2024/10/18 10:37:57

Botnet

A botnet is a computer network made up of hosts running autonomous software. A bot in such a network is a computer infected with malware that lets an attacker use the resources of the infected PC to carry out actions. Botnets are used to attack servers, guess passwords on remote machines, or send spam.

Main article: Malware (malware)

Notorious botnets

Yandex revealed the details of the "largest ever" DDoS attack Mēris

On September 9, 2021, Yandex revealed details of a DDoS attack, which the company called "the largest in history." It is reported that the cyber attack was carried out using the new botnet Mēris ("plague" in Latvian).

Microsoft: We neutralized the largest hacker network from Russia

In March 2020, Microsoft announced that the company, together with 35 partners in different countries, had neutralized the Necurs botnet, covering about 9 million computers. According to the company, the hacker network is based in Russia, and it is the largest of its kind.

Botnet of 5 million Android devices

Chinese cybercriminals use RottenSys malware to create a botnet that already has about 5 million Android devices. In its current form, the malware is used to display intrusive ads on the screen of infected devices. However, in the spring of 2018 researchers from Check Point discovered[1] evidence of attackers using a new Lua module to combine infected gadgets into one giant botnet[2].

The botnet will provide cybercriminals with far more options than simply displaying ads, the researchers said. "This botnet will have advanced capabilities, including discreet installation of additional applications and automation of the user interface," the researchers wrote.

RottenSys hasn't always been so dangerous, experts said. The malware appeared in September 2016, and most of the time cybercriminals were distributing it in order to display ads. Over time, the number of infected devices has slowly but surely grown and has so far reached about 4,964,460.

A Lua component that allows botnet operators to gain control of infected devices was added to RottenSys just last month. So far, the malware is active only in the Chinese market and spreads through infected Chinese applications. Most of the botnet is made up of devices from Huawei (over 1 million), Xiaomi (almost 0.5 million), OPPO, vivo, LeEco, Coolpad and GIONEE.

RottenSys outperforms most Android malware in terms of infection speed. The malware owes this to two open source projects published on GitHub. The first project, Small, is an application virtualization framework, and the second, MarsDaemon, makes applications "immortal."

First, using Small, the malware creates virtual containers for its internal components, allowing them to run in parallel. As a rule, Android OS does not support such functionality. Then, using MarsDaemon, the malware keeps its processes alive. Even when the user terminates them, the ad-injection mechanism keeps running.

Arrest of Kelihos botnet founder

In April 2017, the US Department of Justice announced the detention of Russian programmer Pyotr Levashov, who is called the "king of spam" for creating the large Kelihos botnet. Levashov was arrested in Barcelona.

Georgian botnet Win32/Georbot

In 2012, the company ESET announced the discovery of a network of infected computers (botnet) that is managed through an official website of the government of Georgia.

In early 2012, ESET specialists identified a botnet called Win32/Georbot. According to ESET, the control commands come from the official website of the Georgian government. The purpose of this botnet is to steal documents and digital certificates from infected computers. Another feature of this malware is that it searches an infected PC for RDP (Remote Desktop Connection) configuration files in order to steal them and then gain unauthorized access with them. In addition, the bot is capable of creating audio and video recordings and collecting information about the local network.

To date, the Georbot botnet is still active; its latest updates were recorded on March 20 of this year. ESET analysts note that Georbot has an update mechanism that allows it to remain undetected by antivirus programs. The botnet also has a backup mechanism for receiving commands in case the main command center is unavailable: a connection to a special web page hosted on the same server as the official website of the Georgian government.

According to ESET, the Win32/Georbot is focused primarily on Georgia's computer users. Of all the infected computers that specialists managed to detect, 70% were in Georgia, followed by the United States with a significantly lower rate (5.07%), followed by Germany (3.88%) and Russia (3.58%).

According to Pierre-Marc Bureau, manager of global monitoring of ESET malicious activity, "this fact does not mean at all that the Georgian government is managing this malicious program." Quite often, organizations are unaware that their servers have been compromised, he said. "However, it is worth noting that the Georgian Ministry of Justice and CERT (Computer Incident Rapid Response Team) were fully aware of the situation. The investigation of this incident is still ongoing, and on our part we do not stop monitoring," he said.

ESET analysts also managed to gain access to the botnet control center, which contains information about the number of infected PCs, their location and the commands transmitted. Of particular interest in the information obtained are the keywords used to search for documents that interest the cybercriminals. The keyword list includes ministry, service, secret, says, agent, USA, Russia, FBI, CIA, weapons, FSB, KGB, phone, number and others.

Experts have found that botnet features such as recording video using a webcam, taking desktop screenshots and conducting DDoS attacks have been used more than once. The fact that the botnet used the Georgian website to receive commands and updates, and possibly to distribute malware, suggests that the main target of the attackers is Georgian citizens.

However, the level of technological implementation of this threat is quite low. ESET virus experts believe that if this attack were sponsored by the state, it would be more technically advanced and hidden. According to experts, the Win32/Georbot was developed by a cyber-criminal group, the purpose of which is to extract classified information with subsequent resale.

Origin of most botnets - USA

On June 23, 2015, it became known that Level 3 Communications had issued a report for the 1st quarter of 2015, from which it follows that the activity of most botnets traces back to the USA[3].

The report focuses on botnets: infected computers joined into a network and operating without their owners' knowledge to carry out illegal activity. According to the document, traces of most botnets lead to the United States. Level 3 Communications found about 20% of all control servers, from which the identified botnets are managed, in the North American address space. This figure is close to the combined share of Ukraine and Russia, which occupy second and third places respectively in the Level 3 Communications rating.

Botnet Interaction, 2013

According to the company's specialists, there are two reasons for what is happening:

  • stability and reliability of US Internet infrastructure
  • traffic from the United States is not suspicious.

A computer in the UK or France, for example, contacting a server in the United States raises much less suspicion than one contacting servers in Romania or Ukraine.

Level 3 Communications experts estimate that cyber criminals control a command server for 30 days on average before their activity is suppressed by local telecom operators or law enforcement officers.

Consequences of infection for the company

Seven problems a company faces when its computers become part of a botnet[4].

1. Sending e-mail spam from company IP addresses

One of the popular uses of botnets is spam. If computers remain in a botnet engaged in such activity for a long time, the IP addresses from which the emails are sent will be entered into special databases used to filter spam. This will greatly complicate interaction with business contacts, since all of the company's emails will land in the spam folder.

2. DoS and DDoS attacks from company IP addresses

Other common uses for botnets are DoS and DDoS attacks. A DoS (Denial of Service) attack targets a computer system in order to bring it to a "failure" state, in which access to certain network resources is impossible or very difficult. A DDoS (Distributed DoS) attack is a DoS attack carried out not from one computer but simultaneously from a large number of systems.

Accordingly, if a DDoS attack is carried out from your company's computers, the company's IP addresses can be blocked by various providers. In this case, users will lose access to certain resources.

In addition, if your provider receives a large number of complaints that DDoS traffic is coming from your IP addresses, Internet access may be blocked completely until the circumstances are clarified, leaving the company idle for an indefinite amount of time.

3. Wasted computing resources

During attacks, computer resources are consumed. Where the company is engaged in resource-intensive tasks (IT, video production, design, etc.), this can severely affect the production time of the final product, which leads to a loss of profit.

4. Reputational risks

Attacks on company computers can cause significant damage to reputation, since the IP addresses from which malicious traffic originates are known as addresses belonging to a particular business and are associated with it.

5. Proxy server for intruders

Attackers can access servers on the Internet using "zombies" and commit various cybercrimes on behalf of infected machines (for example, trying to hack websites). That is, in this case, the user's computer is a kind of proxy server between the attacker and the target of the attack, hiding the address of the real attacker.

6. Load balancer for intruders' websites

The addresses of phishing pages on the Internet quickly get blacklisted. The botnet makes it possible to very quickly change the address of a phishing page using infected computers as proxy servers between the target of the attack and the web server on which the phishing website is deployed, which again masks the real address of the phishing web server.

7. Theft of confidential information

Another key danger for the company is the theft of sensitive data. Violating privacy and obtaining classified information is one of the main fields of activity of attackers. With botnets, the amount of information obtained in the form of various passwords (for mailboxes, social networks, company servers, web services and other resources) and other user data increases many times over. Infected computers in a botnet can be given a command to download malware, for example a "worm" carrying a password-stealing "Trojan horse." In this case, all computers on the company's local network will be infected with the Trojan, and attackers will be able to get passwords from all infected computer systems. Stolen passwords can be resold, used to fill password dictionaries, or used to infect web pages en masse (for example, if the password to a site's control panel was obtained) in order to distribute the bot program further and widen the botnet's coverage.

For the company, this is fraught with the loss of classified, sensitive data, which can lead to a significant loss of profit or compromise of the company.

Prosecution of botnet organizers

Criminal prosecution of botnet owners is still an extremely rare event, and the number of such cases over the past few years can be counted on the fingers of one hand. The most sensational case remains that of Jeanson James Ancheta, who used a network of zombified computers to distribute and install adware, that is, free software that users pay for by viewing ads. Moreover, these were products of a relatively "civilized" company, 180solutions, whose contracts with agents strictly restrict the methods of distributing its programs, so as not to cause trouble or discontent among users. Or so the firm's representatives argued.

However, twenty-year-old Ancheta turned out to be an extremely diligent partner and used a botnet he had created, numbering about 400 thousand computers, to install the adware. Then FBI agents came to 180solutions and easily convinced the company to cooperate in catching Ancheta and collecting evidence of his crimes. However, his interests ranged much wider than installing adware: the hacker willingly rented the botnet out to spammers. Among the infected machines were computers at the US Navy air base at China Lake, which attracted the attention of the special services and prompted previously unprecedented zeal in capturing a cybercriminal. After the arrest and the shutdown of the botnet, the level of spam in overall mail traffic dropped sharply.

According to the verdict passed in May last year, Ancheta was sentenced to 57 months in prison, returned $60,000 in illegal profits and was fined $15,000 for breaking into computers of a military facility.

Another verdict in the botnet case was passed this year, this time in the Netherlands. The local court sentenced two hackers who organized a botnet of several million computers to imprisonment and fines in the amount of 4 thousand and 9 thousand euros. However, immediately after the announcement of the verdict, the defendants were released, since they had already served their sentences during pre-trial detention.

The case again featured 180solutions. A couple of years ago, employees of the company noticed an unusually high volume of adware installations from one of their Dutch agents, suspected him of violating the terms of the partnership agreement and tried to get in touch, but to no avail. The cooperation was then ended on the initiative of 180solutions. Having stopped receiving money, the ex-agent reacted immediately, but instead of repenting he began to extort from the company the amount he believed was due to him, threatening otherwise to stage a DDoS attack. When the hacker was refused and acted on the threat, 180solutions itself turned to the FBI. The company "agreed" to the racketeer's demands and transferred the requested money to the specified bank account, not forgetting to pass the details to law enforcement agencies. After that, the FBI turned to its legal representative office in the Netherlands, through which the Dutch authorities were informed about the crime. During the investigation, the police managed to identify the authors of the Trojan W32.Toxbot, which "weaves" botnets out of computers.

In September 2010, it was reported that the German Ministry of the Interior allocated 2 million euros to implement a state program to identify infected computers and help their owners in the fight against viruses. The technical side of the program will be dealt with by the Federal Information Security Agency and the German Internet Industry Association.

In accordance with the program, which has already been announced by five German providers, customers will be notified of a detected infection by phone or by mail (e-mail or regular post). They will be offered instructions on how to remove viruses from the computer themselves, or free help by phone. The program is designed for a year, and during this time the organizers hope to remove Germany from the dozens of countries in the world with the most active botnets.

Threat Reports

2024

A dangerous botnet has been detected that launches powerful DDoS attacks

In October 2024, StormWall experts recorded DDoS attacks on Russian hosting providers that were organized using a botnet. StormWall announced this on October 17, 2024. The peak attack power reached 1.5 Tbit/s, which is a record figure for Russia in 2024. According to the company's specialists, the botnet consisted of various hacked devices, and their number exceeded 100 thousand. The botnet consisted mainly of ASUS routers.

According to the company's specialists, the DDoS attacks on hosting providers were combined. For the most part, the attacks were carried out over TCP with a full connection setup and were directed at open ports of various services. This type of attack cannot be fully blocked on network equipment, since each connection has to be checked and tracked for legitimacy. In addition to the TCP attacks, the attackers combined them with DNS and UDP floods.

Experts found that the attacks mainly came from the IP addresses of countries such as the United States, China, Hong Kong, Singapore, Romania and Ukraine. It should be noted that most of the attacks (62%) came from IP addresses from the United States. Attacks from Russian IP addresses accounted for 9% of the total number of attacks. In total, more than 100 thousand unique IP addresses of the botnet were identified.

Hosting providers with already connected DDoS protection, which received the most powerful DDoS attacks using this botnet, did not experience the complete unavailability of their client services. However, not all means of protection coped equally well with this task.

"Recently, hackers have been constantly using botnets to launch DDoS attacks on Russian companies, but this botnet allows you to organize incredibly powerful attacks. This is a serious threat to any organization. It is almost impossible to defend against such attacks on your own. You can only cope with such attacks using cloud services that have sufficient filtering network capacity. We recommend that all Russian companies connect such cloud services in order to ensure reliable protection of such resources from all modern botnets," said Ramil Khantimirov, CEO and co-founder of StormWall.

From $99 for a cyber attack: how the botnet market works

The cost of using ready-made botnets for automated mass attacks, including DDoS attacks, starts at $99. This is stated in a study by Kaspersky Lab, the results of which were published on August 9, 2024.

It is noted that vulnerable consumer and corporate devices, for example those with weak passwords, can be used to create botnets, from smart cameras to industrial equipment. In the first half of 2024, the number of infected IoT devices in Russia more than doubled compared to the same period in 2023. Experts highlight several options for commercial use of botnets: sale and lease, custom development, and the purchase of low-cost networks with leaked source code.

In the case of sales, botnets have individual settings and differ in methods of infection, type of malware used, infrastructure and methods of bypassing detection. As of 2024, the cost of such networks varies from $99 to $10 thousand, depending on the quality. In the case of rent, the price is in the range of $30 to $4,800 per month.

Attackers also offer to create a botnet to order from scratch: the cost of such services starts at $3 thousand. Most such deals are made privately - through private messages, while performers are usually chosen based on their reputation, which is reflected in the user's rating on shadow forums.

In turn, botnets, the source code of which became known as a result of the leak, are more accessible. However, the probability of achieving the desired result is lower compared to other models. In addition, such botnets are effectively blocked by security solutions. These networks can be accessed for free or for a small fee - from $10 to $50.[5]

One of the largest cyber attacks on the United States was recorded: Hackers remotely flashed and took control of 600 thousand routers

At the end of May 2024, data was published on one of the largest cyber attacks in the United States. Between October 25 and October 27, 2023, hackers using a malicious botnet called Pumpkin Eclipse remotely flashed and took control of 600,000 Internet routers in offices and homes.

Europol has carried out the largest ever operation against botnets. 2 thousand domains closed, three Ukrainians arrested

At the end of May 2024, Europol conducted the largest ever operation against botnets, including the IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and Trickbot systems. During the special operation "Final," coordinated from Europol headquarters, especially important figures were arrested, criminal infrastructure was destroyed and the syndicates' illegal income was frozen.

Europol calls this action the largest ever operation against botnets, which play an important role in the distribution of ransomware. The operation was led by specialists from France, Germany and the Netherlands, supported by Eurojust. In addition, Denmark, Great Britain and the USA took part in the action, and Armenia, Bulgaria, Lithuania, Portugal, Romania, Switzerland and Ukraine supported the operation with various measures, including arrests, interrogations of suspects, searches, and the seizure of servers and domains. The operation was also supported by a number of private partners nationally and internationally, including Bitdefender, Cryptolaemus, Sekoia, Shadowserver, Team Cymru, Prodaft, Proofpoint, NFIR, Computest, Northwave, Fox-IT, HaveIBeenPwned, Spamhaus, DIVD, Abuse.ch and Zscaler.

As a result of the coordinated operation, more than 2 thousand domains came under the control of law enforcement agencies, more than 100 servers were taken down or disrupted, and four arrests were carried out (one in Armenia and three in Ukraine). In addition, eight fugitives suspected of involvement in serious cybercriminal activities will be added to Europol's European list of wanted persons.

During the investigation, it also turned out that one of the main suspects earned at least 69 million euros in cryptocurrency by leasing criminal infrastructure for installing ransomware. The suspect's operations are now under monitoring and Europol has been granted legal permission to seize those assets.[6]

One of the world's largest botnets has been destroyed. It had 19 million IP addresses

In a coordinated international law enforcement operation, the 911 S5 botnet, considered one of the largest in the world, was neutralized. This was announced by the US Department of Justice at the end of May 2024.

Hackers installed malware on routers around the world and created a global cyber espionage platform

On February 15, 2024, it became known that German law enforcement agencies, together with American special services, liquidated a cyber espionage network operating on a global scale. The botnet combined private and corporate routers around the world.

2023

The number of devices in botnets has grown 4 times over the year

At the beginning of 2024, StormWall experts noticed a trend of rapid growth of botnets around the world, as well as in Russia. According to the company's analysts, in 2023 the average number of devices in botnets increased 4 times compared to 2022, from 4 thousand to 16 thousand devices. Botnet attacks threaten Internet security globally. StormWall announced this on March 12, 2024.

There are more than 50 billion IoT devices in the world, and almost all devices have security problems. Often there are no mechanisms for timely elimination of vulnerabilities due to the impossibility of updating software, and the security of such devices is often not a priority of manufacturers, especially in the budget segment. This makes most IoT devices potentially vulnerable to re-emerging threats. Hackers can easily access such devices and use them as part of botnets.

Botnets include not only IoT devices, but also infected PCs and VPS servers. The number of active devices is counted by the IP addresses from which the attack is carried out. Site protection solutions are usually based on the number of requests that bots generate. If a botnet consists of a large number of bots, attackers can generate as many requests from each bot as an ordinary user does, or even fewer, and in this situation completely different methods of protection are needed. Often a small number of IP addresses (several tens of thousands) is enough to create serious problems for companies that lack professional DDoS protection up to the application level.

Using botnets, attackers carry out carpet bombing of companies: DDoS attacks aimed at once at a large range of addresses or subnets that can contain hundreds or even thousands of destination IP addresses.

In Russia, over the past 2-3 weeks, several major botnet-driven DDoS attacks on cloud and Internet providers have been organized. During the attacks, the attackers scanned the providers' IP addresses, found open ports and sent legitimate requests there using bots. The only way to filter such attacks at levels L3-L4 of the OSI model (network and transport) is to block them by the number of requests, but when there are many requests, this method will not help. Solutions for repelling DDoS attacks at the L3-L4 level are not able to filter such attacks and can only count the number of requests. Cloud providers and ISPs often do not have the ability to check traffic at the application level (L7) because they do not have sufficient knowledge of end-user applications.
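The point made above about per-IP request counting and carpet bombing can be shown with a small traffic model. This is an added example, not code from StormWall or from the original article; the thresholds, addresses and request volumes are constructed assumptions, and aggregating by destination /24 is one possible signal, not a method the article describes.

```python
# Added example; thresholds, addresses and traffic volumes are constructed assumptions.
from collections import defaultdict
from ipaddress import IPv4Address, ip_network

PER_SOURCE_LIMIT = 100   # max requests per window from one source IP (assumed)
PER_DEST_LIMIT = 500     # max requests per window to one destination IP (assumed)
BASELINE_SOURCES = 50    # usual unique sources per destination /24 (assumed)
SPIKE_FACTOR = 10        # flag a prefix above baseline * factor unique sources (assumed)


def build_sample():
    """Constructed flows for one time window: (source IP, destination IP, requests)."""
    flows = []
    # 40 ordinary users, 20 requests each, to three hosts in 203.0.113.0/24.
    for i in range(40):
        flows.append((f"192.0.2.{i + 1}", f"203.0.113.{10 + i % 3}", 20))
    # 2000 bots, 15 requests each (fewer than a user), spread over 200
    # addresses in 198.51.100.0/24: the carpet-bombing pattern.
    first_bot = IPv4Address("10.0.0.1")
    for i in range(2000):
        flows.append((str(first_bot + i), f"198.51.100.{1 + i % 200}", 15))
    return flows


def over_limit(flows, key_index, limit):
    """Addresses (sources if key_index=0, destinations if 1) above a request limit."""
    totals = defaultdict(int)
    for flow in flows:
        totals[flow[key_index]] += flow[2]
    return {addr for addr, count in totals.items() if count > limit}


def prefix_summary(flows, prefix_len=24):
    """Per destination prefix: unique sources, destinations hit, total requests."""
    acc = defaultdict(lambda: {"sources": set(), "dests": set(), "requests": 0})
    for src, dst, requests in flows:
        prefix = str(ip_network(f"{dst}/{prefix_len}", strict=False))
        acc[prefix]["sources"].add(src)
        acc[prefix]["dests"].add(dst)
        acc[prefix]["requests"] += requests
    return {
        prefix: {
            "sources": len(v["sources"]),
            "dests": len(v["dests"]),
            "requests": v["requests"],
        }
        for prefix, v in acc.items()
    }


def flag_prefixes(flows, baseline=BASELINE_SOURCES, factor=SPIKE_FACTOR):
    """Destination prefixes whose unique-source count is far above the baseline."""
    summary = prefix_summary(flows)
    return sorted(p for p, s in summary.items() if s["sources"] > baseline * factor)


if __name__ == "__main__":
    sample = build_sample()
    # Both classic counters stay silent: every bot sends less than a user,
    # and no single destination receives enough traffic to stand out.
    print("per-source offenders:", over_limit(sample, 0, PER_SOURCE_LIMIT))
    print("per-destination offenders:", over_limit(sample, 1, PER_DEST_LIMIT))
    for prefix, stats in prefix_summary(sample).items():
        print(prefix, stats)
    # Only the aggregate view exposes the attacked subnet.
    print("flagged prefixes:", flag_prefixes(sample))
```

Counting alone still cannot tell a flagged prefix's bot requests from legitimate ones, which is why the text calls for inspection up to the application level.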

"Cloud and ISPs put protection on their customers, but DDoS attacks become more frightening and have more devastating consequences. Everyone expected the Internet to become safer, but botnets are growing, attacks are becoming smarter, and as of March 2024 there is no simple and understandable way to solve this problem. We need to pay more attention to this problem and establish interaction within the industry to jointly confront such threats. In addition, it is necessary to raise customer awareness and regulate manufacturers of IoT equipment in order to minimize the risks of using devices as part of botnets," said Ramil Khantimirov, CEO and co-founder of StormWall.

Updated Prometei botnet infected more than 10 thousand systems around the world

On March 13, 2023, it became known that from November 2022 to March 2023, an updated version of the Prometei malicious botnet infected more than 10,000 systems around the world. Infections are both geographically indiscriminate and targeted, with the majority of victims recorded in Brazil, Indonesia and Turkey.

Prometei, first discovered in 2016, is a modular botnet with a large set of components and several distribution methods, including exploiting vulnerabilities in Microsoft Exchange Server. In the latest version of the malware, "Prometei V3," the authors significantly improved its stealth on the target system.

Illustration: securitylab.ru. Prometei Botnet Infection Map

The motives for the spread of the cross-platform botnet are primarily financial, since infected hosts are used to mine cryptocurrency and collect account data.

The attack sequence is as follows: after gaining a foothold on the target system, a PowerShell command is executed to download the botnet payload from a remote server. The main Prometei module is then used to obtain the actual cryptomining payload and other auxiliary components.

Some of these support modules act as spreaders designed to propagate the malware through the Remote Desktop Protocol (RDP), Secure Shell (SSH), and Samba (SMB).

Prometei v3 is also notable for using a domain generation algorithm (DGA) to build its C2 infrastructure. In addition, it contains a self-updating mechanism and an expanded set of commands for collecting sensitive data and taking over the host.

Last but not least, the malware deploys an Apache web server bundled with a PHP-based web shell that is capable of executing Base64-encoded commands and downloading files.

"This recent addition of updated features indicates that Prometei operators are constantly updating the botnet and adding features,"[7] researchers said[8].

A botnet of 55 thousand infected devices was found in Russia. DDoS attacks with a capacity of 1.4 Tbit/s are carried out through them

Experts from StormWall, a company specializing in information security technologies, found a botnet of 55 thousand infected devices that are used for powerful DDoS attacks. StormWall reported this in mid-February 2023.

2022

GoTrim botnet brute-forces passwords of WordPress site administrators

Fortinet FortiGuard Labs researchers discovered a malicious campaign in which a Golang-based botnet hacks WordPress sites in order to seize control of the target systems. This became known on December 15, 2022.

Found a version of the RapperBot botnet capable of conducting attacks on game servers

Information security specialists from Fortinet FortiGuard Labs have discovered samples of malware called RapperBot, which are used to create a botnet capable of launching DDoS attacks on game servers. This became known on November 17, 2022. It is worth noting that they were also the first to detect the malware, in August 2022. At that time it was tailored only to brute-forcing Linux SSH servers.

The updated version discovered by Fortinet specialists has many additional functions and features:

  • Telnet brute force. This capability reminded researchers of the Mirai botnet;
  • The ability to launch DoS attacks through the Generic Routing Encapsulation tunneling protocol;
  • The ability to carry out UDP attacks. Botnet operators demonstrated this function when they directed a UDP flood at GTA: San Andreas game servers.

In addition, the list of hard-coded credentials (default credentials for IoT devices) is now embedded in the binary file rather than downloaded from the C&C server, as it was before. If the attacker manages to break into a device, the credentials that worked are sent to the attacker's server, and only after that is RapperBot installed on the device.

According to representatives of Fortinet, the malware is intended only for devices that run on ARM, MIPS, PowerPC, SH4 and SPARC architectures. On chipsets from Intel, the botnet stops the self-propagation mechanism.

Moreover, the current campaign was found to share many features with other earlier hacking operations in which RapperBot was used. Based on this, the researchers concluded that RapperBot can be controlled by one group or by different hackers who have access to the source code[9].

The Russian botnet "Fronton" is capable of much more than just massive DDoS attacks

On May 24, 2022, it became known that Nisos published a study describing the inner workings of an unusual botnet.

Fronton became known in 2020, when the hacktivist group Digital Revolution hacked an FSB contractor and published technical documents demonstrating the creation of a botnet on behalf of the FSB. Until recently, it was believed that the botnet was intended for carrying out DDoS attacks. According to the analysis of additional Fronton documents, DDoS attacks are only part of the botnet's capabilities.

According to Nisos, Fronton is a "system for coordinated inauthentic behavior," and the special SANA software shows that the botnet's true goal may be the rapid and automatic spread of misinformation and propaganda.

SANA consists of many functions, including:

  • News: Tracks messages, trends and responses to them.
  • Groups: runs bots.
  • Behavior models: creates bots that impersonate social media users.
  • Response models: Responds to messages and content.
  • Dictionaries: stores phrases, words, quotes, reactions and comments for use in social networks.
  • Albums: Stores image sets for platform bot accounts.

SANA also allows the user to create social media accounts with generated email addresses and phone numbers, and distribute content online. In addition, the user can set a schedule for posts and adjust the number of likes, comments and reactions that the bot should create. The botnet operator can also specify how many "friends" the bot account should have.

"The configurator also allows the operator to specify the minimum frequency of actions and the interval between them. Apparently, a machine learning system is involved, which can be turned on or off depending on the behavior of the bot on the social network," the researchers said[10].

Mirai-based IoT botnet Enemybot gains momentum

On April 14, 2022, it became known that specialists from the information security company Fortinet discovered a botnet based on the Mirai source code, called Enemybot. The botnet is gaining momentum by infecting modems, routers and IoT devices through known vulnerabilities.


Enemybot's operator is the cybercriminal group Keksec, which specializes in cryptomining and DDoS attacks. Both activities are carried out using a botnet that infects IoT devices and uses their computing power.

Enemybot uses string obfuscation, and its C&C server is hidden behind Tor nodes, so it is very difficult to map it and disable it.

After infecting the device, Enemybot connects to the C&C server and waits for commands to execute. Most of the commands relate to DDoS attacks, but they are not limited to them.

Of particular interest are the commands targeting the game ARK: Survival Evolved and OVH servers, since they may indicate that the attackers' goal is extortion. In addition, the LDSERVER command allows the operators to add further URLs for the payload in order to solve problems with the download server. This is interesting because most Mirai-based botnets have fixed, hard-coded download URLs.

Enemybot attacks various architectures, ranging from the common x86, x64, i686, darwin, bsd, arm and arm64 to the outdated ppc, m68k and spc.

As for the vulnerabilities exploited by the botnet, they differ depending on the malware variant, but three of them are used by all variants:

CVE-2020-17456 - remote code execution on Seowon Intech SLC-130 and SLR-120S routers;

CVE-2018-10823 - remote code execution in D-Link DWR routers;

CVE-2022-27226 - cronjob injection in iRZ mobile routers.[11]

Muhstik botnet attacked Redis servers

The Muhstik botnet attacks Redis servers (Redis is short for Remote Dictionary Server, a fast open source in-memory key-value data store). This became known on March 29, 2022. The malware exploits a sandbox escape vulnerability in Lua scripting (CVE-2022-0543). Read more here.

2021

The largest botnet in the history of the Internet has been discovered

In December 2021, the largest botnet in the history of the Internet was discovered. With its help, hackers carry out DDoS attacks with a capacity of more than 1 TB/s and a duration of several days. This was reported by StormWall, which specializes in protecting businesses from cyber threats.

In total, in December 2021, about 230 attacks were recorded through this botnet, of which:

  • 72 (32%) fell on the entertainment sphere;
  • 55 (24%) - for retail;
  • 28 (12%) - for the financial sector;
  • 23 (10%) - for Internet providers and hosting;
  • 16 (7%) - for banks;
  • 9 (4%) - for education;
  • 8 (3.5%) - for insurance;
  • 7 (2%) - for medicine;
  • 6 (2.5%) - in the media.

The attacks were carried out using a new botnet consisting of several tens of thousands of servers with different operating systems. They also used webcams, routers, smart TVs. Since the botnet includes different devices with different operating systems, experts conclude that they are infected in different ways.

The largest botnet in the history of the Internet has been discovered. Attack power exceeds 1 Tbit/s

According to experts, hackers combine botnets in order to get the maximum attack power, enough to break through even DDoS protection. Whereas earlier an entire botnet could be needed for a single attack, now only part of it is enough to disable the target. For this reason, attackers can sell the same botnet to several people at the same time and make more money.

StormWall says that it is possible to repel such attacks by using a geodistributed defense network and filtering them closer to the regions from which they were launched. However, in order to create an effective defense system against such attacks, it is necessary to have huge channel capacities, as well as large capacities in terms of network and computing equipment. Experts recommend protecting against DDoS attacks using specialized solutions.[12]

Botnet found with power of attack up to 2 Tbit/sec

StormWall on August 4, 2021 announced the discovery of DDoS attacks, organized, according to its experts, using "the most powerful botnet in the entire existence of the Internet." So, the maximum attack power reaches 2 Tbit/s, which as of August 4 is an absolute record among all attacks involving botnets. Most DDoS attacks targeted the gaming industry.

The botnet consists of 49 thousand devices, among which, remarkably, there are only servers, while ordinary computers and mobile devices are absent. The attacks carried out by this botnet are quite standard: it can launch attacks using the UDP, TCP and HTTP protocols (at level 7 of the OSI model) with browser emulation. Hackers have been using the tool for about a month, and experts record the most powerful attacks on Russian companies every day. The botnet is of Spanish origin and can be rented on the Internet: the cost of the tool starts at $2,500 for two days.

StormWall estimates that the botnet is much more dangerous than its predecessors. Attacks of this power affect not only the victim but also the entire chain of its providers, and can cause Internet access problems for hundreds of thousands of users and online resources at the same time. Because the attack is so powerful, protection against it will be expensive, and only cloud DDoS protection services with sufficient filtering network capacity can cope with it; independent protection is out of the question, the company concluded.

Cryptocurrency mining botnet operators use bitcoin blockchain to hide activity

Specialists of the information security company Akamai spoke about a cryptocurrency mining botnet that uses bitcoin transactions to disguise its activity. This became known on February 25, 2021. Read more here.

2020

Check Point: Phorpiex botnet became the most dangerous threat in November 2020

On December 18, 2020, a team of researchers from Check Point Research, a division of Check Point Software Technologies Ltd., a provider of cybersecurity solutions around the world, published the results of a Global Threat Index study for November. The most active threat of the month in the world was the famous Phorpiex botnet, which attacked 4% of organizations around the world. In Russia, it was in sixth place in the number of threats, and the first place was taken by the Fareit Trojan, affecting 10% of companies in the country.

The Phorpiex botnet was first discovered in 2010. At its peak, it controlled more than a million infected devices. Phorpiex distributes other malicious programs through spam campaigns and is also used to send sextortion letters. As in June 2020, this botnet was used to distribute the Avaddon ransomware. Relatively recently, its operators have again been offering Avaddon through ransomware-as-a-service (RaaS) platforms in exchange for a share of the profits from its distribution. The spam messages contain JS and Excel files in which Avaddon is hidden; it is capable of encrypting files with various extensions.

Phorpiex is one of the oldest and most resilient botnets and has been used for years to distribute other malware, such as the ransomware GandCrab and Avaddon, and to blackmail victims using intimate photos or videos. A new wave of attacks using Phorpiex shows how effective it is for these purposes, - comments Vasily Diaghilev, head of the representative office of Check Point Software Technologies Ltd. in Russia and the CIS. - Companies should teach employees to distinguish spam emails containing malware and urge them not to open unknown files in attachments, even if it seems that they were sent from a verified address. In addition, you should implement security solutions that can protect the corporate network from infection.

Also, Check Point Research researchers note that remote code execution in HTTP headers (CVE-2020-13756) has become the most common vulnerability and affected 54% of organizations around the world. Remote code execution in MVPower DVR affected 48% of organizations, becoming the second most popular vulnerability. In third place is the Dasan GPON router authentication bypass (CVE-2018-10561), which affected 44% of organizations in the world.

Active malware in November 2020 in the world:

  • ↑Phorpiex (4%) is a botnet that spreads malware, including for the purpose of blackmail with revelations of personal life.
  • ↑Dridex (3%) is a banking Trojan that affects Windows. Dridex is distributed through spam mailings and exploit kits that use WebInjects to intercept personal data as well as users' bank card data. Dridex can send information about an infected system to a remote server, as well as execute arbitrary modules received from it.
  • ↔Hiddad (3%) is a modular Android backdoor that grants superuser rights to downloaded malware, and also helps inject it into system processes. It can access key security details built into the OS, allowing it to obtain sensitive user data.

The most active malware in November in Russia:

In Russia, in November 2020, the most common malware was Fareit, which attacked 10% of Russian organizations and for the first time this year fell into the malware TOP-3 in the country. This is followed by Emotet and FormBook with coverage of 7% and 6%, respectively.

  • Fareit or Pony Loader is a Trojan discovered in 2012. Its varieties steal user passwords, FTP accounts, a list of phone numbers and other identification data that web browsers store. It is also capable of installing other malware on infected devices and was used to spread the P2P Gameover Zeus Trojan.
  • Emotet is an advanced self-propagating modular Trojan. Emotet was once an ordinary banking Trojan, and has recently been used to spread other malware and campaigns. The new functionality allows it to send phishing emails containing malicious attachments or links.
  • FormBook was first discovered in 2016: it is an infostealer designed for Windows. On underground hacker forums, it is positioned as MaaS due to its developed evasion methods and relatively low price. FormBook collects credentials from various web browsers, takes screenshots, monitors and logs keystrokes, and can download and execute files as ordered by its command server.

The emergence of a cryptocurrency botnet attacking AWS

In August 2020, cybersecurity specialists from Cado Security discovered the first cryptocurrency botnet of its kind, whose capabilities allow it to steal confidential data from infected AWS servers. Read more here.

2019

Botnet blackmailing victims through intimate photos or videos revealed

On October 17, 2019, it became known that as part of a five-month research project, the team of researchers at Check Point Research, a division of Check Point Software Technologies Ltd., revealed the work of a malware that sends sextortion letters to its victims.

Sextortion - blackmail using intimate photos or videos of the victim, which attackers often receive from a webcam. If the victim refuses to fulfill the requirements of the attackers, the hackers promise to send the received private data to all contacts. Sextortion messages - letters containing similar threats from cybercriminals. Sometimes attackers say that they have a double video: on one video a screen recording with an 18 + film, on another screen a video with a user's reaction to this film.

Check Point Research researchers have uncovered a botnet that uses thousands of infected computers to deliver millions of Sextortion emails.

The malware responsible for such mailings is called Phorpiex. It has been active for about 10 years and has already infected about 450,000 hosts, but this number is growing very quickly. Previously, the main way to make a profit for Phorpiex was to distribute various other malware or use hosts to mine cryptocurrency, but recently this program has had a different form of income: a spambot used to launch the largest sextortion campaigns that have ever been.

Geost botnet infected 800 thousand Android devices in the Russian Federation

On October 3, 2019, researchers from the Czech Technical University, the National University of Cuyo (Argentina) and the company Avast discovered a banking botnet called Geost. The victims of the malicious campaign were at least 800 thousand owners of Android devices in the Russian Federation; in particular, attackers gained access to their bank accounts, in which a total of several million euros were stored.

The botnet could have gone unnoticed had it not been for operational security (OpSec) mistakes by the cybercriminals, including unencrypted chat logs found during the investigation and the use of an unsecured proxy network that failed to provide anonymity, the researchers said.

A rare chain of errors in OpSec led to the discovery of a banking Android botnet. The unusual discovery was made when criminals decided to trust a proxy network created by the HtBot malware. HtBot offers a proxy service for rent that provides users with pseudo-anonymous communication on the Internet. Analysis of the network interaction of HtBot led to the detection and disclosure of a large malicious operation, the researchers explained.

HtBot works by turning victims into private illegal internet proxies. Infected victims relay the traffic of HtBot users to the Internet. Traffic is constantly being diverted to other victims, making tracking difficult. The cybercriminals also failed to encrypt their messages, allowing researchers to observe their actions. The information included technical details of accessing the servers, adding new devices to the botnet, methods of evading antivirus solutions and details about the relationships between the attackers. Experts have found that lower-ranking operators are responsible for adding devices to the botnet, while higher-ranking ones determine how much money is under their control.

The Geost botnet consists of Android devices infected through malware and fake programs, including fake banking apps and social media. After infection, the phones connect to the botnet and are controlled remotely. As the researchers explained, attackers can access and send SMS messages, communicate with banks and redirect phone traffic to different sites. The botnet could directly connect to the five largest banks in Russia to operate and deploy more than 200 Android APKs to falsify dozens of applications.

The team of researchers contacted the affected Russian banks and, together with them, is taking measures to neutralize the malicious campaign[13].

Emotet's biggest botnet halted activity in June

On July 16, 2019, it was reported that a team of researchers from Check Point Research, a division of Check Point Software Technologies, published the Global Threat Index report with the most active threats in June 2019. Researchers report that Emotet (the largest botnet as of July 2019) is not active for the time being: for almost the entire month of June, there were no unknown campaigns. During the first half of 2019, Emotet was among the top 5 malware programs worldwide and was distributed through large-scale spam campaigns. Read more here.

2018

Russia entered the top three countries in terms of botnet size

At the end of 2018, Russia entered the top three countries in terms of botnet size. This is stated in a study conducted by SonicWall (specializing in network protection and traffic control technologies) and released at the end of March 2019.

According to the experts' data for 2018, Russia accounts for 7% of the devices and computers connected to botnets. Only China (13%) and the United States (47%) have more.

Countries with the most devices in botnets, SonicWall data

As noted in SonicWall, botnets are growing, which is largely facilitated by the inclusion of IoT equipment in them. IoT devices are increasingly connected to computer networks with running bots, since their users often do not change the default settings set by manufacturers - this is what cybercriminals use.

According to the calculations of experts, in 2018 the number of hacker attacks on the Internet of things tripled and reached 32.7 million. It is expected that by 2020 there will be more than 31 billion IoT devices in the world, so the problem of their security will become even more acute.

Dynamics of changes in the number of attacks on IoT devices, SonicWall data

One section of SonicWall's research is devoted to ransomware. In 2018, it was involved in 206.4 million cyber attacks, which is 11% more than a year earlier. The WannaCry, Cerber and Nemucod malware were used most often.

The average ransom amount that victims pay was $6,733. However, experts stipulate that the exact financial damage is difficult to calculate, as many companies, especially large ones, fearing blows to reputation and business relations, try to keep silent about attacks.

There are both serious ransomware and quite primitive ones that only overwrite the main boot record and demand a ransom in Monero cryptocurrency.

Although files can be easily restored by mounting the file system from an operating system running from a memory card, most users are likely to believe that their files are missing and perform a complete reinstallation. Interestingly, no contact information is provided to restore the system, and there are no ways to check whether the problem will be solved if you pay $200 in Monero, the report says.

Attacks with "harmless" ransomware viruses rarely end well for the attackers. For example, one of the cryptocurrency wallets indicated by the fraudsters received no payments for a year.

In addition, the attackers do not try to hide the functionality of the fake ransomware. The viruses detected are written in Delphi and are so simple that merely viewing the strings in the binary instantly reveals the pseudo-hackers' ideas.

But attackers are increasingly using non-standard ports to deliver malware - they accounted for 19.2% of attacks in 2018 against 8.7% in 2017. The spread of illegitimate traffic is growing through HTTP and HTTPS ports other than 80 and 443, as well as through FTP ports other than 20, 21 and 22.

Companies do not defend against this attack vector in the same way as they do for standard ports. Because there are so many ports to monitor, traditional proxy-based firewalls cannot mitigate attacks on non-standard ports. This applies to both encrypted and unencrypted traffic, SonicWall noted.
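Detecting traffic on non-standard ports means identifying the protocol from the content of the stream instead of trusting the port number. The sketch below is an added example, not SonicWall's method or code from the original article; the flow records are constructed, the classification rules are simplified heuristics, and the standard-port lists are the ones given in the text above.

```python
"""Identify HTTP, TLS and FTP from stream content, then compare with the port."""

# Ports the text treats as standard for each protocol (FTP list as given there).
STANDARD_PORTS = {"http": {80}, "tls": {443}, "ftp": {20, 21, 22}}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ")

# Constructed first bytes of a TLS ClientHello: record header + handshake header.
CLIENT_HELLO = bytes.fromhex("1603010200010001fc0303")

# Constructed flow records: destination port plus the first bytes in each direction.
SAMPLE_FLOWS = [
    {"id": "f1", "dst_port": 80, "server": b"HTTP/1.1 200 OK\r\n",
     "client": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"},
    {"id": "f2", "dst_port": 8081, "server": b"",
     "client": b"POST /upload HTTP/1.1\r\nHost: example.net\r\n\r\n"},
    {"id": "f3", "dst_port": 443, "server": b"", "client": CLIENT_HELLO},
    {"id": "f4", "dst_port": 4433, "server": b"", "client": CLIENT_HELLO},
    {"id": "f5", "dst_port": 2121, "client": b"",
     "server": b"220 constructed FTP server ready\r\n"},
    {"id": "f6", "dst_port": 25, "client": b"",
     "server": b"220 mail.example.org ESMTP\r\n"},
]


def classify_client(data):
    """Guess the protocol from the first bytes the client sent."""
    if data.startswith(HTTP_METHODS):
        request_line = data.split(b"\r\n", 1)[0]
        if request_line.rsplit(b" ", 1)[-1].startswith(b"HTTP/1."):
            return "http"
    # TLS record header: type 0x16 (handshake), version major 0x03, then a
    # handshake message of type 0x01 (ClientHello) at offset 5.
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls"
    return None


def classify_server(data):
    """Guess the protocol from the first bytes the server sent."""
    # FTP servers speak first with a 220 greeting. SMTP does too, so this
    # heuristic also requires the word "ftp" in the banner.
    banner = data.split(b"\r\n", 1)[0].lower()
    if banner.startswith(b"220") and b"ftp" in banner:
        return "ftp"
    return None


def find_nonstandard(flows):
    """Return (flow id, protocol, port) for known protocols on unexpected ports."""
    hits = []
    for flow in flows:
        proto = classify_client(flow["client"]) or classify_server(flow["server"])
        if proto and flow["dst_port"] not in STANDARD_PORTS[proto]:
            hits.append((flow["id"], proto, flow["dst_port"]))
    return hits


if __name__ == "__main__":
    for hit in find_nonstandard(SAMPLE_FLOWS):
        print("protocol on non-standard port:", hit)
```

A control that inspects only ports 80, 443 and the FTP ports would pass flows f2, f4 and f5 without looking at them, while content-based classification reports all three.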

Dynamics of the change in the number of cyber attacks in the world, data SonicWall

The total number of cyber attacks in the world in 2018 reached a record 10.52 billion. Among them, the proportion of more targeted attacks has grown. In addition, almost 75 thousand new types of attacks were identified, as well as threats in more than 47 thousand PDF files and 51,000 Microsoft Office documents.[14]

18% of organizations in the world were attacked by bots

On January 30, 2019, it became known that Check Point Software Technologies Ltd. released the first part of the 2019 Security Report, which reveals the main trends and methods of malware that Check Point researchers observed in 2018. According to the document, bots were the third most common type of malware: 18% of organizations were attacked by bots that are used to launch DDoS attacks and distribute other malware. Almost half (49%) of organizations subjected to DDoS attacks in 2018 were infected with botnets. Read more here.

Nokia Threat Intelligence Report: IoT bots will continue to grow with the spread of 5G

In November 2018, Nokia published a report according to which the share of IoT botnets among all malware in the networks of communication service providers in 2018 increased to 78%. This is more than twice the figures in 2016, when botnets began to be talked about as a significant threat. It is predicted that in 2019 the situation will only worsen.

"We have not yet solved this problem," says Kevin McNamee, director of the Nokia Threat Intelligence Lab and one of the authors of the report. "We will see that IoT botnets will become more complicated and begin to cause more damage."

The report also indicates that among all compromised devices in the networks of cloud service providers, 16% are infected with IoT bots. In 2017, the figure was 3.5%. IoT devices are usually not protected by firewalls and antivirus software, which makes them easy targets.

In 2018, there was an explosive increase in the number of IoT botnets. In 2019, it will get even worse due to 5G

At the same time, the report noted a decrease in the number of attacks on mobile and fixed networks in 2018 compared to previous years. One reason is that cybercriminals are now more focused on IoT devices, not smartphones.

Industry analysts expect that with the spread of 5G, the adoption of IoT devices will accelerate significantly. The high data speeds, wide coverage and low latency of 5G networks allow billions of things to be connected to the Internet. But the fact that many modern IoT devices lag behind in terms of protection, combined with increased technical complexity, will give attackers more opportunities to carry out attacks.

In this regard, Nokia's report discusses security solutions and best practices. The authors recommend tracking network traffic to ensure normal device behavior. In addition, secure communication should be provided for IoT devices in terms of authentication, integrity and privacy. If a device is compromised, it must be isolated from the rest of the network.

The data for Nokia's annual report was collected as a result of monitoring network traffic on more than 150 million devices worldwide, where the Nokia NetGuard Endpoint Security application is installed.[15]

Microsoft Security Intelligence Report

In April 2018, Microsoft published its information security report, the Security Intelligence Report, covering the period from February 2017. It is based on data obtained by the company's security programs and services (data on the number of detected threats, and not on cases of infection). The information was provided by corporate and private users who agreed to share it with geolocation binding.

The widespread use of botnets and ransomware viruses has led to the fact that the number of devices in Russia that faced cyber threats between February 2017 and January 2018 reached 25-30% on average per month, while the same figure in the first quarter of 2017 was almost half that - 15%. The highest rates were recorded in Pakistan, Nepal, Bangladesh and Ukraine (33.2% or higher), the lowest - in Finland, Denmark, Ireland and the United States (11.4% or lower).

According to Windows Defender Security Intelligence, Trojans have become the most common category of unwanted software. The percentage of their distribution from February 2017 to January 2018 increased from 6% to 10%. Indicators of other types of malware (droppers, obfuscators, ransomware viruses, etc.) amounted to less than 1%.

In November 2017, together with ESET and law enforcement agencies, Microsoft destroyed the command infrastructure of one of the largest malware distribution networks - the Gamarue botnet, also known as Andromeda; this is a hacker tool that was distributed as a paid service for cybercriminals. Microsoft's Digital Crimes Unit (DCU) analyzed more than 44,000 samples of malicious code and found that Gamarue had more than 80 different types of malware in its arsenal. The three main classes of malware distributed through the Gamarue botnet were ransomware (in particular Petya), Trojans and backdoors. With the help of Gamarue viruses, attackers could steal account data, run other malware on infected systems, track what is happening on the monitor (mouse movement or typed characters on the victim's keyboard), and much more.

Due to the disruption of this infrastructure, in the next three months the number of infected devices decreased by 30% (from 17 to 12 million). The number of IP addresses related to the Gamarue network and redirected to the sinkhole server created jointly with law enforcement agencies in Russia amounted to 22.5 thousand. In total, the number of such IP addresses in the world amounted to 29.48 million.

However, botnets continue to be a major threat to users around the world. Microsoft is actively helping users of infected devices as part of the Virus Information Alliance, as well as constantly improving the security mechanisms of its products, using machine learning to proactively block new types of attacks.

Interesting facts

  • The largest botnet recorded as of mid-2009 comprised 1.9 million computers.[16]
  • To create an 80,000-machine botnet, about one million computers need to be infected.[17]

A third of Internet traffic falls on bots

Artificially created traffic is becoming a serious problem for advertisers. 36% of web traffic was generated using hacked computers, writes The Wall Street Journal, citing an assessment by the Interactive Advertising Bureau (IAB). Botnets, fake sites and intermediaries whose identities are almost impossible to establish are used to generate fake traffic.

Fake traffic deceives advertisers, since they pay for the number of times advertising material is requested, regardless of whether visitors to the web page are real people.

WSJ sources report that L'Oréal, General Motors and Verizon Communications corporations have faced deception during advertising campaigns. It is noted that fake traffic undermines advertisers' confidence in the Internet compared to traditional media outlets, including television. Roxanne Baretto, assistant vice president of digital marketing at L'Oréal, reveals that 'delay represents a missed opportunity to build connections with our core audience'.

It is difficult to estimate the size of online fraud, but White Ops calculated that in 2013 American advertisers suffered losses in the amount of $6 billion. In addition, many factors affect the size of advertising digital budgets, including not only fraud, but also difficulties in assessing the size of the audience.

Recall that in the United States, according to forecasts, the online advertising market, including social networks and mobile Internet, will grow by 17% and reach $50 billion this year. In general, the share of Digital Signage will be 28% of total advertising spending.

Notes