15+ years of botnets

As we were preparing to celebrate our 15-year anniversary, news broke that another large botnet is running around infecting home routers. This time it uses an older vulnerability that should have been patched years ago:

BCMUPnP_Hunter finds its prey by scanning for vulnerable UPnP on TCP port 5431, followed by UDP port 1900 used by Broadcom’s implementation.

Home routers are a favorite vehicle for botnets because there are a bunch of them online and they are rarely updated or even thought of once they've been installed.  Today's a good day to add “check on router” to your home maintenance checklist.
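A defender-side check for the probe pattern quoted above, as an added example that is not part of the original post: it flags WAN sources that hit TCP 5431 and then UDP 1900 within a time window. The log format, interface name, addresses, and the 10-minute default window are constructed assumptions, and the log is assumed to be in time order.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in an iptables-style format (not real traffic).
SAMPLE_LOG = """\
2018-11-12T03:14:07Z IN=wan SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP DPT=5431
2018-11-12T03:14:09Z IN=wan SRC=203.0.113.7 DST=198.51.100.2 PROTO=UDP DPT=1900
2018-11-12T03:20:00Z IN=wan SRC=192.0.2.44 DST=198.51.100.2 PROTO=UDP DPT=1900
2018-11-12T04:00:00Z IN=wan SRC=192.0.2.90 DST=198.51.100.2 PROTO=TCP DPT=5431
2018-11-12T06:30:00Z IN=wan SRC=192.0.2.90 DST=198.51.100.2 PROTO=UDP DPT=1900
2018-11-12T07:00:00Z IN=lan SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP DPT=5431
garbage line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IN=(?P<iface>\S+) SRC=(?P<src>\S+) DST=\S+ "
    r"PROTO=(?P<proto>TCP|UDP) DPT=(?P<dpt>\d+)$"
)

def find_upnp_probe_sequences(log_text, window=timedelta(minutes=10), wan_iface="wan"):
    """Return {src: (tcp_time, udp_time)} for WAN sources that hit TCP 5431
    and then UDP 1900 within `window`. Unparseable lines are skipped."""
    last_tcp = {}  # src -> time of most recent TCP/5431 hit
    flagged = {}   # src -> first matching (TCP time, UDP time) pair
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["iface"] != wan_iface:
            continue  # ignore malformed lines and LAN-side traffic
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        src, key = m["src"], (m["proto"], int(m["dpt"]))
        if key == ("TCP", 5431):
            last_tcp[src] = ts
        elif key == ("UDP", 1900) and src in last_tcp and src not in flagged:
            if timedelta(0) <= ts - last_tcp[src] <= window:
                flagged[src] = (last_tcp[src], ts)
    return flagged

if __name__ == "__main__":
    for src, (t1, t2) in find_upnp_probe_sequences(SAMPLE_LOG).items():
        print(f"{src}: TCP/5431 at {t1}, then UDP/1900 at {t2}")
```

Any inbound hit on these ports at the WAN interface also means UPnP is reachable from the Internet, which is worth closing off regardless of what this check reports.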

The news about BCMUPnP_Hunter caused me to wonder about botnets in general.  How long have we been dealing with them, anyway?  What was the first botnet?  How did it work? 

What is a botnet?

The term botnet is short for robot network. A botnet is sometimes referred to as a zombie network.

Let's back up for a minute and talk about what a botnet is.  Put simply, a ‘bot' is an application that can execute scripts over the Internet.  These bots perform tasks that are automated because humans simply could not perform the same amount of work in a reasonable way.  For example, chatbots are often used to route online customer service inquiries, and search engine bots crawl through the Internet to analyze what's out there and help us find it on demand. 

These are just basic examples of legitimate bot use; there are many malicious uses of bots, like automated “spambots” that are designed to launch massive spam campaigns from a compromised system.  There are many types of malicious bots, and when they are networked together, the result is a ‘botnet.'

Botnets have a master with a purpose

Botnets are large networks of infected computers, all controlled by a central operator known as a ‘botmaster.' These operators are criminals attempting to scale up operations to improve their profits on their latest scams. In the case of BCMUPnP_Hunter, researchers believe the purpose of the botnet is to increase the volume of spam being sent by the operators. Other botnets like VPNFilter watch for data patterns such as usernames and passwords so that the operator can capture that sensitive data. Many bots perform Denial of Service and DDoS attacks, which savvy criminals have turned into a profitable service for anyone with enough money to pay.

Bots have been around on Internet Relay Chat (IRC) networks since the late 1980s, performing tasks like keep-alive services for gaming and chat servers. By 1999 there were multiple ‘botnets' in action, watching IRC channels for vulnerable machines. In the following year, the IRC network was spreading ‘Gtbot,' the first Denial of Service botnet. By this time bots had also expanded beyond IRC to HTTP, ICMP, and other spaces. The first search engine bot, WebCrawler, was purchased and deployed by AOL in 1995.

Botnets go big

Botnets didn't gain notoriety in the mainstream business community until around the year 2000 when Khan C. Smith of Tennessee was able to get roughly $3 million in profits from 1.25 billion phishing emails that allowed him to access stolen credit card numbers and passwords from EarthLink users.  This attack resulted in “the largest fraudulent spam judgment since the Internet was created” when a judge ordered Smith to compensate EarthLink Inc. $25 million for the crime.

In 2007 the Internet was hit with the Storm Worm, which was the world's first peer-to-peer botnet. Although it was called a worm, Storm was actually a botnet that could follow the commands issued by the central criminal controller. Storm was able to send spam, launch DoS attacks, and more. The Cutwail botnet was also created in 2007 and at one point was responsible for nearly half the world's spam. A similar botnet, Grum, was operating with Command & Control (C&C) servers all over the world, making it more difficult for law enforcement to shut them down. Grum was responsible for 18% of the world's spam by 2012.

Botnets get smarter

Botnets continued to grow and get smarter. Kraken hit the Internet in 2008, infected 10% of the Fortune 500 companies, and was the first botnet observed to use evasion techniques that allowed it to hide from anti-malware software. It was dismantled by law enforcement but ‘born again' in 2010, this time using a framework called Butterfly, which assisted in the infection process. Butterfly was also used to build Mariposa, a botnet made up of 12.7 million machines. For some cool reading on the takedown of Mariposa, read the articles here and here.

The massive Mirai botnet was used to take down several huge sites back in 2016.  Rather than attacking the sites directly, Mirai attacked a key piece of infrastructure in such a way that even sites like Reddit, Spotify, and Twitter were inaccessible.  Mirai went after machines beyond the PC, mobile phone, and router.  Internet of Things devices like cameras, baby monitors, and other ‘smart' devices are running on stripped-down versions of Linux.  These things are rarely ‘managed' the way they should be.  Note:  change that checklist item to “check on router and things.”

It's more than spam and DDoS

Botnets like Methbot (2016) and Smominru (2017) use newer methods to steal money for their botmasters. Methbot was the largest ad-fraud botnet when it was dismantled in 2016, generating between $3-6 million per day in fraudulent pay-per-click (PPC) advertising schemes. Smominru used EternalBlue and other exploits to install cryptominers on vulnerable machines. This botnet had illegally mined roughly $2.5 million as of May 2018.

Smominru is also the nasty botnet that spread the WannaCry attack in May of 2017. Unfortunately, WannaCry is still kicking; Kaspersky reports that WannaCry was detected in 28.72% of cryptor attacks in Q3 of 2018.

Summing it up

Obviously botnets, spam, and other big bad things were here long before Barracuda arrived on the scene in 2003. In fact, Barracuda was founded on the premise that spam was growing at an exponential rate and was a tremendous threat to every company's productivity. The Barracuda Spam Firewall protected companies against botnet spam by fighting it before it ever reached the email server. Now we offer multiple layers of email security so that the spam doesn't even get to the network. And we train your users and monitor for real-time social engineering attacks.

Barracuda also offers a portfolio of network and application security and data protection solutions that protect your assets from botnets and other attacks, wherever your resources are located.  Visit our corporate site here for more information.  