The most evil botnets. How the largest armies of malware appeared and died.



Nowadays a botnet surprises no one: they turn up all the time, and the infection underneath them is easily cleaned out by an antivirus, thanks to the ham-fistedness of authors who cobble malware together on their knee out of mud and sticks. But sometimes professionals sit down to write the malware, and then the damage becomes colossal and the war against it protracted and interesting. In this article I will break down such stories, some of which are not over yet.

Zeus

  • Brief Description: Banking Trojan
  • Lived: 2007 - present
  • Number of infections: over 13 million
  • Distribution method: exploit pack
  • Distribution: 196 countries
  • Damage: over $120 million

Our hit parade opens with Zeus, but not at all the one who sits on Olympus among the gods. This banking Trojan is so widespread that it became the number one most wanted botnet in America. Armchair analysts estimate that it was used in 90% of all banking fraud cases in the world.

At first, several hundred scattered botnets were built on the basis of Zeus, controlled by various gangs of cybercriminals. The author (or authors) of the bot simply sold the builder to anyone and everyone, and the buyers built their own botnets out of it.

Everyone spread the bot as best they could - for example, in 2009 one of the groups carried out a large-scale Zeus mailing through the Pushdo spam botnet. Damballa estimated that about 3.6 million PCs were infected in the United States alone. In total, since Zeus appeared, more than 13 million computers have been infected.

The developer of Zeus was originally known under the nicknames Slavik and Monstr, and it was he who independently sold and supported the bot in 2007-2010. This continued until version 2.0, when in October 2010 Slavik handed the version 2.0 source code to the developer of the SpyEye Trojan and, according to legend, stopped development. But according to RSA, the original author did not go anywhere, and the handover of the code was a diversion.

In August 2010, that is, two months before the official announcement that work on Zeus had stopped, specialists discovered a botnet built on Zeus version 2.1, which at that time was not for sale on any underground forum. From this we can conclude that the author simply changed his business model and decided to run his own botnet rather than sell the bot builder to everyone.

The main change in Zeus 2.1 was the communication scheme with the control servers: server addresses were now generated with a DGA (Domain Generation Algorithm). To protect against hijacking, the bot checked the signature of the file downloaded during an update (an RSA-1024 signature was used).

Some researchers also count among this version's innovations the appearance in September of the Zeus-in-the-Mobile (ZitMo) build for Android, Windows Mobile, BlackBerry and even Symbian. The newly minted Trojan worked in tandem with the "regular" desktop version of Zeus and made it possible to bypass online banking 2FA. According to Check Point Software and Versafe, by the end of 2012 a ZitMo build called Eurograbber had brought its owners a profit of about 36 million euros (about 47 million dollars at the time).

Someone either got greedy or leaked the Zeus 2.0.8.9 source code on the side, but the fact remains: in February 2011 the sources of a nearly current version of Zeus hit the dark web. Then either there were no buyers or the seller was hacked - in May the source code was published. This event was, I think, the most significant one for the hacker world in 2011.

The HVNC module (H stands for Hidden) deserves separate mention. It is an implementation of a VNC server, but one that works with a virtual desktop the user cannot see. Later, based on the leaked sources, the HVNC module was reworked into a separate project.

After the leak, "craftsmen" immediately appeared and started cobbling their own Trojans together from the Zeus sources; some of these were Zeus clones down to the last line, admin panel included. But there were more serious projects too - for example, Citadel. Its main feature was an online platform resembling today's GitHub. There customers could request new features, report bugs and add custom modules. In short, development became interactive and made a lot of money for its admins. Customers were even given technical support - which included, for example, keeping Citadel up to date to bypass fresh antivirus protections.

In the fall of 2011, a researcher named Roman Hüssy, who was studying Zeus, noticed strange UDP traffic while analyzing one of the Zeus variants. Further analysis showed that the new Zeus variant had several IP addresses in its configuration block, and the computers at those IPs responded to the infected system. Within a day, about 100 thousand unique IP addresses that the new modification contacted were identified, most of them located in India, Italy and the United States.

It turned out that Zeus had acquired peer-to-peer update functionality based on the Kademlia protocol. Because of the script name gameover.php, this version was named GameOver.

In early 2012 another Zeus GameOver variant was discovered: it contained a built-in nginx server to interact with other bots over HTTP. From that moment on, each bot could act as a proxy for communication with the original C&C, and the same file signature protected against specialists on the other side of the barricades distributing "updates" of their own. The GameOver version turned out to be very tenacious and is still active.



More than 74,000 hacked FTP servers, spam, fraudulent tech support scams, exploits and even social engineering on social networks were used to distribute the bot. In short, the full gentleman's kit.

Later, information appeared that the FBI, together with specialists from about a dozen countries, had identified the group behind the creation of Zeus. All its members were put on the wanted list, including the alleged organizer - a certain Evgeny Bogachev. According to the FBI, Bogachev lives in Anapa and owns a yacht. A record 3 million green American rubles is being offered for his head! Since then, little has been heard about Zeus updates: the author has apparently gone to ground, and the search is making no progress at all. Let's wait for the news.

When I say "little has been heard about updates", I mean that the original Zeus has practically ceased to be supported, but in 2015 an interesting new modification of it appeared, called Sphinx. Its panel is not much different, but inside is a new Trojan, thoroughly reworked by unknown authors. Now, thanks to the coronavirus, it is especially active and spreads through social engineering. For cover, it used a fake Kaspersky Lab signature and a home-made certificate.

Disinfecting Zeus is very difficult: it successfully bypasses antiviruses using polymorphic encryption, infects many files and is constantly updated. The best medicine is to reinstall the infected system, but if you really want to, you can try to find and clean the infected files, with no guarantee of success, of course.

Storm

  • Brief description: email worm for spam and DDoS
  • Lived: 2007-2008
  • Number of infections: about 2 million
  • Distribution method: spam

Storm (AKA Zhelatin) was first seen in early 2007 and was mailed out disguised as footage of the destruction caused by severe storms in Europe. From the very beginning, the bot used social engineering in its emails, and even "news" such as the resurrection of Saddam Hussein served as bait in the subject line. But if social engineering were Storm's only feature, it would not have made it into our collection. For its time, Storm was probably the most technologically advanced malware. It implemented a decentralized P2P control system based on the Overnet protocol (itself based on the eDonkey network) and server-side polymorphism.

Server-side polymorphism had previously been used only in the Stration botnet, first spotted in 2006. There followed a short and not particularly interesting war between that botnet and Storm over users' computers. At one point, however, Storm accounted for 8% of all malware on Windows computers.

In July 2007, at the peak of its growth, the botnet generated about 20% of all spam on the Internet, sending it from 1.4 million computers. It pushed pills and other drugs: both relatively legal ones, like Viagra, and prohibited ones.

At about the same time, attempts were made to split the botnet into several distinct subnets. Perhaps the authors wanted to sell access to the infected machines piecemeal to interested parties. In any case, nothing came of it.

The botnet was rather brutal in protecting its resources from overly curious researchers. When the bots saw frequent requests from the same address to download bot updates, as antivirus companies like to do, they launched a DDoS attack on that address. In addition, websites of companies that got in the way of the botnet owners' dirty work were attacked with varying success. Thus, DDoS attacks briefly disrupted the operation of the Spamhaus, SURBL (Spam URI Realtime Blocklists) and URIBL (Realtime URI Blacklist) services. This was needed to stop anti-spam solutions from updating their databases and blocking the mailings.

At some point, in terms of total computing power, the PCs infected by Storm outperformed the supercomputers of the day. Imagine the power the owners of Storm had in their hands! If only they had decided to do parallel computing instead of spamming... But let's not talk about sad things. Cryptocurrencies, which you of course thought of mining, had at that moment not yet been born from the ideas of Satoshi Nakamoto, so there was nothing to mine. A pity. In the role of a malicious miner, the botnet would look much more interesting in our selection.

It would have gone on like this, but at the end of 2008 the botnet disappeared as if by magic. Kaspersky Lab believes this happened due to the closure of the Russian Business Network, a Russian bulletproof hosting company. According to another version, which seems more realistic to me, Storm was destroyed by security researchers. At the Chaos Communication Congress (December 2008), a group of hackers showed the Stormfucker tool, which, using a bug in Storm, spread by itself through the Overnet network and cleaned infected computers. And Microsoft, as usual, interprets events in its own way: it believes that a Windows update helped get rid of the botnet. In short, the experts never agreed.

Of course, a place in the sun never stays empty for long, and with the demise of Storm a new botnet, based on the Waledac Trojan, emerged. Although its code was completely different from its predecessor's, Waledac was suspiciously reminiscent of Storm in several ways: the use of fast-flux C&C hosting, server-side polymorphism, spamming functions and a P2P update mechanism. Even the spam email templates almost mirrored Storm's. Waledac advertised the same merchandise from the same vendors as Storm. A clear demonstration of how one botnet goes into hiding and is immediately replaced by a new one.

Storm seemed to be a ghost until a new variant was discovered by members of the Honeynet Project in 2010. Approximately two thirds of it consisted of code from the first variant: 236 of the worm's 310 functions remained unchanged. The part responsible for peering was thrown out (it seems, because of Stormfucker), and the protocol for communicating with the C&C was changed to HTTP (previously, plain TCP sockets). Fortunately, Storm 2.0 was nowhere near as widespread as its older brother, which may be because the source code of the first version was handed over to another development team.

It was relatively easy to notice the symptoms of infection if you monitored process start attempts. The malicious processes were usually named gameX.exe, where X is a number. The following variants were seen:
  • game0.exe - backdoor and loader in one bottle; this process launched the rest;
  • game1.exe - SMTP server for sending spam;
  • game2.exe - email address stealer;
  • game3.exe - spam sending module;
  • game4.exe - DDoS utility;
  • game5.exe - bot update process.
The code was launched by a rootkit residing at %windir%\system32\wincom32.sys, which let it bypass some protective mechanisms. Rootkit code in the kernel is not bothered by any protection at all; after all, knocking something out of the kernel, even knowing its internals, is not nearly as trivial as it seems.
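As an added example (not from the original article), here is a small Python detector that runs the Storm indicators listed above over process-start log lines; the log line format, hostnames and paths are constructed for the example.

```python
import re

# Roles of the Storm modules as listed in the article (process name -> purpose)
STORM_PROCESS_ROLES = {
    "game0.exe": "backdoor/loader that launches the other modules",
    "game1.exe": "SMTP server for sending spam",
    "game2.exe": "email address stealer",
    "game3.exe": "spam sending module",
    "game4.exe": "DDoS utility",
    "game5.exe": "bot update process",
}

# gameX.exe (X a number) as the final path component; the anchor before "game"
# keeps legitimate names such as minigame9.exe from matching
GAME_RE = re.compile(r"(?:^|[\\/])(game\d+\.exe)$", re.IGNORECASE)
# The rootkit driver named in the article: %windir%\system32\wincom32.sys
ROOTKIT_RE = re.compile(r"[\\/]system32[\\/]wincom32\.sys$", re.IGNORECASE)
# Assumed log line format (constructed for this example): "<timestamp> <host> image=<path>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+image=(.+?)\s*$")


def classify_process(image_path):
    """Return (indicator, role) if the path is a Storm artifact, otherwise None."""
    m = GAME_RE.search(image_path)
    if m:
        name = m.group(1).lower()
        return name, STORM_PROCESS_ROLES.get(name, "unknown gameX.exe module")
    if ROOTKIT_RE.search(image_path):
        return "wincom32.sys", "kernel rootkit driver"
    return None


def scan_process_log(lines):
    """Group Storm indicators per host: {host: [(timestamp, indicator, role), ...]}."""
    hits = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank or malformed lines
        ts, host, image = m.groups()
        found = classify_process(image)
        if found:
            hits.setdefault(host, []).append((ts, found[0], found[1]))
    return hits


def storm_verdict(host_hits):
    """A host with the rootkit driver, or the loader plus another module, is called infected."""
    names = {indicator for _, indicator, _ in host_hits}
    if "wincom32.sys" in names or ("game0.exe" in names and len(names) > 1):
        return "storm-infected"
    return "suspicious" if names else "clean"


# Constructed sample log: one infected workstation and one clean one
SAMPLE_LOG = r"""
2008-01-15T10:01:02 WS-17 image=C:\WINDOWS\system32\svchost.exe
2008-01-15T10:01:05 WS-17 image=C:\WINDOWS\game0.exe
2008-01-15T10:01:06 WS-17 image=C:\WINDOWS\game1.exe
2008-01-15T10:01:06 WS-17 image=C:\WINDOWS\game4.exe
2008-01-15T10:01:07 WS-17 image=C:\WINDOWS\system32\wincom32.sys
2008-01-15T10:02:00 WS-22 image=C:\Program Files\Games\game.exe
2008-01-15T10:02:30 WS-22 image=C:\Users\bob\minigame9.exe
""".strip().splitlines()

if __name__ == "__main__":
    for host, host_hits in scan_process_log(SAMPLE_LOG).items():
        print(host, storm_verdict(host_hits))
        for ts, indicator, role in host_hits:
            print("  ", ts, indicator, "-", role)
```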

The rootkit also did not hesitate to spoof antivirus programs so that the user would think the protection was working properly, when in fact it was not working at all.

Thus, Storm became one of the first commercial ready-to-use spam tools. Although it did not last long, it showed the way to other attackers who began to act in a similar way.

Mariposa

  • Brief Description: Trojan Worm
  • Lived: 2009–2011
  • Number of infections: 12 + 11 million (two waves)
  • Distribution methods: pirated software, self-distribution via flash drives, peer-to-peer networks and MSN messenger
  • Distribution: 190 countries

The Mariposa (Spanish for butterfly) botnet appeared in 2009 and was based on the code of the Palevo Trojan, also known as Rimecud. Panda Labs estimates the giant butterfly was 12 million computers in size.

In the code the bot was called somewhat more simply - Butterfly Bot, but nobody forbids anyone from naming things as they please, so the antivirus companies came up with their own name and issued it as the official one. The author had to live with it.

The bot could work as a loader for other malware of all stripes, could extract passwords from Firefox and IE out of the box, and could set up HTTP and SOCKS proxies to cover the attacker's tracks. And of course DDoS, with two modules at once: TCP SYN flood and UDP flood.

One distribution method was flash drives, since autorun.ini still worked in those days. True, the bot put real effort in here (it is not for nothing that it is based on Palevo): Mariposa created a heavily obfuscated autorun file in which the instructions were mixed with a large number of characters in various encodings, so the ini file looked different every time.

Mariposa's main activities were scams and the by-then traditional DDoS. The scams included stealing accounts from the affected computers and reselling them. Bank accounts were then used to pay for services, and social network accounts for all kinds of fraud. Spoiler alert: the purpose of stolen data today is exactly the same.

In terms of protection from analysis, the bot's authors tried their best: they built in many protections which, however, still did not save the botnet from being shut down. The protective mechanisms included frequent updates and modifications of the binary, which made it possible to bypass signature analysis; countermeasures against running in virtual machines and sandboxes; and a new secure UDP-based protocol for talking to the command center.

Unfortunately for the botnet's authors (the DDP Team from Spain openly stated their involvement), Mariposa's career ended in December 2009. Researchers and police managed to locate, seize and shut down the C&C servers in Spain. And three months later (in February), Spanish law enforcement arrested three members of the DDP Team. An interesting detail: none of those arrested knew how to program.

According to the Spanish police, the botnet operators slipped up in a very childish way: they connected to the C&C as admins from their home IP instead of using a VPN or proxy. Nevertheless, it proved impossible to bring the criminals to justice, largely because running a botnet was not considered a crime in Spain at all at that time, and for a criminal case the police would have had to prove that they stole information and then used it for profit. ... According to official information, private data of more than 800 thousand people in 190 countries was stolen with the help of Mariposa - but this could not be used in the investigation for lack of solid evidence.

As a result, the investigation stalled, and the Mariposa admins, released after a couple of months, visited the office of Panda Security, which had played a large part in their capture, and started asking to be hired: according to them, they were left completely without money after the Mariposa infrastructure was destroyed. They left, of course, with nothing.

Despite the destruction of Mariposa's C&C, from the end of 2010 the number of its detections began to grow again, and six months later another botnet based on the same Palevo, numbering about 11 million machines, was found. It was called Metulji ("butterfly" in Slovenian).

Literally one and a half to two months after the botnet was discovered, its operators, residents of Serbian Bosnia, were identified. These guys also took no precautions and splashed money around left and right. They were arrested through the joint efforts of the Slovenian police, the FBI and Interpol. Since then, Palevo and its derivatives have disappeared from the list of top threats.

As you can see, even "kewl hackers" with minimal knowledge can assemble botnets of a hefty size, even without spam and exploit packs. Twelve million out of nowhere is a serious result.

ZeroAccess

  • Brief description: Trojan downloader, spammer and miner
  • Lived: 2009–2013
  • Number of infections: 9 million
  • Distribution method: exploit pack

The history of ZeroAccess in the rootkit chronicle began in June 2009. An interesting sample was found then, whose rootkit driver contained the string F:\VC5\release\ZeroAccess.pdb. So the name ZeroAccess is the author's own. It had other names too, of course: ZeroAccess is also known as Smiscer and Sirefef.

An interesting feature of ZeroAccess is "live-bait fishing" for knocking out antivirus software. In addition to its main rootkit driver, the bot had an extra kernel driver for creating a decoy - an object that antiviruses and other supposedly protective mechanisms would peck at. This driver created the device \Device\svchost.exe and stored a dummy binary at \Device\svchost.exe\svchost.exe. Access to this pseudo-file was monitored by the rootkit. If anything touched the bait, ZeroAccess killed the process by injecting code into it that called ExitProcess(). And to prevent the program that took the bait from launching again, ZeroAccess reset the ACL on its executable to deny read and execute. Thus, once caught, the antivirus could no longer start.

In January 2010, the creators of ZeroAccess rolled out an update that enriched it with new features. For this, (surprise!) the resources of the Russian Business Network were used. In this version the borrowing of ideas from the older TDL-3 rootkit became more obvious: launch was now performed by infecting a driver, and a hidden storage area in a separate section of the hard disk was used to keep the rootkit components.

Until April 2011, 64-bit versions of Windows were relatively safe and not infected by ZeroAccess. In May, with the next update, this annoying omission was corrected, though not in a very sophisticated way. The thing is that in the 32-bit version the rootkit worked at the kernel level, while in the 64-bit environment everything worked in user space. Apparently the authors decided not to bother bypassing driver signature enforcement and made do with this crutch.

To increase survivability, the authors added TCP-based P2P for distributing their modules, as well as an initial peer list containing 256 supernode IP addresses. Antivirus analysts note that this version began loading two kinds of payload - for click fraud and for mining.

Time passed. More and more people were switching to 64-bit operating systems, for which developing a kernel-mode rootkit is difficult. In May 2012 the kernel driver was dropped and all work was now done in user mode. The peer-to-peer network algorithm also changed slightly, and the RSA key length was doubled from 512 to 1024 bits. Where previously peer-to-peer connections went only over TCP, now the list of IP addresses was requested over UDP and the list of modules over TCP. As before, there was a split by payload type: a click fraud module or a mining module, to choose from.

The ZeroAccess example illustrates Occam's razor well - do not multiply entities unnecessarily, or, put simply, do not overcomplicate. ZeroAccess began as a technological showpiece, then in the course of evolution the rootkit fell away from it, but the botnet lived on and even acquired such fashionable features as P2P.

According to Sophos estimates, the number of computers infected by the bot by the end of summer 2012 was over 9 million, with about a million active infections. According to experts, the ZeroAccess botnet was the most active of 2012.

Antivirus companies, of course, did not ignore the botnet's existence and actively looked for ways to intrude into the ZeroAccess peer-to-peer protocol in order to disable it. In March 2013, engineers from Symantec got down to business and found a vulnerability in the botnet's protocol that allowed, albeit with great difficulty, disrupting its operation.

Meanwhile, monitoring of the botnet continued, and on June 29 Symantec specialists noticed a new version of ZeroAccess being distributed through the peer-to-peer network. The updated version contained changes that closed the vulnerability found earlier. This seems to have prompted the operation to hijack the botnet, which began on July 16. The researchers were racing to take over before the update reached all the nodes. As a result, more than half a million bots left the botnet.

But the white hats at Microsoft achieved even more: in December 2013, together with law enforcement agencies of various countries, they disrupted ZeroAccess by taking control of the C&C. Law enforcement obtained warrants to search and seize servers answering at 18 IP addresses from which the botnet was controlled. After this operation, the bots received a last update from the authors containing the message WHITE FLAG. In short, the botnet surrendered.

Figure: Principle of operation

Technically the botnet is still alive, but it will never receive updates, since the C&C servers have sunk into oblivion. The bot is not updated, detection keeps improving, and more and more antiviruses neutralize it. But it cannot be ruled out that the developers are now working on a new version of ZeroAccess.

Dridex

  • Brief Description: Banking Trojan
  • Lived: 2011 - present
  • Number of infections: unknown
  • Distribution methods: spam, social engineering, free software

The Dridex banking Trojan has been one of the top financial cyber threats since Zeus left office. In 2015 the damage it caused was estimated at more than $40 million.

Dridex (then Cridex) first appeared around September 2011. Even then the bot knew how to use web injects to steal money online, and could also infect USB drives. For this reason it was initially classified not as a Trojan but as a worm. The web injects turned out to be suspiciously similar in style to those of Zeus - the leak of the latter's source code in 2011 may have helped here. Later, in 2012, the attackers abandoned USB infection.

The similarity of the Zeus and Dridex web injects is not the only thing that unites them. In common with the GameOver version of Zeus specifically were the mechanisms for working with regular expressions, the distribution method (email spam), some aspects of how the installer works (the main body of the malware plus the loader), and the set of components available on the infected system. These include SOCKS proxies and a hidden VNC, apparently borrowed from Zeus.

By the beginning of 2015, Dridex even had a kind of peer-to-peer network, which again resembles GameOver Zeus. It cannot be called true P2P, because not all network nodes were equal. Instead there were supernodes, whose addresses were specified in the Trojan's configuration file, in the XML section <nodes>. Encryption of the communication protocol with the command center also appeared.

The network grew rapidly and the criminals seemed elusive, but on August 28, 2015, one of the Dridex administrators was tracked down and arrested. Some of the bots (they were divided into subnets) dropped off the network, but shortly afterwards they not only returned but brought new ones with them. It looks like other admins took control of their arrested comrade's subnets and carried on without him.

After the arrest, precautions were immediately tightened: IP-based geographic filtering was introduced. If the country was not on the list, the bot received an error message. This, of course, did not prevent study of the Trojan. A couple of months later, the network's owners rolled out an update to the Trojan's loader in which the XML config was replaced with a binary one. In fact, this solution had already been used in early versions of the then Cridex, so the move was meant to confuse researchers rather than make the Trojan more convenient.

Another interesting version was found in early 2017. In its capabilities it was similar to the third, but analysis of new samples is now greatly complicated by the fact that the loader works for at most a couple of days. Again, the solution is not new: it was much the same with the Lurk Trojan, only there the loader worked for just a few hours. When the loader's lifetime ends, the encryption keys change and the old samples become useless. All outdated instances get a 404 error from the server.

The encryption remains the same as in its ancestor - RC4 with a static key in the Trojan's body. Encryption was needed to protect against detection in traffic, not to block research: RC4 is a symmetric algorithm and easily amenable to brute-force cracking, but traffic analysis systems are powerless against such a pseudo-random data stream.
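As an added example, not from the article or the Trojan itself: a Python sketch of what an analyst does with a static RC4 key pulled from a sample, and of why a plaintext signature sees nothing on the wire. The key, the beacon format and the signature markers are constructed assumptions.

```python
import math
from collections import Counter


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: plaintext protocols sit well below 8, ciphertext near it."""
    n = len(data)
    counts = Counter(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# Constructed stand-in for the static key an analyst extracts from the unpacked loader
STATIC_KEY = b"constructed-static-key-0001"
# Constructed plaintext of a bot check-in; the real message format is not described in the article
PLAINTEXT_BEACON = (
    b"botid=CONSTRUCTED-0001;version=3;os=win7;"
    b"supernodes=203.0.113.5:443,203.0.113.9:443;modules=socks,vnc"
)
# Markers a plaintext-based traffic signature would look for (assumed)
SIGNATURE_MARKERS = (b"botid=", b"supernodes=")


def encrypt_beacon(plaintext: bytes, key: bytes = STATIC_KEY) -> bytes:
    """What the bot puts on the wire."""
    return rc4(key, plaintext)


def decrypt_capture(blob: bytes, key: bytes = STATIC_KEY) -> bytes:
    """What the analyst does with a pcap once the key is known: same key decrypts every session."""
    return rc4(key, blob)


def signature_matches(blob: bytes) -> bool:
    """A naive IDS rule: fires only on plaintext markers, so it sees nothing inside the RC4 stream."""
    return any(marker in blob for marker in SIGNATURE_MARKERS)


def analyze_capture(blob: bytes, key: bytes = STATIC_KEY) -> dict:
    """Decrypt with the recovered key and report why the wire form evades signature matching."""
    plain = decrypt_capture(blob, key)
    return {
        "wire_entropy": round(shannon_entropy(blob), 2),
        "plain_entropy": round(shannon_entropy(plain), 2),
        "signature_on_wire": signature_matches(blob),
        "signature_after_decrypt": signature_matches(plain),
        "decrypted": plain,
    }


if __name__ == "__main__":
    captured = encrypt_beacon(PLAINTEXT_BEACON)
    for k, v in analyze_capture(captured).items():
        print(f"{k}: {v}")
```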

Figure: Geography of Dridex distribution

Most of the victims are in Europe. The most infections were recorded in the UK, followed by Germany and France. Dridex does not infect Russian computers: the C&C servers do not respond to requests from Russian IPs.

Over the years of Dridex's existence, white hats and law enforcement agencies from various countries have repeatedly and unsuccessfully tried to stop the botnet's activity. In 2009, the US Department of Justice brought charges against two Russians who, according to its information, are behind the development of the Dridex malware, and not only that.

The indictment states that 32-year-old Maxim Yakubets and 38-year-old Igor Turashev were the developers of the famous Dridex banking Trojan, and that Yakubets was the leader of the group. In addition, Yakubets is also accused of developing and distributing Zeus.

But so far Dridex just keeps acquiring more and more User Account Control (UAC) bypass techniques to stay afloat and keep infecting Windows machines. The damage is hard to pin down, but even by the most conservative estimates it is measured in hundreds of millions of dollars.

Emotet

  • Brief description: banker, downloader
  • Lived: 2014 - present
  • Number of infections: unknown
  • Distribution methods: spam, social engineering

Emotet is another high-tech banking Trojan. The first versions stole the banking data of just a few banks, but the botnet improved rapidly and is now also in the top 3 of the most active and dangerous, although it appeared relatively recently - in 2014.

Infection actively occurs through spam: the messages contain a malicious attachment with a macro. The macro does not simply run by itself; social engineering gets the victim to launch it, which leads to infection.

At the turn of 2016 and 2017, the creators repurposed the botnet, and now it primarily acts as a downloader for other malware of all stripes. However, it is not worth removing it from the list of bankers just yet.

The botnet is marketed as IaaS or MaaS (malware as a service) to other cybercriminal groups. In particular, Emotet often works in tandem with Ryuk.



In the second half of 2019, the number of Emotet infections skyrocketed. The loader suddenly saw a burst of activity. In September, after a short four-month pause, Emotet went back into action with growing force. In total, 27,150 Emotet samples were discovered in the second half of 2019 (an increase of 913% over the previous year). During this campaign, more than 1000 unique IP addresses hosting Emotet C&C were recorded. The graph below shows the number of Emotet samples found in the second halves of 2018 and 2019. The difference is colossal.

Figure: Emotet samples found, second half of 2018 vs. second half of 2019


In 2020 a new feature was discovered: Emotet behaves like a worm, breaking into poorly secured Wi-Fi networks and spreading through them. Another demonstration of how cybercriminals invent new techniques in the name of more effective infection.

As for the geography of distribution, Germany, the USA, India and Russia have suffered the most. The top affected countries also include China, Italy and Poland. Emotet is still active, so the infection pattern is constantly changing and may change again by the time this article is published.

So far nothing is known about Emotet's creators, so there will be no fascinating story of developer idiocy and law enforcement resourcefulness. A pity.

3ve

  • Brief description: click fraud botnet
  • Lived: 2013–2018
  • Number of infections: ~1.7 million
  • Distribution methods: spam, social engineering
  • Damage: about $30 million

I think you are already tired of the banking Trojans in this collection. This bot, however, belongs to a different family - click fraud botnets. 3ve ("Eve") does not steal banking data from infected machines; instead it clicks tons of ads on fake websites. Of course, the user does not notice anything, since everything happens covertly. The bot contained many detection-bypass mechanisms so as to bring maximum profit to its creators. 3ve is considered the most advanced click fraud botnet.

3ve was distributed through the Methbot and Kovter botnets and had several schemes of operation.

One of the schemes received the identifier 3ve.1, but WhiteOps specialists, who discovered it first, named it MethBot. The campaign was also tracked by experts from Symantec and ESET, under the names Miuref and Boaxxe respectively. Naturally, no one knew then that this operation was just a small piece of a larger ad fraud.

Another scheme used mainly servers in data centers rather than ordinary users' computers - the bots imitated the behavior of real users of mobile and desktop devices. According to the FBI, 3ve's operators used about 1,900 servers in commercial data centers and had about 5,000 advertising sites at their disposal.

3ve's operators got carried away when they began forging BGP announcements and hijacking blocks of IP addresses belonging to real customers in order to disguise the fraudulent activity. When ad networks started blocking addresses associated with the 3ve.1 scheme, the operators simply rented infected machines from the Kovter botnet. The new bots opened hidden browser windows and proceeded according to the old scheme.

The third scheme kept the same approach but replaced the huge number of low-powered bots with a few powerful servers hidden behind many rented proxies.

At its peak, the 3ve botnet generated nearly 3 billion fraudulent requests every day, used 10,000 fake websites to serve ads, had over 1,000 bot servers in data centers, and controlled over a million IP addresses needed to hide bots.
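The signals described above (traffic sourced from data-center address space, implausible click rates from a single address, one source spreading clicks across many publisher sites) are exactly what an ad network's fraud filter looks for. The following is an added example of such scoring, not code from 3ve or from any of the companies named here; the IP prefixes, click events and thresholds are constructed for illustration.

```python
"""Score ad-click events for the 3ve-style signals discussed above (added example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed: prefixes an ad exchange might label as hosting or data-center space.
DATACENTER_PREFIXES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

# Constructed click events: (seconds since start of window, source IP, publisher site).
CLICKS = [
    (0, "203.0.113.10", "news-a.example"),
    (2, "203.0.113.10", "news-b.example"),
    (3, "203.0.113.10", "news-c.example"),
    (5, "203.0.113.10", "news-a.example"),
    (9, "203.0.113.10", "news-d.example"),
    (15, "192.0.2.44", "news-a.example"),
    (40, "192.0.2.44", "news-a.example"),
    (12, "198.51.100.7", "news-b.example"),
]


def in_datacenter(ip):
    """True if the address falls inside a prefix labelled as data-center space."""
    addr = ip_address(ip)
    return any(addr in net for net in DATACENTER_PREFIXES)


def score_sources(clicks, window_s=60, max_clicks_per_window=4, max_sites=3):
    """Aggregate clicks per source IP and attach the fraud signals each one exhibits."""
    by_ip = defaultdict(list)
    for ts, ip, site in clicks:
        by_ip[ip].append((ts, site))

    report = {}
    for ip, events in by_ip.items():
        events.sort()
        # Sliding window: the largest number of clicks this IP made inside any window_s span.
        peak, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window_s:
                start += 1
            peak = max(peak, end - start + 1)

        sites = {site for _, site in events}
        flags = []
        if in_datacenter(ip):
            flags.append("datacenter_source")   # real users rarely browse from hosting ranges
        if peak > max_clicks_per_window:
            flags.append("click_rate")          # humans do not click ads several times a minute
        if len(sites) > max_sites:
            flags.append("site_spread")         # one source feeding many "publishers"
        report[ip] = {
            "clicks": len(events),
            "peak_in_window": peak,
            "sites": len(sites),
            "flags": flags,
        }
    return report


def suspicious(report, min_flags=2):
    """Sources that trip at least min_flags signals; a real filter would also withhold payout."""
    return sorted(ip for ip, r in report.items() if len(r["flags"]) >= min_flags)


if __name__ == "__main__":
    scored = score_sources(CLICKS)
    for ip, r in scored.items():
        print(ip, r)
    print("suspicious:", suspicious(scored))
```

Requiring two independent signals before acting is deliberate: a single data-center click can be a legitimate corporate proxy, and a burst of clicks can be a curious user, but a data-center address clicking across many unrelated sites in seconds is the pattern the 3ve schemes produced.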

The botnet was shut down by the joint efforts of Google, the FBI, Adobe, Amazon, ESET, Malwarebytes and other companies. Eight people were behind it, and thirteen criminal cases were opened against them. Six of them are Russians and two more are Kazakhs. Sometimes the legends about Russian hackers don't lie!

According to Google, after 3ve's infrastructure was blacklisted and turned against the operators, there was a real lull in ad fraud. While law enforcement has not named the group's exact earnings, experts estimate that 3ve brought in at least $30 million.

Mirai

  • Brief description: DDoS botnet
  • Lived: 2016 - present
  • Number of infections: more than 560 thousand
  • Distribution methods: brute force

It would be strange not to mention such a famous bot. It is the king of botnets that attack IoT devices, and although Mirai itself has long faded, its many descendants still haunt security people. First discovered in 2016, it quickly and efficiently hijacked smart home devices (and sometimes not only them) that had weak Telnet passwords.

This botnet was developed by students who for some reason got angry with their own university and wanted to organize DDoS attacks on it. But they miscalculated something, and now it is the largest IoT botnet, considering all its clones.

The botnet grew quietly at first, but after several attacks it was noticed and the hunt for its creators began. They could not think of anything smarter than publishing the source code. The idea was: we are not necessarily the authors; it could be anyone, the source is open. This ruse did not help them, and the authors were found. Unfortunately, by then it was already too late: other groups had received a powerful and dangerous tool for free. The number of botnets based on Mirai (sometimes outright clones of it) has exceeded one hundred and continues to grow.

In September 2016, after Brian Krebs published an article about sellers of DDoS botnets, Krebs himself fell victim to an unusually strong DDoS attack, which peaked at 665 GB/s. It remains one of the most powerful attacks known. The hosting provider had had enough, and the site went down temporarily until a new host was found.

A month later, a powerful attack was launched against DynDNS. It came in two waves of about an hour and a half each. Despite the prompt reaction and the measures taken to repel the attack, users were still affected, and the consequences were visible until the evening of the same day. Remarkably, it was not a single server that was attacked but many around the world. The engineers clearly did not expect such a load and could not respond normally. As a result, at least Twitter, GitHub, SoundCloud, Spotify and Heroku were affected.

Ironically, DNS queries were used to attack the DNS provider. The traffic exceeded normal levels by almost two orders of magnitude, and that is without counting what the system administrators urgently filtered out. DNS amplification had already been described at that time, but it was not taken seriously. The attack on Dyn changed that, and afterwards there were far fewer servers vulnerable to this technique.
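The two DNS abuse patterns this section touches on, a raw query flood against the resolver and amplification (small queries producing large responses that end up at a spoofed victim), show up differently in server logs. The following is an added example of spotting both over a few constructed log lines; it is not Dyn's tooling and the line format, thresholds and addresses are assumptions for illustration. The defensive response differs too: a flood source is rate-limited or dropped, while a reflection "client" is the spoofed victim, so responses towards it are throttled (response rate limiting) rather than the address being blamed.

```python
"""Detect query floods and amplification candidates in DNS server logs (added example)."""
import re
from collections import defaultdict

# Constructed log lines in an assumed text format: time, client, query type, name,
# query size and response size in bytes. A real deployment would read dnstap or
# the server's own query log instead.
LOG = """\
12:00:00.010 client=192.0.2.10 type=ANY name=example.com. qlen=45 rlen=3200
12:00:00.012 client=192.0.2.10 type=ANY name=example.com. qlen=45 rlen=3200
12:00:00.013 client=192.0.2.10 type=ANY name=example.com. qlen=45 rlen=3200
12:00:00.500 client=198.51.100.5 type=A name=www.example.com. qlen=50 rlen=66
12:00:01.100 client=203.0.113.77 type=A name=a1b2.example.com. qlen=52 rlen=120
12:00:01.101 client=203.0.113.77 type=A name=c3d4.example.com. qlen=52 rlen=120
12:00:01.102 client=203.0.113.77 type=A name=e5f6.example.com. qlen=52 rlen=120
12:00:01.103 client=203.0.113.77 type=A name=g7h8.example.com. qlen=52 rlen=120
12:00:01.104 client=203.0.113.77 type=A name=i9j0.example.com. qlen=52 rlen=120
12:00:01.105 client=203.0.113.77 type=A name=k1l2.example.com. qlen=52 rlen=120
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+) client=(?P<client>\S+) type=(?P<qtype>\S+) "
    r"name=(?P<name>\S+) qlen=(?P<qlen>\d+) rlen=(?P<rlen>\d+)$"
)


def to_seconds(hhmmss):
    """Convert HH:MM:SS.fff into seconds since midnight."""
    h, m, s = hhmmss.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_log(text):
    """Parse the constructed format; malformed lines are skipped rather than aborting."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        records.append({
            "t": to_seconds(d["time"]), "client": d["client"], "qtype": d["qtype"],
            "name": d["name"], "qlen": int(d["qlen"]), "rlen": int(d["rlen"]),
        })
    return records


def per_client_stats(records, window_s=1.0):
    """Peak queries per window, amplification ratio and ANY share for every client address."""
    by_client = defaultdict(list)
    for r in records:
        by_client[r["client"]].append(r)

    stats = {}
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["t"])
        peak, start = 0, 0
        for end in range(len(recs)):
            while recs[end]["t"] - recs[start]["t"] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        qbytes = sum(r["qlen"] for r in recs)
        rbytes = sum(r["rlen"] for r in recs)
        stats[client] = {
            "queries": len(recs),
            "peak_qps": peak,
            "amp": rbytes / qbytes,                 # bytes sent back per byte received
            "any_share": sum(r["qtype"] == "ANY" for r in recs) / len(recs),
        }
    return stats


def classify(stats, flood_qps=5, amp_ratio=10.0):
    """Label each client: a flood source, a likely spoofed reflection target, or neither."""
    verdict = {}
    for client, s in stats.items():
        flags = []
        if s["peak_qps"] > flood_qps:
            flags.append("query_flood")        # candidate for per-client rate limiting
        if s["amp"] >= amp_ratio and s["any_share"] > 0.5:
            flags.append("reflection_target")  # address is probably spoofed; apply RRL towards it
        verdict[client] = flags
    return verdict


if __name__ == "__main__":
    for client, flags in classify(per_client_stats(parse_log(LOG))).items():
        print(client, flags)
```

The constructed thresholds are intentionally low so the sample trips them; in production they are set from the server's normal baseline, which is the "two orders of magnitude" gap the paragraph above describes.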

According to the investigation, only about 100,000 overly “smart” devices were involved in the attack. Nevertheless, the attack was impressive in scale.

Inside, Mirai's code is small and clean, though not very technologically advanced. Only 31 login-password pairs were used for spreading, but even that was enough to capture more than half a million devices.
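The lesson of the credential list is that a device is lost to Mirai-style spreading if it exposes a cleartext management service with a factory password, and the fix is an inventory audit rather than anything clever. The following is an added example of such an audit, written from the defender's side: it is not Mirai's code and reproduces none of its list. The default-credential denylist, device inventory and age threshold are constructed for illustration; a real audit would load the documented defaults for each vendor and read the inventory from the asset database.

```python
"""Audit an IoT inventory for the weaknesses Mirai exploited (added example)."""

# Constructed: a tiny denylist of factory-default pairs. Load the real vendor
# defaults for your products here; these four are only placeholders.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("root", "root"),
    ("admin", "1234"),
    ("user", "user"),
}

# Constructed inventory: (name, management service, reachable from the internet,
# username, password, days since last firmware update).
INVENTORY = [
    ("cam-lobby", "telnet", True, "root", "root", 900),
    ("router-edge", "ssh", True, "admin", "Tr0ub4dor&3-long", 20),
    ("fridge-kitchen", "telnet", False, "admin", "1234", 400),
    ("nas-office", "https", False, "ops", "correct horse battery staple", 5),
]


def audit_device(name, service, exposed, user, password, fw_age_days,
                 min_pw_len=12, max_fw_age_days=180):
    """Return the list of findings for one device; an empty list means it passed."""
    findings = []
    if (user, password) in DEFAULT_CREDENTIALS:
        findings.append("default_credentials")   # exactly what a Mirai-style scanner tries first
    elif len(password) < min_pw_len:
        findings.append("short_password")
    if service == "telnet":
        findings.append("cleartext_management")  # credentials travel unencrypted
    if exposed and service == "telnet":
        findings.append("telnet_exposed")        # reachable by internet-wide scanning
    if fw_age_days > max_fw_age_days:
        findings.append("stale_firmware")
    return findings


def audit_inventory(inventory):
    """Audit every device and return {name: findings}."""
    return {dev[0]: audit_device(*dev) for dev in inventory}


def priority(report):
    """Device names ordered by number of findings, worst first; clean devices omitted."""
    ranked = sorted(report.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [name for name, findings in ranked if findings]


if __name__ == "__main__":
    report = audit_inventory(INVENTORY)
    for name in priority(report):
        print(f"{name}: {', '.join(report[name])}")
```

Ordering by the number of findings is a crude but useful triage: the device that combines a factory password, cleartext Telnet, internet exposure and old firmware is the one that would have joined the botnet first.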

Conclusion

Powerful botnets come and go: as soon as information security researchers and law enforcement officers close one network (and sometimes its owners), the next one appears on the horizon, often even more threatening. For mere mortals, the moral here is very simple: put strong passwords on all your devices and update the firmware, and then your computer, router and too smart refrigerator will not start working for a criminal gang.
 