Tag Archives: botnets

Satori and the Latest Botnets to Wreak Havoc on the IoT

The number of connected devices is increasing at a staggering pace. Statista estimates that by 2025 that number will reach up to 75.4 billion globally, assuring their presence in practically every sector. This rapid increase is creating security concerns, especially in relation to recent botnets like Satori, one variant of which hijacks the cryptocurrency-mining software running on the devices it infects.

In this post, we take a look at some of the most dangerous botnets, as well as some of the ways that they can be combatted to protect the IoT.

Risks posed by IP cameras

As we commented in a previous blogpost, the ease of installation and low costs have popularized IP cameras, causing many companies and security providers to opt for them instead of traditional CCTV systems. But like any other IoT device, they are susceptible to being hacked remotely.

This risk is exploited by the Hide ‘N Seek (HNS) botnet. This network of bots infects devices using an exploit first seen in the Reaper botnet and coordinates them over a custom peer-to-peer (P2P) protocol, with no central command server. Its current version can receive and execute various types of commands to extract data, execute code, or interfere with device operations. By the time it was detected in January of this year, more than 20,000 infected devices had been counted, the majority of them IP cameras.

Stolen cryptocurrencies

Satori is a modified version of Mirai, whose source code was released publicly in 2016 and has been reused by many botnet authors since. Like Mirai, it is capable of remotely controlling connected devices. Mirai was behind the distributed denial of service (DDoS) attacks that paralyzed DNS provider Dyn in 2016. Since Dyn served companies such as Amazon, Netflix and Twitter, the attack left much of the web unreachable for several hours.

But Satori is capable of much more: last January it was discovered that a variant exploits a vulnerability in the Claymore Miner cryptocurrency-mining program. After taking control of the software, Satori replaces the payout wallet address in the miner’s configuration with a wallet controlled by the attacker. From then on, everything the device mines is paid to the attacker, and the user is none the wiser until they review the miner’s configuration manually.
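A practical check for the wallet-swap case just described, as an added example that is not part of the original post or of the miner’s own tooling: it reads a Claymore-style config.txt, takes the last -ewal entry as the effective payout address and compares it with the operator’s known-good address. The -ewal option name, the worker-suffix convention and the sample addresses are assumptions made for this example, not taken from the original text.

```python
import re

# Constructed sample in the style of a Claymore config.txt: one option per
# line. The option names (-epool, -ewal, -epsw) and the addresses below are
# assumptions for this example, not taken from any real installation.
SAMPLE_CONFIG = """\
-epool eu1.ethermine.org:4444
-ewal 0x1111111111111111111111111111111111111111.rig1
-epsw x
-mode 1
"""

# The operator's own payout address (made up for the example).
EXPECTED_WALLET = "0x1111111111111111111111111111111111111111"

# Ethereum-style address: 0x followed by 40 hex digits.
ETH_ADDRESS = re.compile(r"^0x[0-9a-fA-F]{40}$")


def configured_wallets(config_text):
    """Return every address passed via -ewal, in file order. Pools often
    accept '<address>.<worker>', so a worker suffix is stripped here
    (an assumption about the pool's naming convention)."""
    wallets = []
    for line in config_text.splitlines():
        m = re.match(r"\s*-ewal\s+(\S+)", line)
        if m:
            wallets.append(m.group(1).split(".", 1)[0])
    return wallets


def check_payout_address(config_text, expected):
    """Return (ok, reason). This example treats the last -ewal entry as the
    effective one (an assumption about how the miner resolves duplicates);
    an attacker appending a line would otherwise go unnoticed."""
    wallets = configured_wallets(config_text)
    if not wallets:
        return False, "no -ewal entry in config"
    effective = wallets[-1]
    if not ETH_ADDRESS.match(effective):
        return False, "malformed payout address: %s" % effective
    if effective.lower() != expected.lower():
        return False, "payout address changed to %s" % effective
    return True, "payout address matches"


if __name__ == "__main__":
    ok, why = check_payout_address(SAMPLE_CONFIG, EXPECTED_WALLET)
    print("OK" if ok else "ALERT", why)
```

Run it from cron against the live config file and alert on anything other than a match; the same comparison can be made against the address the pool dashboard reports, which is where a swapped address shows up as a sudden drop to zero in credited shares.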

Hacked routers

The Masuta botnet is another creation of the Satori authors. Masuta attacks routers in two different ways. On the one hand, it logs in with factory-default credentials, much as Mirai does. On the other hand, the PureMasuta variant uses an old bug in the Home Network Administration Protocol (HNAP), a web-based management protocol some router vendors ship. Fortunately, fewer and fewer router models enable this protocol by default.

How to stay protected against botnets

As with any network, connected devices can never be made completely invulnerable, but the following recommendations, one for each of the cases above, make attacks less likely and leave you better prepared when they come.

If you are installing a surveillance system, it is advisable to use cameras connected by cable instead of wireless ones. A wireless network multiplies the options attackers have to introduce malware into the system. It is also preferable to keep an in-house server to manage the surveillance system’s data instead of an external provider’s server. In this way the likelihood of unauthorized access to the system is greatly reduced.

With regard to cryptocurrencies, the safest way to hold them is in a hardware wallet (a USB device similar to a pen drive). These wallets store the private keys and make it possible to sign transactions without ever exposing them. Note, however, that a hardware wallet does nothing for the Satori case described above, where the address being replaced is the payout address in the mining software’s own configuration: that address should be checked against a known-good value, and the miner’s remote management interface should not be reachable from untrusted networks.

As for routers, the best recommendation against botnets that use old vulnerabilities is to make sure they have the latest firmware updates, to disable management protocols you do not use (HNAP and remote administration included), and to use more modern and secure protocols, such as the upcoming WPA3 for Wi-Fi.
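One way to find out whether a router on your network still answers HNAP, as an added example that is not from the original post: HNAP is a SOAP-over-HTTP protocol whose device-settings document is served at /HNAP1/, so the script parses that document, lists the SOAP actions the device advertises and picks out the ones that change state. The sample response, the model and firmware strings, the router address in the usage call and the list of actions are constructed for the example.

```python
import urllib.request
import xml.etree.ElementTree as ET

HNAP_NS = "http://purenetworks.com/HNAP1/"

# Constructed sample of the document an HNAP router returns for GET /HNAP1/.
# The element names follow the HNAP SOAP schema; the model, firmware string
# and action list are made up for this example.
SAMPLE_HNAP_RESPONSE = b"""<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetDeviceSettingsResponse xmlns="http://purenetworks.com/HNAP1/">
      <GetDeviceSettingsResult>OK</GetDeviceSettingsResult>
      <ModelName>EXAMPLE-ROUTER</ModelName>
      <FirmwareVersion>1.00</FirmwareVersion>
      <SOAPActions>
        <string>http://purenetworks.com/HNAP1/GetDeviceSettings</string>
        <string>http://purenetworks.com/HNAP1/SetDeviceSettings</string>
        <string>http://purenetworks.com/HNAP1/Reboot</string>
      </SOAPActions>
    </GetDeviceSettingsResponse>
  </soap:Body>
</soap:Envelope>
"""


def parse_hnap_response(body):
    """Return {"model", "firmware", "actions"} if body is an HNAP
    GetDeviceSettings document, else None (not XML, or not HNAP)."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    settings = root.find(".//{%s}GetDeviceSettingsResponse" % HNAP_NS)
    if settings is None:
        return None

    def text(tag):
        el = settings.find("{%s}%s" % (HNAP_NS, tag))
        return el.text if el is not None else ""

    # Every <string> under the response element is one advertised action.
    actions = [el.text for el in settings.iter("{%s}string" % HNAP_NS) if el.text]
    return {"model": text("ModelName"), "firmware": text("FirmwareVersion"),
            "actions": actions}


def writable_actions(info):
    """Actions that change state (Set*, Reboot, ...): what an attacker can
    drive if HNAP is reachable without proper authentication."""
    names = [a.rsplit("/", 1)[-1] for a in info["actions"]]
    return sorted(n for n in names if not n.startswith("Get"))


def probe_hnap(host, timeout=3):
    """Fetch /HNAP1/ from a router you administer and parse the reply.
    Returns None when the host does not answer or does not speak HNAP."""
    url = "http://%s/HNAP1/" % host
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return parse_hnap_response(resp.read())
    except (OSError, ValueError):
        return None


if __name__ == "__main__":
    info = probe_hnap("192.168.1.1")  # assumed LAN address of your router
    if info is None:
        print("no HNAP response")
    else:
        print(info["model"], "advertises", len(info["actions"]), "HNAP actions;",
              "state-changing:", ", ".join(writable_actions(info)))
```

If the probe answers on the LAN side, check the WAN side too; a router that serves /HNAP1/ to the internet is exactly what the PureMasuta scanner is looking for, and the fix is a firmware update or disabling HNAP and remote management in the router’s settings.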

Finally, as a general recommendation, it is necessary to monitor the traffic of your company’s network at all times so that unauthorized access is detected. For this, solutions such as Panda Adaptive Defense 360 give you control of all data on the corporate network, monitoring, registering, and categorizing 100% of all active processes. The best way to avoid being attacked by a botnet is to have visibility of everything that happens in your company, minimizing attack vectors.

The post Satori and the Latest Botnets to Wreak Havoc on the IoT appeared first on Panda Security Mediacenter.


What is a botnet?

Botnets have become one of the biggest threats to security systems today. Their growing popularity among cybercriminals comes from their ability to infiltrate almost any internet-connected device, from DVR players to corporate mainframes.

Botnets are also becoming a larger part of cultural discussions around cyber security. Facebook’s fake ad controversy and the Twitter bot fiasco during the 2016 presidential election worry many politicians and citizens about the disruptive potential of botnets. Recently published studies from MIT have concluded that social media bots and automated accounts play a major role in spreading fake news.

The use of botnets to mine cryptocurrencies like Bitcoin is a growing business for cyber criminals. It’s predicted the trend will continue, resulting in more computers infected with mining software and more digital wallets stolen.

Aside from being tools for influencing elections and mining cryptocurrencies, botnets are also dangerous to corporations and consumers because they’re used to deploy malware, initiate attacks on websites, steal personal information, and defraud advertisers.

It’s clear botnets are bad, but what are they exactly? And how can you protect your personal information and devices? Step one is understanding how bots work. Step two is taking preventative actions.

How Do Botnets Work?

To better understand how botnets function, consider that the name itself is a blending of the words “robot” and “network”. In a broad sense, that’s exactly what botnets are: a network of robots used to commit cyber crime. The cyber criminals controlling them are called botmasters or bot herders.

Size Matters

To build a botnet, botmasters need as many infected online devices or “bots” under their command as possible. The more bots connected, the bigger the botnet. The bigger the botnet, the bigger the impact. So size matters. The criminal’s ultimate goal is often financial gain, malware propagation, or just general disruption of the internet.

Imagine the following: You’ve enlisted ten of your friends to call the Department of Motor Vehicles at the same time on the same day. Aside from the deafening sounds of ringing phones and the scurrying of State employees, not much else would happen. Now, imagine you wrangled 100 of your friends, to do the same thing. The simultaneous influx of such a large number of signals, pings, and requests would overload the DMV’s phone system, likely shutting it down completely.

Cybercriminals use botnets to create a similar disruption on the internet. They command their infected bot army to overload a website to the point that it stops functioning and/or access is denied. Such an attack is called a denial of service (DoS); when the requests come from many machines at once, as they do from a botnet, it is a distributed denial of service, or DDoS.

Botnet Infections

Botnets aren’t typically created to compromise just one individual computer; they’re designed to infect millions of devices. Bot herders often deploy bot software onto computers through a trojan horse. The strategy typically requires users to infect their own systems by opening email attachments, clicking on malicious pop-up ads, or downloading dangerous software from a website. Once a device is infected, the bot is free to access and modify personal information, attack other computers, and commit other crimes.

More complex botnets can even self-propagate, finding and infecting devices automatically. Such autonomous bots carry out seek-and-infect missions, constantly searching the web for vulnerable internet-connected devices lacking operating system updates or antivirus software.

Botnets are difficult to detect. They use only small amounts of computing power to avoid disrupting normal device functions and alerting the user. More advanced botnets are even designed to update their behavior so as to thwart detection by cybersecurity software. Users are unaware that their connected device is being controlled by cyber criminals. What’s worse, botnet design continues to evolve, making newer versions harder to find.

Botnets take time to grow. Many will lay dormant within devices waiting for the botmaster to call them to action for a DDoS attack or for spam dissemination.

Vulnerable Devices

Botnets can infect almost any device connected directly or wirelessly to the internet. PCs, laptops, mobile devices, DVRs, smartwatches, security cameras, and smart kitchen appliances can all fall within the web of a botnet.

Although it seems absurd to think of a refrigerator or coffee maker becoming the unwitting participant in a cyber crime, it happens more often than most people realize. Appliance manufacturers often ship their devices with weak or default passwords, making them easy for autonomous bots scouring the internet to find and exploit.

As the never-ending growth of the Internet of Things brings more devices online, cyber criminals have greater opportunities to grow their botnets, and with it, the level of impact.

In 2016, a large DDoS attack hit the internet infrastructure company Dyn. The attack used a botnet comprised of security cameras and DVRs. The DDoS disrupted internet service for large sections of the United States, creating problems for many popular websites like Twitter and Amazon.

Botnet Attacks

Aside from DDoS attacks, botmasters also employ botnets for other malicious purposes.

Ad Fraud

Cybercriminals can use the combined processing power of botnets to run fraudulent schemes. For example, botmasters build ad fraud schemes by commanding thousands of infected devices to visit fraudulent websites and “click” on ads placed there. For every click, the hacker then gets a percentage of the advertising fees.

Selling and Renting Botnets

Botnets can even be sold or rented on the internet. After infecting and wrangling thousands of devices, botmasters look for other cybercriminals interested in using them to propagate malware. Botnet buyers then carry out cyber attacks, spread ransomware, or steal personal information.

Laws surrounding botnets and cybercrime continue to evolve. As botnets become bigger threats to internet infrastructure, communications systems, and electrical grids, users will be required to ensure their devices are adequately protected from infection. It’s likely cyber laws will begin to hold users more responsible for crimes committed by their own devices.

Botnet Structures

Botnet structures usually take one of two forms, and each structure is designed to give the botmaster as much control as possible.

Client-server model

The client-server botnet structure is set up like a basic network with one main server controlling the transmission of information from each client. The botmaster uses special software to establish command and control (C&C) servers to relay instructions to each client device.

While the client-server model works well for taking and maintaining control over the botnet, it has two downsides: the C&C server is relatively easy for law enforcement to locate, and it is the botnet’s only control point. Take down the server, and the botnet is dead.

Peer-to-peer model

Rather than relying on one centralized C&C server, newer botnets have evolved to use the more interconnected peer-to-peer (P2P) structure. In a P2P botnet, each infected device functions as a client and a server. Individual bots have a list of other infected devices and will seek them out to update and to transmit information between them.

P2P botnet structures make it harder for law enforcement to locate any centralized source. The lack of a single C&C server also makes P2P botnets harder to disrupt. Like the mythological Hydra, cutting off the head won’t kill the beast. It has many others to keep it alive.
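An added example, not from the original post, of how the two structures look from the defender’s side. It runs over constructed flow records: the client-server shape is many internal hosts contacting one external address on a fixed check-in interval, while the P2P shape is one host fanning out to many peers on the same port, which the first heuristic cannot see because no single destination collects enough sources. The addresses, intervals and thresholds are assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records, "epoch_seconds,src,dst,dst_port". Hosts 10.0.0.5,
# .6 and .7 contact 203.0.113.10 every 60 s (the client-server shape),
# 10.0.0.8 browses 198.51.100.20 at irregular times (benign), and 10.0.0.9
# talks to six different addresses on port 5555 (the P2P shape). All
# addresses are from documentation ranges; no real botnet is represented.
SAMPLE_FLOWS = """\
1000,10.0.0.5,203.0.113.10,443
1060,10.0.0.5,203.0.113.10,443
1120,10.0.0.5,203.0.113.10,443
1180,10.0.0.5,203.0.113.10,443
1003,10.0.0.6,203.0.113.10,443
1063,10.0.0.6,203.0.113.10,443
1123,10.0.0.6,203.0.113.10,443
1183,10.0.0.6,203.0.113.10,443
1007,10.0.0.7,203.0.113.10,443
1067,10.0.0.7,203.0.113.10,443
1127,10.0.0.7,203.0.113.10,443
1187,10.0.0.7,203.0.113.10,443
1001,10.0.0.8,198.51.100.20,443
1015,10.0.0.8,198.51.100.20,443
1140,10.0.0.8,198.51.100.20,443
1142,10.0.0.8,198.51.100.20,443
1010,10.0.0.9,192.0.2.11,5555
1020,10.0.0.9,192.0.2.12,5555
1030,10.0.0.9,192.0.2.13,5555
1040,10.0.0.9,192.0.2.14,5555
1050,10.0.0.9,192.0.2.15,5555
1060,10.0.0.9,192.0.2.16,5555
"""


def parse_flows(text):
    """Turn the CSV text into (timestamp, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port = line.split(",")
            flows.append((int(ts), src, dst, int(port)))
    return flows


def beacon_interval(times):
    """(mean gap, coefficient of variation) for one src->dst pair, or None
    with fewer than three contacts. A low CV means a fixed check-in timer."""
    if len(times) < 3:
        return None
    times = sorted(times)
    gaps = [b - a for a, b in zip(times, times[1:])]
    m = mean(gaps)
    return (m, pstdev(gaps) / m) if m > 0 else None


def find_central_c2(flows, min_sources=3, max_cv=0.2):
    """Destinations that at least min_sources internal hosts check in with
    on a regular schedule: the many-to-one shape of a client-server botnet.
    Thresholds are assumptions to tune per network."""
    contacts = defaultdict(lambda: defaultdict(list))
    for ts, src, dst, _port in flows:
        contacts[dst][src].append(ts)
    hits = {}
    for dst, by_src in contacts.items():
        regular = {}
        for src, times in by_src.items():
            stats = beacon_interval(times)
            if stats and stats[1] <= max_cv:
                regular[src] = stats[0]
        if len(regular) >= min_sources:
            hits[dst] = {"sources": sorted(regular),
                         "interval": round(mean(regular.values()), 1)}
    return hits


def find_p2p_suspects(flows, min_peers=5):
    """Internal hosts fanning out to many distinct addresses on one port:
    the many-to-many shape of a P2P botnet, which find_central_c2 misses
    because no single destination collects enough sources."""
    peers = defaultdict(lambda: defaultdict(set))
    for _ts, src, dst, port in flows:
        peers[src][port].add(dst)
    suspects = {}
    for src, by_port in peers.items():
        for port, dsts in by_port.items():
            if len(dsts) >= min_peers:
                suspects.setdefault(src, {})[port] = len(dsts)
    return suspects


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("central C&C candidates:", find_central_c2(flows))
    print("P2P fan-out suspects:", find_p2p_suspects(flows))
```

On real NetFlow or firewall logs the fan-out rule needs an allow-list (update CDNs, NTP pools and BitTorrent clients all look like peers), and the beacon rule should add jitter tolerance, since modern bots randomise their check-in timer precisely to raise the CV above a naive threshold.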

Botnet Prevention

It should be clear by now that preventing botnet infection requires a comprehensive strategy, one that includes good surfing habits and antivirus protection. Now that you’ve armed yourself with the knowledge of how botnets work, here are some ways to keep botnets at bay.

Update your operating system

One of the tips always topping the list of malware preventative measures is keeping your OS updated. Software developers actively combat malware; they know early on when threats arise. Set your OS to update automatically and make sure you’re running the latest version.

Avoid email attachments from suspicious or unknown sources

Email attachments are a favorite source of infection for many types of malware. Don’t open an attachment from an unknown source. Even scrutinize emails sent from friends and family: bots regularly use contact lists to compose and send spam and infected emails, so that email from your mother may actually have been sent by a bot.

Avoid downloads from P2P and file sharing networks

Botnets use P2P networks and file sharing services to infect computers. Scan any downloads before executing the files or find safer alternatives for transferring files.

Don’t click on suspicious links

Links to malicious websites are common infection points, so avoid clicking them without a thorough examination. Hover your cursor over the hypertext and check to see where the URL actually goes. Malicious links like to live in message boards, YouTube comments, pop up ads, and the like.

Get Antivirus Software

Getting antivirus software is the best way to avoid and eliminate botnets. Look for antivirus protection that’s designed to cover all of your devices, not just your computer. Remember, botnets sneak into all types of devices, so look for software that’s comprehensive in scope.

With the Internet of Things increasing, so too does the potential for botnet size and power. Laws will eventually change to hold users more responsible for the actions of their devices. Taking preventative action now will protect your identity, data, and devices.

The post What is a botnet? appeared first on Panda Security Mediacenter.


Linux Trojan Using Hacked IoT Devices to Send Spam Emails


Botnets like Mirai that infect Linux-based internet-of-things (IoT) devices keep growing in number and are mainly built to conduct Distributed Denial of Service (DDoS) attacks, but researchers have now found cybercriminals using such a botnet for mass spam mailings.

New research from Russian security firm Doctor Web reveals that Linux.ProxyM, a Linux Trojan that cybercriminals use to hide their own address behind infected devices, has recently been updated with mass spam-sending capability to earn money for its operators.

The Linux.ProxyM Linux Trojan, initially discovered by the security firm in February this year, runs a SOCKS proxy server on an infected IoT device and is capable of detecting honeypots in order to hide from malware researchers.

Linux.ProxyM can run on almost any Linux device, including routers, set-top boxes and other equipment built on the following architectures: x86, MIPS, MIPSEL, PowerPC, ARM, Motorola 68000, SuperH and SPARC.

Here’s How this Linux Trojan Works:

Once infected with Linux.ProxyM, the device connects to a command and control (C&C) server and downloads the addresses of two Internet nodes:

  • The first provides a list of logins and passwords
  • The second one is needed for the SOCKS proxy server to operate

The C&C server also sends a command containing an SMTP server address, the credentials used to access it, a list of email addresses, and a message template, which contains advertising for various adult-content sites.

A typical email sent using devices infected with this Trojan contains a message that reads:

Subject: Kendra asked if you like hipster girls
A new girl is waiting to meet you.
And she is a hottie!
Go here to see if you want to date this hottie
(Copy and paste the link to your browser)
Check out sexy dating profiles
There are a LOT of hotties waiting to meet you if we are being honest!

On average, each infected device sends out around 400 such emails per day.
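An added example, not from the original article or Doctor Web’s research, of the perimeter check that catches this behaviour: only designated mail relays should open outbound port-25 connections, and a camera or set-top box that does so several hundred times a day to hundreds of different mail servers stands out immediately. The connection log, the relay allow-list, the host roles and the thresholds are all constructed for the example.

```python
from collections import defaultdict

# Internal hosts allowed to deliver mail to the outside.
# (Assumed for the example: a single relay at 10.0.0.2.)
AUTHORIZED_RELAYS = {"10.0.0.2"}


def build_sample_log():
    """Constructed one-day perimeter connection log, "src,dst,dst_port" per
    outbound TCP connection. 10.0.0.2 is the mail relay delivering to a few
    upstream servers; 10.0.1.20 is an IP camera that has started delivering
    400 messages a day straight to 200 different mail servers; 10.0.1.21 is
    a camera doing nothing unusual. Addresses are from documentation ranges."""
    lines = ["10.0.0.2,203.0.113.%d,25" % (i % 5 + 1) for i in range(40)]
    lines += ["10.0.1.20,198.51.100.%d,25" % (i % 200 + 1) for i in range(400)]
    lines += ["10.0.1.21,203.0.113.9,443", "10.0.1.20,203.0.113.9,443"]
    return "\n".join(lines)


def smtp_egress_report(log_text, authorized, max_connections=100, max_distinct=20):
    """Summarise outbound port-25 activity per internal host and return only
    the hosts that trip a rule:
      unauthorized - host is not a designated relay yet talks SMTP outbound
      volume       - more than max_connections deliveries in the period
      fan-out      - more than max_distinct distinct mail servers
    Thresholds are assumptions to tune per network."""
    count = defaultdict(int)
    servers = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, port = line.split(",")
        if port == "25":
            count[src] += 1
            servers[src].add(dst)
    report = {}
    for src in count:
        reasons = []
        if src not in authorized:
            reasons.append("unauthorized")
        if count[src] > max_connections:
            reasons.append("volume")
        if len(servers[src]) > max_distinct:
            reasons.append("fan-out")
        if reasons:
            report[src] = {"connections": count[src],
                           "distinct_servers": len(servers[src]),
                           "reasons": reasons}
    return report


if __name__ == "__main__":
    for host, info in smtp_egress_report(build_sample_log(), AUTHORIZED_RELAYS).items():
        print(host, info)
```

The detection is cheap because the policy is simple: a firewall rule that drops outbound port 25 from everything except the relay turns the same condition into a block rather than an alert, and the report then lists the devices that tried.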

Although the total number of devices infected with this Trojan is unknown, Doctor Web analysts note that it has fluctuated over the months.

According to the Linux.ProxyM attacks launched during the past 30 days, the majority of infected devices are located in Brazil and the US, followed by Russia, India, Mexico, Italy, Turkey, Poland, France and Argentina.

“We can presume that the range of functions implemented by Linux Trojans will be expanded in the future,” Dr Web researchers say. 

“The Internet of things has long been a focal point for cybercriminals. The wide distribution of malicious Linux programs capable of infecting devices possessing various hardware architectures serves as proof of that.”

In order to protect your smart devices from getting hacked, you can head on to this article: How to Protect All Your Internet-Connected Home Devices From Hackers.


1 Million Computers Hacked for making big Money from Adsense

A group of cyber criminals has infected as many as one million computers around the world over the past two years with a piece of malware that hijacks search results pages through a proxy installed on the victim’s machine.

Security researchers from Romania-based security firm Bitdefender revealed the presence of this massive click-fraud botnet, which the researchers named Million-Machine Campaign.

For those unaware,


Botnets: remote controls for cybercriminals

As promised in our post about the European Cyber Security Month in October, we are publishing about botnets and exploits this week. Even though the POODLE flaw in the SSL 3.0 web encryption protocol surfaced a few days ago, we are using this week to explain what botnets and exploits are and how they work.

The post Botnets: remote controls for cybercriminals appeared first on We Live Security.
