third Cyber Security Assessment Netherlands - NCSC
Detailed section » 3 Botnets

3 Botnets

Botnets continue to be a popular tool for cyber criminals to make money, and an active underground economy has grown up around the tool. The combination of low detection on the one hand and the major consequences that can result from the use of botnets on the other demands a targeted approach.
3.1 Introduction

This detailed section looks in greater depth at the issue of botnets. It outlines a picture of the current situation and the challenges the anti-virus industry and detection agencies face in preventing and combating botnets.
A botnet is a network of collaborating devices, generally private or business computers known as ‘bots’, which are infected with the same malware. In addition – although to a lesser degree – servers, routers, mobile telephones and the like may also be infected. Criminals can control a botnet centrally to use the bots for their own purposes.
To include a device in a botnet, criminals use malware that is as inconspicuous as possible to the device’s user, because for criminals it is important that the bot continues to operate for as long as possible. A user will therefore generally notice little of an infection.
3.2 Background

3.2.1 Actors behind botnets

Botnets are not generally set up, managed and operated by one individual. Criminals work together, each taking on one aspect; they sell their products and services and there is lively competition between them. [13: FS 2013]
To set up a botnet, specific botnet malware is first needed to infect devices and include them in a botnet. The malware is created by a developer and may use one or more vulnerabilities and purchased exploits. The malware developer may choose to spread the malware himself or to sell his malware to criminals.
Criminals use botnets for a broad range of activities, including assuring their anonymity. Common options for deploying botnets are:

»» sending spam and phishing e-mails;
»» carrying out DDoS attacks;
»» click fraud (repeatedly clicking on advertisements where the advertiser pays per click);
»» spreading other malware;
»» eavesdropping for passwords;
»» intercepting and manipulating (financial) transactions;
»» brute force attacks, for example to crack encryption.
The actual use of a botnet for criminal purposes is not always by the administrators themselves. Botnets are often offered for hire, also known as ‘malware-as-a-service’. [13: FS 2013] See Table 5 for a sample price list.
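The first use listed above, sending spam, is also one of the few botnet activities that leaves a clear network footprint: an ordinary workstation suddenly opening outbound SMTP connections to many different mail servers. The following detection script is an added example and is not part of the NCSC report; it assumes a simple firewall log format of "timestamp source destination port action" (constructed sample lines, not real traffic) and an allow-list of hosts that legitimately relay mail.

```python
"""Flag hosts that behave like spam bots: many outbound SMTP (port 25)
connections to distinct destinations within a short time window.

Added example; the log format and the sample lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines: "<ISO timestamp> <src> <dst> <dport> <action>".
SAMPLE_LOG = """\
2013-05-01T10:00:01 10.0.0.15 203.0.113.5 25 ALLOW
2013-05-01T10:00:02 10.0.0.15 198.51.100.7 25 ALLOW
2013-05-01T10:00:03 10.0.0.15 192.0.2.9 25 ALLOW
2013-05-01T10:00:04 10.0.0.15 203.0.113.77 25 ALLOW
2013-05-01T10:00:05 10.0.0.15 198.51.100.80 25 ALLOW
2013-05-01T10:00:06 10.0.0.15 192.0.2.120 25 ALLOW
2013-05-01T10:00:07 10.0.0.22 203.0.113.5 443 ALLOW
2013-05-01T10:00:08 10.0.0.22 198.51.100.7 443 ALLOW
2013-05-01T10:00:09 10.0.0.2 203.0.113.5 25 ALLOW
2013-05-01T10:00:10 10.0.0.2 198.51.100.7 25 ALLOW
2013-05-01T10:00:11 10.0.0.2 192.0.2.9 25 ALLOW
2013-05-01T10:00:12 10.0.0.2 203.0.113.77 25 ALLOW
2013-05-01T10:00:13 10.0.0.2 198.51.100.80 25 ALLOW
2013-05-01T10:00:14 10.0.0.2 192.0.2.120 25 ALLOW
2013-05-01T10:30:00 10.0.0.31 203.0.113.5 25 ALLOW
2013-05-01T11:30:00 10.0.0.31 198.51.100.7 25 ALLOW
"""

# Hosts that are allowed to speak SMTP to the outside (the site's mail relay).
# Hypothetical value for this example.
MAIL_RELAYS = {"10.0.0.2"}


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport, action)."""
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def find_spam_bots(log_text, window=timedelta(minutes=5), threshold=5,
                   relays=MAIL_RELAYS):
    """Return {src: n} for every non-relay host that contacted at least
    `threshold` distinct SMTP destinations inside any `window`-long span.
    n is the largest number of distinct destinations seen in one window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, action = parse_line(line)
        # Only allowed outbound SMTP from hosts that are not known relays.
        if dport != 25 or action != "ALLOW" or src in relays:
            continue
        events[src].append((ts, dst))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start, best = 0, 0
        # Sliding window over the time-sorted events of this source host.
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in evs[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for host, count in find_spam_bots(SAMPLE_LOG).items():
        print(f"possible spam bot: {host} ({count} distinct SMTP peers)")
```

In the sample, 10.0.0.15 is flagged (six distinct mail servers in five seconds), the relay 10.0.0.2 is ignored despite identical behaviour, and 10.0.0.31 is not flagged because its two connections are an hour apart. The threshold and window are tuning knobs: lower them for a network where no workstation should ever speak SMTP directly, raise them where legacy applications send their own mail.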
Service                                      Costs
Spam (simple)                                $10 per 1,000,000 e-mails
Spam (verified and/or localised addresses)   $50 to $500 per 50,000 to 1,000,000 e-mails
DDoS                                         $10 per hour, $50 per day, $150 per week, $1,200 per month
Cost of acquiring botnet [121]               $200 per 2,000 bots

Sources: [51: TM 2012] [121]

Table 5. Sample price list for botnet use (in US dollars)
3.2.2 Technique

In common with all other malware, botnet malware can be spread in several ways:

»» As an attachment or hyperlink in a fake e-mail message: large volumes of spam e-mails are sent with wording that makes it attractive to open the infected attachment.
»» On social networks: brief messages are spread through friends’ infected profile pages with messages such as “is this a picture of you?” and a link to the malware. [122]
»» Through infected USB drives: thanks to the increasing effectiveness of spam filters and security warnings, attention is returning to this method of spreading.
»» By using as yet unpublished or unpatched vulnerabilities in frequently used software: popular websites are sometimes hacked to position an exploit that creeps in unnoticed through the vulnerability (also known as a ‘drive-by download’).
[121] In practice, botnets are seldom offered for sale because operating them is often highly profitable.
[122] http://www.securelist.com/en/blog/208194206/An_avalanche_in_Skype