
Dawn of the Botnets

Command Line Heroes Team
Security
History of technology


About the episode

Overwhelming numbers are scary—even in the best of circumstances. You can plan for them, build up your defenses, and do everything imaginable to prepare. But when that horde of zombies hits, their sheer numbers can still cause devastation.

Botnets are digital zombie hordes. Jamie Tomasello recounts the scale of the Bredolab botnet—and the many malicious kinds of missions it carried out. Martijn Grooten explains how botnets work, and why they can be so difficult to permanently dismantle. And Darren Mott shares some of the successes the FBI had in rounding up some of the world’s most prolific bot herders.

Command Line Heroes Team, a Red Hat original show


Transcript

Authorities aren't sure if it's a virus alive or dead. There appear to be hundreds, thousands. They're here! Lock the door. Get something in front of it. Don't worry. They're safe, for now anyway. We need more things against the door.

But you know how this plays out. When zombies are on the prowl, no defense can last forever. Eventually, zombie hordes will break through the defenses. There's just too many of them. They overwhelm the most prepared group, and this particular army of zombies is especially dangerous because they've got a leader. They're being herded by a villain and that villain has a target. That villain has a plan.

Zombies: millions of mindless soldiers that can overwhelm your defenses just by their sheer numbers. You've got The Walking Dead or maybe 28 Days Later in your head. But now, I want you to imagine all those flesh and blood zombies are computers, a botnet of zombified computers. Just like zombies in the movies, these computers don't have free will. They behave as a giant army controlled by a botnet herder who tells them what to do.

What's so scary about a botnet of zombie computers? Imagine that zombie attack you just heard was a botnet of computers, overwhelming your website with traffic, a denial of service attack, or maybe every zombie computer is conspiring in a global spam campaign. There are a hundred different ways you can mobilize a botnet army and the incredible scale of these botnets really can break down doors. There are literally billions of computers and devices connected to the internet. That's a lot of potential zombies.

I'm Saron Yitbarek and this is Command Line Heroes, an original podcast from Red Hat. This season we're featuring security horror stories. If you've been listening since episode one, you'll have learned about viruses and trojan horses and other kinds of malware that threaten our digital lives.
This time we're facing up to botnets, figuring out what damage they can do, and how we can start fighting back before they flood through the gates.

It's the fall of 2009 and Kenny had just got an email. Looks like it's from a social media platform he uses all the time; one that he trusts and depends on. It has all his family photos. His friends use it to keep in touch. The email says the platform has reset his password for security purposes and he'll need to take action if he wants to get into his account.

I don't want to get locked out.

The email includes an attachment and it looks like Kenny needs to open that attachment in order to get his new password.

That's strange.

Don't do it, Kenny. Oh, Kenny. That attachment turned out to be a zip file containing a downloader trojan. It got to work downloading malware onto his computer. And without Kenny ever realizing it, his computer became a zombie. It was now part of a botnet called Bredolab. I know you're thinking, "I wouldn't have been like Kenny. I wouldn't make that mistake." But here's the thing, in 2009, 30 million computers joined that same botnet. Bredolab was huge and it was ready to do some damage.

What we had seen is an uptick of messages being reported as spam.

Jamie Tomasello is the head of security programs and security governance, risk, and compliance at Gusto. They're a payroll and HR management company. She remembers the Bredolab moment as a point in history, 2009, when social media platforms were starting to get pared down leaving room for just a few mega companies.

We were seeing a transition from some social networks that were really popular to now the one that is predominantly used and that we're all familiar with.

A consequence of that was if you could design a trojan that fooled people into thinking you were part of that one trusted company, you could get yourself a lot of zombies. All at once. That's what the creator of Bredolab was counting on.
Security pros like Tomasello quickly realized that people like Kenny were being dragged into the botnet. Their computers were getting zombified, so the hackers' message was marked as spam and yet...

The interesting part here is how many people actually... Once we started marking this message as spam, the number of people that went into their spam box or their junk folder... that point in time eight percent... and pulled it out because they thought it was legitimate.

Eight percent of users were falling victim to Bredolab, even after the message went to their spam folders. I guess if a social engineering play is compelling enough it's always going to get some traction.

When we think about victim behavior and we think about people's dependency on social media networks, we can tell that the content was very impactful and it resonated with people. A very well-crafted spam message can trigger people to action. It triggers their fear around, "Oh goodness, a password reset confirmation? I need to get back in."

The Bredolab botnet was eventually taken down in 2010, but not before it had infected millions of computers worldwide. And Bredolab was just one of many botnets operating at the time.

My name is Martijn Grooten. I'm the head of threat intelligence research at Silent Push.

Grooten has been tracking botnets for over a decade. He's seen how they've evolved and how they operate.

Botnets are essentially networks of compromised computers that are controlled remotely by cybercriminals. The computers in a botnet are often called 'bots' or 'zombies' because they're controlled by someone else without the owner's knowledge. Think of it like a puppet master controlling an army of marionettes. The botnet herder pulls the strings, and all the zombie computers dance to their tune. The way botnets typically work is that malware gets installed on a computer, often through email attachments, malicious websites, or software vulnerabilities.
Once installed, this malware connects back to a command and control server, which is operated by the cybercriminals. That command and control server is like the brain of the operation. It's where the botnet herder sends out instructions to all the zombie computers. Through this command and control infrastructure, the cybercriminals can instruct all the infected computers to perform various malicious activities. This could be sending spam emails, launching distributed denial-of-service attacks, stealing personal information, or even mining cryptocurrency.

The scale of some botnets is truly staggering. We're talking about networks that can include millions of infected computers all working together. The Conficker botnet, for example, infected an estimated 10 to 15 million computers worldwide. The Storm botnet was thought to have infected around 50 million computers at its peak. These are massive networks with incredible computing power at the disposal of cybercriminals. And the damage they can cause is proportional to their size. A botnet with millions of zombie computers can generate enormous amounts of spam, overwhelm websites with traffic, or steal massive amounts of personal data.

What makes botnets particularly dangerous is their versatility. The same botnet that's used to send spam today could be used to launch a DDoS attack tomorrow or to steal banking credentials next week. The cybercriminals can essentially rent out portions of their botnet to other criminals for different purposes. It's like having a massive army that you can deploy for different missions at will. And that flexibility makes botnets incredibly valuable to cybercriminals. The business model around botnets has become quite sophisticated. There are botnet-as-a-service operations where criminals can rent access to infected computers.
There are specialized groups that focus on different aspects of the operation - some focus on the initial infection, others on maintaining the command and control infrastructure, and still others on monetizing the botnet. This professionalization of cybercrime has made botnets more resilient and harder to take down. When law enforcement shuts down one part of the operation, other parts can quickly adapt and continue functioning.

Modern botnets also use sophisticated techniques to avoid detection. They might use encrypted communications, frequently change their command and control servers, or use peer-to-peer networking instead of centralized servers. These evasion techniques make it much harder for security researchers and law enforcement to track and dismantle botnets.

One of the biggest challenges in fighting botnets is that taking down the command and control infrastructure doesn't necessarily kill the botnet. The malware is still on all those infected computers, and the criminals can often re-establish control using backup servers or alternative communication methods. It's like cutting off the head of a hydra - two more heads might grow back in its place. That's why many security experts focus on disruption rather than complete elimination. The goal is to make it more expensive and difficult for cybercriminals to operate their botnets, even if you can't completely destroy them.

But law enforcement has had some notable successes in taking down major botnets. The takedown of the Bredolab botnet in 2010 was a significant victory. The Bredolab takedown was a coordinated international effort involving law enforcement agencies from multiple countries. They managed to seize the command and control servers and arrest the person behind the botnet. This kind of international cooperation is crucial because botnets are global operations.
The person controlling the botnet might be in one country, the command and control servers in another, and the infected computers spread across the globe. That global nature of botnets makes them challenging to investigate and prosecute. You need cooperation between law enforcement agencies, internet service providers, and security researchers from multiple countries. Despite these challenges, there have been some major victories. The takedown of the Dridex botnet, the disruption of the Mirai botnet, and the ongoing efforts to combat various other botnets show that it is possible to fight back. Each successful takedown also provides valuable intelligence that can be used to understand how these operations work and how to better defend against them in the future.

But the fight against botnets isn't just up to law enforcement and security professionals. Individual users play a crucial role in preventing their computers from becoming part of a botnet. The best defense against botnets starts with good security hygiene. Keep your operating system and software up to date, use reputable antivirus software, be cautious about email attachments and links, and avoid downloading software from untrusted sources. These might seem like basic recommendations, but they're incredibly effective. Most botnet infections happen because of known vulnerabilities that have already been patched or through social engineering attacks that prey on human psychology.

Education is also key. If more people understand how botnets work and how to recognize the signs of infection, we can collectively reduce the number of computers that get compromised. And if you suspect your computer might be infected, it's important to take action quickly. Disconnect from the internet, run a full system scan with updated antivirus software, and consider seeking help from a security professional.
The sooner an infection is detected and cleaned up, the less damage it can do and the less value it provides to the cybercriminals. Organizations also have a responsibility to protect their networks and educate their employees about the risks. A single infected computer in a corporate network can potentially compromise the entire organization. Corporate networks are often attractive targets for botnet operators because they typically have faster internet connections and are always online, making the infected computers more valuable.

The fight against botnets is ongoing and evolving. As security measures improve, cybercriminals develop new techniques. As law enforcement gets better at tracking them down, they find new ways to hide. It's an arms race, but it's one where the good guys are making progress. The key is to stay vigilant, stay informed, and work together to make it as difficult as possible for cybercriminals to succeed.

Now let's hear from someone who's been on the front lines of this fight - an FBI agent who's dedicated his career to taking down the people behind these massive botnet operations.

I was a high school teacher before becoming an FBI agent.

Darren Mott spent 20 years working on cyber crime at the FBI. Back when he started out, most of the FBI's field offices didn't even have cyber squads. The Bureau's Cyber Division didn't exist before 2002 and by the time those huge attacks, Storm, Kraken, Conficker, were coming around, the FBI was able to respond. In 2007, they started something called Operation Bot Roast, their biggest effort to hunt down the bot herders and end their game.

If you could get access to a compromised machine that was still working, you could then monitor it and see where the command and control center was coming from. So from that, you could backtrack and say, "Here's the command and control for this botnet. Where's that located?"
Hunting down botnet herders requires international cooperation: not an easy task, especially in cases where countries don't have treaties.

In most cases, a lot of the command and control was not in the United States, so we had to get assistance from foreign partners. And at the time, the best foreign partner we really had were the Dutch.

That's because a lot of criminals were using Dutch infrastructure. Maybe they'd have gone elsewhere though if they knew how easy it is to get wiretaps in the Netherlands, much simpler than it is in the States.

The Dutch don't have those restrictions. It's a lot easier for them to say, "We're going to go monitor that machine right there."

Between wiretapping and human informants, the FBI started to get a hold of this vast international ring of botnet herders. And when they made their arrests, they did it in one fell swoop.

As soon as the first search warrant or arrest warrant would've happened, all the other botnet people would've changed their techniques and we would've lost a lot of intelligence; they would've moved infrastructure; they would've destroyed evidence.

So they wanted to do it all at once. Bot Roast was so successful, resulting in actual convictions and botnet dismantling, that the FBI ran Bot Roast II just a couple years later. Their work disrupting botnets ramped up and continues to this day.

It's not like the bots are going away. Bots still exist today. There are still plenty of botnets out there doing bad things.

These days, Mott says the FBI is less likely to find individual bot herders like 27-year-old Avanesov who was running the Bredolab botnet. Things are more organized.

Do you have individual bot herders still? I'm sure you do. Not looking for those. Looking for those organized criminal enterprises, largely coming out of Eastern Europe. So the goal is to get as high – it's like any other investigation. How high up the chain can you get?

And those higher ups are getting better and better at hiding.
It's harder now than it was 15 years ago, simply because their operational security has gotten better. So on the dark web, they can communicate and they can sell. I'm sure there's botnet as a service you can buy on the dark web, and there's communication platforms where they communicate about all this stuff.

Internet service providers, ISPs, at this point, have a relatively easy time identifying botnets. They're going to notice some crazy changes in traffic. They can recognize the botnet signatures, but that doesn't cut off the serpent's head.

If you can find the leaders, they're the ones benefiting the most from this, doing the most damage, and they're the ones you want to get. So, the biggest challenge is attribution, trying to give attribution to who's doing it, especially now with encrypted communications, trying to get into these channels to talk. The encrypted traffic they use to do their command and control makes it very hard.

Something we've discovered this season is that cyber criminals and security teams are in a kind of arms race. Everyone is trying to up their encryption, up their decryption, make use of bleeding edge technology to out-maneuver each other.

Because in the cyber world, you have to be creative in what it is you do to infiltrate these groups to come up with operations to identify the evidence you need to figure out who's running this bot now.

Taking down those command and control servers can feel like a game of Whack-A-Mole. You take one down, but the code is still at large and another variation pops up somewhere else, but you're at least forcing the bot herders to find new infrastructure. You're making it expensive for them to keep running their scam. From Mott's perspective, the FBI and other security forces are in the business of making bot herding more painful, but they know there's no endpoint, no silver bullet. There is good news. Spam has actually been decreasing in recent years.
The battle against botnets has done that much at least, and we each can make a difference in that fight by keeping software up-to-date, or just staying skeptical of dodgy emails and their attachments. Vigilance is the key because each botnet you've heard about in this episode, Bredolab, Storm, Kraken, they're all just sets of code that can always be reanimated, tweaked just enough to slip through the gates. Our job is to remember that every computer, no matter how innocent its user, could become a weapon if we let in a botnet's code. Keeping a simple laptop safe can protect the whole world from the botnet zombie armies that may come marching tomorrow.

I'm Saron Yitbarek and this is Command Line Heroes, an original podcast from Red Hat. Next time on the show, we're learning about another terrifying attack style, the machine in the middle where interlopers get between you and your bank, you and your friend, you and your government. It's eavesdropping on steroids. Until then, keep on coding.
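Two things the episode describes from the defender's side are a bot's periodic check-in with its command and control server (Grooten) and the "crazy changes in traffic" that let an ISP spot a bot once it starts a spam or flooding job (Mott). The following is an added example, written for this transcript and not code from the podcast, Red Hat or any of the guests, that shows how both patterns can be picked out of a connection log. The log format (epoch seconds, source, destination, destination port, bytes), the sample records, the hosts and addresses, and the thresholds are all constructed for the example.

```python
from collections import defaultdict
from statistics import mean, median, pstdev

# Constructed sample flow records (not real data). Format per line:
#   epoch_seconds src dst dport bytes_out
# 10.0.0.5 contacts one external host every ~300 s with almost no jitter
# (the check-in shape of a bot polling its C2); 10.0.0.7 is ordinary,
# irregular browsing; 10.0.0.9 opens 40 SMTP connections inside a single
# minute, the traffic-volume shape of a spam run.
SAMPLE_FLOWS = """
1000 10.0.0.5 203.0.113.9 443 612
1300 10.0.0.5 203.0.113.9 443 604
1601 10.0.0.5 203.0.113.9 443 611
1899 10.0.0.5 203.0.113.9 443 608
2200 10.0.0.5 203.0.113.9 443 615
2501 10.0.0.5 203.0.113.9 443 610
1000 10.0.0.7 198.51.100.20 443 8123
1540 10.0.0.7 198.51.100.21 443 14201
1980 10.0.0.7 198.51.100.22 80 2201
2450 10.0.0.7 198.51.100.23 443 9902
""" + "\n".join(
    f"{2000 + i} 10.0.0.9 192.0.2.{40 + i % 20} 25 900" for i in range(40)
)


def parse_flows(text):
    """Parse the constructed log format into (ts, src, dst, dport, bytes) tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, nbytes = line.split()
        flows.append((int(ts), src, dst, int(dport), int(nbytes)))
    return sorted(flows)


def find_beacons(flows, min_count=5, max_cv=0.05):
    """Flag (src, dst, dport) channels whose inter-connection gaps are nearly
    constant. A coefficient of variation (stddev / mean) near zero means the
    connections fire on a timer rather than on a human's schedule, which is
    what a bot's periodic C2 check-in looks like. Returns
    {channel: (connection_count, mean_gap_seconds, cv)}."""
    times = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        times[(src, dst, dport)].append(ts)
    beacons = {}
    for channel, ts_list in times.items():
        if len(ts_list) < min_count:
            continue  # too few samples to call it periodic
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        m = mean(gaps)
        cv = pstdev(gaps) / m if m > 0 else float("inf")
        if cv <= max_cv:
            beacons[channel] = (len(ts_list), round(m, 1), round(cv, 3))
    return beacons


def find_volume_spikes(flows, window=60, min_connections=20, factor=5):
    """Flag hosts whose outbound connection count in one time window is far
    above the typical per-host rate in the log. The baseline is the median
    count over all (host, window) buckets, so one noisy host does not drag
    the threshold up. Returns sorted [(src, window_start, count)]."""
    counts = defaultdict(int)
    for ts, src, _, _, _ in flows:
        counts[(src, ts - ts % window)] += 1
    baseline = median(counts.values())
    threshold = max(min_connections, factor * baseline)
    return sorted(
        (src, start, n) for (src, start), n in counts.items() if n >= threshold
    )


def analyse(text=SAMPLE_FLOWS):
    """Run both detectors over a log and return their findings together."""
    flows = parse_flows(text)
    return {"beacons": find_beacons(flows), "spikes": find_volume_spikes(flows)}


if __name__ == "__main__":
    report = analyse()
    for (src, dst, dport), (n, gap, cv) in report["beacons"].items():
        print(f"beacon: {src} -> {dst}:{dport} {n} connections every ~{gap}s (cv={cv})")
    for src, start, n in report["spikes"]:
        print(f"volume spike: {src} opened {n} connections in window starting at {start}")
```

Running it reports the one periodic channel (10.0.0.5 to 203.0.113.9:443, six connections about 300 seconds apart) and the one burst (10.0.0.9, 40 connections in the window starting at 1980), while the browsing host trips neither check. In a real deployment both detectors need an allowlist, because legitimate software also polls on a timer (update checks, monitoring agents) and some hosts legitimately send a lot of mail; the point of the example is the shape of the signal, not the exact thresholds.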

About the podcast

Command Line Heroes

During its run from 2018 to 2022, Command Line Heroes shared the epic true stories of developers, programmers, hackers, geeks, and open source rebels, and how they revolutionized the technology landscape. Relive our journey through tech history, and use #CommandLinePod to share your favorite episodes.