Member · Joined Oct 11, 2023 · Messages: 43
A botnet is a network of devices infected with malware. The term is formed from parts of the English words "robot" and "network".

In this context, a bot usually means a device (computer, smartphone) controlled by a hidden program that receives commands from its owner over the Internet. Botnets are used for DDoS attacks, brute-force password guessing, mining bitcoins or other cryptocurrencies, and spreading spam. IoT devices can also be bots: the well-known Mirai botnet, for example, consists of them.

Because an infected device executes any instruction from the attacker, it is often called a zombie machine, and a botnet, accordingly, a zombie network. Malware can get in if the user is not vigilant: cybercriminals disguise it as useful software. A bot agent can also install itself through a vulnerability in some piece of software, or by brute-forcing passwords to shared network resources. In rare cases it is installed when the computer is left openly accessible.

Malware used to build botnets runs independently on the device and protects itself from removal. The protection consists of unconventional startup methods, replacing system files, and rebooting the machine when its autorun keys are accessed. Agents mimic system processes and may run as two processes that restart each other.

A botnet has enormous computing resources and brings cybercriminals tangible profits. An attacker can anonymously control infected devices from anywhere in the world.

Botnet classification

Botnets are classified by architecture and network protocol.

From an architectural point of view, botnets with a control center and decentralized ones can be distinguished. In the first case, all computers are grouped around one control center (Command & Control, C&C). This is the most common variety. The center waits for responses from the bots, records them, and distributes the instructions set by the owner. Sometimes an attacker creates several centers in case one is disabled or blocked. Zombie networks of this type are easy to create and manage and respond to commands more quickly, but they are also somewhat easier to fight than other types: it is enough to take down the command center and the network collapses. The task can be complicated, however, by migrating centers or by traffic encryption.

Decentralized malicious networks are also called P2P botnets, from the English term "peer-to-peer". In such systems, bot agents do not connect to a control center but to a certain number of other infected computers. Having received a command, the malware passes it on to the next machine, and this is how instructions propagate through the zombie network. A cybercriminal can thus control all infected computers through any node of the botnet. A network of this type is less convenient to operate, but, lacking a center, it is also harder to fight.

The classification of zombie networks by protocol is based on how the machine issuing commands and the victims' computers interact, that is, on the network protocols that define communication between nodes. On this basis, botnets are divided into four groups.

The first group includes IRC-oriented zombie networks: each infected device connects to an IRC server, joins a specified channel, and waits for the owner's command. The second group is made up of networks using IM channels; the need to create a separate account for each node limits their popularity. The third group is web-oriented botnets, where computers are controlled over the World Wide Web. They are easy to develop, there are many web servers on the Internet, and they are easy to manage, so such malicious networks are in demand. The fourth group covers other systems with their own non-standard protocols.

Object of influence

The targets of botnets are government agencies, commercial companies, and ordinary Internet users. Cybercriminals use bots for goals of different kinds and sizes. For example, the simplest, most popular, and most profitable use of a botnet is spamming. The owner of the zombie network does not always do this himself: often spammers rent a botnet.

Botnets are also used for DDoS attacks. The attacked server cannot cope with the flood of requests from infected computers and stops responding, so users cannot reach it. To restore the web resource, the attackers demand a ransom. Cyber blackmail of this kind is very common, since today all companies actively use the Internet to do business, and some organizations work only through the World Wide Web. Owners or renters of botnets can also use DDoS attacks for political actions or provocations. Government, state, military and other organizations become targets of bot attacks.

Botnets are used to mine bitcoins. Once inside the user's computer, the bot agent uses the machine's resources for its own purposes; the more infected devices, the more currency the attacker "mints". GPU power can be used while the computer is idle, so the malicious activity is not immediately noticed.

Botnets are also used for anonymous Internet access in order to hack websites or transfer money, and they are actively used to steal confidential information. The advantage of a zombie network over other malicious agents is the ability to collect information from a huge number of computers at once. This information is often sold or used to expand the botnet.

Source of threat

Bot agents are created by cybercriminals, for example, to steal. Typically, hackers steal credentials for a particular system to obtain monetary gain or some other personal benefit. Zombie networks are also used by illegal businesses to promote their goods and services.

The most dangerous group of developers of such programs are organized cybercriminals, who use infected networks for attacks, stealing data and money, sending advertisements, blackmail, provocations, and so on. They also build botnets for sale and rent.

Risk analysis

Statistics show that a huge number of computing devices are part of botnets. The consequences of infecting a computer with a bot agent vary with the botnet owner and his goals. The most visible activity of zombie networks is DDoS attacks. The danger of infected networks also grows because creating them becomes easier every year and new ways of planting malware are found, which means new botnets appear and existing ones expand.

In early March 2017, researchers discovered a vulnerability in the DVRs and surveillance cameras of the Chinese company Dahua, meaning those devices could easily end up executing attackers' commands. Read more about this in the article "Chinese cameras and DVRs can become part of botnets."

Despite the scary statistics, you can protect your computer. This requires:
  • using effective anti-virus protection,
  • updating the operating system and all applications promptly,
  • using encryption when transferring personal data,
  • observing general reasonable precautions when using the Internet.

It is also helpful to monitor device activity. If it is working hard while idle, or transferring too much data, there may be a malicious agent on it.
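The "monitor device activity" advice above can be made concrete. What follows is an added example (not from the original post): it scans a constructed connection log for beaconing, that is, a host contacting the same destination at nearly constant intervals with nearly constant payload sizes, which is what a bot polling a central C&C server tends to look like. The log format, the IP addresses, the thresholds and the `find_beacons` function are all assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample connection log (not real traffic). One event per line:
#   <UTC timestamp> <source IP> -> <destination IP>:<port> <bytes sent>
# 10.0.0.5 calls the same host every ~5 minutes with a same-sized request;
# 10.0.0.7 browses normally. The last line is deliberately malformed.
SAMPLE_LOG = """\
2023-10-11T08:00:00Z 10.0.0.5 -> 203.0.113.10:443 612
2023-10-11T08:01:13Z 10.0.0.7 -> 198.51.100.20:443 15213
2023-10-11T08:01:40Z 10.0.0.7 -> 198.51.100.21:443 88120
2023-10-11T08:05:02Z 10.0.0.5 -> 203.0.113.10:443 598
2023-10-11T08:09:58Z 10.0.0.5 -> 203.0.113.10:443 605
2023-10-11T08:14:05Z 10.0.0.7 -> 198.51.100.20:443 4410
2023-10-11T08:15:01Z 10.0.0.5 -> 203.0.113.10:443 611
2023-10-11T08:20:00Z 10.0.0.5 -> 203.0.113.10:443 590
2023-10-11T08:24:59Z 10.0.0.5 -> 203.0.113.10:443 602
2023-10-11T08:30:03Z 10.0.0.5 -> 203.0.113.10:443 607
2023-10-11T08:31:52Z 10.0.0.7 -> 198.51.100.22:80 2201
2023-10-11T08:32:07Z 10.0.0.7 -> 198.51.100.20:443 9310
2023-10-11T08:33:30Z 10.0.0.7 -> 198.51.100.20:443 1200
2023-10-11T08:35:00Z 10.0.0.5 -> 203.0.113.10:443 599
this line is not a valid event and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)\s+(?P<src>[\d.]+)\s+->\s+"
    r"(?P<dst>[\d.]+:\d+)\s+(?P<bytes>\d+)$"
)


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, bytes), sorted by time.
    Lines that do not match the expected format are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["src"], m["dst"], int(m["bytes"])))
    return sorted(events)


def find_beacons(text, min_conns=6, max_interval_cv=0.2, max_size_cv=0.5):
    """Return (src, dst, count, mean_interval_s, interval_cv) for every flow that
    looks like a C&C beacon: at least `min_conns` connections whose inter-arrival
    times and payload sizes both have a low coefficient of variation (stdev/mean).
    The thresholds are assumptions; tune them to the network being monitored."""
    flows = defaultdict(list)
    for ts, src, dst, nbytes in parse_log(text):
        flows[(src, dst)].append((ts, nbytes))
    beacons = []
    for (src, dst), conns in flows.items():
        if len(conns) < min_conns:
            continue
        times = [c[0] for c in conns]
        sizes = [c[1] for c in conns]
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_interval = mean(intervals)
        if mean_interval <= 0:
            continue  # duplicate timestamps, not a periodic flow
        interval_cv = pstdev(intervals) / mean_interval
        size_cv = pstdev(sizes) / mean(sizes)
        if interval_cv <= max_interval_cv and size_cv <= max_size_cv:
            beacons.append((src, dst, len(conns), round(mean_interval, 1), round(interval_cv, 3)))
    return beacons


if __name__ == "__main__":
    for b in find_beacons(SAMPLE_LOG):
        print("possible beacon: %s -> %s, %d connections every ~%.0f s (CV %.3f)" % b)
```

Legitimate periodic traffic (time sync, update checks, monitoring agents) will also score low on jitter, so a hit is a lead to correlate with the destination's reputation and the process behind the socket, not a verdict on its own.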
 
Member · Joined Oct 14, 2023 · Messages: 225

The most dangerous botnets

A botnet won't surprise anyone today: they appear all the time, and the underlying infection is easily cleaned out by antivirus software, thanks to the clumsiness of authors who cobble their malware together on their knees from whatever is at hand. But sometimes pros take up virus writing, and then the damage becomes colossal and the war against the malware becomes protracted and interesting. In this article I will go through such stories, and some of them are not over yet.

It is impossible to cover even the most interesting epidemics in one article, so I selected only eight of the most significant cases. And even they cannot be described in full detail, so I warn you right away that some details may be omitted, intentionally or not. Keep in mind that the situation around active Trojans may well change by the time the article is published.

ZeuS
  • Brief description: banking Trojan
  • Years of life: 2007-present
  • Number of infections: more than 13 million
  • Distribution method: exploit pack
  • Distribution: 196 countries
  • Damage: more than $120 million
Our hit parade opens with Zeus, though not the one who sits on Olympus among the gods. This banking Trojan is so widespread that it took first place on the list of America's most wanted botnets. According to armchair analysts, it was used in 90% of all bank fraud cases in the world.

At first, several hundred separate botnets were built on the basis of ZeuS, controlled by different gangs of cybercriminals. The author or authors of the bot simply sold the builder to anyone and everyone, and the buyers made their own botnets out of it.

Everyone distributed the bot as best they could; for example, in 2009 one of the groups ran a large-scale mailing of Zeus through the Pushdo spam botnet. Damballa estimated that about 3.6 million PCs were infected in the United States alone. In total, more than 13 million computers have been infected since Zeus appeared.

The Zeus developer was originally known under the nicknames Slavik and Monstr, and it was he who sold and supported the bot himself in 2007–2010. This continued until version 2.0, when in October 2010 Slavik handed the version 2.0 source code over to the developer of the SpyEye Trojan and, according to legend, stopped development. But according to RSA, the original author did not go anywhere, and the code transfer was a red herring.

In August 2010, that is, two months before the official announcement that work on Zeus had ended, experts discovered a botnet built on Zeus version 2.1, which at that time was not being sold on any underground forum. From this we can conclude that the author simply changed his business model and decided to build his own botnet rather than sell the bot builder to everyone.

One of the main features of Zeus 2.1 was a changed scheme for communicating with the command servers: server addresses were now generated with a DGA (domain generation algorithm). To protect against hijacking, the signature of the file downloaded during an update was checked (an RSA-1024 signature was used).

Among the innovations of this version, some researchers also count the appearance in September of the ZeuS-in-the-Mobile (ZitMo) build for Android, Windows Mobile, BlackBerry and even Symbian. The newly minted Trojan worked in tandem with the "regular" desktop version of Zeus and made it possible to bypass two-factor authentication in online banking. According to Check Point Software and Versafe, by the end of 2012 the ZitMo build called Eurograbber had brought its owners a profit of about 36 million euros (about $47 million at the time).

Someone either got greedy or leaked the Zeus 2.0.8.9 source code on the side, but the fact remains that the source of an almost current version of Zeus went on sale on the darknet in February 2011. And then either there were no buyers, or the seller was hacked: in May the source code became public. This event was, I think, the most significant one for the hacker world in 2011.

We should also mention the HVNC module (H stands for Hidden). This is an implementation of a VNC server, but it interacts with a virtual desktop that the user cannot see. Later, the HVNC module from the leaked sources was turned into a separate project.

After the leak, "craftsmen" immediately appeared who began churning out Trojans from the Zeus source, which were sometimes Zeus clones more or less entirely, admin panel included. But there were also more worthwhile creations, for example the Citadel project. Its main feature was an online platform similar to the modern GitHub: customers could request new features, report bugs, and add their own modules. In short, development became interactive and brought its admins a lot of money. Customers were even given technical support, which included, for example, keeping Citadel constantly up to date to bypass the latest protection in the form of antivirus programs.

In the fall of 2011, a researcher named Roman Hussy, while studying one of the Zeus variants, noticed strange UDP traffic. Further analysis showed that the new version of Zeus had several IP addresses in its configuration block, and the computers at those addresses responded to the infected system. Within a day, about 100 thousand unique IP addresses contacted by the new modification were identified, most of them in India, Italy and the United States.

It turned out that Zeus had acquired peer-to-peer functions designed for updating and based on the Kademlia protocol. Because of the script name gameover.php, this version was named GameOver.

In early 2012, another version of Zeus GameOver was discovered: it contained a built-in nginx server for interacting with other bots over HTTP. From this point on, each bot could act as a proxy for communicating with the original C&C, and protection against "updates" distributed by specialists on the other side of the barricades was provided by the same file signature. The GameOver version turned out to be very tenacious and is still active.

More than 74,000 hacked FTP servers, spam, fake technical support fraud, exploits, and even social engineering on social networks were used to spread the bot. In short, the whole gentleman's set.

Later it was reported that the FBI, together with experts from about a dozen countries, had exposed the group behind Zeus. All its participants were put on the wanted list, including the alleged organizer, a certain Evgeny Bogachev. According to the FBI, Bogachev lives in Anapa and owns a yacht. A record sum of 3 million green American rubles has been offered for his head! Since then, little has been heard about Zeus updates: the author has apparently laid low, and there is no progress in the search at all. We will wait for news.

By saying "little has been heard about updates", I mean that the original Zeus is really no longer supported, but in 2015 a new and interesting modification of it appeared, called Sphinx. Its panel is not particularly different, but inside is a new Trojan, thoroughly reworked by unknown authors. Now, in connection with the coronavirus, it is especially active and spreads through social engineering. A fake Kaspersky Lab signature and a self-made certificate were used as cover.

Disinfecting Zeus is very difficult: it successfully bypasses antivirus programs using polymorphic encryption, infects many files, and is constantly updated. The best remedy is to reinstall the infected system, but if you really want to, you can try to find and clean the infected files, with no guarantee of success, of course.

Storm
  • Brief description: email worm for spam and DDoS
  • Years of life: 2007–2008
  • Number of infections: about 2 million
  • Distribution method: spam
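Returning to the ZeuS section of this post: it mentions that Zeus 2.1 generated its command-server addresses with a DGA instead of hard-coding them. The following is an added example, not part of the original post and not Zeus's real algorithm: a hypothetical date-seeded DGA, the defender's counter-move of precomputing the coming days' domains once the algorithm and seed have been recovered from a sample (so they can be sinkholed or blocked before the operator registers them), and a rough entropy heuristic for spotting generated-looking names when the algorithm is unknown. The seed, TLD list, thresholds and function names are assumptions of the example.

```python
import hashlib
import math
from collections import Counter
from datetime import date, timedelta

# Assumptions of the example: a shared seed, a small TLD list, 20 candidates per day.
DEMO_SEED = "demo-seed-not-a-real-one"
DEMO_START = date(2023, 10, 14)
TLDS = ("com", "net", "org", "info")


def dga_domains(seed, day, count=20):
    """Hypothetical date-seeded DGA (illustrative only, not ZeuS's real algorithm).
    Bot and operator both know `seed`, so both derive the same candidate C&C
    domains for `day`; the operator registers one of them, the bot tries them all."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{day.isoformat()}|{i}".encode()).digest()
        length = 12 + digest[0] % 8                       # 12..19 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def sinkhole_plan(seed, start, days):
    """Defender side: with the algorithm and seed recovered from a sample, precompute
    every domain the bots will try over the next `days` days so they can be
    registered (sinkholed) or blocked before the operator gets to them."""
    return {
        (start + timedelta(days=n)).isoformat(): dga_domains(seed, start + timedelta(days=n))
        for n in range(days)
    }


def shannon_entropy(text):
    """Bits of entropy per character of `text`."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(domain, min_len=12, min_entropy=3.3, max_vowel_ratio=0.3):
    """Rough heuristic for an unknown DGA: a long second-level label with high
    character entropy and few vowels. Thresholds are assumptions and will produce
    false positives on CDN or tracking hostnames; treat hits as leads, not verdicts."""
    parts = domain.lower().rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def classify_queries(queries, plan):
    """Label DNS query names: 'known-dga' if in the precomputed plan, 'dga-like' if
    the heuristic fires, otherwise 'ok'."""
    known = {d for day_domains in plan.values() for d in day_domains}
    out = []
    for q in queries:
        name = q.lower().rstrip(".")
        if name in known:
            out.append((q, "known-dga"))
        elif looks_generated(name):
            out.append((q, "dga-like"))
        else:
            out.append((q, "ok"))
    return out


if __name__ == "__main__":
    plan = sinkhole_plan(DEMO_SEED, DEMO_START, 3)
    for day, domains in plan.items():
        print(day, domains[:3], "...")
    sample = [plan[DEMO_START.isoformat()][0], "mail.google.com", "xqzvtkbpmrwdfghj.com"]
    for name, verdict in classify_queries(sample, plan):
        print(f"{name:40} {verdict}")
```

The precomputation is the whole reason a DGA is both a strength and a weakness: it makes a single takedown useless, since tomorrow's domains are different, but once the seed is known the defender can enumerate the future as easily as the operator, and that is what a signed-update check like the RSA-1024 one mentioned above is meant to protect against on the bot's side.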
 
Member · Joined Oct 14, 2023 · Messages: 225
Storm (aka Zhelatin) was first spotted in early 2007 and was sent out under the guise of footage of destruction from severe storms in Europe. From the very beginning, the bot used social engineering in its emails; even such "news" as the resurrection of Saddam Hussein served as bait in the subject line. But if social engineering were the only feature of the Storm botnet, it would not have made our selection. For its time, Storm was probably the most technologically advanced malware: it implemented a decentralized P2P control system based on the Overnet protocol (itself based on the eDonkey network) and server-side polymorphism.

Server-side polymorphism had previously been used only in the Stration botnet, which first appeared in 2006. Subsequently there was a short and not especially interesting war between that botnet and Storm for users' computers. At one point, though, Storm accounted for up to 8% of all malware on Windows computers.

In July 2007, at the peak of its growth, the botnet generated about 20% of all spam on the Internet, sending it from 1.4 million computers. It pushed pharmaceuticals and other drugs: both relatively legal ones, like Viagra, and prohibited ones.

Around the same time, attempts were made to split the botnet into several separate subnets. Perhaps the authors wanted to sell access to the infected machines to interested parties in parts. Either way, it didn't work out.

The botnet was quite brutal in protecting its resources from overly curious researchers. When frequent requests to download bot updates were detected from the same address, which is exactly what antivirus companies like to do, the bots launched a DDoS attack against that address. The websites of companies that prevented the botnet owners from doing their dirty work were also attacked, with varying success: as a result of DDoS attacks, the Spamhaus, SURBL (Spam URI Realtime Blocklists) and URIBL (Realtime URI Blacklist) services were briefly disrupted. This was needed to prevent anti-spam solutions from updating their databases and blocking the mailings.

At some point, the total computing power of PCs infected with Storm surpassed the supercomputers of the day. Imagine what power the owners of Storm had in their hands, had they decided on parallel computing instead of sending spam… But let's not dwell on sad things. The cryptocurrencies you were thinking of mining had, of course, not yet been born from Satoshi Nakamoto's ideas, so there was nothing to mine. A pity: in the role of a malicious miner the botnet would look far more interesting in our selection.

And so it would have continued, but at the end of 2008 the botnet disappeared as if by magic. Kaspersky Lab believes this happened because of the shutdown of the Russian Business Network, a criminal bulletproof hosting service from Russia. According to another version, which seems more realistic to me, Storm was destroyed by security researchers: at the Chaos Communication Congress (December 2008), a group of hackers showed the Stormfucker tool, which used a bug in Storm to spread through the Overnet network on its own and disinfect infected computers. And Microsoft, as usual, interprets events in its own way: they believe a Windows update helped get rid of the botnet. The experts never reached a consensus.

Of course, a place in the sun does not stay empty for long, and with the demise of Storm a new botnet, built from the Waledac Trojan, appeared. Although the code was completely different from its predecessor, Waledac suspiciously resembled Storm in several features: its C&C hosting, server-side polymorphism, spam distribution functions and a P2P update mechanism. Even the spam email templates were almost identical to Storm's. Waledac advertised the same products from the same sellers as Storm. A vivid demonstration of how one botnet is shut down and immediately replaced by a new one.

Storm seemed like a ghost until 2010, when members of the Honeynet Project discovered a new version of it. It consisted of roughly two-thirds of the first version's code: 236 of the worm's 310 functions remained unchanged. The piece responsible for peering went into the trash (apparently because of Stormfucker), and the protocol for talking to C&C was changed to HTTP (previously it used plain TCP sockets). Fortunately, Storm 2.0 was not as widely adopted as its older brother, which may have happened because the first version's source code was handed over to a different development team.

Symptoms of infection were relatively easy to notice if you monitored process launches. Malicious processes were usually named gameX.exe, where X is a digit. The following variants are possible:
 
Member · Joined Oct 14, 2023 · Messages: 225
  • game0.exe - backdoor and loader in one package; this process started the rest;
  • game1.exe - SMTP server for sending spam;
  • game2.exe - email address stealer;
  • game3.exe - spam distribution module;
  • game4.exe - DDoS utility;
  • game5.exe - bot update process.
The code was launched by the rootkit in %windir%\system32\wincom32.sys, which made it possible to bypass some security mechanisms. Although code running in the kernel as a rootkit does not care about any protection anyway, since getting something out of the kernel, even knowing its internal structure, is not as trivial as it seems.

The rootkit also did not hesitate to fake antivirus programs so that the user would think the protection was working normally even when it was not working at all.

Thus Storm became one of the first commercial ready-to-use spam tools. It may not have lasted long, but it showed the way to other attackers, who began to act in a similar fashion.

Mariposa
  • Brief description: Trojan worm
  • Years of life: 2009–2011
  • Number of infections: 12 + 11 million (two waves)
  • Distribution methods: pirated software, self-distribution via flash drives, peer-to-peer networks, and MSN messenger
  • Distribution: 190 countries
The Mariposa botnet ("butterfly" in Spanish) appeared in 2009 and was based on the code of the Palevo Trojan, also known as Rimecud. Panda Labs estimated the size of this giant butterfly at 12 million computers.

In the code the bot was called somewhat more simply, Butterfly Bot, but no one forbids naming things as one pleases, so the antivirus companies came up with their own name and issued it as the official one. The author had to accept it.

The bot could work as a loader for other malware of all stripes, could extract passwords from Firefox and IE out of the box, and brought up HTTP and SOCKS proxies to cover the attacker. And of course DDoS, with two modules at once: TCP SYN flood and UDP flood.

One of the distribution methods was USB flash drives and the autorun.ini mechanism, which still worked at the time. The bot did this quite cunningly, however (it is not for nothing that it is based on Palevo): Mariposa created a heavily obfuscated autorun file in which the instructions were mixed with a large number of characters in different encodings, so the ini file looked different every time.

Mariposa's main activity was fraud and the by-now-traditional DDoS. This included stealing victims' accounts from their computers and reselling them. Bank accounts were then used to pay for services, and social network accounts for all kinds of scams. Spoiler alert: stolen data is used for exactly the same purposes today.

As for protection against analysis, the bot authors tried their best and built in a lot of defensive features, which nonetheless did not prevent the botnet from being shut down. These mechanisms include frequent updates and modifications of the binary code to bypass signature analysis, countermeasures against running on virtual machines and in sandboxes, and a new UDP-based protocol for secure interaction with the command center.

Unfortunately for the botnet's authors (the DDP Team group from Spain directly stated its involvement), Mariposa's career was over in December 2009. Researchers and the police managed to identify, seize and disable the C&C servers, in Spain itself. Three months later (in February), Spanish law enforcement arrested three members of the DDP Team. An interesting detail: none of those arrested knew how to program.

According to the Spanish police, the bot operators were completely childish: they connected to C&C as admins from their home IP instead of using a VPN or proxy. Still, it proved impossible to hold the perpetrators accountable, largely because running a botnet was not considered a crime in Spain at the time at all; for a criminal case, the police would have to prove that they had stolen information and then used it for profit. According to official information, private data of more than 800 thousand people in 190 countries was stolen with the help of Mariposa, but this could not be used in the investigation for lack of solid evidence.

As a result, the investigation reached a dead end, and Mariposa's administrators, released a couple of months later, visited the office of Panda Security, which had played a significant part in their capture, and began asking to be hired: by their account, they were completely out of money after the Mariposa infrastructure was destroyed. They left, of course, with nothing.

Despite the destruction of Mariposa's C&C, from the end of 2010 the number of its detections began to grow again, and six months later another botnet based on the same Palevo, numbering about 11 million machines, was found. It was named Metulji ("butterfly" in Slovenian).

Just a month and a half to two months after the botnet was discovered, its operators, residents of Serbian Bosnia, were identified. These guys also didn't bother to be careful and spent money left and right. They were arrested jointly by the Slovenian police, the FBI and Interpol. Since then, Palevo and its derivatives have disappeared from the list of top threats.

As you can see, even wannabe hackers with minimal knowledge can build botnets of far from modest size, even without spam and exploit packs. Twelve million out of nowhere is a serious result.
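On the Mariposa autorun trick described in this post, an added example (not Mariposa's code and not a real sample): a lenient parser modelled on how Windows reads autorun.inf, the file the autorun mechanism actually consumes, applied to a constructed file padded with junk lines, a bogus section and mixed-encoding bytes. The point is that the junk does not matter to the parser, so the real directives survive and can be pulled out and flagged. The parsing rules (case-insensitive sections and keys, comment lines starting with `;`, anything else ignored, first definition wins) are my assumptions about Windows' INI handling, and the file contents, paths and suspicion heuristics are constructed for the example.

```python
import re

# Constructed obfuscated autorun file in the style the post describes (not a real
# Mariposa sample): junk lines, a bogus section and mixed-encoding bytes surround
# the real directives. The RECYCLER path and loader.exe name are invented.
OBFUSCATED_AUTORUN = (
    b";\xff\xfe\xc3\xa9 comment line full of stray bytes\r\n"
    b"[;.$%#@!]\r\n"
    b"\x8f\x90\x91 nonsense without an equals sign\r\n"
    b"  [AUtoRun]  \r\n"
    b"\xe2\x98\x83\xe2\x98\x83\xe2\x98\x83 more noise\r\n"
    b"OPEN=RECYCLER\\S-1-5\\loader.exe\r\n"
    b";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;\r\n"
    b"  shellexecute = RECYCLER\\S-1-5\\loader.exe -autorun\r\n"
    b"actio\r\n"
    b"icon=%SystemRoot%\\system32\\SHELL32.dll,4\r\n"
    b"\x00\x00\x00\r\n"
)

# A harmless file as produced by, say, a CD mastering tool (also constructed).
BENIGN_AUTORUN = b"[autorun]\r\nicon=setup.ico\r\nlabel=Holiday photos\r\n"

SECTION_RE = re.compile(r"^\[(.*)\]$")
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")
EXEC_EXTENSIONS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")
HIDDEN_DIRS = ("recycler", "recycled", "$recycle.bin", "system volume information")


def parse_autorun(data):
    """Lenient INI parse modelled on how Windows reads autorun.inf (assumptions about
    GetPrivateProfileString: section and key names are case-insensitive, surrounding
    whitespace is trimmed, lines starting with ';' are comments, anything that is
    neither a [section] nor key=value is ignored, and the first definition of a key
    wins). That tolerance is exactly what lets a junk-padded file still execute."""
    text = data.decode("latin-1") if isinstance(data, bytes) else data
    section = None
    found = {}
    for raw in text.splitlines():
        line = raw.strip(" \t\x00")
        if not line or line.startswith(";"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().lower()
        if key and key not in found:
            found[key] = value.strip()
    return found


def assess_autorun(data):
    """Report what an autorun.inf would launch and why that is suspicious. The
    indicators (executable target, payload under a folder that looks like a system
    directory) are the example's own heuristics, not any vendor's signature."""
    directives = parse_autorun(data)
    reasons = []
    for key in LAUNCH_KEYS:
        if key not in directives:
            continue
        command = directives[key]
        target = command.split()[0].strip('"').lower() if command.split() else ""
        if target.endswith(EXEC_EXTENSIONS):
            reasons.append(f"{key} launches an executable: {command}")
        if any(d in target for d in HIDDEN_DIRS):
            reasons.append(f"{key} points into a system-looking folder: {command}")
    return {"directives": directives, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for name, sample in (("obfuscated", OBFUSCATED_AUTORUN), ("benign", BENIGN_AUTORUN)):
        report = assess_autorun(sample)
        print(name, "->", "SUSPICIOUS" if report["suspicious"] else "clean")
        for reason in report["reasons"]:
            print("   ", reason)
```

Because every file differed only in its junk, a byte-level signature on the autorun file was useless; normalizing it down to the directives the OS would actually honour, as above, is what gives a stable thing to match on.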
 
Member · Joined Oct 14, 2023 · Messages: 225
ZeroAccess
  • Brief description: Trojan Downloader, spammer, and miner
  • Years of life: 2009–2013
  • Number of infections: 9 million
  • Distribution method: exploit pack
The history of ZeroAccess in the rootkit chronicle began in June 2009. At that time an interesting sample appeared with the string F:\VC5\release\ZeroAccess.pdb in the rootkit driver, so the name ZeroAccess is the author's own. There were others, of course: ZeroAccess is also known as Smiscer and Sirefef.

An interesting feature of ZeroAccess is "live bait" fishing for knocking out antivirus programs. Besides its main driver, the rootkit, the bot had an additional kernel driver for creating a decoy, an object that antivirus programs and other supposedly protective mechanisms would bite on. This driver created the device \Device\svchost.exe and stored a dummy binary at the path \Device\svchost.exe\svchost.exe. Access to this pseudo-file was monitored by the rootkit. If something took the bait, ZeroAccess killed the process by injecting code into it that called ExitProcess(). And to prevent the caught program from launching again, ZeroAccess reset the ACL on its executable to deny reading and execution. Thus, once caught, the antivirus could no longer start.

In January 2010, the creators of ZeroAccess rolled out an update that enriched it with new features. For this (surprise!), the resources of the Russian Business Network were used. In this version, the obvious borrowing of ideas from the older TDL-3 rootkit became more noticeable: launch was now done through driver infection, and hidden storage in a separate hard disk partition was used to keep the rootkit's components.

Until April 2011, 64-bit versions of Windows were relatively safe and did not get infected with ZeroAccess. In May, however, the next update corrected this annoying omission, though not very technologically: in the 32-bit version the rootkit worked at kernel level, while in the 64-bit environment everything ran in user space. Apparently the authors decided not to bother bypassing driver signature verification and made do with this crutch.

To increase survivability, TCP-based P2P for distributing its modules was added, as well as a list of initial peers containing 256 supernode IP addresses. Antivirus analysts note that this version began loading two types of payload: click fraud and mining.

Time went on. More and more people switched to 64-bit operating systems, which make developing a kernel-mode rootkit difficult. In May 2012, the kernel driver was dropped and all work now took place in user mode. The peer-to-peer network algorithm also changed slightly, and the RSA key length was doubled from 512 to 1024 bits. Previously, peer-to-peer connections went only over TCP; now the list of IP addresses was requested over UDP and the list of modules over TCP. As before, there was still a split by payload type: a click-fraud or a mining module to choose from.

The ZeroAccess example illustrates the principle of Occam's razor: don't multiply entities unnecessarily, or, put simply, don't overcomplicate. ZeroAccess started out as a technological showcase, then the rootkit fell away in the course of evolution, but the botnet lived on and even acquired such a fashionable feature as P2P.

Sophos estimates that the number of computers infected by the bot at the end of summer 2012 was more than 9 million, with about a million active infections. According to experts, ZeroAccess was the most active botnet of 2012.

Antivirus companies, of course, did not ignore the botnet's existence and actively looked for ways to intrude through the ZeroAccess peer-to-peer protocol in order to disable it. In March 2013, Symantec engineers took up the task and found a vulnerability in the botnet's protocol that made it possible, though with great difficulty, to disrupt its operation.

Monitoring of botnet activity continued in parallel, and on June 29 Symantec specialists noticed that a new version of ZeroAccess was being distributed through the peer-to-peer network. The updated version contained changes that closed the vulnerability found earlier. This, it seems, prompted the botnet takeover operation, which started on July 16: the researchers tried to take control before the update reached all nodes. As a result, more than half a million bots left the botnet.

But even greater success was achieved by the whitehats at Microsoft: in December 2013, together with law enforcement agencies of several countries, they disrupted ZeroAccess by taking control of its C&C. Law enforcement obtained search and seizure orders for the servers behind the 18 IP addresses from which the botnet was managed. After this operation, the bots received a final update from the authors with the message WHITE FLAG. In short, the botnet gave up.

Technically the botnet is still alive, but it will never receive updates again, as the command servers have sunk into oblivion. The bot is not updated, the detection rate keeps growing, and more and more antivirus programs neutralize it. But we cannot rule out that the developers are currently working on a new version of ZeroAccess.
 
Member · Joined Oct 14, 2023 · Messages: 225
Dridex
  • Brief description: banking Trojan
  • Years of life: 2011-present
  • Number of infections: unknown
  • Distribution methods: spam, social engineering, free software
The Dridex banking Trojan has been one of the major financial cyberthreats since Zeus left the stage. In 2015, its damage was estimated at more than $40 million.

Dridex (then Cridex) first appeared around September 2011. Even then the bot could use web injects to steal money online, and it could also infect USB drives, so it was initially classified not as a Trojan but as a worm. The web injects were suspiciously similar in style to Zeus, which may have been helped by the leak of the latter's source code in 2011. Later, in 2012, the attackers abandoned USB infection.

The similarity between the Zeus and Dridex web injections is not the only thing that unites them. Specifically, with the Gameover Zeus version, the mechanisms for working with regular expressions, the distribution method (email spam), some aspects of the installer (the main body of the virus and the loader), as well as the set of available components on the infected system were common. Their list includes a SOCKS proxy and a hidden VNC, obviously borrowed from Zeus.

By the beginning of 2015, Dridex even had some semblance of a peer-to-peer network, which again resembles Gameover Zeus. This cannot be called true P2P, because not all network nodes were equal. Instead, there were supernodes whose addresses were specified in the Trojan's configuration file, in the XML section <nodes>. Encryption of the communication protocol with the command center also appeared.

The network grew rapidly and criminals seemed elusive, but on August 28, 2015, one of the Dridex administrators was found and arrested. Some of the bots (they were divided into subnets) disappeared from the network, but after a short time they not only returned, but also brought new ones. It seems that other admins took control of the arrested friend's subnets and continued working without him.

After the arrest, security measures were immediately tightened: IP-based filtering by geographical location was introduced. If the country was not included in the list, the bot received an error message. This, of course, did not prevent the Trojan from being studied. A couple of months later, the network owners rolled out an update to the Trojan loader, in which the XML config was replaced with a binary one. In fact, this solution was already used in early versions of the then Cridex, so this move was intended to confuse researchers rather than make the Trojan more convenient.

Another interesting version was found in early 2017. In terms of its capabilities, it was similar to the third one, but the analysis of new samples is now greatly complicated by the fact that the loader works for a maximum of a couple of days. Again, the solution is not new: it was about the same with the Lurk Trojan, only the loader worked there for only a few hours. When the boot loader's lifetime ends, the encryption keys are changed and the old samples become useless. All legacy instances receive a 404 error from the server.

Encryption remains the same as its ancestor, RC4, with a static key in the Trojan's body. Encryption was needed to protect against detection in traffic, and not to block research, since RC4 is a symmetric algorithm that can be easily broken by brute-force, but traffic analysis systems are powerless in front of such a pseudo-random data stream.

Most of the victims are located in Europe. Most of the infections were recorded in the UK, followed by Germany and France. Dridex does not infect Russian computers: command servers do not respond to requests from Russian IP addresses.

Over the years of Dridex's existence, whitehats and law enforcement agencies from different countries have repeatedly tried unsuccessfully to stop the botnet's activity. In 2009, the US Department of Justice filed charges against two Russians who, according to them, are behind the development of the Dridex malware and not only.

The indictment says that 32-year-old Maxim Yakubets and 38-year-old Igor Turashev were the developers of the famous banking Trojan Dridex and Yakubets was the leader of the group. In addition, Yakubets is also accused of developing and distributing Zeus.

But so far, Dridex is only adding more and more user account control (UAC) bypass techniques that help it stay afloat and continue to infect Windows machines. The damage is difficult to name, but even by the most sparing estimates, it is measured in hundreds of millions of dollars.
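The post above says Dridex encrypts its command traffic with RC4 under a static key carried in the Trojan body, and that this hides the traffic from inspection rather than from research. The following is an added example, not code from the post or from any Dridex sample: a plain RC4 implementation, a byte-entropy check of the kind traffic inspection uses, and the decryption a defender can perform once the static key has been pulled out of a sample. The key and the beacon text are constructed placeholders, not real Dridex values.

```python
# Added example (not from the post): RC4 with a static key, as the post
# describes for Dridex, plus a byte-entropy check showing why such traffic
# looks like random noise on the wire, and the decryption a defender can do
# with a key recovered from a sample. Key and beacon below are constructed.
import math
from collections import Counter


def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes for the given key (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:                               # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant stream, at most 8.0."""
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.0) -> bool:
    """Crude inspection heuristic: near-uniform bytes on a channel that
    should carry text (XML config, HTTP bodies) deserve a second look.
    Short payloads score lower, so the threshold assumes a few hundred bytes."""
    return shannon_entropy(data) >= threshold


# Constructed values: a stand-in static key and a fake loader beacon.
STATIC_KEY = b"constructed-static-key"
SAMPLE_BEACON = b"<loader><id>BOT-0001</id><cmd>get_config</cmd></loader>\n" * 8


def analyze_capture(captured: bytes, recovered_key: bytes) -> dict:
    """What a defender sees before and after applying a recovered key."""
    plaintext = rc4(recovered_key, captured)
    return {
        "entropy_on_wire": round(shannon_entropy(captured), 2),
        "flagged_as_encrypted": looks_encrypted(captured),
        "entropy_decrypted": round(shannon_entropy(plaintext), 2),
        "plaintext": plaintext,
    }


if __name__ == "__main__":
    on_wire = rc4(STATIC_KEY, SAMPLE_BEACON)
    report = analyze_capture(on_wire, STATIC_KEY)
    print("entropy on wire:", report["entropy_on_wire"])
    print("entropy after decryption:", report["entropy_decrypted"])
    print(report["plaintext"][:56].decode())
```

The point the post makes follows directly from the numbers: the ciphertext scores close to the 8-bit maximum, the decrypted beacon scores like ordinary text, and because the key is static and symmetric, one recovered key opens every capture from that loader generation. The high-entropy payload itself is a usable detection signal on ports where plaintext is expected.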
 
Member
Joined
Oct 14, 2023
Messages
225
Emotet
  • Brief description: banker, loader
  • Years of life: 2014-present
  • Number of infections: unknown
  • Distribution methods: spam, social engineering
Emotet is another high-tech banking Trojan. The first versions stole the bank data of only a few banks, but the botnet was quickly improved and is now also among the top 3 most active and dangerous, although it first appeared relatively recently, in 2014.

Infection actively occurs through spam: emails contain a malicious attachment with a macro. The macro is not simply executed; it uses social engineering methods to get the victim to launch it, which leads to infection.

At the turn of 2016 and 2017, the creators repurposed the botnet, and now it mainly acts as a loader for other malware of all stripes. However, it is also not worth deleting it from the list of bankers yet.

The botnet is sold under the IaaS or MaaS (malware as a service) model to other cybercrime groups. In particular, Emotet often works in tandem with Ryuk.

In the second half of 2019, the number of Emotet infections increased dramatically. The loader suddenly registered a burst of activity. In September, after a short four-month pause, Emotet again began to operate with increasing strength. A total of 27,150 Emotet instances were detected in the second half of 2019 (an increase of 913% compared to last year). During this attack, more than 1000 unique IP addresses were recorded, which hosted C&C Emotet. The graph below shows the number of Emotet samples found for the second half of 2018 and 2019. There is a huge difference.

In 2020, a new feature was discovered: Emotet behaves like a worm, hacking into poorly covered Wi-Fi networks and spreading there. Another demonstration of how attackers invent new techniques in the name of more effective infection.

As for the geographical distribution, Germany, the United States, India and Russia were the most affected. The top affected countries also include China, Italy and Poland. Emotet is still active, so the infection pattern is constantly changing and may even change by the time this article is published.

To date, nothing is known about the creators of Emotet, so there will be no fascinating story of the idiocy of developers and the resourcefulness of law enforcement officers. It's a pity.

3ve
  • Brief description: clickfraud botnet
  • Years of life: 2013–2018
  • Number of infections: ~1.7 million
  • Distribution methods: spam, social engineering
  • Damage: about $30 million
I think you've had enough of the banking Trojans in this collection. However, this bot belongs to a different family: clickfraud botnets. 3ve ("Eve") does not steal bank data when infected, but clicks tons of ads on fake sites. Of course, the user does not notice anything, since everything happens secretly. The bot contained many detection bypass mechanisms to bring maximum profit to its creators. 3ve is considered the most advanced clickfraud botnet.

3ve was distributed through the Methbot and Kovter botnets and had several schemes of operation.

One of the schemes was identified as 3ve.1, but it was first discovered by WhiteOps specialists and named [link]. This campaign was also monitored by experts from Symantec and ESET, under the names [link] and [link], respectively. Naturally, no one knew then that this operation was just a small piece of a larger advertising scam.

Another scheme used primarily servers in data centers, rather than computers of ordinary users — bots imitated the behavior of live users of mobile and stationary devices. According to the FBI, 3ve operators used about 1,900 servers in commercial data centers, and they had about 5,000 advertising sites at their disposal.

3ve operators went as far as faking BGP and allocating blocks of IP addresses belonging to real clients to mask fraudulent activity. When ad networks started blocking addresses associated with the 3ve.1 scheme, operators simply rented infected machines in the Kovter botnet. New bots opened hidden browser windows and continued using the old scheme.

In the third scheme, everything remained the same, but instead of a huge number of low-power bots, the campaign involved several powerful servers and a lot of rented proxies to hide servers.

At its peak, the 3ve botnet generated about 3 billion fraudulent requests every day, used about 10,000 fake sites to display ads, had more than a thousand bot servers in data centers, and controlled over a million IP addresses needed to hide bots.

The botnet was closed by a joint effort of Google, the FBI, Adobe, Amazon, ESET, Malwarebytes and other companies. There were eight authors, and thirteen criminal cases were opened against them. Six authors are Russians, and two more are Kazakhs. Sometimes legends about Russian hackers do not lie!

According to Google, after the 3ve infrastructure was blacklisted and sinkholing was used against it, there was a real lull in advertising fraud. Although the men in uniform don't give the exact income of the group, experts estimate 3ve's earnings to be at least $30 million.

Mirai
  • Brief description: DDoS botnet
  • Years of life: 2016-present
  • Number of infections: more than 560 thousand
  • Distribution methods: brute force
It would be strange if we didn't remember such a famous bot. It is the king of botnets that attack IoT devices, and although it itself has long since died out, its numerous descendants still haunt security professionals. First discovered in 2016, it quickly and efficiently hijacked smart home devices (and sometimes not only them) with weak Telnet passwords.

This botnet was developed by students who for some reason got angry at their own university and wanted to organize DDoS attacks on it. But they missed something, and now this is the largest IoT botnet, if you take into account all its clones.

The botnet grew slowly at first, but after several attacks, it was noticed and the hunt for its creators began. They didn't come up with anything smarter than just publishing the source code. Like, we don't have to be the authors: it could have been anyone, the source code is open. This feint with their ears did not help them, and the authors were found. Unfortunately, it was already too late: other groups received a powerful and dangerous tool for free. The number of botnets based on Mirai (and sometimes complete clones of it) has exceeded one hundred and continues to grow.

In September 2016, after Brian Krebs published an article about DDoS botnet vendors, Krebs himself was the victim of an unusually strong DDoS attack, which peaked at 665 GB/s. This attack in general became one of the most powerful among the known ones. The hoster did not tolerate this anymore, and the site temporarily went down until a new hoster was found.

A month later, a powerful attack was launched against DynDNS. It was held in two waves of about an hour and a half each. Despite the rapid response and measures taken to repel the attack, it still affected users. The consequences were visible until the evening of the same day. It is noteworthy that not one server was attacked, but many around the world. The engineers clearly did not expect such a feed and could not react normally. As a result, at least Twitter, GitHub, SoundCloud, Spotify and Heroku were affected.

Ironically, DNS queries were used to attack the DNS provider. Traffic exceeded normal by almost two orders of magnitude, and this is not counting the fact that system administrators urgently introduced filtering. At that time, DNS amplification was already described, but it was not taken seriously. The attack on Dyn corrected the situation, so there are not so many servers vulnerable to this technique anymore.

According to the investigation, only about 100 thousand excessively "smart" devices participated in the attack. Nevertheless, the attack was impressive in its scale.

Inside Mirai is a small and clean codebase, which, however, was not very technologically advanced. Only 31 login and password pairs were used for distribution, but even this was enough to capture more than half a million devices.

Conclusion
Powerful botnets come and go: as soon as cybersecurity researchers and law enforcement agencies close one network (and sometimes its owners), the next one appears on the horizon, often even more threatening. For ordinary mortals, the moral here is very simple: put strong passwords on all your devices and update the firmware, and then your computer, router and too smart refrigerator will not start working for a criminal gang.
 
New member
Joined
Oct 14, 2023
Messages
6
A botnet is a network of zombified computers. Roughly speaking, this is a virus that subjugates your computer to itself, and you will hardly notice. This is one of the most dangerous cyber threats to date.
Why one of the most dangerous? Because the botnet is simply bursting with capabilities.

I will divide them into several categories:

1. Loader. Allows you to download anything from the Internet to your computer. Update the virus itself, install another, install some program, whatever.

2. Spam. Have you ever received an email saying that an inheritance from abroad has fallen to you?)) So, most likely this letter was sent through a botnet. About 80% of all spam worldwide is sent in this way, which is billions of emails.

3. DDoS. DDoS is a nasty thing that attacks other computers or servers by sending an insane number of requests, which in the end either takes the computer or server down completely or slows it down badly. One of the successful and well-known attacks is considered to be an attack on Microsoft servers. A Trojan virus called "MSBlast!" simply began hammering the address microsoft.com with requests from all infected computers, because of which the site did not work for quite a long time. I think you yourself understand that Microsoft's site is not an easy one to take down, let alone small sites) A botnet is fatal for them.

4. Keylogger. With the help of a virus, a hacker can capture and save all the characters entered on the keyboard. Logins and passwords, personal correspondence, payment data ... Any of this can end up in the wrong hands.

5. VNC. Remote access to PC. That is, the botnet owner can use your computer in the same way as you. Often used for mining cryptocurrencies. One of the most popular types of botnet use, as everyone wants a lot of bitcoins)

6. Proxy. They use your IP address as a proxy server. You understand, very few people bother with anonymity unless they are up to dark deeds) And then try to prove it wasn't you, because your IP address will be in the logs of Comrade Major.

How to understand that your computer is infected?
1. Unknown files / folders in system folders
2. The computer spontaneously reboots and / or turns off
3. Unknown processes in the task manager
4. Unknown programs are registered in the PC startup

There are a lot of items, friends.

What to do if already infected?
Check your computer for viruses and delete those found, clean the registry. If it does not help, you will have to reinstall the system and format all disks.

How to protect your computer from such a threat?
Just the standard recommendations, since a botnet is the same kind of virus) Do not open suspicious links, do not download incomprehensible files, periodically check your computer with an antivirus program.