Zerobot is a self-sustaining botnet. Its main function is to reproduce, moving through vulnerable hosts and turning them into zombie devices that are subjugated to its will. Each recruit spreads to a nearby host, blindly grabbing the next device it can infect. Over time, its designers hope the botnet will spread exponentially, expanding to span hundreds of thousands, if not millions, of devices.
This process may not always go smoothly: botnets can be depleted at any time when other criminals discover the same poorly secured devices, whether internet routers, doorbell cameras or smart refrigerators, and reset them, wiping any existing malware. “Some devices change owners two or three times a day,” says Bogdan Botezatu, director of threat research at BitDefender. But once a botnet has grown large enough, the gang controlling it can launch Distributed Denial of Service (DDoS) attacks and extort businesses in exchange for restoring their online presence, or use the infected IoT devices to gain access to the heart of an organization so that others can deploy ransomware to its most critical systems.
There are fleets of zombie devices written in Java and Golang used by cybercriminals around the world. Worse still, the malware they deploy is becoming increasingly sophisticated, expanding the range of devices that “botmasters” can bend to their will. Zerobot, for example, can now compromise firewalls, routers and CCTV cameras, regularly adding new features and expanding its device coverage and therefore its potential power. Regulations are being drafted that demand security be built into IoT devices when they are manufactured – but for those already in the wild, it may already be too late.
Botnet Zerobot and Enterprise IoT
Zerobot is a case in point. A powerful and scalable threat written in the Go programming language, the botnet malware probes each device for up to seven known vulnerabilities, a Windows research report recently said. Unlike some other IoT-focused malware, Zerobot is offered as DDoS for hire, or a “booter,” with the power of large botnets sold and priced by the hour across multiple domains on the web. Such sites, reads a recent US Department of Justice bulletin, “have been used to launch millions of actual or attempted DDoS attacks.” Despite a crackdown by the FBI in December, the botnet is still at large.
The actual cost of using a botnet can vary wildly, ranging from $5 for a simple test to a full DDoS attack priced at $6,500. The returns from turning these botnets against popular services can more than justify the initial cost. “Take the World Cup,” says Botezatu. “Everyone is betting online when suddenly a botnet hits agency websites. The criminals say they will prevent further bets from being placed until they receive $100,000 in bitcoins.”
Botnets can also provide lucrative access to corporate systems, much like an Initial Access Broker (IAB) in a ransomware gang. “Cybercriminals know what kind of hosts they have compromised, so they will sell access to infected devices to criminals who want to take the attack even further,” says Botezatu.
A notorious IoT botnet called Mirai provided the blueprint for most current IoT DDoS attacks. At its peak, the botnet had infected over 600,000 vulnerable IoT devices. In September 2016, it was used to cut off internet access across most of the US East Coast by attacking Dyn, an internet infrastructure company based in New Hampshire. At noon that day, the company was hit by a second DDoS attack, and another wave four hours later, choking internet traffic across the region.
This is a situation that has the potential to get much worse. Most IoT devices were designed to prioritize functionality over security, thanks to the absence of strict standards protecting them from malware. As a result, large swaths of the estimated 15.1 billion IoT connections embedded in homes, offices and warehouses are vulnerable to hacking by criminal gangs. Such devices are also at risk of being taken over by state actors – a threat that looms larger when you consider that around 14.7 billion IoT devices will provide vital, industry-specific services in the areas of energy, transport, retail and healthcare.
Somewhat belatedly, the UK, EU and US have all passed, or are about to pass, legislation imposing stricter cybersecurity standards for IoT networks. However, this does not prevent citizens from buying unsafe products abroad, which makes international standards necessary. Singapore has proven to be a leader in this regard, concluding an agreement in October 2021 with Finland providing for mutual recognition of each other’s IoT security standards. The following year, Singapore embarked on a similar partnership with Germany, before signing a tripartite agreement with the UK and Canada on IoT security. “Our three governments are working together to promote and support the development of international standards and industry guidance,” the statement read.
International agreements such as these will naturally take time to implement. Until that happens, consumers and businesses will be plagued by the dangers of unsecured IoT devices. The best way for CISOs to maintain security in the meantime, says David Emm, threat researcher at Kaspersky, is to “engage in active monitoring of their networks.” For large enterprises, this may require the use of machine learning algorithms.
“There are products that will allow companies to monitor their environment in this way,” adds Emm. “These products and services use machine learning to provide effective threat analysis and detection.”
They will certainly be busy. Part of the reason botnets have become so sophisticated in recent years, Botezatu explains, is malicious innovation by nation states competing to undermine each other’s systems. The power of malware spread by Zerobot or Emotet, for example, has its roots in the current war in Ukraine, with code written by apex-predator hackers based in Moscow and Kyiv filtering down the food chain to garden-variety hackers embedded in criminal gangs. Companies should therefore not be surprised to discover that the malware infecting their camera systems and security barriers originated in a desperate military operation in the heart of the Donbas.