
Botnets Behind Most Modern Malware Infections

Command-and-control conduit in most malware makes infected machines bots

Turns out most modern malware attacks have one thing in common: a botnet communication channel between the attacker and the infected machine.

It used to be that botnets were mainly for spewing benign, but annoying, spam. Many of today's largest botnets still do just that, but they are also now being deployed for more nefarious missions, such as banking fraud via sophisticated Trojans and targeted attacks on businesses. And many of the botnets that go after a business are unknown and small -- a handful to a few hundred bots versus their massive predecessor armies of tens of thousands, or even millions, of bots.

Botnets are networks of infected machines controlled through an attacker's command-and-control (C&C) channel, which delivers the attack orders and serves as a conduit for updating the malware on a victim's machine. This attack model has become a handy way for the bad guys to keep their attacks from being detected or blocked, as well as to keep themselves hidden behind the bot army.

So does that mean most attacks are now generated via botnets? If the malware in an attack has a centralized C&C function, then the victim's machine is technically a member of a botnet, security experts say.

"A botnet will have a command and control of some sort -- whether it has an actual server that it connects to in order to receive commands, or a peer-to-peer mechanism where they can send updates or cryptographically signed commands," says Joe Stewart, a researcher with SecureWorks' Counter Threat Unit. "The end goal of many malware attacks is that bots can be installed, which then can be directed by some command and controller."

This phenomenon of C&C malware is basically modern malware, and that's a botnet, says Ashar Aziz, CEO of FireEye. "I'm very comfortable calling it a botnet," Aziz says.

That doesn't mean every malware attack comes from a botnet or that every victimized machine is automatically a bot. "There's a lot of classic malware still out there," says Gunter Ollmann, vice president of research for Damballa. "The issuing of commands is what distinguishes a botnet [from a traditional malware infection]."

Ollmann doesn't think most malware attacks are executed by botnets. "Drive-by-download attacks are the most frequently encountered sources of malware today -- having overtaken malware attached to spam a couple of years ago -- and many of the techniques used for serial variant production of malware have been refined by the cybercriminals behind these drive-by attacks," he says. "That said, botnets do feature extensively in the drive-by business."

Most malware can be remotely controlled, but turning all of the infected machines into a functional botnet requires centralized C&C management, Ollmann says. Meanwhile, if a C&C channel exists on an infected enterprise machine, then it's more than just an infection, he says. "Then you're talking about a breach: You've been hacked," Ollmann says. There's a "different contextual relationship" with the enterprise when a C&C channel has been established on the victim's machine, he says.
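The practical consequence of the two points above (a botnet is defined by its C&C channel, and an established C&C channel on an enterprise machine is a breach) is that defenders look for the channel itself rather than for the malware. The script below is an added example, not code from the article or from any of the vendors quoted in it: it reads outbound proxy connections, groups them by source host and destination, and flags pairs whose connection timing is unusually regular, the check-in rhythm a bot on a fixed timer produces. The log format, the sample lines, the host names and the thresholds (at least five connections, timing jitter at or below 10% of the mean interval) are constructed assumptions for this example.

```python
"""Flag periodic C&C-style beaconing in outbound proxy logs.

Added example, not from the original article. The log format and the
sample lines below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one connection per line: "timestamp src_host dst_host".
# ws-17 talks to updates.example-cdn.test every ~5 minutes (a timer-driven
# check-in); everything else is bursty, human-looking traffic.
SAMPLE_LOG = """\
2020-02-25T09:00:00 ws-17 updates.example-cdn.test
2020-02-25T09:00:07 ws-17 mail.example.test
2020-02-25T09:05:01 ws-17 updates.example-cdn.test
2020-02-25T09:10:00 ws-17 updates.example-cdn.test
2020-02-25T09:12:44 ws-17 news.example.test
2020-02-25T09:15:02 ws-17 updates.example-cdn.test
2020-02-25T09:20:00 ws-17 updates.example-cdn.test
2020-02-25T09:25:01 ws-17 updates.example-cdn.test
2020-02-25T09:01:13 ws-22 news.example.test
2020-02-25T09:09:48 ws-22 news.example.test
2020-02-25T09:31:05 ws-22 news.example.test
2020-02-25T09:33:20 ws-22 mail.example.test
"""


def parse_log(text):
    """Return a list of (timestamp, src_host, dst_host) from the constructed format."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst = line.split()
        records.append((datetime.fromisoformat(ts), src, dst))
    return records


def beacon_candidates(records, min_connections=5, max_jitter=0.10):
    """Return {(src, dst): (mean_interval_seconds, jitter)} for beacon-like pairs.

    jitter is the coefficient of variation (std dev / mean) of the gaps between
    successive connections. A bot checking in on a fixed timer has jitter near
    zero; browsing, mail polling and similar human-driven traffic is bursty.
    Pairs with too few connections are skipped so a handful of page loads
    cannot trip the detector.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in records:
        by_pair[(src, dst)].append(ts)

    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()  # the log is not guaranteed to be in time order
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all connections at the same instant: not a beacon pattern
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            hits[pair] = (round(avg, 1), round(jitter, 3))
    return hits


if __name__ == "__main__":
    for (src, dst), (interval, jitter) in beacon_candidates(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: every {interval}s, jitter {jitter}")
```

On the constructed sample this reports only `ws-17 -> updates.example-cdn.test` (about 300 seconds between connections, jitter near zero). A hit is a lead, not a verdict: legitimate software updaters and monitoring agents also poll on timers, so the next step is to check the destination against known-good update hosts and look at what the connection carries, not to block on rhythm alone. Real bots may add random sleep to their check-ins, which is why the jitter threshold is a parameter rather than a hard zero.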

The botnet model lets an attacker avoid getting shut down via IP address filtering, for instance, and basically gives the attacker a more sustainable model for his attack.

Rohyt Belani, managing partner and co-founder of The Intrepidus Group, says using a botnet helps an attacker evade detection and lets him subtly spread his attack vector across multiple machines in a distributed environment. "Now you have multiple drones all over as bots, conducting activities for you, and you get anonymization," Belani says. "This is a more viable model."

The recently revealed hack of German banks with the sophisticated URLZone Trojan used a botnet for the attack, which pilfered online bank accounts around the world by avoiding any behavior that would trigger a fraud alert and forging the victim's bank statement to cover its tracks. "It's a botnet architecture specifically for bank operations," says Yuval Ben-Itzhak, CTO of Finjan, which discovered the attack. "The main goal of the Trojan is command and control...it wakes up the machine when the user goes to the bank."

And a large number of phishing attacks use botnets. Intrepidus Group's Belani says once a phisher infects a machine with a zero-day vulnerability in an application, for instance, he can easily automate the phishing process. "He can have phishing emails sent out and sit there, and as people fall victim, collect the shells in an automated manner," Belani says.

The botnet gives the attacker a foothold into a corporate network in a targeted attack. The attacker can have the bots grab files from folders and upload them to his own server, where he can view them offline. "They troll around on their own servers instead of connecting into the [enterprise's] machine. They have a piece of malware designed to suck [the data] and upload it," FireEye's Aziz says.

Some mini-botnets also rely on hands-on C&C. Damballa's Ollmann says some of these botnets infiltrating enterprises rely on the attacker remotely controlling four or five machines via C&C and issuing commands to navigate network shares, retrieve files, or access databases.

"One interesting thing about small botnets is they are very strongly associated with a lot of insider knowledge," Ollmann says.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
