Protect Your Business from Malware Bots and Botnets


August 5, 2024

Many people use automated software applications, sometimes called “bots,” that take over mundane tasks and operate without human intervention. Behind the scenes, IT teams routinely use bots called “agents” or “clients” that act as automated administrators: they keep computers patched and updated, enforce security policies, make configuration changes, and regularly report compliance status to a controller. These bots are incredibly useful to information security teams and save countless hours compared with performing the same tasks manually. Unfortunately, the same capability can be used by cybercriminals to create malware bots for malicious purposes.

Malware bots can quickly and easily infect devices, turning each one into part of a botnet used to perpetrate disruptive cyberattacks such as ransomware, data exfiltration, data breaches, Distributed Denial of Service (DDoS), and phishing and spam email campaigns.

To defend against malware bots and botnets, businesses need to understand what they are, how to detect them, and what preventative measures they can take.   

What are malicious bots?

Malicious bots are individual devices (commonly called endpoints) infected with botnet malware. Once infected, a malware bot connects to a command and control (C&C) server operated by a threat actor, also called the “bot master” or “bot herder.” In most cases, botnet malware can self-propagate, infecting a large number of other devices to grow the botnet. Botnets can execute large-scale cyberattacks, increasing the risk to businesses and individual users.

The anatomy of a malware bot.  

Malware proliferation leads to more bots and larger botnets. Threat actors spread botnet malware, such as Betabot, Mazar, Qak, or Amadey, through email, fake ads, or social media posts. Infected devices, now malware bots, report to a command and control (C2) server and execute the commands and scripts sent to them, allowing the bot herder to control all of their bots remotely. Some malware bots use peer-to-peer C2 instead of a centralized server.

Throughout its lifecycle, a malware bot stays hidden from legitimate users, and some malware bots can even evade detection by traditional antivirus programs, reinforcing the need for advanced security measures to prevent botnet infections.

Types of malware bots 

The types of malware bots are as varied as the devices they infect. Different types of malware bots include:  

Ransomware bots.  

Ransomware is one of the greatest cyber threats to modern businesses. Ransomware bots automate the ransomware delivery process, from initial infection through encrypting the data on the endpoint and delivering a ransom demand. Most often, ransomware bots infect a device through email phishing and deploy the ransomware payload after identifying sensitive data and scanning network shared drives. Newer ransomware bots also exfiltrate data to their C2 server so that the bot herder can threaten to publicly disclose data if the ransom is not paid.  

Remote Access Trojans (RATs).  

RATs are a type of malware that gives attackers complete control over a device and lets them steal information. If you’ve ever declined a suspicious call from “technical support” offering to fix an urgent computer issue, you’ve likely avoided being infected with a RAT. Because RATs require a user to execute an infected file, they are often spread via social engineering scams, such as fraudulent tech support calls or phishing links.

Data-stealing bots.  

Data-stealing bots are stealthy, nefarious bots that infect devices and extract data without the user’s knowledge. Like RATs, data-stealing bots can use keyloggers to capture sensitive data like passwords or credit card numbers, but they do not allow attackers to remotely control a device.  

DDoS bots.

DDoS bots are versatile; they allow threat actors to flood a target with traffic or use burst attacks that are harder to mitigate, rendering the target website or services inaccessible. In addition to websites, DDoS attack bots can also target Application Programming Interfaces (APIs), overloading servers and leading to poor response times.  

Spam bots.

What do spam bots do? These malware bots are used to send large volumes of spam messages, often via email, although they can operate on other platforms, such as social media. As with email phishing attacks, spam bots try to trick users into installing the malware bot using a false sense of urgency.  

Cryptojacking bot.  

These malware bots hijack a device’s processing resources and use them to mine cryptocurrency. Because crypto mining performs many complex calculations, it is extremely resource-intensive and can degrade the performance of affected devices and increase energy bills.

Malware distribution bots.   

Threat actors use malware distribution bots to spread malware to unsuspecting users, including botnet malware, ransomware, trojan bots, or botnet spyware. Fake ads and email phishing links are common delivery methods for malware distribution bots.  

Malware bots prey on targets of opportunity.  

Malware bots can also find follow-on targets against which to execute additional attacks. For example, once a RAT is deployed within a network, it can scan for additional targets, harvest internal email addresses for potential spam campaigns, or conduct phishing campaigns that appear to be from legitimate sources.  

The impact of malware bots on businesses.  

Botnets inflict direct and indirect damage. Ransomware bots can completely disrupt business operations, while data-stealing bots threaten intellectual property and customer data. Over the years, several botnet malware families have achieved notoriety due to their widespread impact:

TrickBot.  

Technology is always evolving, and malware bots are no exception. TrickBot started as a banking trojan that infected devices via malicious links. Over time, TrickBot evolved into a precursor for ransomware variants such as Ryuk and Conti: threat actors used TrickBot to gain initial access to a network and then pivoted to deploy ransomware.

Mazar bot.  

The Mazar Bot primarily targeted Android devices. Threat actors had full remote control over infected devices, including sending SMS messages, making calls, and accessing personal data. With this level of control and access, a malicious actor could easily extract sensitive personal or corporate information.   

911 S5 botnet.  

The “world’s largest botnet” consisted of more than 19 million IP addresses before being taken down by the FBI. The 911 S5 botnet spread its malware through free VPN programs, bundling backdoor software with the other software being installed.

Rustock botnet.  

The Rustock botnet was one of the largest spam botnets, capable of sending millions of spam emails daily. Rustock was stealthy: it could evade detection by antivirus software, and it used redundant C&C servers and peer-to-peer communication to maintain persistence within a network.

Mariposa botnet.  

Mariposa, the “butterfly” botnet, was one of the largest botnets, infecting nearly 13 million computers worldwide, primarily via peer-to-peer file sharing and infected USB devices. Mariposa was used for DDoS attacks and information theft, sending credit card, banking, and other sensitive information back to the threat actor’s C2 server before coordinated law enforcement actions disrupted the botnet.

DNSChanger.  

Domain Name System (DNS) is the backbone of internet navigation, and businesses rely on DNS to effectively navigate traffic to and from their websites. DNSChanger was a DNS hijacking trojan that changed a website’s DNS settings, redirecting users to malicious websites. Millions of devices were impacted by DNSChanger before the FBI and other agencies conducted a large-scale operation to dismantle the DNSChanger network.  

Mirai botnet.   

The infamous Mirai botnet compromised countless Internet of Things (IoT) devices and conducted a large-scale DDoS attack that adversely impacted several high-profile websites and services. The DNS infrastructure company Dyn was one of Mirai’s more notable victims, and its outage took down several popular websites.

Detection and prevention.  

In addition to perpetrating cyberattacks, bots disrupt the user experience and drain business resources. The challenge security and IT teams face is blocking bot traffic without impacting legitimate users. Strategies for detecting and preventing malware bots from wreaking havoc within your network include:

Use antivirus and update virus definitions.  

Antivirus software is a good first line of defense against malware. Tools such as Next-Gen Antivirus (NGAV) use behavioral detection and AI/ML to catch malware that hides from traditional signature-based antivirus software. As a best practice, keep virus definitions up to date.

Analyze network traffic.  

Monitoring network traffic and DNS queries can reveal unusual patterns or spikes in activity that indicate botnet communication. Businesses that run intrusion detection systems (IDS) can also look for known malware signatures.
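As an added illustration of the DNS-query monitoring described above (example code written for this article, not Vercara’s or the original author’s), the following flags two patterns in a resolver log: a client that resolves one name on a fixed timer, and a client whose query volume is far above the fleet median. The log format, client addresses and domain names are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev
# Constructed sample resolver log (not real traffic): "<ISO timestamp> <client> <qname>".
# 10.1.1.8 asks the same name every 30 s, the footprint of a C2 check-in timer.
SAMPLE_LOG = """\
2024-08-05T09:00:00 10.1.1.5 intranet.example.com
2024-08-05T09:00:12 10.1.1.5 mail.example.com
2024-08-05T09:07:05 10.1.1.5 intranet.example.com
2024-08-05T09:00:03 10.1.1.9 intranet.example.com
2024-08-05T09:02:48 10.1.1.9 docs.example.com
2024-08-05T09:00:00 10.1.1.8 update-check.invalid
2024-08-05T09:00:30 10.1.1.8 update-check.invalid
2024-08-05T09:01:00 10.1.1.8 update-check.invalid
2024-08-05T09:01:30 10.1.1.8 update-check.invalid
2024-08-05T09:02:00 10.1.1.8 update-check.invalid
2024-08-05T09:02:30 10.1.1.8 update-check.invalid
2024-08-05T09:03:00 10.1.1.8 update-check.invalid
"""

def parse_log(text):
    """Group query timestamps by (client, qname); malformed lines are skipped."""
    events = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:  # skip truncated or garbled lines rather than crash
            ts, client, qname = parts
            events[(client, qname.lower().rstrip("."))].append(datetime.fromisoformat(ts))
    return events

def find_beacons(events, min_queries=5, max_cv=0.2):
    """Return (client, qname, period_s) where inter-query gaps are near-constant (a timer)."""
    hits = []
    for (client, qname), stamps in events.items():
        if len(stamps) < min_queries:
            continue
        stamps = sorted(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Coefficient of variation close to 0 means a fixed schedule, not a human.
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((client, qname, round(avg)))
    return hits

def find_volume_spikes(events, factor=2.0):
    """Return clients whose total query count exceeds factor x the fleet median."""
    per_client = defaultdict(int)
    for (client, _), stamps in events.items():
        per_client[client] += len(stamps)
    baseline = median(per_client.values())
    return sorted(c for c, n in per_client.items() if n > factor * baseline)
```

On real resolver logs the thresholds need tuning: legitimate agents also poll on timers, so a beacon hit is a lead to triage against an allow list, not a verdict.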

Behavior-based detection and prevention.  

Legitimate users are often unaware that their device has been hijacked and turned into a malware bot. User behavior analytics can detect abnormal user activity that may indicate a compromised account. Use behavior-based prevention on all endpoints to detect suspicious processes, API calls, and similar activity.

Limit software installations.   

Malicious downloads are an easy way to spread bots. As a best practice, restrict software installations to trusted repositories only, and never download or run executable files sent via email.

Train internal users.   

While bots can easily spread via social engineering attacks that trick users, your employees don’t have to be a cyber liability. Effective cybersecurity education should train users to be wary of insecure websites, urgent emails with links and attachments, and other social engineering scams meant to enable data theft. Ensure training documentation is easily accessible and encourage users to report all suspicious behavior.   

Protective DNS.  

Every online interaction begins with a DNS query. Because of this, a cloud-based filtering DNS resolver is a cost-effective, scalable way to block malware bots and their C2 traffic. Vercara’s UltraDDR Protective DNS stops phishing, malware, and ransomware attacks using big data and artificial intelligence (AI) techniques to identify malicious domains.

Stop bot attacks in their tracks.  

Malware bots are a risk for businesses of all sizes. Modern businesses need reliable, scalable protection from automated bot attacks. Preventative solutions should be able to identify and block malicious traffic based on known behavioral patterns and analytics.    

To learn how Vercara’s UltraDDR can help you detect and manage bots, visit the solution page.

Last Updated: August 5, 2024