending C2 channels. A great example of this is GameOver Zeus, which employs peer to peer behavior to make the overall botnet much stealthier in the way it operates. The dynamic behavior causes the infected devices to blend into the ‘noise’ of the utility protocols of the network, making attacks harder to detect.

The Botnet Function or “Attack”

The payload is where the botnet rubber hits the road. Obviously, if a cyber-attacker has gone through the trouble of building this type of code, it must have some intended purpose. Botnets are not always malicious, and some, like web scraping bots or advertising bots, are mostly just annoying and can be easily blocked and eradicated.

However, there are many potential malicious uses of a botnet. As noted above, BuleHero used a modular payload architecture that allowed the compromised device to perform scanning as well as propagation. It also used password gathering utilities for further compromise and would leave a back door – often a Remote Access Trojan, or RAT – to maintain a connection to the compromised node. In the case of the Mirai botnet, the intention was based on the launch of a Distributed Denial of Service attack, which could be easily modified for other purposes such as the distribution of malware or ransomware.

Botnets have continued to evolve, but recently they have found something better and much easier to exploit: The Internet of Things. The Internet of Things, or IoT, has grown at a fantastic pace. Estimates show that by the end of 2021, there will be ten times as many devices as there are people using the Internet. Many of these devices are very limited in resources and often have lots of vulnerabilities that make them easy targets. In the third installation of this blog series, we will discuss the specifics of why IoT devices are so vulnerable and how to address these challenges.