Botnets: Just Another Phish in the Sea…

By Max Thibodeaux

It’s been more than a decade since Mark Bowden published a fine anatomy of a botnet. His book Worm: The First Digital World War detailed a little-known and much misunderstood anonymous effort to infect as much of the internet as possible with a self-propagating piece of software. This software possessed the ability to harness whichever devices it infected for Lord knows what deeds — either for the betterment or demise of humanity and/or the internet. That book scared the bejesus out of me at the time, and there is little to indicate that things have gotten much better.

In fact, the prevalence of evilry, theft, hijacking, and extortion via the medium of the internet has only gotten worse. And we, consumers and professionals both, have to be on guard for the kind of phishing that can make matters even worse — providing a vector or medium for leveraging the internet’s raw power and bandwidth.

What do I mean by evilry? 

What do IT service companies, fuel distributors, and global meat providers all have in common? They are all companies that are fair game for ransomware, and they can pay big dividends in the form of ransom. So whether you compare this historically to stagecoaches traveling town to town carrying gold bars, or Somali pirates taking a bite out of the sea traffic that nears their shores, it’s a vexing problem.

If you happen to be in the health care or education industries, you should be worried about a nasty botnet called win32.banker.qakbot that has been around since 2009 and is still active. According to one Global Internet Threat Insights Dashboard, it’s the most prevalent current botnet, and it does a decent job of stealing corporate banking credentials. 

From whence does this evilry come? 

Even if the evils of ransomware and aggressive botnets are all around us, one often hears that ransomware is a problem that is at least solvable — well, at least for those with good backup and data/disaster recovery programs. Instead of trying to protect one’s data from being mopped up and encrypted beyond reach, companies and individuals can always rest assured that their cloud and on-premises physical backups will save their bacon in a pinch.

Botnets might not be so easy to tame. One thing that makes botnets interesting is that they leverage unsuspecting people as a kind of host, or phish in the sea. The phish pitch comes in the form of inexpensive, dare I say cheap, electronic gadgets: the kind of things that make your home smart by connecting stuff in it to the internet.

At one time, you could probably count the number of devices accessing the internet from your home on one hand, but no more. How many people even know the number of endpoints on their home network? It’s more than 50 for me, by the way. The sheer number of devices and endpoints greatly increases the surface area for stolen access harnessed into the botnet grid.

So, how are botnets connected to the internet of things? Well, they leverage insecure electronics like house plugs, cameras, digital scanners, televisions, and other items that are able to throw their digital weight around the internet… to tie down some unsuspecting giant for profit or politics.

But how is this achieved without our knowledge and consent?  

Doesn’t your firewall protect you and your devices? While your firewall watches for attacks from the outside in, sometimes your devices are phoning home from the inside out. And because botnets operate by hijacking devices, sometimes even before they make it into your home, this remains a problem alongside the opening of spiked emails and the visiting of infected web addresses.

For example, the Mirai botnet marshaled millions of devices spread out in large, disparate address blocks on the internet to take its victims down. According to the internet site Zscaler, the most recent prevalent device leveraged for a botnet is a handheld grocery scanner.

What do botnets look like? 

Imagine a million tiny arrows flying toward you from all directions. That’s what a web server sees coming at it when a botnet attacks. There are some cool internet illustrations of botnets here and here. Notice how they start slow, build and then take down servers like Lilliputians holding down Gulliver. 

Also imagine being on the receiving end as an internet service device. You’re just trying to do your job of serving out Amazon web pages or delivering the news to people, and wham, now you’re trying to serve up so many pages that your hardware is bogged down to the point of failure.

What can we do to stop evil? 

Whether or not you can be phished up into a botnet scheme depends on how you conduct your commercial and internet affairs. If you’re price conscious, then yeah, you might take home that inexpensive internet device that’s vulnerable to a botnet takeover before you read the Reddit reviews of Tuya, Smart Life and the like. The way that smart botnets work is to scour the public internet for those kinds of devices. When found, they’re taken over for evil purposes. Or maybe they start out with callback software installed.

So what can you do? Although the industry has a large part of the blame, there are things that you can do to take care of your home network and rest assured that you are not contributing to botnet dominance. 

  1. Make sure your devices are not reachable from the internet (place them on a VLAN if you’re savvy or just put them in a pen with Circle App or some other home internet security solution). 
  2. Make sure you change the default password on the devices you have attached to the internet. 
  3. If you’re even more tech savvy, you can set up a monitor like Little Snitch or Wireshark to let you know when you’re part of a larger intrigue, or find directions on the internet that allow you to flash your devices with clean, open source code (be careful here). 
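The monitoring in step 3 can be reduced to a simple check: does each gadget only talk to the places it is supposed to? The script below is an added example, not code from the original post or from Little Snitch or Wireshark. It assumes a home router that logs outbound connections as "timestamp src_ip dst_ip dst_port" (a real router or a Wireshark export would need its own parser), and the log lines, device addresses and per-device egress baseline are all constructed for the demo. It flags two things: a known device reaching a destination outside its baseline, and a device contacting many distinct hosts on one port, which is what a hijacked device scouring the internet for more victims looks like from the inside.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import NamedTuple

# Constructed sample of a router's outbound connection log. Addresses are from the
# documentation ranges (192.0.2.x, 198.51.100.x, 203.0.113.x); none of this is real traffic.
SAMPLE_LOG = """\
2024-05-01T10:00:01 192.168.50.21 203.0.113.8 443
2024-05-01T10:00:04 192.168.50.21 203.0.113.9 443
2024-05-01T10:00:09 192.168.50.22 198.51.100.5 8883
2024-05-01T10:00:12 192.168.50.21 192.0.2.77 6667
2024-05-01T10:01:00 192.168.50.23 192.0.2.1 23
2024-05-01T10:01:01 192.168.50.23 192.0.2.2 23
2024-05-01T10:01:02 192.168.50.23 192.0.2.3 23
2024-05-01T10:01:03 192.168.50.23 192.0.2.4 23
2024-05-01T10:01:04 192.168.50.23 192.0.2.5 23
2024-05-01T10:01:05 192.168.50.23 192.0.2.6 23
"""

# Constructed egress baseline: the (vendor network, port) pairs each IoT device is expected
# to use. In practice you would build this from a few days of observed traffic after setup.
BASELINE = {
    "192.168.50.21": [("203.0.113.0/24", 443)],    # smart plug -> vendor cloud over HTTPS
    "192.168.50.22": [("198.51.100.0/24", 8883)],  # camera -> vendor MQTT over TLS
}


class Flow(NamedTuple):
    ts: str
    src: str
    dst: str
    port: int


def parse_log(text):
    """Parse 'timestamp src_ip dst_ip dst_port' lines, skipping blank or malformed ones."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, port = parts
        try:
            ip_address(src)
            ip_address(dst)
            flows.append(Flow(ts, src, dst, int(port)))
        except ValueError:
            continue  # not an IP/port we can reason about; ignore the line
    return flows


def is_expected(flow):
    """True if the source device has a baseline entry covering this destination and port."""
    for net, port in BASELINE.get(flow.src, []):
        if flow.port == port and ip_address(flow.dst) in ip_network(net):
            return True
    return False


def find_unexpected(flows):
    """Every outbound flow not covered by its device's baseline.
    A device with no baseline at all is unknown, so all of its flows are flagged."""
    return [f for f in flows if not is_expected(f)]


def find_fanout(flows, threshold=5):
    """Devices that reached at least `threshold` distinct hosts on a single port.
    Returns {src: {port: distinct_host_count}} for the offending (device, port) pairs."""
    seen = defaultdict(lambda: defaultdict(set))
    for f in flows:
        seen[f.src][f.port].add(f.dst)
    result = {}
    for src, ports in seen.items():
        hits = {port: len(dsts) for port, dsts in ports.items() if len(dsts) >= threshold}
        if hits:
            result[src] = hits
    return result


if __name__ == "__main__":
    flows = parse_log(SAMPLE_LOG)
    for f in find_unexpected(flows):
        print(f"UNEXPECTED {f.src} -> {f.dst}:{f.port} at {f.ts}")
    for src, ports in find_fanout(flows).items():
        for port, n in ports.items():
            print(f"FANOUT {src} reached {n} distinct hosts on port {port}")
```

Run against the constructed log, the smart plug is flagged once for an out-of-baseline connection, the camera is clean, and the unknown device at 192.168.50.23 is flagged on every line and again for fanning out to six hosts on port 23. The baseline is deliberately per device rather than global: a camera talking to the plug vendor's cloud is just as worth a look as a plug talking to an address nobody recognises.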

In any case, the future of the internet holds many unforeseeable twists and turns. The search for raw, internet power is a fact of life. Ransomware is the threat du jour, and it’s interesting, but botnets are fascinating, and although they’re lower stakes at this time for individuals, there is much to say and do to keep them out of the front pages. According to Deloitte, over 90% of cyber attacks start with a phish. Therefore, I encourage you and everyone to be part of the solution by practicing responsible internetting this month and always. 
