Bot zeroaccess traffic detected mcafee

In such a structure each bot can relay orders to the others, so the attackers can control the entire botnet as long as they can reach at least one of its machines. This type of botnet is a real concern: a decentralized botnet is much harder to take down, although the architecture is also more complex to manage.

Botnets can also be classified by the network protocol or the technology they are built on, since different architectures rely on different communication protocols. In the Zeus peer-to-peer variant mentioned earlier, for example, the expert noted that its authors implemented the bot communication over UDP.

Web-based botnets also deserve mention: collections of infected machines controlled over the web. HTTP bots connect to a specific web server, from which they receive commands and to which they send back data.

This type of architecture is very easy to deploy and manage. A particular variant is the social network botnet, whose zombies receive their messages through popular social media platforms.

Such architectures are very hard to trace because their traffic hides in the large volume generated by ordinary social networking activity. This type of botnet has become very popular with the spread of exploit kits able to compromise remote machines and take control of them.

Cyber criminals usually send malicious links to the victims, by e-mail or social network message, that redirect the user to a compromised website hosting the exploit kit. The architecture of such botnets can vary and can serve different purposes. In these cases it is hard to spot anomalies in network traffic that would reveal the malicious activity, because the bots merely check a prepared file or text signature on the social network.

Sometimes the features of modern social networks, cloud services and web portals are used as a covert channel for storing information. One of the most recent incidents involved the Evernote service, where the attackers created their own user account and uploaded a file containing the commands for the botnet. The same method was used with Twitter by the Flashback botnet. The Zeus botnet is a classic example of this type of architecture; it was known for its ability to steal banking credentials from victims.

Figure 4 — Zeus Builder. As explained, one of the most interesting developments in the botnet world is the move to mobile platforms. McAfee Labs was among the first to announce the large-scale spread of a new variant of the Zeus malware on mobile platforms. Today mobile botnets are a reality: millions of mobile devices have been infected by botnets in China via 7, Trojanized applications.

The botnet allows the smartphones to be hijacked remotely and potentially used for fraudulent purposes. Exactly as on a desktop machine, mobile botnets exploit the same communication channels (e.g. IRC, HTTP, P2P), and the technological evolution of mobile solutions provides environments with advanced capabilities that attract an increasing number of botmasters.

Drew Williams, President at Condition Zebra, declared:

Security researcher and digital forensic investigator Meisam Eslahi listed for Security Affairs the principal mobile cyber threats, to emphasize their existence and their negative impact on mobile network environments:

Zeus in the Mobile, or Zitmo, is a multiplatform agent that infects a variety of mobile operating systems, such as Symbian, Windows Mobile, BlackBerry and Android, mainly through social engineering. It sends victims an SMS containing a fake URL that dupes the user into downloading a "security certificate" which is, in fact, the Zitmo bot. It is also able to intercept the messages banks send to their customers and to authenticate illegal transactions by stealing mobile Transaction Authentication Numbers (TAC).

It was designed to gain root privileges on infected mobiles and install a second application that steals sensitive information and protects itself from removal. Android.Bmaster has infected a high number of mobile devices by using Trojanized applications and exploitation techniques. However, a new mobile botnet called MDK has recently overtaken Bmaster, infecting nearly 7, applications and bringing one million mobile devices under the control of its botmaster. Although Ikee.B is simple by nature, it can be named as one of the early generation of mobile botnets: it operates on jailbroken iPhones with almost the same functionality as computer-based botnets.

Scanning the IP ranges of iPhone networks, looking for other vulnerable iPhones on a global scale, and self-propagation are the main activities of this malware. Among the different types of mobile botnets, AnserverBot can be considered one of the most sophisticated.

Its command and control is designed around a complex two-layer mechanism and implemented over a public blog.

In addition to detecting and disabling the security solution on the infected device, AnserverBot periodically checks its own signature to verify its integrity, protecting itself from any kind of modification.

Besides collecting private data such as SMS messages, it has sophisticated capabilities for recording voice-call conversations and even surrounding sounds.

Figure 6. Perkele Lite post in the underground. One of the most concerning phenomena related to malware diffusion is the growing offer of tools and services that allow criminals to build and manage such structures. An increasing number of ill-intentioned individuals are requesting services and acquiring the tools and malicious code needed to set up a powerful botnet, thanks to the explosion of the malware-as-a-service sales model.

The malware-as-a-service model allows the outsourcing of criminal services. Recently the researcher Danchev described a new service offering access to thousands of malware-infected hosts, and he also estimated the cost of arranging a botnet composed of 10, machines located in the US.

Figure 7 — Botnet Admin Panel. The expert analyzed a service offering access to infected hosts located all over the world that has been active since the middle of and that, although its official website is currently offline, remains in operation to the present day.

The offer of such services will increase in the coming months, attracting ordinary criminals and inexperienced cyber criminals as well. This will drive down the cost of acquiring the infrastructure and services needed to conduct a cyber-attack.

Purchases of US-based malware-infected hosts are more expensive than machines located elsewhere, due to the higher online purchasing power of US users compared to the rest of the world.

Following the price list proposed by Danchev, it is possible to note that the expense is contained and the offers varied and articulated. Last year Trend Micro published an excellent analysis of the Russian underground market, in which researcher Max Goncharov analyzed the services and products offered by cyber criminals on Russian online forums and services frequented by hackers, such as antichat.

It is relatively simple to come across sites that offer pre-built botnets for rent; if the following table reflects the cost of botnets, organizing a botnet has never been so easy! Figure 8 — Botnet prices (Trend Micro).

The scenario presented demonstrates the rapid diffusion of botnets and the increased ease with which criminals can acquire the products and services to create and manage such malicious architectures. This first article is an introduction to the botnet world: it provides an overview of the state of the art on this cyber threat and also details the offerings that support the growing do-it-yourself (DIY) phenomenon.

The fight against the proliferation of botnets, in my judgment, depends on the following key factors:

Despite good intentions, we are still far from a global agreement on the proper action against botnet diffusion, from both a legislative and an operational perspective.

The second part will also propose methods for detecting and fighting such malicious architectures.

The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.

Microsoft said the botmasters behind ZeroAccess have abandoned the peer-to-peer botnet less than a month after Microsoft and law enforcement disrupted its click-fraud operation.

As expected, the attackers were able to issue new configuration commands to bots under their control and resume operations. The German BKA led the charge in this respect less than 24 hours after the disruption began, Boscovich said.

The point remains that, until the P2P network is disrupted, the botnet can resume malicious activities at any time. If Microsoft is correct, ZeroAccess is one of the first peer-to-peer botnets to be shut down in such an effort.

In the past, Microsoft has led efforts to squash botnets such as Kelihos and Nitol using a similar coordinated effort with U. Those botnets, however, worked off a centralized command-and-control infrastructure, and the good guys were able to key in on a relatively small number of command servers. Communication in a peer-to-peer botnet is much different. Usually, attackers write a custom protocol that supports communication between bots; updates and configuration changes are shared through this channel rather than through a single point of failure.

Researchers in the past have had a difficult time enumerating peer-to-peer botnets, much less taking them down. A research report presented earlier this year said P2P botnets were resilient to sinkholing and other research and takedown methods. ZeroAccess, according to the paper, updated its peer lists automatically every few seconds and would communicate only through the most recent peers. Microsoft was also able to wrest control of 49 domains associated with ZeroAccess.
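The two paragraphs above contrast a centralized botnet, where bots keep talking to a handful of command servers, with a peer-to-peer botnet like ZeroAccess, whose bots refresh their peer lists every few seconds and only talk to the newest peers. That difference is visible in plain flow records, and it is what a network defender can key on when the custom protocol itself is unknown. The script below is an added example written for this page, not code from Microsoft, Threatpost or any of the researchers cited: it buckets constructed flow records (timestamp, source host, destination IP, protocol) into time windows, measures each host's distinct-peer fan-out and how much of that peer set is new from one window to the next, and flags hosts whose behaviour looks P2P-like. The window size, the fan-out threshold and the churn threshold are assumptions chosen for illustration, as is the sample traffic; the real ZeroAccess port numbers and message format are not on this page and are not needed by the heuristic.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# One record per connection attempt: (timestamp_s, src_host, dst_ip, proto).
Flow = Tuple[int, str, str, str]

WINDOW_S = 60     # assumed bucketing window in seconds
FANOUT_MIN = 8    # assumed: distinct peers per window that starts to look P2P-like
CHURN_MIN = 0.5   # assumed: share of a window's peers not seen in the previous window


def build_sample_flows() -> List[Flow]:
    """Constructed sample traffic for two hosts; not a real capture."""
    flows: List[Flow] = []
    # ws-a behaves like a client of one central server: same destination,
    # one connection every 10 seconds for three minutes.
    for t in range(0, 180, 10):
        flows.append((t, "ws-a", "203.0.113.10", "tcp"))
    # ws-b behaves like a P2P node: ten UDP peers per window, and each new
    # window keeps only two of the previous peers and rotates in eight new ones.
    for window in range(3):
        for i in range(10):
            peer_no = window * 8 + i          # windows overlap by two peers
            flows.append((window * WINDOW_S + i * 5, "ws-b",
                          f"198.51.100.{peer_no}", "udp"))
    return flows


def windows_by_host(flows: List[Flow]) -> Dict[str, Dict[int, Set[str]]]:
    """Group destination IPs per source host and per time window."""
    buckets: Dict[str, Dict[int, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for ts, src, dst, _proto in flows:
        buckets[src][ts // WINDOW_S].add(dst)
    return buckets


def peer_stats(windows: Dict[int, Set[str]]) -> Tuple[float, float]:
    """Return (mean distinct peers per window, mean peer churn between windows)."""
    ordered = [windows[k] for k in sorted(windows)]
    fanout = sum(len(s) for s in ordered) / len(ordered)
    churns = [len(cur - prev) / len(cur)
              for prev, cur in zip(ordered, ordered[1:]) if cur]
    churn = sum(churns) / len(churns) if churns else 0.0
    return fanout, churn


def classify(flows: List[Flow]) -> Dict[str, Tuple[str, float, float]]:
    """Label each host as p2p-like or client-server-like from its fan-out and churn."""
    result: Dict[str, Tuple[str, float, float]] = {}
    for host, windows in windows_by_host(flows).items():
        fanout, churn = peer_stats(windows)
        p2p_like = fanout >= FANOUT_MIN and churn >= CHURN_MIN
        label = "p2p-like" if p2p_like else "client-server-like"
        result[host] = (label, round(fanout, 2), round(churn, 2))
    return result


if __name__ == "__main__":
    for host, (label, fanout, churn) in sorted(classify(build_sample_flows()).items()):
        print(f"{host}: {label} (fan-out {fanout} peers/window, churn {churn})")
```

On the constructed data ws-a scores a fan-out of one peer and zero churn, while ws-b scores ten peers per window with 80% of them new each window, which is the pattern the cited research describes for ZeroAccess. The heuristic is a triage signal rather than proof: legitimate BitTorrent clients, VoIP softphones and some CDN-heavy applications show similar fan-out, so a hit should be followed by looking at what the host actually sends and whether the peer set overlaps with other flagged hosts on the network.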
