Botnets can consist of millions of devices and behave like invincible monsters. Combating them is easier said than done. Remove one bot and thousands more take its place.
Part of the Internet suddenly vanished. One day in October 2016 Internet giants such as Amazon, CNN, the Guardian, Netflix, Spotify, and Twitter seemed to have been erased from the Net for hours. The cause: an attack on Dyn, the DNS provider that resolves the domain names of those companies' Web servers. The sites themselves were running, but with Dyn unable to answer lookups, browsers could no longer find them. The attacker: the botnet Mirai, a swarm of around 600,000 hijacked devices, mostly consumer routers, IP-enabled cameras and digital video recorders.
Overloading by DDoS Attacks
The attacks were so-called DDoS (Distributed Denial-of-Service) attacks: the cybercriminals made the hijacked devices send so many requests to the Dyn name servers at once, for hours on end, that the servers were overwhelmed and could no longer answer legitimate queries. And even if individual devices are "rescued" from the botnet, the rest is soon joined, Hydra-like, by thousands and thousands of newly infected devices.
Tempting Security Vulnerabilities
Criminal computer networks are hard to combat. Conventional virus scanners and antivirus programs are soon overburdened: many of the hijacked devices are embedded systems on which no antivirus software can be installed at all, and with hundreds of thousands of them, cleaning every single one is virtually impossible. Furthermore, cybercriminals are, as a rule, quick to adapt their malware and exploit one new security vulnerability after another. Mirai did not even need a software flaw: it logged in over Telnet using a short list of factory-default usernames and passwords that the devices' owners had never changed. Since then, this gap has been largely plugged by manufacturers, but the Mirai successor Satori moved on long ago to exploiting vulnerabilities in router firmware instead.
Locating Infected Servers
There is a way to combat the botnet threat, however. Every botnet depends on one or more command-and-control servers that issue orders to the bots and spread the malware further. By carefully analyzing the malware and the data traffic an infected device generates, these servers can be located and taken offline. That sounds easier than it is. In 2015 it took a coordinated operation by security vendors and Interpol to dismantle the Simda botnet, which had infected over 770,000 computers, and seize its 14 command-and-control servers, hosted in five countries.
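The traffic analysis described above, reduced to one signal that can be computed from a plain connection log, as an added example that is not from the article or any of the projects it mentions: a bot contacts its controller on a timer, so its connections to the control server are evenly spaced, while a person browsing produces bursts. The log lines, the IP addresses and the 60-second check-in interval are constructed for the example; the thresholds are assumptions to be tuned per network.

```python
"""Candidate C2 detection by beacon analysis.

A bot checks in with its controller on a timer, so its connections to the
C2 server are evenly spaced; ordinary traffic to a web server is bursty.
For every (source, destination, port) triple we measure the spacing of
the connections and flag those whose interval is nearly constant.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample connection log from one suspect device
# (format: "<epoch seconds> <src ip> <dst ip> <dst port> <bytes sent>").
# Six lines are a 60-second beacon to 203.0.113.9; the rest is normal HTTPS browsing.
SAMPLE_LOG = """\
1477000000 192.168.1.23 203.0.113.9 23 60
1477000005 192.168.1.23 198.51.100.7 443 5120
1477000007 192.168.1.23 198.51.100.7 443 900
1477000060 192.168.1.23 203.0.113.9 23 62
1477000120 192.168.1.23 203.0.113.9 23 61
1477000150 192.168.1.23 198.51.100.7 443 12000
1477000151 192.168.1.23 198.51.100.7 443 700
1477000180 192.168.1.23 203.0.113.9 23 60
1477000240 192.168.1.23 203.0.113.9 23 63
1477000299 192.168.1.23 198.51.100.7 443 3300
1477000300 192.168.1.23 203.0.113.9 23 60
1477000301 192.168.1.23 198.51.100.7 443 400
"""


def parse_log(text):
    """Turn the log text into (timestamp, src, dst, port, nbytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        records.append((int(ts), src, dst, int(port), int(nbytes)))
    return records


def find_beacons(records, min_count=5, max_cv=0.2):
    """Return flows whose inter-connection gaps are regular enough to look like beaconing.

    A flow is (src, dst, port). It is flagged when it has at least min_count
    connections and the coefficient of variation (stdev / mean) of the gaps
    between consecutive connections is at most max_cv. A beacon with modest
    jitter survives this threshold (assumed value); a human clicking around does not.
    """
    by_flow = defaultdict(list)
    for ts, src, dst, port, _ in records:
        by_flow[(src, dst, port)].append(ts)

    hits = []
    for (src, dst, port), times in by_flow.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue                      # everything within one second: not a timer
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "port": port,
                         "count": len(times), "interval": avg, "cv": cv})
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible C2: {hit['dst']}:{hit['port']} every {hit['interval']:.0f}s "
              f"({hit['count']} check-ins, cv={hit['cv']:.2f})")
```

On a real capture the same loop runs over a Zeek conn.log or NetFlow export, and the DNS log is checked alongside it, because a bot that resolves its controller by domain name reveals the name before the first connection. Software updaters and monitoring agents also beacon, so the flagged endpoints are leads for the malware analysis, not verdicts.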
Honeypots and Hacker Traps
No easy task, then. The first step is to capture and analyze the botnet software's data traffic. To do so without putting real systems at risk, IT security experts use honeypots: computers that pose as devices with security vulnerabilities so that cybercriminals target them. Since no legitimate user ever has a reason to contact a honeypot, every connection it receives is suspicious by definition. This is time-consuming work that requires the skills of experts in fighting cybercrime. It is a little easier with a sensor network that distributes honeypots across as many endangered subnets as possible and relays the captured data to a central server. This approach is used by the Honeysens project, developed by the Technical University of Dresden, Germany, in collaboration with T-Systems for the state administration of the German state of Saxony.
The hacker trap is an inconspicuous box with two antennas on top of it. The boxes are spread evenly across a LAN or WLAN but play no part in its normal operation; their sole purpose is to attract attackers arriving over the Internet connection. They glean a great deal of information that is of interest to security experts: which credentials and exploits the attackers try, and which control servers the malware reports to once a sensor has been "infected". That way, access to the control servers can even be wrested from the cybercriminals.
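What one such sensor box does on the wire, as an added example that is not Honeysens code or any other project's: a low-interaction Telnet honeypot that shows an embedded-device login prompt, never accepts a password, and records every username/password pair an attacker tries, marking the ones that are well-known factory defaults of the kind Mirai logged in with. The device banner, the credential list (a constructed excerpt), the port and the attempt limit are assumptions; a real sensor would ship each record to the central collector instead of printing it.

```python
"""Low-interaction Telnet honeypot handler, the kind of thing a sensor box runs.

It advertises a login prompt that looks like an embedded Linux device, never
accepts any password, and records every username/password pair that is tried,
marking the pairs that are well-known factory defaults. In a sensor network each
record would be shipped to the central collector; here it is printed as one JSON
line per attempt.
"""
import json
import socketserver
from datetime import datetime, timezone

# Constructed excerpt of factory-default credentials; a real sensor loads a fuller list.
DEFAULT_CREDENTIALS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "root"), ("admin", "1234"), ("support", "support"),
}

# Fake banner; the device name and version are made up for the example.
BANNER = b"\r\nBusyBox v1.12.1 (2016-10-21) built-in shell\r\n\r\nlogin: "
MAX_ATTEMPTS = 3      # real devices drop the connection after a few failures; so do we


def strip_iac(data):
    """Remove Telnet option negotiation (IAC sequences) so only typed text remains.

    IAC (0xFF) is followed by a command byte; WILL/WONT/DO/DONT (0xFB-0xFE)
    carry one more option byte.
    """
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] == 0xFF and i + 1 < len(data):
            i += 3 if data[i + 1] in (0xFB, 0xFC, 0xFD, 0xFE) else 2
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


class FakeTelnet:
    """Drives the login dialogue one received line at a time (pure logic, no sockets)."""

    def __init__(self, peer):
        self.peer = peer            # attacker's IP address
        self.username = None        # set once the 'login:' prompt has been answered
        self.attempts = []          # one dict per completed username/password try

    def feed(self, raw_line):
        """Consume one line from the attacker and return the bytes to send back."""
        text = strip_iac(raw_line).rstrip(b"\r\n").decode("latin-1", "replace")
        if self.username is None:
            self.username = text
            return b"Password: "
        self.attempts.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "peer": self.peer,
            "username": self.username,
            "password": text,
            "known_default": (self.username, text) in DEFAULT_CREDENTIALS,
        })
        self.username = None
        return b"\r\nLogin incorrect\r\nlogin: "

    def done(self):
        return len(self.attempts) >= MAX_ATTEMPTS


class TelnetHandler(socketserver.StreamRequestHandler):
    def handle(self):
        session = FakeTelnet(self.client_address[0])
        self.wfile.write(BANNER)
        for line in self.rfile:                  # one line per prompt answer
            self.wfile.write(session.feed(line))
            if session.done():
                break
        for attempt in session.attempts:         # a real sensor forwards these to the collector
            print(json.dumps(attempt), flush=True)


if __name__ == "__main__":
    # Listen on an unprivileged port; redirect port 23 to it with the firewall.
    with socketserver.ThreadingTCPServer(("0.0.0.0", 2323), TelnetHandler) as srv:
        srv.serve_forever()
```

The login logic is kept separate from the socket code so it can be exercised without a network. A sensor built this way also has a useful side effect: a burst of default-credential attempts from a single address inside the LAN means that the device at that address is already a bot scanning for neighbours.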
Learning from Cybercriminals
To do so the security experts use some of the tricks they have learnt from the hackers. Once a control server's address or domain name is known, they reroute the control traffic from and to the bots to a server of their own, a technique known as sinkholing: the bots can no longer receive orders, and every check-in instead reveals one more infected device to the defenders. To finally succeed, however, it is important to identify the criminals themselves. That is a time-consuming task because the operators of botnets act anonymously, and it can take months of painstaking research to identify them. It took more than a year before the three young Americans behind the Mirai botnet, one of them a college student, were in court; they pleaded guilty and were sentenced to five years' probation and 2,500 hours of community service.
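The sinkholing just described, done at the DNS level, as an added example that is not from the article or any project it mentions: a resolver that answers lookups for known control-server names with the address of a listener the defenders run, and logs which client asked. The C2 domain names, the sinkhole address and the upstream resolver address are assumptions; only A (IPv4) queries are rewritten, and the wire-format handling is the minimum needed for that.

```python
"""DNS sinkhole for known C2 domains.

Bots usually find their control server through a domain name. A resolver
that answers lookups for those names with an address the defenders control
cuts the bots off from their operators and turns every lookup into a report
of one more infected device. Only A (IPv4) queries are sinkholed here.
"""
import socket
import struct

SINKHOLE_IP = "10.66.0.1"         # assumed address of the defenders' listener
C2_DOMAINS = {"cnc.example.net", "report.example.org"}   # constructed list
UPSTREAM = ("127.0.0.1", 53)     # assumed: where non-C2 queries are forwarded


def encode_name(name):
    """'cnc.example.net' -> b'\\x03cnc\\x07example\\x03net\\x00'."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, offset):
    """Read a name at offset, following compression pointers; return (name, next offset)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # two-byte pointer
            if not jumped:
                end = offset + 2
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def build_query(name, qtype=1, txid=0x1234):
    """A plain recursive query, as a bot's resolver would send it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def sinkhole_response(query, client_ip, log):
    """Return a forged answer if the query is for a C2 domain, else None.

    On a hit the client address and name are appended to log: that is the
    list of infected devices the sinkhole exists to collect.
    """
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        return None
    qname, off = decode_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    if qtype != 1 or qclass != 1 or qname.lower() not in C2_DOMAINS:
        return None
    log.append((client_ip, qname))
    # Flags: response, recursion-desired copied from the query, recursion available.
    header = struct.pack("!HHHHHH", txid, 0x8080 | (flags & 0x0100), 1, 1, 0, 0)
    question = query[12:off + 4]
    # Answer: pointer to the question name (offset 12), type A, class IN,
    # a short TTL so the sinkhole address can be changed quickly, 4-byte address.
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(SINKHOLE_IP)
    return header + question + answer


def answer_ip(response):
    """Pull the IPv4 address out of the first answer record (used to check results)."""
    _, off = decode_name(response, 12)
    off += 4                                            # skip QTYPE and QCLASS
    _, off = decode_name(response, off)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
    return socket.inet_ntoa(response[off + 10:off + 10 + rdlen])


if __name__ == "__main__":
    seen = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", 5353))
        while True:
            data, addr = sock.recvfrom(512)
            reply = sinkhole_response(data, addr[0], seen)
            if reply is None:                            # not a C2 name: ask upstream
                with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as up:
                    up.settimeout(2)
                    up.sendto(data, UPSTREAM)
                    try:
                        reply = up.recv(512)
                    except socket.timeout:
                        continue
            else:
                print(f"sinkholed {seen[-1][1]} for bot {seen[-1][0]}", flush=True)
            sock.sendto(reply, addr)
```

The same effect is obtained in production with a response-policy zone on the organisation's resolver, or by taking over the domain's registration once a court has ordered it; the point of spelling the answer out byte by byte is to show that nothing in the bot's query proves it reached the real controller. The listener at SINKHOLE_IP should accept the bots' connections and log them but never send commands back.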