Q&A: The caring, feeding and replenishing of modern-day botnets

By Byron V. Acohido

Part of the reason cyber attacks remain so hard to stop is that our own computing devices supply the attackers' processing power, as members of botnets.

A bot is a computing node running a small piece of code that makes it obey instructions from a command-and-control server. A botnet is a network of thousands upon thousands of bots under the control of an attacker.


Bots come from two primary sources. The classic source is the so-called "pwned" PC. Infections lurk everywhere: in email-borne attachments and web links, in social media postings, on popular and obscure web pages alike. A pwned PC operates normally for its unwitting user, though he or she may notice performance lags while it silently carries out the botnet operator's commands.

In just the past couple of years a secondary source has arisen: virtual machine instances stood up by the thousands on public cloud services, namely Amazon Web Services, Microsoft Azure and Google Cloud. Criminals can spin up these virtual bots stealthily and cost effectively, boosting the horsepower of their botnets on the cheap.

Botnets are continually replenished, and their care, feeding and deployment have grown into a multibillion-dollar criminal enterprise. Criminal rings use botnets to spread spam, distribute phishing scams, launch denial-of-service attacks, infiltrate and plunder networks, execute wire fraud and more. Botnets are the engine of cyber crime.

ThirdCertainty recently asked Rami Essaid, CEO of Distil Networks, about the current state of botnet activity. Distil is in the vanguard of security start-ups focused on monitoring and deterring bot traffic. This text has been edited for clarity and length.

3C: Distil is focused on detecting bots operating in browsers. Can you tell us about that?

Essaid: Bots have gotten to be a lot more sophisticated. Instead of just being a script on the computer that's running in the background, they're now embedded in the actual web browser, which gives them access to things like the cookies, running JavaScript. They can even emulate mouse movements in certain cases. And so what ends up happening is they become much harder to detect.


3C: What does this enable the attacker to accomplish?

Essaid: The biggest spike we saw in 2016 was in account takeovers. So think about the past couple of years; you’ve had Ashley Madison, Target, LinkedIn, all these different breaches. There’s literally close to a billion user names and passwords out there in the wild. The bad guys are not going through them one by one; they’re loading them up in the bots, and seeing what else they can access … not just on social media, but on bank accounts, on e-commerce sites, on all these different institutions. Account fraud is going through the roof.

3C: Can you walk us through it?

Essaid: I’ll give you a real-life customer example. StubHub, they’re a subsidiary of eBay. They have tickets on their website. They have money in people’s accounts. What the bad guys are doing is trying to get access to that money, that cash balance that’s sitting in those accounts. So they try user names and passwords. They load them up to distributed bots, and then they run those bots to see which accounts those bots can get into. Once they can get in, then it kicks it off to another team and there is an automated bot that is responsible for clearing out the account. And they do it in a very, very intelligent way.

3C: Two separate botnets working in tandem?

Essaid: Yes. It’s a systemized process. One is an account checker, one is an account emptier.

3C: Aren’t botnets also used to steal the logons in the first place?

Essaid: Oftentimes bots are doing the data theft to get these user names and passwords. It’s like the 15 degrees of bots. Any direction you go, it leads back to this tool that’s at the centerpiece of it all.

3C: What’s being done to mitigate botnets?

Essaid: It’s an arms race. The bots are getting smarter every day. So we as a vendor have to continue to add more engineering resources to this fight. We are seeing traffic across not just one customer but our entire network. We’re correlating that information. We’re looking for anomalies. Something feels off.

The machine learning algorithms will intercept that traffic and challenge it with some sort of test. We’re talking about dozens of different data points that are all being correlated together with a couple of different machine learning algorithms to find a high likelihood that we will feel really confident that it’s a bot.
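The account-checker pattern Essaid describes above (many leaked credential pairs fired at one login form from a distributed source, with a handful succeeding) and the "correlate several data points, then challenge" approach he outlines can be illustrated with a small detector run over login events. This is an added example, not Distil's code or the author's: the log format, the source IPs, the usernames and the scoring weights are all constructed for illustration, and the hand-tuned score stands in for the machine-learning classifiers the interview mentions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth-log lines (not real traffic), one per login attempt.
# 203.0.113.5 behaves like an account checker: ten different accounts in four
# seconds, two of them successful. 198.51.100.7 is a forgetful human retrying
# one account. 192.0.2.9 is a single normal login.
SAMPLE_LOG = """\
2016-11-02T10:00:00Z ip=203.0.113.5 user=alice result=fail
2016-11-02T10:00:00Z ip=203.0.113.5 user=bob result=fail
2016-11-02T10:00:01Z ip=203.0.113.5 user=carol result=fail
2016-11-02T10:00:01Z ip=203.0.113.5 user=dave result=success
2016-11-02T10:00:02Z ip=203.0.113.5 user=erin result=fail
2016-11-02T10:00:02Z ip=203.0.113.5 user=frank result=fail
2016-11-02T10:00:03Z ip=203.0.113.5 user=grace result=fail
2016-11-02T10:00:03Z ip=203.0.113.5 user=heidi result=success
2016-11-02T10:00:04Z ip=203.0.113.5 user=ivan result=fail
2016-11-02T10:00:04Z ip=203.0.113.5 user=judy result=fail
2016-11-02T10:05:00Z ip=198.51.100.7 user=mike result=fail
2016-11-02T10:05:20Z ip=198.51.100.7 user=mike result=fail
2016-11-02T10:05:45Z ip=198.51.100.7 user=mike result=success
2016-11-02T10:07:00Z ip=192.0.2.9 user=oscar result=success
"""

# Hypothetical log format: "<ISO timestamp> ip=<addr> user=<name> result=<success|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|fail)$"
)


def parse_log(text):
    """Return a list of (timestamp, ip, user, succeeded) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"] == "success"))
    return events


def profile_sources(events, challenge_threshold=4):
    """Correlate several per-source signals into one score and a verdict.

    The signals are the classic credential-stuffing fingerprint: one source
    trying many distinct accounts, mostly failing, at machine speed, and
    occasionally getting in. The weights are illustrative, not tuned on data.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    profiles = {}
    for ip, evs in by_ip.items():
        attempts = len(evs)
        distinct_users = len({e[2] for e in evs})
        successes = sum(1 for e in evs if e[3])
        span = (max(e[0] for e in evs) - min(e[0] for e in evs)).total_seconds()
        failure_ratio = (attempts - successes) / attempts
        distinct_ratio = distinct_users / attempts
        rate = attempts / max(span, 1.0)  # attempts per second, floor of 1 s
        many_accounts = attempts >= 5 and distinct_ratio >= 0.5

        score, reasons = 0, []
        if many_accounts:
            score += 3
            reasons.append("many distinct accounts from one source")
        if failure_ratio >= 0.6:
            score += 1
            reasons.append("mostly failed logins")
        if many_accounts and successes:
            score += 2
            reasons.append("successful hits among a credential sweep")
        if attempts >= 5 and rate >= 1.0:
            score += 2
            reasons.append("machine-speed attempt rate")

        profiles[ip] = {
            "attempts": attempts,
            "distinct_users": distinct_users,
            "successes": successes,
            "failure_ratio": failure_ratio,
            "rate": rate,
            "score": score,
            "reasons": reasons,
            "verdict": "challenge" if score >= challenge_threshold else "allow",
        }
    return profiles


def hit_accounts(events, profiles):
    """Accounts that a challenged source logged into: the ones an 'emptier' bot would be handed."""
    return sorted({user for _, ip, user, ok in events
                   if ok and profiles[ip]["verdict"] == "challenge"})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    prof = profile_sources(evs)
    for ip, p in prof.items():
        print(ip, p["verdict"], p["score"], "; ".join(p["reasons"]))
    print("accounts to force-reset:", hit_accounts(evs, prof))
```

Two points in the design mirror the interview: the verdict is "challenge", not "block", because the confident-but-not-certain case gets a test rather than a refusal; and the successful logins from a flagged source are surfaced separately, since those are the accounts the second, account-emptying bot will come back for.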

3C: What about the human component?

Essaid: We have data scientists who are building new classifiers. They’re constantly looking for new patterns, new things that we can key off of to try to find bots. Then we have analysts who look at web traffic and work with our biggest customers. And they try to find things our system missed. They uncover certain patterns, and they kick that over to the data science team or they can write custom rules and deploy that networkwide. When they find a bot that we haven’t seen before, they can write an instant patch for our entire system and push that out globally.

3C: Will the good guys gain ground, moving ahead?

Essaid: Well, the bad guys are evolving, and we as a company have a really good handle on web applications. Unfortunately, the OTA did a survey of all the big sites out there and they found that very few of them have sophisticated bot detections. So we have a lot of work to do on our end.
