The Botnet Scoop

Botnets have been plaguing the world for a couple of decades now. They never fail to surprise security analysts and law enforcement.

What’s going on?

Avast Security, in a detailed blog post, explained how two DVB set-top boxes, the Philips DTR3502BFTA and the Thomson THT741FTA, are exposed to both ransomware and botnet attacks. The root cause is the lack of encryption: the devices fetch content over unencrypted connections, so anyone on the network path can alter what they receive. In addition, the boxes expose a Telnet service, which was found to allow infection by the Mirai botnet.

What does this imply?

  • Because the feeds are fetched in the clear, attackers can tamper with the content shown to the user through the RSS feed and weather applications.
  • Adversaries can display a ransomware message informing victims that their TV has been hijacked.
  • Researchers also found that the DNS hijack could be carried over to the device itself, which means attackers can store malware payloads on it and persist through reboots and resets.

Recent botnet attacks

  • NCR Corporation recently discovered malware-infected computers on its network. The malware was identified as the Lethic botnet, whose capabilities include remote access, lateral movement, and downloading additional payloads.
  • A novel ad fraud botnet was found to be distributed using the lure of free items. The campaign, dubbed TERRACOTTA, spoofed more than 5,000 apps.
  • The Dracula botnet was identified pushing pro-Chinese political content through around 3,000 accounts.

A game of hide and seek

  • Fast flux is a popular method employed by botnet operators to make their command-and-control domain names hard to pin down: the domain's DNS records are changed constantly, so each short-lived lookup returns a different set of IP addresses.
  • This DNS technique hides phishing and malware delivery sites behind a network of compromised hosts that act as proxies, relaying traffic to the real back-end server.
  • It is mainly seen in phishing and in attacks on social networks.
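The rotating-record behaviour described above is exactly what a DNS-telemetry detection can key on. The following is an added example (not code from the original article or from any vendor's tooling) that scores domains on the usual fast-flux indicators: a short TTL, a large number of distinct A records over time, those records scattered across unrelated /16 networks, and high churn between consecutive answers. The sample DNS answers, the domain names, and the thresholds are constructed for illustration and should be tuned against your own resolver logs.

```python
"""Fast-flux indicator scoring over DNS answer records.

Added example; the records below are constructed and the domains and
addresses are not real infrastructure.
"""
from collections import defaultdict
from ipaddress import ip_network

# Thresholds (assumptions for this example; tune to your own telemetry).
MAX_TTL = 300           # flux domains keep TTL short so stale proxies age out fast
MIN_DISTINCT_IPS = 5    # many distinct A records seen over the window
MIN_DISTINCT_NETS = 3   # distinct /16 prefixes: scattered hosts, not one hosting block
MIN_CHURN = 0.5         # share of each answer's IPs absent from the previous answer

# Constructed records: (domain, query time in seconds, TTL, A records).
# "flux.example" mimics fast flux: low TTL, fresh IPs on nearly every lookup,
# spread over many /16s. "cdn.example" mimics a CDN: low TTL but a stable,
# clustered pool. "static.example" is an ordinary single-host site.
SAMPLE_ANSWERS = [
    ("flux.example",   0,   180, ["10.11.0.5", "10.42.7.19", "10.73.200.3"]),
    ("flux.example",   200, 180, ["10.11.0.5", "10.88.14.22", "10.130.9.40"]),
    ("flux.example",   400, 180, ["10.150.3.3", "10.42.7.19", "10.201.66.8"]),
    ("flux.example",   600, 180, ["10.88.14.22", "10.222.1.1", "10.11.0.5"]),
    ("cdn.example",    0,   60,  ["198.51.100.10", "198.51.100.11"]),
    ("cdn.example",    100, 60,  ["198.51.100.11", "198.51.100.10"]),
    ("cdn.example",    200, 60,  ["198.51.100.12", "198.51.100.10"]),
    ("static.example", 0,   3600, ["203.0.113.8"]),
    ("static.example", 900, 3600, ["203.0.113.8"]),
    ("static.example", 1800, 3600, ["203.0.113.8"]),
]


def summarize(records):
    """Group answers per domain in time order and compute the indicators."""
    by_domain = defaultdict(list)
    for domain, ts, ttl, ips in records:
        by_domain[domain.lower().rstrip(".")].append((ts, ttl, ips))

    stats = {}
    for domain, answers in by_domain.items():
        answers.sort(key=lambda a: a[0])
        seen_ips, seen_nets = set(), set()
        churn_total, previous = 0.0, None
        for _, _, ips in answers:
            current = set(ips)
            if previous is not None and current:
                # Fraction of this answer that was not in the previous one.
                churn_total += len(current - previous) / len(current)
            previous = current
            seen_ips |= current
            seen_nets |= {ip_network(f"{ip}/16", strict=False) for ip in ips}
        churn = churn_total / (len(answers) - 1) if len(answers) > 1 else 0.0
        stats[domain] = {
            "lookups": len(answers),
            "min_ttl": min(a[1] for a in answers),
            "distinct_ips": len(seen_ips),
            "distinct_nets": len(seen_nets),
            "churn": round(churn, 2),
        }
    return stats


def flag_fast_flux(records):
    """Return the domains for which every indicator crosses its threshold."""
    flagged = []
    for domain, s in summarize(records).items():
        if (s["min_ttl"] <= MAX_TTL
                and s["distinct_ips"] >= MIN_DISTINCT_IPS
                and s["distinct_nets"] >= MIN_DISTINCT_NETS
                and s["churn"] >= MIN_CHURN):
            flagged.append(domain)
    return sorted(flagged)


if __name__ == "__main__":
    for domain, s in summarize(SAMPLE_ANSWERS).items():
        print(domain, s)
    print("fast-flux candidates:", flag_fast_flux(SAMPLE_ANSWERS))
```

Requiring all four indicators together is deliberate: a CDN or a large load-balanced farm also answers with short TTLs and several addresses, but its pool is stable and sits in one or two networks, so it stays below the churn and prefix-diversity thresholds while the flux domain trips all of them.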

What to look out for?

Implementing botnet defenses is no longer optional; it is a necessity. Botnets are constantly evolving and can be expected to thrive for some time to come. Although every environment is different, some general recommendations include enforcing multi-factor authentication, quarantining infected endpoints, detecting traffic directed to known-malicious sites or the Tor network, and, for consumer devices like the set-top boxes above, keeping management services such as Telnet off the internet, among others.