Two security researchers who go online only by their nicknames, 2sec4u and MalwareTech, have been tracking some of these Mirai-based botnets via the @MiraiAttacks Twitter account and the MalwareTech Botnet Tracker.
"You can see when they [massive botnet operators] launch DDoS attacks because the graph on my tracker drops by more than half," MalwareTech told Bleeping Computer. "They have more bots than all the other Mirai botnets put together."
The hacker behind this botnet is BestBuy, also known as Popopret, the same hacker behind the GovRAT malware that was used to breach and steal data from countless US companies. More details about their previous endeavors are available in an InfoArmor report released this autumn. BestBuy is part of a core group of hackers who were active on the infamous Hell hacking forum, considered at one point the main meeting place for many elite hackers.
"DDoS cooldown" is the term for the pause between consecutive DDoS attacks. Botnet operators enforce cooldown periods to avoid maxing out connections and needlessly saturating bandwidth, and also to keep infected devices from timing out and dropping off the botnet during prolonged attack waves.
The original Mirai botnet was limited to only 200,000 bots. As security researcher 2sec4u told Bleeping Computer, this was because the Mirai malware only supported spreading by brute-force login attempts over Telnet, using a hardcoded list of 60 username and password combinations.
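The Telnet credential brute-forcing described above leaves a very recognisable trace on any device or honeypot that logs login attempts: a burst of attempts from one source, each trying a different factory-default pair, often ending in a success. The script below is an added example written for this page, not code from Bleeping Computer, the researchers quoted, or the Mirai source. The log format, the sample lines and the credential set are all constructed for illustration; the credential set is a small assumed subset of common IoT defaults, not Mirai's actual 60-entry table.

```python
"""Added example: flag Mirai-style Telnet credential brute-forcing in a
simple per-attempt login log.

Assumptions (constructed for this example, not from the article):
- one attempt per line, format "<ISO ts> telnet <src_ip> login <user>/<pw> OK|FAIL"
- DEFAULT_CREDS is an illustrative subset of IoT factory defaults
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): one source tries six defaults in
# four seconds and gets in on the seventh; another makes two slow attempts.
SAMPLE_LOG = """\
2016-11-28T10:00:01 telnet 203.0.113.7 login root/admin FAIL
2016-11-28T10:00:02 telnet 203.0.113.7 login admin/admin FAIL
2016-11-28T10:00:02 telnet 203.0.113.7 login root/root FAIL
2016-11-28T10:00:03 telnet 203.0.113.7 login support/support FAIL
2016-11-28T10:00:03 telnet 203.0.113.7 login root/12345 FAIL
2016-11-28T10:00:04 telnet 203.0.113.7 login user/user FAIL
2016-11-28T10:00:04 telnet 203.0.113.7 login root/password OK
2016-11-28T10:05:00 telnet 198.51.100.9 login root/mysecret FAIL
2016-11-28T10:05:30 telnet 198.51.100.9 login root/mysecret OK
"""

# Assumed illustrative defaults; a real deployment would load the full list
# of credentials its devices shipped with.
DEFAULT_CREDS = {
    ("root", "admin"), ("admin", "admin"), ("root", "root"),
    ("support", "support"), ("root", "12345"), ("user", "user"),
    ("root", "password"),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnet (?P<ip>\S+) login (?P<user>[^/]+)/(?P<pw>\S+) (?P<res>OK|FAIL)$"
)


def parse_log(text):
    """Yield (timestamp, ip, user, password, success) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        yield (datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["pw"],
               m["res"] == "OK")


def find_bruteforcers(text, window=timedelta(seconds=30), threshold=5):
    """Return {ip: report} for every source that made >= threshold attempts
    inside any sliding `window`. The report records how many attempts used a
    known default pair and whether any attempt eventually succeeded, which is
    the case that needs an immediate response."""
    attempts = defaultdict(list)
    for ts, ip, user, pw, ok in parse_log(text):
        attempts[ip].append((ts, (user, pw), ok))

    flagged = {}
    for ip, rows in attempts.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # slide the window start forward until rows[start..end] fit in it
            while rows[end][0] - rows[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {
                    "attempts": len(rows),
                    "default_creds": sum(1 for _, c, _ in rows if c in DEFAULT_CREDS),
                    "succeeded": any(ok for _, _, ok in rows),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, report in find_bruteforcers(SAMPLE_LOG).items():
        print(ip, report)
```

The threshold and window are tuning knobs: Mirai-style scanners try their whole list within seconds, so a tight window with a low count catches them while leaving a human who mistypes a password twice untouched. The slower second source in the sample is not flagged at the defaults, but lowering the threshold shows it would be with its two attempts, and with no default credentials involved.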
The same capability was observed by MalwareTech, who tweeted about it three days ago. In a private conversation, MalwareTech confirmed that the big Mirai botnet they were tracking was capable of bypassing DDoS mitigation systems.
Bleeping Computer asked BestBuy to run a demo DDoS attack against a test server, or at least to provide a screenshot of their backend. In private conversations, the hacker respectfully declined to offer any evidence of the botnet's capabilities.
The two also declined to take credit for any DDoS attack that might tie their botnet's infrastructure to previous attacks. When asked if their botnet was used in any high-profile attacks, Popopret said: "we do not monitor our clients."
Popopret was well aware that 2sec4u and MalwareTech were tracking the botnet. Despite the hacker's refusal to carry out a test DDoS attack, their reputation, their reluctance to expose their infrastructure in any way, clues in their XMPP ad, and the observations of security researchers all suggest that BestBuy is most likely the operator of the largest Mirai botnet known today.
While the two appear to be in charge of the most developed Mirai botnet since the original died down, other botnets have evolved their own sets of features as well, albeit none as complex as Botnet #14's. For example, Incapsula detected a Mirai botnet capable of launching DDoS attacks via STOMP, a text-based messaging protocol generally used with message brokers.
Criminals have found more and more ways to make money illegally through botnets. Law enforcement officers now frequently find that the creators and operators of botnets not only use them for their own illicit purposes, but also sell or even rent access to the infected computers to other criminals. Those who purchase access then use the infected computers for various crimes, including theft of personal or financial information, dissemination of spam, use as proxies to conceal other crimes, or distributed denial of service (DDoS) attacks on computers or networks. Think about it: your computer may be hacked by one criminal, who then rents surreptitious access to it to another criminal. Americans are suffering extensive, pervasive invasions of privacy and financial losses at the hands of these hackers.
The Cyclops Blink botnet is thought to be the work of an Advanced Persistent Threat (APT) from Russia, and seems to be limited to WatchGuard and ASUS devices. The usual three- and four-letter agencies publicized their findings back in February and urged everyone with potentially vulnerable devices to go through the steps to verify and disinfect them if needed. About a month later, in March, over half the botnet was still online and functioning, so law enforcement took a drastic step to disrupt the network. After reverse-engineering the malware itself and getting a judge to sign off on the plan, the FBI remotely broke into 13 of the WatchGuard devices that were working as command-and-control nodes. They disinfected those nodes and closed the vulnerable ports, effectively knocking a very large chunk of the botnet offline.
There are two elements of this story that I found particularly baffling. First, this botnet infects routers using a vulnerability that was first reported by DefenseCode over five years ago, in 2013! The second oddity is the wide range of devices that are vulnerable and are now part of the botnet: dozens of brands and at least 116 models have been found to be infected.
As alleged in the unsealed warrant, FBI investigators used undercover purchases to obtain access to the RSOCKS botnet in order to identify its backend infrastructure and its victims. The initial undercover purchase in early 2017 identified approximately 325,000 compromised victim devices throughout the world, with numerous devices located within San Diego County. Through analysis of the victim devices, investigators determined that the RSOCKS botnet compromised them by conducting brute-force attacks, after which the RSOCKS backend servers maintained a persistent connection to each compromised device. Several large public and private entities have been victims of the RSOCKS botnet, including a university, a hotel, a television studio, and an electronics manufacturer, as well as home businesses and individuals. At three of the victim locations, with consent, investigators replaced the compromised devices with government-controlled computers (i.e., honeypots), and all three were subsequently compromised by RSOCKS. The FBI identified at least six victims in San Diego.
An individual botnet device can be compromised by multiple perpetrators simultaneously, each using it for a different type of attack, sometimes even at the same time. A malware-infected personal computer, for example, can be ordered to access a website as part of a larger DDoS attack while also performing vulnerability scans, all while its owner is browsing the web. The owner is almost always unaware of either activity.
DDoS stands for distributed denial of service. A DDoS attack is a malicious attempt to make a server or network resource unavailable to its users by saturating the service until it is temporarily suspended or interrupted. It differs from a DoS (denial of service) attack in that the traffic comes from many connected devices at once, which is why such attacks are usually carried out by botnets, whether run by groups or by individuals.
Over the last several months we have explored a number of attack marketplaces along with the different tools and services offered on the Darknet. In this post we are going to take a deeper look at the different malware and botnet services found on the Darknet.
We have even seen the rise of smartphone botnets over the last few years. Malware like DroidJack is easily leveraged against mobile users through malicious third-party app stores that offer popular games such as Pokémon Go with a surprise waiting inside the unverified Android application package (APK). Once infected, devices can be ordered to record audio and video, take photos, send text messages, open web pages, steal user data, delete files, launch denial-of-service attacks via HTTP floods and, where supported, perform web injections.
Some of the botnet-related malware found on the Darknet today consists of old or repackaged variants. These packages often sell for just a few dollars in the marketplace because the software is freely available on the Clearnet. The Darknet marketplace simply offers a one-stop shop for those who do not or cannot take the time to build a botnet on their own. There are even vendors who will set up a botnet for you, leaving you only with the task of spreading your malicious file to potential zombies.
Price, once again, is the only limiting factor in the attack marketplace. Companies are racing to buy bigger pipes in an attempt to keep up with the growth in botnet-based attacks, but this is a futile effort. A botnet market is now developing, and vendors hedging their bets will purchase and use the same massive services their targets rely on. If you can buy it, so can an attacker.
The BBC would not discuss what the botnet cost or the exact methods the Click team used to obtain the botnet. Still, some questioned whether or not the demonstration was worth putting money into the hands of hackers.
The only reason I've seen customers use both is to satisfy an auditor who's interested in checking the box that says "is botnet filter installed" and won't listen to the explanation that the FirePOWER module accomplishes this function more thoroughly.
For reference, the previous record was 20 million requests per second. It was similarly impressive that they needed only 5,000 devices to do so. The attackers accomplished this by focusing on the quality of the devices in the botnet rather than their quantity. Many other botnets rely on IoT devices, but in this case the attackers sought out virtual hosts with plenty of CPU and RAM, so that each individual device could send far more requests than a node in a typical botnet.
The infected routers have a high capacity for RPS, and it is currently thought that attackers proxy requests from many devices through the infected routers to help hide the origin of the attack. Additionally, the Meris botnet is known to take advantage of HTTP pipelining, which allows a single connection to send multiple requests without waiting for the server to respond to each one. This technique inflates the RPS the botnet is capable of.
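Pipelining is only a framing trick at the HTTP/1.1 level: the client writes request after request onto the same TCP connection, and the server must parse them out of one byte stream. The parser below is an added example written for this page, not code from the Meris research or any web server; it splits a single connection's inbound bytes into discrete requests and reports how many were queued, a per-connection count that a proxy or log pipeline can use to spot pipelining-heavy clients. The byte stream is constructed for the example, and request bodies are assumed to be delimited only by Content-Length (chunked request bodies are rejected rather than parsed, so the count never silently undershoots).

```python
"""Added example: split a pipelined HTTP/1.1 request stream into individual
requests and measure pipelining depth per connection.

Assumptions (constructed for this example): the bytes below are what one
client wrote on a single TCP connection; bodies are Content-Length framed.
"""

# Constructed: four requests sent back-to-back on one connection without
# waiting for any response; the third carries a small POST body.
PIPELINED_STREAM = (
    b"GET /login HTTP/1.1\r\nHost: target.example\r\n\r\n"
    b"GET /search?q=a HTTP/1.1\r\nHost: target.example\r\n\r\n"
    b"POST /api HTTP/1.1\r\nHost: target.example\r\nContent-Length: 5\r\n\r\nhello"
    b"GET /search?q=b HTTP/1.1\r\nHost: target.example\r\n\r\n"
)


def split_pipelined(stream):
    """Return a list of (method, path, body) parsed from `stream`.

    Raises ValueError on truncated or chunked requests so the caller never
    undercounts what the client actually pushed down the connection."""
    requests = []
    pos = 0
    while pos < len(stream):
        head_end = stream.find(b"\r\n\r\n", pos)
        if head_end == -1:
            raise ValueError("truncated request headers")
        head = stream[pos:head_end].decode("latin-1")
        request_line, *header_lines = head.split("\r\n")
        method, path, _version = request_line.split(" ", 2)

        headers = {}
        for line in header_lines:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()

        if headers.get("transfer-encoding", "").lower() == "chunked":
            raise ValueError("chunked request bodies not supported here")
        length = int(headers.get("content-length", "0"))

        body_start = head_end + 4
        body = stream[body_start:body_start + length]
        if len(body) != length:
            raise ValueError("truncated request body")

        requests.append((method, path, body))
        pos = body_start + length  # next request starts right after this body
    return requests


def pipelining_depth(stream):
    """Number of complete requests the client queued on this connection."""
    return len(split_pipelined(stream))


def exceeds_pipeline_budget(stream, max_requests=2):
    """True when one connection carries more back-to-back requests than the
    budget; a reverse proxy can use this to close or rate-limit the socket
    instead of letting the single socket inflate its request rate."""
    return pipelining_depth(stream) > max_requests


if __name__ == "__main__":
    for method, path, body in split_pipelined(PIPELINED_STREAM):
        print(method, path, len(body))
    print("depth:", pipelining_depth(PIPELINED_STREAM))
```

The budget of two is an assumed illustrative value. Ordinary browsers rarely pipeline at all, so a connection that arrives with several requests already queued before the first response has gone out is a strong signal on its own, independent of the source address, which is exactly what the proxying through infected routers is meant to obscure.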