Having debuted in the early 2000s as rudimentary spam-only tools, botnets have since extended their reach in terms of exploitation scenarios. Today, this malware-backed phenomenon has been at the core of much more impactful attacks, such as DDoS, covert coin mining, email scraping, credential stuffing, comment spam, click frauds, and data theft.
The peril might not hit the headlines as much as ransomware and data breaches do, but it’s definitely not an underdog in the cybercrime arena. According to Imperva, so-called bad bots accounted for 27.7% of global internet traffic in 2022.
Enterprises often end up in the crosshairs of botnet operators, and for good reason. By gaining a foothold in an organization’s network, intruders try to move laterally and infect multiple devices in one fell swoop. These endpoints are then parasitized to orchestrate cyberattacks.
Most employees have no idea that their devices are potentially plagued by malicious code that surreptitiously fulfills commands from a remote server. Higher-than-normal processor load and network usage are typically the only conspicuous giveaways, but the average layman will overlook or ignore this abnormality.
Recent botnets that keep companies on their toes
The words Dridex and Zeus are most likely in every CISO’s vocabulary. These are botnets that dexterously steal users’ e-banking credentials and other sensitive data on a massive scale. Another infamous example called Mirai enslaves IoT devices to mount hefty DDoS attacks.
This threat landscape has been changing as new powerful botnets step in. The one dubbed Meris fits the mold of a game-changer. Discovered in the summer of 2021, it has become a catalyst for the largest DDoS attacks to date.
Meris uses an army of more than 250,000 bots, most of which are switches, routers, and IoT gateways. It stands out from the crowd because it fires volumetric (or application layer) denial-of-service onslaughts against organizations. This DDoS spin-off is extremely rare and hadn’t been observed in the wild for at least five years before Meris splashed onto the scene.
Contrary to most incursions that try to congest a target network’s bandwidth with malformed traffic packets, this offensive strategy has been geared toward swamping a server’s CPU and memory with an insanely large number of requests. The power of such an attack gets measured in requests per second (rps).
In August 2021, Cloudflare mitigated a Meris onslaught that reached 17.2 million rps. It was three times more powerful than any volumetric attack recorded before. Later that month, analysts observed one more outbreak that beat the previous record, peaking at 21.8 million rps.
It’s very problematic to curb such botnets because they zero-in on IoT devices, many of which are notoriously insecure. These bots stay under perpetrators’ control until users change the default admin console passwords or update the firmware. Unfortunately, some network admins neglect to take these precautions, only to leave their digital ecosystems exposed indefinitely.
How to avoid botnet malware
No matter how vanilla it may sound, proactive security can stop these attacks in their tracks. Since some IT teams find this concept opaque, let’s get into specifics:
- Take updates seriously. Malicious programs that sustain botnet activity often leverage software vulnerabilities to compromise systems. Timely software updates close most of these security gaps for good.
- Make the most of antivirus software. Choose a product that comes with a fusion of signature-based and behavioral analysis. This will ensure an accurate detection of both mainstream malware and polymorphic threats whose footprint is permanently changing.
- Ignore suspicious emails. Phishing has emerged as one of the top techniques used by botnet makers to plague devices. Employees should be leery of emails that ask them to open an attachment or follow a link.
- Enable a firewall. When botnet malware crops up in a system, it receives commands from its operators and sends out the harvested data. A firewall pulls the plug on dubious internet traffic spawned during this sketchy network communication, breaking the attack cycle. One type called the web application firewall (WAF) can thwart DDoS raids by filtering rogue incoming traffic.
- Stick to official software. It’s risky to use pirated applications. Most of them don’t get security updates and therefore turn systems into low-hanging fruit. Furthermore, some cracked programs available on dodgy software marketplaces are malware in disguise or trojanized versions of legitimate utilities.
- Step up the company’s authentication practices. Two-factor authentication (2FA) is important because some botnet deployers try to brute-force users’ credentials to get in and expand the attack surface. Combined with the use of a wildcard SSL certificate that encrypts communications flowing from all corporate subdomains, 2FA raises the bar for unauthorized sign-in attempts and password theft.
- Limit user access rights. In enterprise environments, zero-trust and the principle of least privilege make a huge difference. Don’t give employees more permissions to access corporate assets than they need for their work.
- Make security awareness a top ally. Botnet authors think outside the box to master new methods for penetrating networks and getting around protection tools. Therefore, hone your teams’ knowledge about emerging attack vectors through regular security awareness training.
To recap, botnets pose a two-pronged threat to enterprises. First, attackers can use an infected corporate network as a launch pad for cyberattacks. Second, many organizations are on the receiving end of botnet-triggered DDoS and other attacks themselves. To avoid botnet attacks leverage a mix of these recommendations and bear in mind that security requires continuous effort.
David Balaban, owner, Privacy-PC
