Threat Management, Breach, Threat Intelligence, Data Security, Malware, Network Security, Vulnerability Management

The shadowy world of the advanced persistent threat and botnets


When the term botnet was coined a few years back, it was predominately a Russian criminal threat.

The criminal underground developed botnets because they were going for volume. They needed centralized control to improve efficiency and harvest information. The information market was proven largely with digital identity theft. 

Back then, botnets traditionally were not associated with state-sponsored attacks (sometimes called advanced persistent threats, or APT). While that characterization may have worked five years ago, it is completely outmoded for today's threat landscape.  

Botnets have evolved to become generic remote-access frameworks.

In the beginning, some botnets were hard-coded to perform very specific tasks, such as redirecting ad clicks. In that case, you could tell from the malware code itself the intent of the attacker. Today, determining intent from the malware code itself is much more difficult.  

Botnet products have evolved to become general-purpose — allowing plugins, generic access to the command line, download-and-execute capability, botnet-wide file searching, and basic keylogging and credential stealing. 

Some established botnets have evolved over time. For example, Damballa reported that Monkif, one of the most well-known botnets, has evolved from a generic trojan downloader to having advanced/generalized command-and-control.

Zeus, a botnet traditionally associated with banking fraud, now has a plugin architecture, so any capability is possible. The base source code of Zeus, also known as Zbot, readily is available, and attackers can easily customize the system for any purpose. There are hundreds of custom variations of Zeus in operation today.

Today botnet systems can be purchased and operated by anyone — this type of attack is no longer reserved for Russian mobsters alone.

State-sponsored actors can use botnet capabilities, even buy compromised machines. Offensive attack and exploitation have become part of the military and foreign intelligence infrastructure of many nations. These organizations will have very specific mission objectives that are not necessarily financially motivated. In these situations, any and all means will be used to achieve an objective. And the objective may just be a piece of a larger mission. In this context, any attack could be part of APT, even those that are leveraged through botnets.

Botnet software can be purchased in the underground. There are hundreds of packages available. As a threat actor, you can purchase one of these botnet systems as if it were legitimate enterprise software. Some software is quite advanced.

For example, Zeus' enterprise console rivals some of those you would see on the RSA Conference vendor floor. Once you own a botnet product, you can then set it up and begin exploiting target machines. Once you have a large number of nodes under management, you could use the infected machines for almost any purpose imaginable, including theft of intellectual property.

A market has emerged for the remote access offered by established botnets. Operators can lease their botnets and sell access to third parties.

Every enterprise is infected with multiple botnets. For starters, nine out of ten enterprises show evidence of Zeus botnet activity, according to a recent RSA study. The big ones, Zeus, Conficker, Swizzor, and Koobface are easy to recognize.

There are underground trading sites where access can be bought and sold. Finjan, now M86 Security, exposed one such trading post, the 'Golden Cash' network, in its 2009 Cybercrime Intelligence Report. 

In 2008, Abreo Neto was indicted on charges of leasing his 100,000-node-strong botnet for 25,000 Euros.  Kaspersky Lab revealed that the Shadow botnet, created by a 19-year-old in Holland, had over 100,000 nodes and was put on sale for $36,000. In 2009, the BBC program "Click" purchased a botnet of 25,000 machines just to show how easy it was. Botnet owners can advertise access to specific industry segments, or offer to download and execute a payload of your choice. 

Imagine this IRC message:

#access: I have 343 machines at XXX Oil Inc., 200+ at XXX Petro and Gas, 57 at XXX, Inc., selling access at 10,000 USD for 30 days, will dl an exe and run it for you, $100 per machine, any site.

State-sponsored threats may take advantage of this marketplace in established access. And, if they don't want to purchase access, they can reverse-exploit and take over an existing botnet (as security researchers already have proven possible). 

Established botnets offer access to more than just the Fortune 500 — consider that last year, a botnet of 1.9 million nodes was discovered to include access to 77 government domains in the United States, U.K. and other countries. 

Using a botnet for access may be a starting point for a larger attack. The APT is known to maintain multiple and varied forms of access into a single organization. This reduces the risk that access will be eliminated if any single form of access is discovered. The botnet may be one of many systems in place at a given site.

Beyond the threat to information, the APT can also use botnets to launch secondary attacks. As such, a botnet can be used to hide the country of origin for an attack. The APT have and will continue to purchase and use attack kits, including generic botnet platforms. On numerous occasions they have used malware toolkits as opposed to hand-written malware. From an attribution perspective, this approach also makes sense since it is harder to attribute a toolkit-generated malware than it is for something that was compiled natively.

In conclusion, most malware has the potential to be used by APT, and all malware puts an organization at risk.  

In my day-to-day interaction with some of the top global Fortune 500 and government agencies, I have found that some organizations want to ignore so-called "generic malware" and focus only on "APT malware" — almost to the point where if they drop a malware into virus-total and it comes back with a named-label given by an anti-virus vendor, then they immediately assume it is not APT.

I think this is an irresponsible and potentially dangerous approach. We need to treat any malware that has generic attack capabilities with respect. 

In most cases, we won't know who is behind the keyboard at the other end. 

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.