Botnet Advancements – The latest trends in botnet activities

In my previous post I discussed the basics of a botnet in which we included an infographic giving you a visual representation of how botnets are formed, how they work, and how to not become a zombie. In this new post, I’m going to dive a bit deeper into the latest trends we’ve seen with cybercriminals use of botnets and some of the latest statistics we’ve gathered over the first half of this year.

The one thing we can count on with regards to the cybercriminals is that they will continuously evolve their tools and techniques in committing cybercrimes or targeted attacks. As such, one of the most important aspects of their cybercriminal activities today is to maintain a persistent access to compromised hosts in order to maintain their botnets. This requires them to regularly update the hosts with new malicious code as well as allow them access to the system when they need to perform remote access control. This year, we’ve seen a number of modifications and new techniques used by the hackers to maintain this persistence. Note, the term campaign below is used to describe an attack against organizations and just like a marketing campaign performed by a legitimate organizations, criminals also run their own attack campaign whereby the monitor all aspects of their attack to identify what works and what doesn’t.

1) Siesta Campaign – We first saw this attack earlier this year where the major characteristic of the Command & Control (C&C) for this campaign is that the commands (i.e. instructions) are being served within html pages using different keywords.  Without an in-depth investigation, the html pages can appear as normal aside from a very small/tiny piece of malicious data hidden in the html pages.  The criminals originally instruct the compromised host to access these html pages which will then instruct the host to perform a new activity, say a DDOS or spam run.

2) Antifulai Campaign – We uncovered this attack against organizations within Japan whereby the attacker utilized information about the attacked organization to help them identify if they had successfully breached the target.  The attacker set up the communication between the compromised host and their C&C server using http.  Within the http string they added an acronym of the target company and if the host accessed their webpage they knew they were successful in breaching the organization.  An example of the http request is as follows:

	http://[C&C server domain]/[acronym of target company]/(com.php|update.html)

3) Cloud Apps for C&C – We seen several instances where the botnet herder will use legitimate cloud apps like Evernote and Dropbox to communicate with the compromised hosts.  In the first one, the criminals communicated through an Evernote account within the notes saved in the account.  The second one we just recently found the hackers using Dropbox to update the config file, which instructs the host on what activities to perform.  The use of these cloud applications is to hide their communications within legitimate traffic within most organizations or consumer systems.

As you can see, the criminals managing these botnets (a bot herder) will evolve their techniques over time. This as I stated earlier is the main goal of these hackers which is to maintain a persistent connection between themselves and their zombies.

I mentioned in my earlier post that Trend Micro has been tracking C&C activity for a number of years now, and you can see our global botnet map which shows the most recent activity we’ve seen. I checked with our threat research team who monitors the botnet data and from Jan. 1, 2014 through June 22, 2014 we’ve found the following information.

The total number of unique C&C servers identified was 37,054 with an average of 3,000 new, unique C&C servers added weekly. The total number of victims we found communicating with C&C servers during this period was 1,671,352 with an average number of victims per C&C at about 400.  Note though this was an average as we found one C&C had more than 50,000 victims associated with it. We also track where the victims are located, and for this period the top countries were the United States, Japan, and Taiwan.

As you can see above, the criminals are adding new C&C servers regularly and this is due to the fact that security vendors like Trend Micro are actively identifying and blocking these for our customers. One technique that is becoming more utilized by bot herders is the use of Domain Generated Algorithm (DGA) based C&C servers. What this means is the hacker will install a DGA on the compromised host which automatically generates a new domain if and when the host cannot access an earlier one used as a C&C server. This requires some new technology and use of Big Data on our end. Fortunately for our customers, we’ve been using and developing our Big Data engines since 2005 which are used within the Trend Micro Smart Protection Network™.

As I stated in my previous post, you don’t want to become a zombie and be associated with the living dead on the Internet, so install our free tool RUBotted now. Be assured that as the cybercriminals techniques change, Trend Micro threat researchers will be uncovering them and ensuring we protect our customers from their new threats.