Blocking Botnets – a Coup

Botnets exploit various weaknesses in computer systems and networks. They commonly target unpatched software vulnerabilities, outdated operating systems, and inadequately secured networks. Internet of Things (IoT) devices, such as smart cameras and routers, are frequent targets due to their weak or default passwords. Additionally, botnets capitalize on insufficient network monitoring and the lack of robust cybersecurity protocols, allowing them to infiltrate and spread undetected.

A botnet is a network of infected computers, known as “bots” or “zombies,” controlled by a hacker, often called a “botmaster.” These bots are typically compromised through malware that allows the botmaster to remotely control them. Botnets can be used for various malicious activities, including distributed denial-of-service (DDoS) attacks, data theft, spamming, and spreading other malware. The power of a botnet lies in its ability to leverage the collective computing resources of its bots to execute large-scale attacks.

What are some famous botnets?

One notorious botnet predating 2019 is Mirai. Mirai primarily targeted IoT devices, using a list of default usernames and passwords to gain access. Once it controlled a large number of devices, it launched DDoS attacks, including a massive attack on Dyn in 2016, which disrupted major websites like Twitter, Netflix, and Reddit. This attack highlighted the vulnerabilities of IoT devices and caused significant financial losses due to service outages and security responses.

Another significant botnet is the Zeus botnet. Zeus, active since around 2007, is designed to steal banking information by logging keystrokes and capturing sensitive data. It infected millions of computers worldwide and caused substantial financial losses, particularly in the banking sector. By 2013, it was estimated that Zeus and its variants had stolen over $100 million from various financial institutions and businesses.

The largest takedown in recent memory

Organizations employ several strategies to counteract the threat of botnets. One common response is implementing robust cybersecurity practices, including regular software updates and patch management to fix vulnerabilities that botnets might exploit. Network segmentation and the use of firewalls and intrusion detection systems (IDS) help to prevent the spread of botnets within a network.

Additionally, organizations often invest in employee training to recognize phishing attempts and other common malware delivery methods. They may also use endpoint security solutions that can detect and remove botnet malware from individual devices. Collaboration with internet service providers (ISPs) and other organizations is another critical strategy, as it can help identify and mitigate botnet activities on a larger scale.

Law enforcement agencies and cybersecurity firms work together to take down botnet infrastructures. This often involves tracking the command and control (C&C) servers used by botmasters to communicate with their bots and disrupting their operations. Successful takedowns of botnets like Mirai and Zeus demonstrate the effectiveness of coordinated efforts in combating these threats.

On May 29, 2024, the U.S. Department of Justice (DOJ) announced the arrest of the alleged operator of 911 S5, which the FBI director described as “likely the world’s largest botnet ever.” The authorities seized the 911 S5 website and its infrastructure, which turned computers running various “free VPN” products into Internet traffic relays, facilitating billions of dollars in online fraud and cybercrime.

On May 24, Singaporean authorities arrested YunHe Wang, a 35-year-old Chinese national and the alleged creator of 911 S5. The DOJ stated that 911 S5 enabled cybercriminals to bypass financial fraud detection systems, leading to the theft of billions of dollars from financial institutions, credit card issuers, and federal lending programs. The DOJ estimates that 560,000 fraudulent unemployment insurance claims, resulting in over $5.9 billion in confirmed fraudulent losses, originated from compromised Internet addresses.

The DOJ also highlighted the Economic Injury Disaster Loan (EIDL) program, with more than 47,000 fraudulent applications originating from IP addresses compromised by 911 S5. Financial institutions in the U.S. identified millions of dollars in losses originating from these compromised addresses. From 2015 to July 2022, 911 S5 sold access to hundreds of thousands of compromised Microsoft Windows computers daily, offering proxies that allowed customers to route their Internet traffic through PCs worldwide, predominantly in the United States.

911 S5 built its proxy network by offering “free” virtual private networking (VPN) services. While the VPNs functioned as advertised, providing anonymous web surfing, they also quietly turned users’ computers into traffic relays for paying customers. The service’s reliability and low prices made it a favorite among cybercriminals, providing a way to route malicious traffic through geographically proximate computers.

In July 2022, KrebsOnSecurity identified YunHe Wang as the operator of 911 S5. Their investigation revealed that 911 S5 bundled its software with other programs, including fake security updates and pirated software, to increase its network. Shortly after this revelation, 911 S5 claimed to have been hacked and ceased operations, only to reemerge as Cloud Router.

Following Wang’s arrest, the U.S. Department of the Treasury sanctioned him, two associates, and several companies allegedly used to launder nearly $100 million in proceeds from 911 S5 and Cloud Router customers. The FBI and international authorities seized about $30 million in assets, including luxury cars, bank accounts, cryptocurrency wallets, wristwatches, and real estate.

Wang faces charges including conspiracy to commit computer fraud, substantive computer fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering. If convicted, he could face up to 65 years in prison. The DOJ is working with the Singaporean government on his extradition to the United States.

Brett Leatherman, deputy assistant director of the FBI’s Cyber Division, emphasized the need for public awareness about the use of compromised IP addresses in cybercrimes. The FBI has launched a webpage to help individuals determine if their computers were part of the 911 S5 botnet, which spanned over 19 million computers in at least 190 countries.

911 S5 and Cloud Router used several “free VPN” brands to lure consumers, including MaskVPN, DewVPN, PaladinVPN, Proxygate, Shield VPN, and ShineVPN. Many users were unaware that their IP addresses were being used for cybercrimes, highlighting the importance of vigilance and cybersecurity education.

The DOJ’s efforts to dismantle 911 S5 involved cooperation with authorities in Singapore, Thailand, and Germany. These coordinated actions demonstrate the global nature of cybercrime and the necessity for international collaboration in combating such threats.

How do we deal with botnets?

Defending against botnet attacks requires a multifaceted approach. Regular software updates and patch management are crucial to close vulnerabilities that botnets exploit to infiltrate systems. Implementing and enforcing strong password policies ensures that default passwords are changed, especially on IoT devices, and encourages the use of complex, unique passwords combined with multi-factor authentication (MFA). Network segmentation helps to limit the spread of infections by isolating different parts of the network, preventing a compromised device from infecting the entire network. Using VLANs and firewalls to create these segments is also recommended.

Deploying intrusion detection and prevention systems (IDS/IPS) is essential to monitor network traffic for suspicious activity and block malicious actions. These systems help detect and prevent botnet communications and can mitigate attacks before they cause significant damage. Additionally, educating employees about cybersecurity best practices, such as recognizing phishing emails and avoiding suspicious downloads, can reduce the risk of inadvertently contributing to botnet infections.
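One concrete form of the traffic monitoring described above is beacon detection: infected hosts typically poll their command-and-control server on a fixed schedule, so outbound connections from one host to one destination with unusually regular gaps are worth triage. The following is an added example written for this article, not code from the original post or from any vendor's IDS; the log format, the IP addresses and the sample lines are constructed for illustration, and the thresholds (five connections, coefficient of variation at most 0.1) are assumptions a deployment would tune.

```python
"""
Beacon detector over outbound connection logs (added example, constructed data).

Connections are grouped by (source, destination) and the gaps between
successive connections are measured. A low coefficient of variation
(standard deviation / mean) of those gaps means the host is calling out
on a near-fixed schedule, which is the shape of bot-to-C&C polling.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one line per connection:
# "<ISO timestamp> <src_ip> -> <dst_ip>:<port>"
# 10.0.0.5 -> 203.0.113.7 is a roughly once-a-minute poll with a few
# seconds of jitter; 10.0.0.5 -> 198.51.100.2 is irregular browsing.
SAMPLE_LOG = """\
2024-05-29T10:00:00 10.0.0.5 -> 203.0.113.7:443
2024-05-29T10:00:03 10.0.0.5 -> 198.51.100.2:443
2024-05-29T10:01:02 10.0.0.5 -> 203.0.113.7:443
2024-05-29T10:01:41 10.0.0.5 -> 198.51.100.2:443
2024-05-29T10:01:59 10.0.0.5 -> 203.0.113.7:443
2024-05-29T10:02:09 10.0.0.5 -> 198.51.100.2:443
2024-05-29T10:03:01 10.0.0.5 -> 203.0.113.7:443
2024-05-29T10:04:00 10.0.0.5 -> 203.0.113.7:443
2024-05-29T10:04:58 10.0.0.5 -> 203.0.113.7:443
2024-05-29T10:07:30 10.0.0.5 -> 198.51.100.2:443
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, dst) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_str, src, _arrow, dst = line.split()
        events.append((datetime.fromisoformat(ts_str), src, dst))
    return events


def interval_stats(events):
    """Per (src, dst) pair: connection count, mean gap in seconds, and the
    coefficient of variation of the gaps. Pairs with fewer than three
    connections (two gaps) are skipped because regularity is undefined."""
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)
    stats = {}
    for pair, times in by_pair.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) < 2:
            continue
        m = mean(gaps)
        cv = pstdev(gaps) / m if m > 0 else float("inf")
        stats[pair] = {"count": len(times), "mean_gap": m, "cv": cv}
    return stats


def find_beacons(events, min_connections=5, max_cv=0.1):
    """Return the pairs whose connection gaps are regular enough to look like
    scheduled polling. Thresholds are assumptions to be tuned per network."""
    return {
        pair: s
        for pair, s in interval_stats(events).items()
        if s["count"] >= min_connections and s["cv"] <= max_cv
    }


if __name__ == "__main__":
    for (src, dst), s in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"candidate beacon: {src} -> {dst} "
              f"({s['count']} connections, mean gap {s['mean_gap']:.1f}s, "
              f"cv {s['cv']:.3f})")
```

On the constructed input only the 203.0.113.7 pair is reported; its jittered gaps still give a coefficient of variation well under 0.1, while the browsing-style traffic to 198.51.100.2 is both too sparse and too irregular. In practice the output is a triage list, not a verdict: legitimate software also polls on a schedule (update checks, time sync, telemetry), so known-good destinations need an allowlist, and longer windows with a jitter-tolerant threshold catch malware that deliberately randomises its interval.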

Implementing these strategies can significantly enhance defenses against botnet attacks and protect networks from being compromised.
