Just when defenders think they have successfully eliminated a threat, attackers come back with new variants capable of circumventing previous blockades. This is the case with the Mirai botnet, self-propagating malware that first caused widespread disruption through home routers and other consumer devices in 2016. What is a botnet, and how are botnets evolving to stay ahead of defenders? As Mirai demonstrated again as recently as this month, the future of botnets is IoT.

What is a botnet?

A botnet is a group of computers connected in a coordinated fashion for malicious purposes. Botnets are made up of individual machines, called bots, that have fallen under the control of cybercriminals. Most often, the criminals first infect each machine with malware and then connect the infected machines into a giant botnet army. Botnets are used to launch expansive criminal activity such as coordinated distributed denial-of-service (DDoS) attacks or large-scale spam campaigns. In many cases the owner of an individual computer may not even know it is being used for illegal activity, which is why infected machines are called zombie computers, or bots.

How botnets are gaining strength

Unlike traditional botnets made up of computers, Mirai began as the project of a few young hackers looking for a competitive edge in the business of hosting Minecraft servers. The idea quickly grew into a connected army of internet of things (IoT) devices such as routers, IP cameras and digital video recorders, recruited by scanning the internet for devices that still accepted factory-default Telnet logins. Then, in the fall of 2016, the Mirai botnet orchestrated a massive distributed denial of service (DDoS) attack against the DNS provider Dyn, which resulted in outages at Twitter, Netflix, CNN and many other big brands in the U.S. and Europe.

Mirai has continued to evolve since then, with new variants appearing regularly. As recently as this month, reports surfaced of a collection of new Mirai samples compiled for “Altera Nios II, OpenRISC, Tensilica Xtensa and Xilinx MicroBlaze processors,” soft cores and embedded processors found in FPGA-based and other embedded devices rather than in PCs. According to the researchers, each newly supported processor increases the number of devices that can be recruited into the Mirai botnet.
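The “compiled to run for” claim above is checked in practice by reading a sample’s ELF header: the e_machine field names the target CPU, and the byte order of that field is whatever the file declares in its identification bytes. The Python below is an added example written for this article, not code from the original post or from the researchers cited. The sample headers are constructed inside the script (headers only, no code), and the e_machine values are the ones defined in the ELF specification and Linux elf.h.

```python
import struct

# ELF e_machine values (ELF specification / Linux elf.h) for the architectures
# named in the report plus the ones earlier Mirai builds commonly shipped for.
EM_NAMES = {
    2: "SPARC",
    3: "x86",
    8: "MIPS",
    20: "PowerPC",
    40: "ARM",
    42: "SuperH",
    62: "x86-64",
    92: "OpenRISC",
    94: "Tensilica Xtensa",
    113: "Altera Nios II",
    183: "AArch64",
    189: "Xilinx MicroBlaze",
}

ELF_MAGIC = b"\x7fELF"


def elf_target(blob: bytes) -> dict:
    """Return class, endianness and target CPU of an ELF file from its header.

    Only the first 20 bytes (e_ident + e_type + e_machine) are needed. e_machine
    is read in the byte order the file declares in e_ident[EI_DATA], so a
    big-endian MIPS or OpenRISC sample is decoded correctly.
    """
    if len(blob) < 20 or blob[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = blob[4], blob[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("corrupt ELF identification bytes")
    order = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack_from(order + "HH", blob, 16)
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "e_machine": e_machine,
        "arch": EM_NAMES.get(e_machine, f"unknown (0x{e_machine:02x})"),
        "executable": e_type == 2,  # ET_EXEC; Mirai builds are static executables
    }


def make_header(e_machine: int, bits: int = 32, little: bool = True) -> bytes:
    """Build a minimal, constructed ELF header (no code) for the demonstration."""
    # e_ident: magic, EI_CLASS, EI_DATA, EI_VERSION, EI_OSABI, then 8 pad bytes
    e_ident = ELF_MAGIC + bytes([1 if bits == 32 else 2, 1 if little else 2, 1, 0]) + b"\x00" * 8
    order = "<" if little else ">"
    # e_type=2 (ET_EXEC), e_machine, e_version=1
    return e_ident + struct.pack(order + "HHI", 2, e_machine, 1)


# Constructed samples standing in for a batch of variant binaries pulled from a
# honeypot. Endianness per sample is chosen here only for illustration.
SAMPLES = {
    "sample_nios2": make_header(113, little=True),
    "sample_openrisc": make_header(92, little=False),
    "sample_xtensa": make_header(94, little=True),
    "sample_microblaze": make_header(189, little=False),
    "sample_arm": make_header(40, little=True),
    "sample_mipsbe": make_header(8, little=False),
}


def triage(samples: dict) -> dict:
    """Map each sample name to the architecture it was built for."""
    return {name: elf_target(blob)["arch"] for name, blob in samples.items()}


if __name__ == "__main__":
    for name, arch in triage(SAMPLES).items():
        print(f"{name:20s} {arch}")
```

Reading the header rather than trusting a filename matters because the loader-facing names used by these campaigns are usually just the architecture string the dropper picks, and an unknown e_machine value is exactly the signal that a campaign has added a CPU you do not yet have a sandbox for.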

Even in the three short years since Mirai was first discovered, the number of IoT devices has grown enormously. Printers, IP cameras, building controls, wearables and many other smart devices are now commonly used both at work and at home. With an internet connection built into each one, every one of them is a candidate for botnet control and, in turn, a source of large-scale DDoS attacks and other criminal activity.

Preventing a botnet attack

What can you do to keep your devices out of a botnet? First, you need visibility into what devices you have and which security controls each one is running. Are those controls still working? Is the device still where it should be, on the network segment you expect? Another important early step is to change the default password set by the device manufacturer: Mirai and its descendants spread precisely by logging in with factory credentials that nobody changed. Customize your devices, all of them, and harden each one individually.
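The three questions above (what is deployed, is it still where it belongs, and is it still on factory credentials) can be turned into a scheduled check over whatever device register you keep. The Python below is an added example written for this article, not Absolute’s product code or anything from the original post. The inventory records, subnets and default-credential list are constructed for the demonstration, and the script assumes the register records the login each device was provisioned with; a real deployment would reference a credential vault rather than store passwords in the register.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample of factory-default logins. A real audit would load the
# vendor documentation for each device class or a maintained default list.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", "1234"),
    ("root", "root"),
    ("root", "12345"),
    ("user", "user"),
}

# A device that has not reported in for this long is treated as missing.
STALE_AFTER = timedelta(days=7)


def audit_inventory(devices, now, default_creds=DEFAULT_CREDENTIALS, stale_after=STALE_AFTER):
    """Return a list of (device_id, finding, detail) tuples.

    Each device record is a dict with:
      id, expected_subnet (CIDR), last_seen_ip, last_seen (aware datetime),
      username, password  (the login the device was provisioned with)
    Findings raised: default_credential, stale_checkin, moved_off_network.
    A single device can raise all three.
    """
    findings = []
    for dev in devices:
        dev_id = dev["id"]

        # 1. Still on the manufacturer's default login?
        if (dev["username"], dev["password"]) in default_creds:
            findings.append((dev_id, "default_credential",
                             f"still using factory login {dev['username']}/{dev['password']}"))

        # 2. Still checking in at all?
        age = now - dev["last_seen"]
        if age > stale_after:
            findings.append((dev_id, "stale_checkin",
                             f"last seen {age.days} days ago at {dev['last_seen_ip']}"))

        # 3. Still on the network segment it was deployed to?
        net = ipaddress.ip_network(dev["expected_subnet"], strict=False)
        if ipaddress.ip_address(dev["last_seen_ip"]) not in net:
            findings.append((dev_id, "moved_off_network",
                             f"reported from {dev['last_seen_ip']}, expected {net}"))
    return findings


# Constructed inventory: one clean device, one still on defaults, and one DVR
# that is overdue, exposed from a public address, and on a default login.
NOW = datetime(2019, 4, 15, tzinfo=timezone.utc)
INVENTORY = [
    {"id": "cam-lobby-01", "expected_subnet": "10.20.0.0/24", "last_seen_ip": "10.20.0.41",
     "last_seen": NOW - timedelta(hours=2), "username": "admin", "password": "admin"},
    {"id": "printer-3f", "expected_subnet": "10.30.0.0/24", "last_seen_ip": "10.30.0.12",
     "last_seen": NOW - timedelta(days=1), "username": "svc-print", "password": "Qp7!nL2#wZ9r"},
    {"id": "dvr-warehouse", "expected_subnet": "10.40.0.0/24", "last_seen_ip": "203.0.113.77",
     "last_seen": NOW - timedelta(days=12), "username": "root", "password": "12345"},
]


def devices_needing_action(findings):
    """Distinct device ids with at least one finding, for the ticketing step."""
    return sorted({dev_id for dev_id, _, _ in findings})


if __name__ == "__main__":
    for dev_id, finding, detail in audit_inventory(INVENTORY, NOW):
        print(f"{dev_id:16s} {finding:20s} {detail}")
    print("action needed:", ", ".join(devices_needing_action(audit_inventory(INVENTORY, NOW))))
```

Run against a register export on a schedule, the stale and moved checks answer the visibility questions and the credential check answers the password one; the value is in combining them, since the device that has gone quiet and reappeared from an unexpected address while still on a factory login is the one most likely already recruited.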

If you would like more information on botnets and how they work, watch the next episode of our Cybersecurity Insights video below. And while you’re at it, watch and subscribe to our full Cybersecurity Insights video series on YouTube.

Video Transcript:

Hey everyone, it’s Josh from Absolute. We’ve been talking about cyber threats and in today’s episode, we look at one of the shadowy characters: botnets.

The term botnet is a mashed-together term that comes from robot and network.

A botnet is an array of hacked computers, connected together so they can team up to perform cyber-attacks.

Typically, the user is totally unaware that their device has been compromised and joined some rebel army; this is one reason that computers inside the botnet are often called ‘zombie computers’.

These zombies are controlled by a number of protocols, including: Telnet, IRC, Peer-to-Peer (P2P), and domain controls.

These control systems allow the cybercriminal to link the hacked machines together for a powerful and coordinated attack.

So what do they do, these botnets? The most common form of botnet attack is denial of service, which can also be widespread, hitting many of your resources at once. This is called a distributed denial of service attack or DDoS.

When a collection of zombie computers within the botnet send millions of requests to something like a webserver, the webserver can crash…leaving legitimate requesters unable to access the service.

Beyond denial of service attacks, botnets have been observed launching spyware, email spamming, click fraud, and GPU mining; enslaving millions of machines to churn out cryptocurrencies.

In 2018, 37% of botnet zombie computers were endpoints in the United States.

That’s right! Although most botnets are controlled outside the U.S., close to half of the machines are working inside the USA.

We just don’t know it, because most of the time…we lack visibility to every device – especially those off the corporate network.

The largest botnet of all time (so far) was called BredoLab, also known as Oficla, and had more than 30 million zombie computers to do its bidding. Thankfully, BredoLab was dismantled in 2010.

Botnet attacks are dangerous because they don’t come with a return address; you can’t know for sure who’s doing it and when it’ll happen.

Even though we can’t predict botnet attacks, we can reduce their odds of success with ceaseless endpoint visibility and control.

Don’t forget to like and comment below. And remember to subscribe to get more Cybersecurity Insights. I’ll see you next time.