They’re big, they’re bad and sometimes downright scary. You’re probably familiar with the powerful and sometimes strange behavior of the infamous botnet. They’re becoming stronger and more sophisticated, a trend that has security researchers worried.
This month, it was reported that many high-profile botmasters are abandoning DDoS attacks in favor of cryptojacking. In this cyber-attack, botnet operators still hijack vulnerable IoT devices. However, rather than flood a network with junk traffic, the botnet uses device processing power to mine cryptocurrencies. The goal: steal resources of device owners under cover of normal network operations. In successful cryptojacking exploits, network operators don’t know what’s happening.
Two related botnets with very different behaviors show how stealthy botnet-directed cyber-attacks can be.
Easy as ADB
How do you spell trouble? When you’re talking about Android device security, it’s ADB—Android Debug Bridge.
All Android devices support this standard feature, and on most of them ADB is disabled. The problem is the devices that ship with it enabled: in that default configuration, the ADB interface often has no password, and when the port is reachable from the internet it offers malicious attackers easy, permanent entry.
This vulnerability is part of a more significant problem. Manufacturers often build weaknesses into Android-based products without meaning to, and the source is the open-source code itself. That code is the foundation on which customized products, and happy customers, are built. But the same openness also makes it easy for cyber crooks to find ways into a wide range of products.
Trinity: Mining cryptocurrency under deep cover
In July 2018, security researchers noticed network behavior that was later attributed to the Trinity botnet. Trinity infects Android devices through ADB. The goal: to mine the Monero cryptocurrency.
Apart from code that makes Trinity very hard to find and to track, the botnet seemed unremarkable. Infection occurred through an exposed ADB port, TCP 5555. If the port is open, a Trinity bot downloads malware and establishes a channel to the botmaster’s command and control server. No surprises there.
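Defenders can look for exactly this sequence, an unexpected connection to the ADB port followed by the device reaching out to download and call home, in their own flow or firewall logs. The script below is an added example written for this article; it is not code from the original text or from any of the research it cites. It flags TCP 5555 connections from any source other than an assumed provisioning allowlist, distinguishes an internet-facing source (the port is exposed) from an unexpected internal one (the way these botnets spread from device to device), and then watches the touched device for outbound connections to external hosts within an assumed ten-minute window. The internal address ranges, the allowlist, the window and the flow records are all constructed for the example.

```python
"""Spot exposed ADB (TCP 5555) and the follow-on download/C2 step in flow logs.

Added example for this article; the log format, address ranges, allowlist and
time window are all assumptions made here, not values from the original text.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

ADB_PORT = 5555
# How long after an unexpected ADB connection we treat new outbound
# connections from the device as suspicious (assumed value).
FOLLOW_ON_WINDOW = timedelta(minutes=10)
# Address ranges this site considers internal (assumption for the example).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# The only hosts that should ever talk to ADB on devices, e.g. a provisioning
# workstation (constructed value).
ADB_ALLOWLIST = {"192.168.1.10"}

# Constructed flow records: time src_ip src_port dst_ip dst_port proto
SAMPLE_FLOWS = """\
2018-07-12T10:00:01 192.168.1.10 41000 192.168.1.20 5555 tcp
2018-07-12T10:00:30 203.0.113.5 40112 192.168.1.21 5555 tcp
2018-07-12T10:00:39 192.168.1.21 50233 198.51.100.7 80 tcp
2018-07-12T10:01:02 192.168.1.21 50234 198.51.100.9 8443 tcp
2018-07-12T10:02:00 192.168.1.21 50240 192.168.1.22 5555 tcp
2018-07-12T10:03:00 192.168.1.30 52000 198.51.100.44 443 tcp
2018-07-12T10:20:00 192.168.1.21 50300 198.51.100.44 443 tcp
"""


def parse_flows(text):
    """Parse the constructed flow format; returns records sorted by time."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, proto = line.split()
        flows.append({"time": datetime.fromisoformat(ts), "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport), "proto": proto})
    return sorted(flows, key=lambda f: f["time"])


def is_internal(addr):
    """True if addr falls in one of the site's internal ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def detect(flows):
    """Return (kind, device, detail) alerts.

    Rule A: any TCP connection to ADB_PORT whose source is not on the allowlist.
            A public source means the port is reachable from the internet; an
            internal one is how an infected device spreads to its neighbours.
    Rule B: a device that took such a connection then opens connections to
            external hosts within FOLLOW_ON_WINDOW (payload download / C2).
    """
    alerts = []
    adb_hit = {}  # device -> time of its most recent unexpected ADB connection
    for f in flows:
        if f["proto"] == "tcp" and f["dport"] == ADB_PORT and f["src"] not in ADB_ALLOWLIST:
            kind = ("adb_unexpected_internal_source" if is_internal(f["src"])
                    else "adb_exposed_to_internet")
            alerts.append((kind, f["dst"], f"from {f['src']} at {f['time'].isoformat()}"))
            adb_hit[f["dst"]] = f["time"]
        hit = adb_hit.get(f["src"])
        if hit is not None and not is_internal(f["dst"]):
            delay = f["time"] - hit
            if delay <= FOLLOW_ON_WINDOW:
                alerts.append(("post_adb_external_connection", f["src"],
                               f"to {f['dst']}:{f['dport']} "
                               f"{int(delay.total_seconds())}s after ADB access"))
    return alerts


if __name__ == "__main__":
    for kind, device, detail in detect(parse_flows(SAMPLE_FLOWS)):
        print(f"{kind:32} {device:15} {detail}")
```

Run on the constructed flows, the script raises four alerts: the internet-facing ADB connection to 192.168.1.21, that device's two outbound connections in the following minute, and the later connection from 192.168.1.21 to a neighbour's port 5555. The allowlisted provisioning host, the unrelated device, and the connection nineteen minutes after the ADB access produce nothing.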
What made Trinity most unusual was its similarity with a botnet that showed very different behavior.
Fbot: Do-gooder software or preparation for war?
In September 2018, a NetLab360 research bulletin reported an unusual botnet, which they named Fbot. It didn’t take long to see similarities to Trinity. Both botnets shared an “ancestor,” the notorious Satori malware. Both botnets also spread in the same way, through an open 5555 port.
However, resemblances stopped there. The biggest surprise was Fbot’s function. The botnet didn’t lay waste to networks or the internet. Instead, Fbot code found Trinity-infected bots, killed their malware, and cleaned away all traces of the Trinity infection. Then, the Fbot code deleted itself.
No one knows why the Fbot botnet behaves in this way. Some analysts suggest that Fbot is vigilante code. Given the hyper-competitive cyber-attack environment, however, another reason is more likely.
The Trinity and Fbot botnets are in direct competition for control of millions of unsecured Android devices. Fbot cleanups wipe away Trinity’s malware and leave devices infected with alternative crypto-mining capabilities that might be used in the future.
Hardening network resources against botnet evolution
Botnet capabilities continue to increase in size and sophistication. That means mitigation services must match or exceed attackers’ technology and inventiveness. When you look for a mitigation service provider, be sure to check for these capabilities:
- Scalable network protection. Current trends indicate fewer but stronger DDoS attacks. Botnets throw more and more junk traffic at network resources and capture more crypto mining capabilities. So defenses must scale up, too.
In the event of a network layer attack (a standard DDoS exploit), there’s no telling how much protection you’ll need. It pays to have nearly limitless, on-call defense capability. A reverse proxy is the first line of defense: it keeps the protected servers’ real IP addresses hidden from attackers.
If more firepower is needed to protect network resources, traffic routing policies ensure that all incoming traffic travels through scrubbing centers first. There the traffic undergoes deep packet inspection, and only the scrubbed data reaches its destination.
- Rapid-response data collection and analysis. Effective mitigation services continually document attack sources and assault patterns. The mitigation service transmits data to a threat database that contains an archive of known threats, their origins, and specific network behavior (signatures).
Advanced threat mitigation services use machine learning and predictive analytics to identify the threat, choose the best mitigation method, and minimize any damage posed by attacking bots. Standard mitigation times are fast—10 seconds or less. The best services add a 10-seconds-or-less guarantee to every SLA.
- Thwarting low-and-slow attacks. Cybercrooks have more than brute-force volumetric DDoS methods up their sleeves. Application-layer attacks take a stealthier approach. The key to stopping them is sorting DDoS bots from human visitors at high speed and high volume. Security algorithms detect these attacks as soon as they begin, identifying bots by a combination of signatures and patterns of network behavior.
Ideally, standard mitigation methods would also include archiving attack information in a DDoS threat database. This approach ensures that knowledge and experience of each mitigated attack will improve future services.
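The "signatures plus behavior" sorting described under thwarting low-and-slow attacks can be illustrated on a web server's access log. The following is an added example written for this article, not code from the original text or from any mitigation vendor. It classifies each client by three rules: a signature rule on the user-agent string (the patterns are constructed placeholders), a request-flood rule that counts hits inside a sliding ten-second window, and a low-and-slow rule that counts requests held open for twenty seconds or more inside a sixty-second window, which catches a client whose request rate looks harmless but whose connections are tying up the server. The thresholds, the tab-separated log format and the log itself are assumptions constructed for the example.

```python
"""Tell application-layer DDoS bots from human visitors with signatures plus behavior.

Added example for this article. Thresholds, user-agent patterns and the log
format are assumptions made here; the access log is constructed, not real.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Behavioral thresholds (assumed values; tune to the site's normal traffic).
FLOOD_WINDOW, FLOOD_REQUESTS = timedelta(seconds=10), 20  # volumetric request flood
SLOW_SECONDS = 20.0                                       # a request held this long is "slow"
SLOW_WINDOW, SLOW_REQUESTS = timedelta(seconds=60), 5     # this many slow requests = low-and-slow
# Signature rule: user-agent strings of known attack tools (constructed placeholders).
BAD_UA_PATTERNS = [re.compile(p) for p in (r"^ExampleScanner/", r"^ExampleFloodTool/")]

BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0"


def row(t, ip, dur, status, ua):
    """One constructed log line: iso_time, client_ip, request_time_s, status, user_agent."""
    return f"{t.isoformat()}\t{ip}\t{dur}\t{status}\t{ua}"


def build_sample_log():
    """Constructed access log with one human and three kinds of bot."""
    t0 = datetime(2018, 9, 12, 10, 0, 0)
    lines = []
    # A human reading a few pages over a minute.
    for i in range(4):
        lines.append(row(t0 + timedelta(seconds=15 * i), "10.0.0.5", f"0.{12 + i}", 200, BROWSER_UA))
    # Request flood: 30 hits in under five seconds behind a browser-like UA.
    for i in range(30):
        lines.append(row(t0 + timedelta(milliseconds=150 * i), "198.51.100.20", "0.05", 200, BROWSER_UA))
    # Low-and-slow: few requests, each held open for 45 s, so the rate alone looks harmless.
    for i in range(8):
        lines.append(row(t0 + timedelta(seconds=8 * i), "198.51.100.21", "45.0", 408, BROWSER_UA))
    # A known tool announcing itself, at low volume.
    lines.append(row(t0, "198.51.100.22", "0.10", 200, "ExampleScanner/0.1"))
    return "\n".join(lines)


def parse_log(text):
    """Parse the tab-separated constructed format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, dur, status, ua = line.split("\t", 4)
        events.append({"time": datetime.fromisoformat(ts), "ip": ip,
                       "duration": float(dur), "status": int(status), "ua": ua})
    return events


def max_in_window(times, window):
    """Largest number of events inside any interval of length `window` (two pointers)."""
    times = sorted(times)
    best = j = 0
    for i in range(len(times)):
        while j < len(times) and times[j] - times[i] <= window:
            j += 1
        best = max(best, j - i)
    return best


def classify_clients(events):
    """Return {client_ip: sorted reasons}; an empty list means the client looks human."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    verdicts = {}
    for ip, evs in by_ip.items():
        reasons = set()
        if any(p.search(e["ua"]) for e in evs for p in BAD_UA_PATTERNS):
            reasons.add("signature:user-agent")
        if max_in_window([e["time"] for e in evs], FLOOD_WINDOW) >= FLOOD_REQUESTS:
            reasons.add("behavior:request-flood")
        slow = [e["time"] for e in evs if e["duration"] >= SLOW_SECONDS]
        if max_in_window(slow, SLOW_WINDOW) >= SLOW_REQUESTS:
            reasons.add("behavior:low-and-slow")
        verdicts[ip] = sorted(reasons)
    return verdicts


if __name__ == "__main__":
    for ip, reasons in classify_clients(parse_log(build_sample_log())).items():
        print(f"{ip:15} {'human' if not reasons else ', '.join(reasons)}")
```

The low-and-slow client is the instructive case: eight requests in a minute would never trip a rate limit, and its user agent is a normal browser string, so only the behavioral rule on held-open request time separates it from the human visitor. In production the same per-client verdicts would feed the archive of attack information the article recommends, so that a client flagged once is recognized faster the next time.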
Botnet attacks are continually evolving. The threat that they pose today will be more formidable in the future. It pays to engage DDoS mitigation services that are powerful, advanced, and versatile.