Educational CyberPlayGround ®

Botnets explained

Ransomware programs,
Distributed denial of service, or DDoS, attack

The Fix:
Educate Network Operators to reconfigure their networks - Shut down misconfigured servers — called open resolvers.

Internet engineers said the attack was made possible by a combination of defects, loopholes and sloppy configuration of Internet routing equipment. Indeed, a number of computer security specialists pointed out that the attacks would have been impossible if the world's major Internet firms simply checked that outgoing data packets truly were being sent by their customers, rather than botnets. Unfortunately, a relatively small number of Internet companies actually perform this kind of check.

"Rules of the road" and “Best current practices"
to follow to defeat a threat known as "I.P. address spoofing", [ which is the ability for an attacker to hide behind a faked address that is crucial for denial-of-service attacks ]

is all laid out in a document known as BCP 38, but followed by a relatively small number of companies.

Organizations like the DNS Measurement Factory published a survey of top offenders by network, and more recently the Open Resolver Project published a full list of the 27 million open servers online.

4/3/18 Announcing 1.1.1.1: the fastest, privacy-first consumer DNS service
Cloudflare public DNS resolver uses the open-source Knot Resolver. This has aggressive caching and "negative caching" to improve performance. The first uses a distributed cache to improve the odds that, when you search for a popular site, Knot will already have the IP address ready to deliver to you. The second, based on RFC 8198, caches popular mistakes --wwww instead of www for example -- so minimal time is used in returning an error message. While 1.1.1.1 is fast, it's biggest improvements comes with protecting your privacy. When the Federal Communications Commission gutted net neutrality, it also opened the door for ISPs to track all your internet searches. ISPs can, and are, selling your browsing data.

2015

Ransomware programs based on encryptor Trojans

Trojan-Ransom.Win32.Scraper lands on users' computers via the Andromeda botnet and encrypts the victim's documents and demands a ransom ($300 or greater) to decrypt them. Although Scraper (TorLocker) encrypts all files with AES-256 + RSA-2048, in 70%+ cases they can be decrypted Tweet The file to be protected is encrypted by XORing with a certain key, and then injected into the protector's process. A large array of random bytes is stored in the protector's overlay. Kaspersky Lab has developed the ScraperDecryptor utility, which can be downloaded from Kaspersky Lab's technical support website.

TorLocker victims can decrypt most files without paying ransom.

 

"Utilities And Education The Most Bot-Infested Sectors."
Bot infestations pace breach disclosures.
http://www.darkreading.com/endpoint/utilities-and-education-the-most-bot-infested-sectors/d/d-id/1319863

2013 Ragebooter.net
DDoS-for-hire service owned by Justin Poland of Memphis, Tennessee accepts payment in exchange for knocking other sites offline and is perfectly legal. It also contains a backdoor that's actively monitored by the FBI. Ragebooter.net floods sites with huge amounts of junk traffic. The site, which accepts payment by PayPal, uses so-called DNS reflection attacks to amplify the torrents of junk traffic. The technique requires the attacker to spoof the IP address of lookup requests and bounce them off open domain name system servers. This can generate data floods directed at a target that are 50 times bigger than the original request. http://arstechnica.com/

2013 Attacks Used the Internet Against Itself to Clog Traffic How can such attacks be stopped? Not easily. The data stream grew from 10 billion bits per second last week to as much as 300 billion bits per second this week, the largest such attack ever reported, causing what CloudFlare estimated to be hundreds of millions of people to experience delays and error messages across the Web. "From our perspective, the attacks had the largest effect on London exchange, known as LINX” said Matthew Prince, CloudFlare's chief executive. [more]

Dos Attack Explained Denial-of-service (DoS) attacks are very common. They are used for extortion, political protest, revenge, or just LULz.

Criminals commanding such "botnets" can demand money from the companies inexchange for not crippling their online business.

Botnets were cracking the passwords and using them to commandeer Twitter accounts and send spam.

Use a firewall program that warns you about outgoing connections that botnets make to communicate with control software.

3/2012 'Non-Humans' Account for 51% of All Internet Traffic. "Hackers, spambots, botnets, scrapers and spies of sorts collecting proprietary business information and customer data from unsuspecting websites." "Hackers" (5 %) refers to hacking software that visits site to swipe credit-card information or crash sites (think of the ubiquitous DDoS attacks). "Scrapers" (another 5 %) refer to bots that copy content from other sites and post it on their own, to get search-engine traffic. Altogether, the robotic ne'er-do-wells cited above constitutes 31 % of all web traffic. The other 20 percent is the search engines themselves, the Googles and Bings of the Interwebbed world, whose servers work 'round-the-clock to index the Internet for our browsing pleasure.

2012 Top kingpins behind the some of the biggest spam botnets. Never-before-published information on “Google,” the lead hacker behind the world's busiest spam botnet — Cutwail.

 

BotNets

David Dagon, a Georgia Institute of Technology researcher who is a co-founder of Damballa, a start-up company focusing on controlling botnets, said the consensus among scientists is that botnet programs are present on about 11 percent of the more than 650 million computers attached to the Internet. Plagues of viruses and other malicious programs have periodically swept through the Internet since 1988, when there were only 60,000 computers online. Each time, computer security managers and users have cleaned up the damage and patched holes in systems. In recent years, however, such attacks have increasingly become endemic, forcing increasingly stringent security responses. And the emergence of botnets has alarmed not just computer security experts, but also specialists who created the early Internet infrastructure. According to the annual intelligence report of MessageLabs, a New York-based computer security firm, more than 80 percent of all spam now originates from botnets. Last month, for the first time ever, a single Internet service provider generated more than one billion spam e-mail messages in a 24-hour period, according to a ranking system maintained by Trend Micro, the computer security firm.
So far botnets have predominantly infected Windows-based computers, although there have been scattered reports of botnet-related attacks on computers running the Linux and Macintosh operating systems. The programs are often created by small groups of code writers in Eastern Europe and elsewhere and distributed in a variety of ways, including e-mail attachments and downloads by users who do not know they are getting something malicious. They can even be present in pirated software sold on online auction sites. Once installed on Internet-connected PCs, they can be controlled using a widely available communications system called Internet Relay Chat, or I.R.C. There are more than 250,000 new botnet infections daily - 2007