Next-Gen Botnets

Commandeering an autonomous network takes on new meaning in the IoE.


Botnets, once limited to computer networks, are expanding and changing as more devices are connected to the Internet—and becoming much harder to detect and destroy.

The term botnet—a contraction for robotic networks—conjures up the days when it was just a collection of computers that were largely autonomous, on a local network and usually assigned to repetitive tasks. But that is changing fast with the Internet of Things/Everything/Anything and the cloud. Today, with everything being connected to everything else, the potential havoc botnets can wreak is orders of magnitude higher than before.

“Very little thought has been given to this problem,” said Chowdary Yanamadala, vice president of business development at Chaologix. “And the new environment of the IoX is one of the areas where cyber-risk can quickly turn into physical risk. IoX botnets can use smart devices to snoop out information, or as gateways to other networks and devices, so the threat from the next generation of botnets is much greater than the previous generations.”

Nir Krakowski, CEO of Metapacket, agrees: “We have, potentially, a lot of problems ahead of us if we don’t change how we look at IoX security. We are used to designing things to be functional, and then you take care of security.”

That approach will not work going forward, because it’s not just computers anymore. Everything has an IP address, so now it is possible to create IoX botnets that can be made up of anything from toasters to routers to wearables to vehicles.

“In the last couple of years, we have had known botnets that have taken over SoC-style routers,” said Wayne Crowder, director of threat intelligence at RiskAnalytics. “All a hijacker has to do is get a hold of the credential for such devices (a smart TV, for example) and man-in-the-middle the update process. If the attacker can keep the persistence of the update process, they can even load their own firmware on the device.”

So if the end users aren’t aware of any of this, the device, and any other identical devices that have been compromised, can make up a botnet that can wreak havoc on the entire ecosystem of its users. While this isn’t common yet, the probability ratchets up once the IoX becomes more widespread.

Botnets defined
The general definition of a botnet is a network of computers that are linked together and controlled from a single source. Bots allow attackers to take control of any number of computers simultaneously and turn them into what are now being called “zombie” computers. And today just about everything has a compute element of one sort or another, so advanced botnets can make a hacker’s dream come true.

The process to create botnets involves the attacker initiating an automated malware program that has instructions to scan blocks of network addresses. If it finds one or more unprotected or vulnerable units, it infects those computers with a bot that is usually configured to “phone home” to the central command and control, at which time it registers itself as a botnet member and awaits instructions. Such networks can number in the hundreds or thousands and, with the IoX, potentially even millions. And each of these computers becomes connected to the command-and-control server operated by the hacker.

Today, most botnets are used for spamming purposes, virus proliferation, attacks on servers, clogging bandwidth, and other nefarious activities. Some examples include proxy and spam services, denial of service attacks, spreading viruses, clickfraud, identity theft, keylogging, password theft, and attacking Internet servers. Worse, they also can be used for covert intelligence gathering and for destructive purposes such as disrupting critical infrastructure services when the time is right.

So what are the challenges to containing botnets, especially as they morph into IoX botnets (also known as thingbots and thingnets)?

“The big challenge surrounding such nets as they evolve is how to create technology that can detect and secure them,” said Hans Ashlock, director of marketing and engineering for QualiSystems. “The good news is that each of these botnets has a particular type of signature.”

That is a metric that can be used to help security architects to design countermeasures as these botnets evolve to the IoX. But there is still a skills gap to developing those countermeasures.

“Many of the people designing this hardware simply don’t have enough of an understanding of the complexities of the threats out there and how to protect networks, existing and evolving,” said Metapacket’s Krakowski.

A good example is the well-publicized Juniper Networks breach that was discovered last year.

“Another big problem is that so many devices today that will be part of the IoX are running software that was once current, but no longer is,” said Noah Dunker, director of security labs at RiskAnalytics. “Many times the software is never updated, or there isn’t even a mechanism to do that with these devices.” A second problem is that even with devices that can do updates, often they are not cryptographically signed or the update channel is not secure, so virtually anything can be downloaded to these devices by anyone.

This has become problematic recently for home and business routers. “We have seen such routers participate in botnets,” Dunker said. So in today’s landscape, things that are directly on the Internet are the more likely targets. But that is today. Expect the device landscape to expand as more and more devices become connected via the IoX.

Botnets vs. single vectors
The unique thing about botnets is that their signature is one of a massive number of machines, which is unlike most threats. “That makes it a rather unique situation, and modeling that is very different than, say, a threat from a single node where it is an algorithm that is the threat,” said Quali’s Ashlock.

So considering that botnets do have a much different type of signature, that is perhaps the biggest advantage security architects have to deal with the next generation of botnets.

Botnet command and control tools and technology
The infrastructure that hackers use to control botnets is fairly sophisticated. The command and control function must be able to manage bot agents on a large number of machines, perhaps scattered globally. They must also be stealthy and avoid detection. To accomplish that requires a host of technologies and tactics that the hacker must implement.
Typically, botnet command-and-control technologies use one of the following topologies:

Star — This topology uses a single, centralized command-and-control facility to communicate with its agents. All agents are controlled directly from this facility.
Random — This is a much more fluid and autonomous methodology. A random topology, which usually consists of a peer-to-peer relationship or a dynamic master-slave association, does without the centralized command-and-control infrastructure. Instead, commands can be injected into the botnet from any agent, which is what makes this such a desirable topology. It allows the use of “signed” commands, which are authoritative and tell the agent to automatically propagate them to all other agents in the botnet. The big advantage of this methodology is that random botnets lack centralized command and control, which makes them extremely resilient to hijacking and shutdown. The multiple communication paths between agents also make detection difficult. There is a downside, however: the agents can be easy to spot, because one can monitor a single infected host and observe which external hosts it communicates with. Finally, because of the distributed nature of this topology, command latency is a problem, although the multiple communication links among agents mitigate it enough that the approach is still very efficient.
Multi-server — This topology is a dynamic way to control the botnet. As the name implies, it uses multiple, linked servers to communicate with the agents. Distributed systems such as these can cover a lot of territory. Servers can be scattered across the globe and configured to work with local protocols. This is a relatively intelligent platform because multiple command systems are linked and able to communicate with each other to optimally manage the botnet. The selling point here is redundancy. If one server fails, or is discovered and locked out, the remaining servers can still maintain control of the botnet. The downside is that this topology requires more planning, effort and oversight.
Hierarchical — This is perhaps the most dynamic because it reflects an awareness of the methods used in the compromise, and subsequently the propagation of the agents themselves. In this topology, the agents can proxy new command-and-control instructions to previously propagated progeny agents. As the name implies, hierarchical topologies offer a variety of sub-propagation tactics. A typical scenario is that once the initial drive-by download infection is installed, further compromises such as worms can be spawned inside the network. The advantage of this topology is that no single agent is aware of the location or extent of the full botnet. Therefore, it is difficult for investigating entities to acquire a comprehensive understanding of the extent of the botnet. This type of botnet also can be sliced into sub-botnets that can be used by other botnet operators. Its major challenge is that this method requires a great deal of overhead to keep track of everything that is going on at the various levels. Therefore, updating command instructions suffers latency issues, which affect the ability to make real-time decisions.
Mesh networks — This is the newest network topology, and it is being leveraged by professional criminals to attack the wider landscape that is emerging. Mesh nets are capable of compromising vast numbers of computers, far more than the other technologies. Such nets are becoming black-market cloud operations, utilizing the latest double-flux techniques.

Keeping it all together
Without the capability of the agents to remain attached to the net, botnets could not exist. Therefore, they must be continually linked to the command-and-control infrastructure, regardless of the topology used. In that regard, agents must have some sort of connection resilience. There are a few ways that attackers add bulletproofing to botnets.

One method is to use embedded instructions, which doesn’t require any connection back to the central command and control. In this case, the agent simply follows its embedded instruction set for as long as it can. Because this is a static operational mode without any dynamic reconfigurability, such agents and their nets are fairly easy to uncover.

The preferred way is to use some technology that the agents can use to keep in touch with the centralized command and control. There are a number of options, including periodic polling of the command-and-control system by the thingbots, or broadcasts by the command and control that the listening thingbots will hear. This kind of intermittent communication is difficult to uncover and lets the bots reconfigure dynamically based on two-way communication with the command-and-control infrastructure, which also makes such botnets difficult to discover and shut down.
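The random-topology description above notes that a defender can watch a single host and see which external hosts it talks to; combined with the periodic polling described here, the tell is a near-constant check-in interval. The following Python is an added illustration of that periodicity check, not code from the article or from any company quoted in it; the connection log, host names and addresses are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample connection log: (timestamp_seconds, src_host, dst_host).
# Not real traffic. "tv-01" polls one external address roughly every 600 s
# (the beacon) and also talks to a second address at irregular times.
SAMPLE_CONNECTIONS = [
    (0, "tv-01", "203.0.113.10"), (600, "tv-01", "203.0.113.10"),
    (1201, "tv-01", "203.0.113.10"), (1799, "tv-01", "203.0.113.10"),
    (2400, "tv-01", "203.0.113.10"), (3001, "tv-01", "203.0.113.10"),
    (5, "tv-01", "198.51.100.7"), (90, "tv-01", "198.51.100.7"),
    (1500, "tv-01", "198.51.100.7"), (2200, "tv-01", "198.51.100.7"),
    (40, "pc-02", "198.51.100.7"), (3300, "pc-02", "198.51.100.7"),
]


def find_beacons(connections, min_events=5, max_jitter=0.1):
    """Return (src, dst, interval_seconds) for host pairs whose inter-connection
    gaps are nearly constant. max_jitter caps the ratio of the gaps' standard
    deviation to their mean; a genuine poll timer keeps that ratio small, while
    human-driven or bursty traffic does not. Thresholds are illustrative."""
    by_pair = defaultdict(list)
    for ts, src, dst in connections:
        by_pair[(src, dst)].append(ts)

    beacons = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_events:  # too few samples to judge regularity
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((src, dst, round(avg)))
    return beacons
```

A real deployment would group by destination at the /24 or domain level as well, since a polling bot may rotate through several addresses.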

These methodologies work across the board. They give botnets a measure of anonymity and autonomy – which is the key to botnet survival. With the IoX, this is only going to become more prolific. Both embedded instruction sets and connected thingbots will be able to cruise various networks—especially mesh networks—with impunity because the early IoX infrastructure will be rife with devices that will have little or no security. It will be a challenge for the security industry to get a handle on all of this for some time to come.

The botnet threat isn’t going away, and new vectors come in all the time. Devices such as smart TVs, with the capability to autonomously update regularly, are just one example. If such a device is hijacked, it can become a node on a thingnet. The sheer number of new devices, all with IP addresses, will become a real challenge for security architects to protect.

Perpetrators will be harder to discover. They will be able to use a laptop connected to a public or unsecured private network, using anonymizing tools such as The Onion Router (TOR) and encryption to run the botnets and make them less traceable.

Fast flux will be widely implemented and highly effective on mesh networks because of their default configuration: many-to-many device relationships vs. the one-to-many generally seen today. Infected devices can now, potentially, be anything with an IP address and some sort of processing capability. The implications are staggering.
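From the resolver’s side, fast flux looks like a name whose answers rotate rapidly through many addresses, spread across unrelated networks, with short TTLs. The following Python is an added example of scoring DNS answers for that pattern; it is not code from the article, and the names, addresses and thresholds are constructed.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed resolver observations: (query_name, answer_ip, ttl_seconds).
# Not real data. "update.example.org" rotates through addresses in several
# /24s with short TTLs, as a fast-flux name would; "cdn.example.net" is a
# stable record with a long TTL.
SAMPLE_ANSWERS = [
    ("cdn.example.net", "192.0.2.10", 3600),
    ("cdn.example.net", "192.0.2.11", 3600),
    ("update.example.org", "198.51.100.5", 120),
    ("update.example.org", "203.0.113.77", 90),
    ("update.example.org", "192.0.2.200", 60),
    ("update.example.org", "198.51.100.250", 100),
    ("update.example.org", "203.0.113.9", 120),
]


def fast_flux_candidates(answers, max_ttl=300, min_ips=4, min_prefixes=3):
    """Return {name: (distinct_ips, distinct_/24_prefixes)} for names whose
    short-TTL answers spread over many addresses in many /24s. Counting
    prefixes, not just addresses, separates flux from a single provider's
    load-balanced pool. Thresholds are illustrative; tune to your own logs."""
    ips = defaultdict(set)
    prefixes = defaultdict(set)
    for name, ip, ttl in answers:
        if ttl > max_ttl:  # long-lived answers are not flux behaviour
            continue
        ips[name].add(ip)
        prefixes[name].add(ip_network(f"{ip}/24", strict=False))
    return {
        name: (len(ips[name]), len(prefixes[name]))
        for name in ips
        if len(ips[name]) >= min_ips and len(prefixes[name]) >= min_prefixes
    }
```

Legitimate CDNs also use low TTLs and many addresses, so treat a hit as a lead for enrichment (registration age, ASN diversity), not a verdict.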

The next generation of thingbots and thingnets is just beginning to emerge. It is still early, for both the IoX and thingnets, but it is one of the many new and difficult challenges the IoX will present. And much of this next generation of thingnets will be managed by much higher levels of skilled, dedicated, and organized hacking groups. Let’s just hope the industry is ready to respond when the time comes.
