Necurs: an example to follow closely

Necurs, the world’s largest spam botnet with nearly 5 million infected bots, of which one million are active each day, has added a new module that can be used to launch DDoS attacks. The module was added in 2016, but was only recently spotted by security researchers and investigated.

Should the Necurs botnet operators really launch a full-size DDoS attack, it would be by far the biggest one ever. However, this news hasn’t raised much attention. Why? Necurs was a stable part of the spam scene and considered a global leader in ransomware distribution. However, since December 2016, Necurs has jumped into another type of cyber criminality when it started to distribute financial stock scam-spam emails with fake news on selected stocks. These were used to inflate the price of the targeted stocks and then cash in on them later.

Evolving from ransomware to the stock-scam and on to DDoS over the course of a few months – the speed at which the Necurs operators change their botnet’s utilization illustrates that there are dramatic developments on the botnet scene. With the exception of the DDoS capability, all the currently deployed botnet business models bet on long-term sustainability. Understandably, setting the botnet up is the hardest part of the criminals’ efforts and the very last thing they need is to attract the attention of the authorities, risk having their servers sinkholed or even seized, and ultimately finding themselves in jail.

Apparently, large botnet operators’ focus on sustainability actually prevents them from taking part in spectacular DDoS attacks. However, should they – for whatever reason – opt for some bigger bang, we should expect something exceptional. Hopefully it would only be a record-breaking DDoS attack. Worse would be a ransomware attack – this time encrypting the bots themselves instead of merely distributing emails with infected attachments.

Under-estimated threat: whole botnets held ransom

These threats support the claim that botnets are more dangerous than the ransomware campaigns that the internet has suffered so far. Compare the scale: the latest major ransomware outbreak, WannaCry, affected some 350 thousand computers. Botnets overall contain hundreds of millions of computers (according to the US federal police, the FBI, ca. 500 million computers are infected globally each year). Large botnets tend to have millions. Not only that, but each and every one of them may be encrypted. Not to mention that if the operators one day decide to do so, they could simply distribute a ransomware payload of their choice. It would be as easy as providing the botnet with a new set of instructions, just as it is instructed to distribute spam or to flood a number of targets with requests. In other words, an operation to encrypt all active computers in a botnet would likely reach a 100% success rate, with nothing to stand in its way.

Botnet protection: a needed solution

Even without the ultimate threat of encrypting all the bots, botnets are a clear and present danger. Thus, both consumers and organizations should work to avoid falling victim to botnet malware. Sure, the ultimate goal is to prevent any malware from crossing the perimeter or from executing its malicious tasks or – at the very last line of defense – to contain the damage. To achieve this goal, a full range of security tools and methods should be deployed – from security training to implementing endpoint and network security solutions to data protection and backup/recovery solutions.

As for protection from botnets and preventing users from falling victim to this kind of attack, a specialized layer of protection should be deployed. Leading vendors – amongst them ESET – offer Botnet Protection as an additional security layer. In the case of ESET Endpoint Security, the Botnet Protection is part of the core technology, fully integrated into the product. It works at the network layer: its key function is to detect malicious or suspicious communications used by botnets; any such communication is blocked and reported to the user.

Ransomware is a pretty visible and painful issue; however, botnets pose a hidden threat – one which, if it were ever to materialize, is quite capable of paralyzing the internet.