Encyclopedia on botnets


In the fight against cyber crime, it makes sense for companies to be familiar with the meshes of cyber criminals, such as botnets. This includes, among other things, knowing what a botnet is - and Guardicore now wants to achieve this with a botnet encyclopedia. The information in this knowledge database should be continuously updated so that current and past botnet campaigns are optimally documented.

Botnet - infected, hijacked and abused

“Botnet” and “bot network” are two synonymous terms for the same thing: a botnet is a network of hijacked computers, whose owners usually have no idea that their machines are involved. First, the target computer that is to be added to the botnet is infected with malware. Through this malware the attacker takes control of the system; the computer then reacts like a remote-controlled robot, hence “bot”.

Hijacked computers are controlled via so-called command-and-control servers (C&C servers). The attackers who control botnets are known as bot herders or bot masters. Taking over a computer and adding it to a botnet is usually the result of poor security on that computer: the attacker effectively gains administrator privileges. Data can then be viewed, misused and manipulated, and the computer with all its functions and services can be misused for criminal purposes.

Mobile devices such as smartphones or tablets are also at risk

Thus, the users of hijacked computers unintentionally become part of these criminal activities. The remote-controlled computers are used for various activities: spamming, for storing illegal files, for distributing malware or even for DDoS attacks.

Incidentally, not only computers are at risk of becoming part of a botnet; every networked device with Internet access is. This applies in particular to IoT devices, which generally fall far short of the level of protection common on ordinary computers. But mobile devices such as smartphones or tablets can also be hijacked and added to botnets.

Botnets: Tips & Protective Measures

Because networked devices are so widespread and their number keeps increasing, the risk of botnets spreading is very likely increasing as well. As described above, devices such as computers or smartphones can be taken over through security gaps in software or through inattentive or poorly informed users. It follows that a combination of awareness and technical measures reduces the likelihood of unintentionally becoming part of a botnet. On the technical side, these measures are:

  • Updates: Always install updates promptly on all your devices; ideally, automate their installation so that as few security gaps as possible remain open in the software.
  • Firewall: The firewall protects a network from unwanted external access. It is usually integrated in the router and protects the whole network.
  • AV software: Use anti-virus software that is always up to date. Choose a professional anti-malware solution with signature-based and behavior-based malware detection.
  • Monitoring: Check systems and network traffic at regular intervals to uncover infections as quickly as possible. Suspicious activity such as the following could indicate that a device is part of a botnet:
    • Unusually high Internet and network load
    • Extremely high volume of outgoing e-mails
    • Significantly delayed sending of e-mails, noticeably reduced computing performance
    • Massive external scanning of one or more ports
    • Complaints from third parties about spam e-mails that allegedly originated from your own e-mail server
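As an added illustration (not from the article or from Guardicore), the following Python script applies two of the indicators above, an extremely high volume of outgoing e-mail and massive external scanning of a port, to a constructed set of connection records; the log format, thresholds and addresses are assumptions.

```python
from collections import defaultdict

# Constructed flow records (assumed format): "src_ip dst_ip dst_port direction"
SAMPLE_LOG = """\
10.0.0.5 203.0.113.9 25 out
10.0.0.5 203.0.113.14 25 out
10.0.0.5 203.0.113.22 25 out
10.0.0.5 203.0.113.31 25 out
10.0.0.5 203.0.113.40 25 out
10.0.0.5 203.0.113.57 25 out
10.0.0.7 10.0.0.2 25 out
10.0.0.7 198.51.100.8 443 out
198.51.100.20 10.0.0.9 23 in
198.51.100.21 10.0.0.9 23 in
198.51.100.22 10.0.0.9 23 in
198.51.100.23 10.0.0.9 23 in
198.51.100.24 10.0.0.9 443 in
"""

def parse_flows(text):
    """Parse 'src dst port direction' lines into tuples; skip malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("in", "out") or not parts[2].isdigit():
            continue
        flows.append((parts[0], parts[1], int(parts[2]), parts[3]))
    return flows

def mass_mailers(flows, threshold):
    """Internal hosts sending SMTP (port 25) to at least `threshold` distinct destinations."""
    dests = defaultdict(set)
    for src, dst, port, direction in flows:
        if direction == "out" and port == 25:
            dests[src].add(dst)
    return {host: len(d) for host, d in dests.items() if len(d) >= threshold}

def scanned_ports(flows, threshold):
    """(host, port) pairs probed from at least `threshold` distinct external sources."""
    sources = defaultdict(set)
    for src, dst, port, direction in flows:
        if direction == "in":
            sources[(dst, port)].add(src)
    return {key: len(s) for key, s in sources.items() if len(s) >= threshold}

def report(text, mail_threshold=5, scan_threshold=3):
    """Summarise both indicators for a log; thresholds are illustrative only."""
    flows = parse_flows(text)
    return {"mass_mailers": mass_mailers(flows, mail_threshold),
            "scanned_ports": scanned_ports(flows, scan_threshold)}
```

On the constructed log, host 10.0.0.5 is flagged for mass mailing while 10.0.0.7, which only talks to the internal relay, is not; port 23 on 10.0.0.9 is flagged as being probed from several external sources.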

Companies should have basic protection against DDoS attacks and spamming in place. It is also advisable, for private individuals as well as companies, to take a close look at the IoT devices in use. Anti-malware solutions that run locally on the IoT device itself hardly exist, so a solution is needed that can detect malware before it reaches the device and that also shields the device's externally reachable vulnerabilities. Virtual patching is one option here: a Web Application Firewall (WAF) can regulate who may access the relevant application and how, so that the protected applications are shielded from unwanted and/or malicious access. Fundamentally, however, real patching, i.e. fixing the vulnerabilities, is better than virtual patching, which locks out unauthorized third parties instead of fixing the vulnerability.

Guardicore botnet encyclopedia

Guardicore is an Israeli data center and cloud security company. The in-house botnet encyclopedia is intended to summarize threats to companies in a central and freely accessible location. This botnet encyclopedia is based on the Guardicore Global Sensors Network; a network of detection sensors that are used in data centers and cloud environments around the world.

These sensors not only record attack streams in full but also evaluate them. All of this knowledge flows into the botnet encyclopedia, which IT departments, security teams, researchers and the wider cybersecurity community can use to better understand the threats and protect against them. Interested parties can find botnets via a free-text search or look up entries by indicators of compromise (IoCs), for example by IP address, file name or service name.

More on this in the PSW-Group.de blog
