third Cyber Security Assessment Netherlands - NCSC

Detailed section » 3 Botnets
3 Botnets
»
Botnets continue to be a popular tool for cyber criminals
to make money and an active underground economy
has grown up around the tool. The combination of low
detection and on the other hand the major consequences
that can result from the use of botnets demands
a targeted approach.
3.1 Introduction
This detailed section looks in greater depth at the issue of botnets.
It outlines a picture of the current situation and the challenges the
anti-virus industry and detection agencies face in preventing and
combating botnets.
A botnets is a network of collaborating devices, generally private
or business computers known as ‘bots’, which are infected with the
same malware. In addition – although to a lesser degree – servers,
routers, mobile telephones and such like may also be infected.
Criminals can control a botnet centrally to use the bots for their
own purposes
To include a device in a botnet, criminals use malware that is as
inconspicuous as possible to the device’s user because for criminals
it is important that the bot continues to operate for as long as
possible. A user will therefore generally notice little of an infection.
3.2 Background
3.2.1 Actors behind botnets
Botnets are not generally set up, managed and operated by one
individual. Criminals work together each taking on one aspect,
they sell their products and services and there is lively competition
[13: FS 2013]
between them.
To set up a botnet, specific botnet malware is first needed to infect
devices and include them in a botnet. The malware is created by a
developer and may use one of more vulnerabilities and purchased
exploits. The malware developer may choose to spread the malware
himself or to sell his malware to criminals.
Criminals use botnets for a broad range of activities, including
assuring their anonymity. Common options for deploying
botnets are:
»»
sending spam and phishing e-mails;
»»
carrying out DDoS attacks;
»»
click fraud (repeatedly clicking on advertisements where the
advertiser pays per click);
»»
spreading other malware;
»»
eavesdropping for passwords;
»»
intercepting and manipulating (financial) transactions;
»»
brute force attacks, for example to crack encryption.
The actual use of a botnet for criminal purposes is not always by
the administrators themselves. Botnets are often offered for hire,
also known as ‘malware-as-a-service’. [13: FS 2013] See Table 5 for a
sample price list.
Service
Spam (simple)
Spam (verified and/or
localised addresses)
DDoS
Cost of acquiring botnet [121]
Costs
$10 per 1.000.000 e-mails
$50 to $500 per 50,000 to 1,000,000
e-mails
$10 per hour, $50 per day,
$150 per week, $1,200 per month
$200 per 2.000 bots
[51: TM 2012] [121]
Table 5. Sample price list for botnet use (in US dollars)
3.2.2 Technique
In common with all other malware, botnet malware can be spread
in several ways:
»»
As an attachment or hyperlink in a fake e-mail message: large
volumes of spam e-mails are sent with wording that makes it
attractive to open the infected attachment.
»»
On social networks: brief messages are spread through friends’
infected profile pages of with messages such as “is this a picture
of you?” with a link to the malware. [122]
»»
Through infected USB drives: thanks to the increasing effectiveness
of spam filters and security warnings, attention is returning
to this method of spreading.
»»
By using as yet unpublished or unpatched vulnerabilities in
frequently used software: popular websites are sometimes hacked
to position an exploit that creeps in unnoticed through the
vulnerability (also known as ‘drive-by download’).
121 In practice, botnets are seldom offered for sale because operating them is often highly
profitable.
122 http://www.securelist.com/en/blog/208194206/An_avalanche_in_Skype
63