What Is The Term Used For A Threat Actor Who Controls Multiple Bots In A Botnet?
A botnet is a collection of internet-connected devices, which may include personal computers (PCs), servers, mobile devices and internet of things (IoT) devices, that are infected and controlled by a common type of malware, often unbeknownst to their owner.
Infected devices are controlled remotely by threat actors, often cybercriminals, and are used for specific functions, while the malicious operations stay hidden from the user.
Botnets are commonly used to send spam emails, engage in click fraud campaigns and generate malicious traffic for distributed denial-of-service (DDoS) attacks.
How do botnets work?
The term botnet is derived from the words robot and network. A bot, in this case, is a device infected by malicious code, which then becomes part of a network, or net, of infected machines all controlled by a single attacker or attack group.
A bot is sometimes called a zombie, and a botnet is sometimes referred to as a zombie army. Conversely, those controlling the botnet are sometimes referred to as bot herders.
The botnet malware typically looks for devices with vulnerable endpoints across the internet, rather than targeting specific individuals, companies or industries.
The objective for creating a botnet is to infect as many connected devices as possible and to use the large-scale computing power and functionality of those devices for automated tasks that generally remain hidden from the users of the devices.
For example, an ad fraud botnet infects a user's PC with malicious software that uses the system's web browsers to divert fraudulent traffic to certain online advertisements. However, to stay concealed, the botnet won't take complete control of the operating system (OS) or the web browser, which would alert the user.
Instead, the botnet may use a small portion of the browser's processes, often running in the background, to send a barely noticeable amount of traffic from the infected device to the targeted ads.
On its own, that fraction of bandwidth taken from an individual device won't offer much to the cybercriminals running the ad fraud campaign. However, a botnet that combines millions of botnet devices will be able to generate a massive amount of fake traffic for ad fraud.
The architecture of a botnet
Botnet infections are usually spread through malware or spyware. Botnet malware is typically designed to automatically scan systems and devices for common vulnerabilities that haven't been patched in hopes of infecting as many devices as possible.
Once the desired number of devices is infected, attackers can control the bots using two different approaches.
The client-server botnet
The traditional client-server model involves setting up a command-and-control (C&C) server and sending automated commands to infected botnet clients through a communications protocol, such as Internet Relay Chat (IRC).
The bots are then often programmed to remain dormant and await commands from the C&C server before initiating any malicious activities or cyber attacks.
The P2P botnet
The other approach to controlling infected bots involves a peer-to-peer (P2P) network. Instead of using C&C servers, a P2P botnet relies on a decentralized approach.
Infected devices may be programmed to scan for malicious websites or even for other devices that are part of a botnet. The bots can then share updated commands or the latest versions of the malware.
The P2P approach is more common today, as cybercriminals and hacker groups try to avoid detection by cybersecurity vendors and law enforcement agencies, which have often used C&C communications to locate and disrupt botnet operations.
Examples of botnet attacks
Zeus
The Zeus malware, first detected in 2007, is one of the best-known and most widely used malware types in the history of information security. Zeus uses a Trojan horse program to infect vulnerable devices. Variants of this malware have been used for various purposes over the years, including to spread CryptoLocker ransomware.
Initially, Zeus, or Zbot, was used to harvest banking credentials and financial information from users of infected devices. Once the data was collected, attackers used the bots to send out spam and phishing emails that spread the Zeus Trojan to more prospective victims.
In 2009, cybersecurity vendor Damballa estimated Zeus had infected 3.6 million hosts. The following year, the Federal Bureau of Investigation (FBI) identified a group of Eastern European cybercriminals who were suspected to be behind the Zeus malware campaign.
The Zeus botnet was repeatedly disrupted in 2010 when two internet service providers (ISPs) that were hosting the C&C servers for Zeus were shut down. However, new versions of the Zeus malware were later discovered.
GameOver Zeus
Approximately a year after the original Zeus botnet was disrupted, a new version of the Zeus malware, known as GameOver Zeus, emerged.
Instead of relying on traditional, centralized C&C servers to control bots, GameOver Zeus used a P2P network approach, which initially made the botnet harder for law enforcement and security vendors to pinpoint and disrupt.
Infected bots used a domain generation algorithm (DGA) to communicate. The GameOver Zeus botnet would generate domain names to serve as communication points for infected bots. An infected device randomly selected domains until it reached an active domain that was able to issue new commands. Security firm Bitdefender found it could issue as many as 10,000 new domains each day.
In 2014, international law enforcement agencies took part in Operation Tovar to temporarily disrupt GameOver Zeus by identifying the domains used by the cybercriminals and then redirecting bot traffic to government-controlled servers.
The FBI also offered a $3 million reward for Russian hacker Evgeniy Bogachev, who was accused of being the mastermind behind the GameOver Zeus botnet. Bogachev is still at large, and new variants of GameOver Zeus have since emerged.
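The DGA behaviour described above leaves a defender-visible trace: a bot cycling through generated names produces a burst of failed (NXDOMAIN) lookups for random-looking labels before it hits an active domain. The following added example (not from the original article or any vendor's product) scores clients in a constructed DNS log by NXDOMAIN count and label entropy; the log format and thresholds are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample log, one query per line: "<client_ip> <queried_domain> <rcode>".
# 10.0.0.9 behaves like a DGA bot: several random-looking lookups fail before one resolves.
SAMPLE_DNS_LOG = """\
10.0.0.5 mail.example.com NOERROR
10.0.0.5 www.example.com NOERROR
10.0.0.9 qzkv7d2xhp1mlwo.net NXDOMAIN
10.0.0.9 3fjt8wbqrz0ylucx.org NXDOMAIN
10.0.0.9 hy1pmgd4kxq9tvsn.biz NXDOMAIN
10.0.0.9 x8lo2dzkw5mtqfr.com NXDOMAIN
10.0.0.9 p4wnq7zkrx2vbl.net NOERROR
10.0.0.9 www.example.com NOERROR
"""


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of one DNS label; ~4.0 for 16 distinct chars, ~2.5 for 'example'."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(label.count(c) / n * math.log2(label.count(c) / n) for c in set(label))


def second_level_label(domain: str) -> str:
    """Return the label just left of the public suffix (naive: assumes a single-label TLD)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def score_clients(log_text: str, nx_threshold: int = 3, entropy_threshold: float = 3.5) -> dict:
    """Flag clients whose failed lookups look algorithmically generated.

    Returns {client_ip: (nxdomain_count, mean_label_entropy)} for clients with at least
    nx_threshold NXDOMAIN responses whose mean second-level-label entropy is high.
    Successful lookups are ignored: only the failed probing pattern is scored.
    """
    nx_labels = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines rather than crash on them
        client, domain, rcode = fields
        if rcode == "NXDOMAIN":
            nx_labels[client].append(second_level_label(domain))
    flagged = {}
    for client, labels in nx_labels.items():
        mean_entropy = sum(shannon_entropy(l) for l in labels) / len(labels)
        if len(labels) >= nx_threshold and mean_entropy >= entropy_threshold:
            flagged[client] = (len(labels), round(mean_entropy, 2))
    return flagged
```

Thresholds need tuning per environment; CDNs and some legitimate software also produce high-entropy hostnames, so the NXDOMAIN-rate condition is what separates probing from ordinary traffic.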
Methbot
An extensive cybercrime operation and ad fraud botnet known as Methbot was revealed in 2016 by cybersecurity services company White Ops.
According to security researchers, Methbot was generating between $3 million and $5 million in fraudulent ad revenue daily by producing fraudulent clicks for online ads, as well as fake views of video advertisements.
Instead of infecting random devices, the Methbot campaign was run on approximately 800 to 1,200 dedicated servers in data centers located in both the U.S. and the Netherlands. The campaign's operational infrastructure included 6,000 spoofed domains and more than 850,000 dedicated Internet Protocol (IP) addresses, many of which were falsely registered as belonging to legitimate ISPs.
The infected servers produced fake clicks and mouse movements and were able to forge Facebook and LinkedIn social media accounts to appear as legitimate users to fool conventional ad fraud detection techniques.
In an effort to disrupt the monetization scheme for Methbot, White Ops published a list of the spoofed domains and fraudulent IP addresses to alert advertisers and enable them to block the addresses.
Mirai
Several powerful, record-setting DDoS attacks were observed in late 2016 and subsequently traced to a brand of malware known as Mirai.
The traffic produced by the DDoS attack came from a variety of connected devices, including wireless routers and closed-circuit television (CCTV) cameras.
Mirai malware was designed to scan the internet for unsecured devices, while also avoiding IP addresses belonging to major corporations and government agencies. After it identified an unsecured device, the malware attempted to log in using common default passwords. If necessary, the malware resorted to brute-force attacks to guess passwords.
Once a device was compromised, it connected to C&C infrastructure and could divert varying amounts of traffic toward a DDoS target. Devices that were infected often still continued functioning normally, making it difficult to detect Mirai botnet activity.
The Mirai source code was later released to the public, enabling anyone to use the malware to create botnets by targeting poorly protected IoT devices.
Addressing vulnerabilities of IoT devices
The increase of connected devices used across modern industries provides an ideal landscape for botnet propagation. Botnets rely on a large network of devices to complete their objective, making IoT -- with its large attack surface -- a prime target. Today's inexpensive, internet-capable devices are vulnerable to botnet attacks, not only because of their proliferation, but because they often have limited security features. In addition, IoT devices are often easier to hack because they cannot be managed, accessed or monitored in the same way that conventional information technology (IT) devices can. Businesses can work to improve IoT security by putting stricter authentication methods in place.
Disrupting botnet attacks
In the past, botnet attacks were disrupted by focusing on the C&C source. Law enforcement agencies and security vendors traced the bots' communications to wherever the control server was hosted and then forced the hosting or service provider to shut the server down.
However, as botnet malware becomes more sophisticated and communications are decentralized, takedown efforts have shifted away from targeting C&C infrastructures to other approaches. These include identifying and removing botnet malware infections at the source device, identifying and replicating P2P communication methods, and, in cases of ad fraud, cracking down on monetary transactions rather than technical infrastructure.
Preventing botnets with cybersecurity controls
There is no one-size-fits-all solution to botnet detection and prevention, but manufacturers and enterprises can start by incorporating the following security controls:
- strong user authentication methods;
- secure remote firmware updates, permitting only firmware from the original manufacturer;
- secure boot to ensure devices only execute code produced by trusted parties;
- advanced behavioral analysis to detect unusual IoT traffic behavior; and
- methods using automation, machine learning and artificial intelligence (AI) to automate protective measures in IoT networks before botnets can cause serious harm.
These measures occur at the manufacturing and enterprise levels, requiring security to be baked into IoT devices from conception and businesses to acknowledge the risks.
From a user perspective, botnet attacks are difficult to detect because devices continue to act normally even when infected. It may be possible for a user to remove the malware itself, but it is unlikely for the user to have any effect on the botnet as a whole. As botnet and IoT attack vectors increase in sophistication, IoT security will need to be addressed at an industry level.
Source: https://www.techtarget.com/searchsecurity/definition/botnet
Posted by: foorlusell.blogspot.com