The Mindset of Criminal Botnet Operators

Changing your perspective to secure Internet of Things infrastructure.

In my second post I want to take a deeper look into the mindset of botnet operators to better understand their motivation. In other words, let’s take a journey and think like a criminal. Doing so gives you insights to strengthen your own infrastructure and secure its weak points.

Currently we face two types of botnet operators: those set up by intelligence services and those run by criminals. Of course, intelligence services also use criminal infrastructure, either by hijacking it or by renting it. For our journey, however, it is important that we focus on criminals, as intelligence services have a different motivation and different resources in terms of manpower, computing power and money.

Let’s have a look at the criminal side of botnet operators

The main motivation for criminal activity in the botnet scene is described in one word: money. You could extend this to two words: more money. Yes, it really is that simple. Operating a botnet is all about earning money, and there are different ways a botnet operator can create revenue streams:

  • Provide the botnet’s capabilities in a Software as a Service model. This means a third party can rent the botnet for its own purposes, such as distributing spyware or launching DDoS attacks.
  • Use the botnet for the operator’s own revenue: distributing ransomware or crypto-miners, running DDoS attacks, or selling the infrastructure together with its zombie army to other parties.

As criminal operators have limited resources, they choose their tools and targets wisely to create maximum impact for growing a botnet. The acquisition of zombies has to be automated; otherwise you cannot quickly grow a massive army of a few hundred thousand zombies. This leads to a focus on widely distributed device types with rather common unpatched vulnerabilities. For example, the Mirai botnet focused on IP cameras with open ports and 61 well-known factory-default passwords to get admin access on the device. Other common targets are routers or web servers running widely distributed content management or database management interfaces. The vulnerability also needs to be simple to exploit, as the attacks have to run automatically. Botnet operators’ scripts scan IP addresses, device types and ports, test them for common vulnerabilities, and change configuration files on the victim’s device to capture it and gain control. Last but not least, attackers have to “secure” their device changes to keep control of the new zombie.

Botnet operators “secure” their zombies

What, they secure the captured device? Yes, of course. Every device in the botnet is important and an operator wants to safeguard their “investment”. For them it is necessary to prevent other botnet operators from capturing the device as well, and to stop the owner of the device from easily regaining control of it. This leads to the absurd situation that botnet operators fix the device’s vulnerabilities after they have captured it. They also cut the device off from the owner’s reset tools, or implement tools that automatically restore the configuration to botnet control. Disrupting the vendor’s ability to re-patch infected devices is an important action for botnet operators.

Lessons for operators and vendors

From the perspective of a device operator or vendor you need to focus on four areas:

  1. Device security: close vulnerabilities through continuous updates and patches
  2. Identify devices with “uncommon” behavior and settings, and “heal” them by factory reset and patching
  3. Protect the update and patch distribution service from being blocked, misused or captured
  4. Provide resilient services to fix devices in case of ongoing botnet capture attacks
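As an added example (not part of the original post or of asvin.io’s tooling), here is a small Python audit over a device inventory that applies points 1 to 3 together with the Mirai observations above: it flags factory-default credentials, management ports reachable from the internet, outdated firmware, and the two signs of a “secured” zombie, an update source redirected away from the vendor and an owner-facing management interface that no longer answers. The credential list, ports, hostnames and fleet records are all constructed for illustration and are not real vendor data.

```python
from dataclasses import dataclass

# All values below are constructed for this example, not real vendor data.
FACTORY_CREDENTIALS = {("admin", "admin"), ("root", "12345"), ("user", "user")}
MANAGEMENT_PORTS = {23, 2323, 80, 8080}          # telnet/http admin ports
VENDOR_UPDATE_HOST = "updates.vendor.invalid"    # hypothetical vendor host
MINIMUM_FIRMWARE = (2, 4, 0)                     # oldest patched release

@dataclass
class Device:
    device_id: str
    credentials: tuple        # (username, password) configured on the device
    wan_open_ports: set       # ports the inventory scan found reachable from the internet
    firmware: tuple           # e.g. (2, 3, 1)
    update_host: str          # host the device pulls firmware updates from
    admin_interface_up: bool  # owner's reset/management interface still answers

def audit_device(dev):
    """Return the list of findings for one device; an empty list means it looks healthy."""
    findings = []
    if dev.credentials in FACTORY_CREDENTIALS:
        findings.append("factory credentials still in use")
    exposed = dev.wan_open_ports & MANAGEMENT_PORTS
    if exposed:
        findings.append(f"management ports {sorted(exposed)} reachable from the internet")
    if dev.firmware < MINIMUM_FIRMWARE:
        findings.append("firmware below patched baseline")
    # A patched device that now talks to a foreign update host and has lost its
    # owner-facing interface matches the "secured zombie" pattern described above.
    if dev.update_host != VENDOR_UPDATE_HOST:
        findings.append(f"update source redirected to {dev.update_host}")
    if not dev.admin_interface_up:
        findings.append("owner's management interface no longer answers")
    return findings

def audit_fleet(devices):
    """Map device_id -> findings for every device that needs attention."""
    report = {}
    for dev in devices:
        findings = audit_device(dev)
        if findings:
            report[dev.device_id] = findings
    return report

# Constructed sample fleet: a healthy camera, a Mirai-style easy target, and one
# that looks "patched" but has been taken over by a botnet operator.
SAMPLE_FLEET = [
    Device("cam-0001", ("ops", "Xk9!vq2L"), set(), (2, 4, 1), VENDOR_UPDATE_HOST, True),
    Device("cam-0002", ("admin", "admin"), {23, 80}, (2, 1, 0), VENDOR_UPDATE_HOST, True),
    Device("cam-0003", ("ops", "Rz4%mn8P"), set(), (2, 4, 1), "c2.attacker.invalid", False),
]
```

Running `audit_fleet(SAMPLE_FLEET)` reports cam-0002 for the classic weaknesses and cam-0003 only for the takeover indicators, which is exactly the device a patch-level check alone would miss.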

At asvin.io my team is working on all four aspects. It is our mission to provide good answers for vendors and operators on these four action points.