Over the last several months we have explored a number of attack marketplaces along with the different tools and services offered on the Darknet. In this post we are going to take a deeper look at the different malware and botnet services found on the Darknet.
A botnet is a collection of compromised computers that are often referred to as zombies, slaves, or bots. These devices are infected by malware that allows the attacker to ultimately control the compromised computers. The owner of a botnet is often referred to as a "herder" and is able to control the infected devices through covert channels, such as Internet Relay Chat (IRC), that allow the attacker to issue commands. These commands, entered into the Command and Control (C&C) server, tell the bots in the botnet what to do, such as performing denial of service attacks, sending spam with ransomware attached, or stealing information.
We have even seen the rise of smartphone botnets over the last few years. Malware like DroidJack is easily leveraged to target mobile users via malicious third-party app stores that offer popular games like Pokémon Go, but with a surprise waiting inside the unverified Android application package (APK). Once infected, devices can perform tasks like recording audio and video, taking photos, sending text messages, opening webpages, stealing user data, deleting files, launching denial of service attacks via HTTP floods and performing web injections if supported.
To compound this problem, not only are computers and mobile devices susceptible to being enslaved into a botnet, but so are Internet of Things (IoT) devices like your wearables, remotely managed environmental devices, industrial systems, and even printers and routers. All of these newly connected devices run code on a microprocessor and are all susceptible to being enslaved in a botnet. There is little to no oversight or security for these IoT devices, and they are normally connected to the internet in their default configuration. This means any hacker able to scan for these devices can also use simple online tools like RouterPassword.com to check whether the device still has its default login, admin:admin. If the device is still in its default configuration, a hacker can compromise it and inject malware, bringing it under their control just like a PC or a phone. Many groups like Lizard Squad have successfully done this with routers and most recently with CCTV cameras.
All of these methods for creating a botnet have helped contribute to the growth of the attack marketplace found on both the Darknet and the Clearnet. At the rate we are seeing DDoS attacks, ransomware campaigns and information theft, it's no wonder there are so many vendors selling botnet-related services. Botnets are big business that leads to financial gain. A few years ago it was very difficult to buy or rent a botnet. Most had to build their own or rely on a friend to help guide them. Today the average 12-year-old armed with their allowance converted to Bitcoin can shop till they can drop a server. At most marketplaces found on the Darknet, a potential attacker can buy anything from DDoS as a Service and botnet rentals to full package botnets and enslaved packages containing thousands of infected computers for just a few bucks. They can even purchase bulletproof hosting to keep their C&Cs well protected.
DiamondFox – Also known as Gorynch. Capable of launching DDoS attacks, RAM scraping for credit card information and passwords, and VM and researcher detection, and contains a USB/Dropbox spreader. This botnet communicates over HTTP with a C&C developed in PHP.
Citadel – Descendant of the Zeus botnet. Capable of file downloads, screen capture, Firefox cookie theft, MoneyPak ransom, and dynamic webinjects.
Neutrino – Capable of launching HTTP/HTTPS floods via the GET and POST methods, bypassing anti-DDoS protections via JavaScript and cookie emulation, as well as Slowloris, TCP and UDP attacks. This tool can also detect sandboxes and AV.
Some of the botnet-related malware found on the Darknet today consists of old or repackaged variants. These packages often sell for just a few dollars in the marketplace because the software is freely available on the Clearnet. The Darknet marketplace simply offers a one-stop shop for those who do not or cannot take the time to build a botnet on their own. There are even vendors that will set up a botnet for you, leaving you only with the task of spreading your malicious file to potential zombies.
If you are a more advanced hacker, you can check out one of the many malware repositories found on the Darknet. Darkweb pages like Cerberus offer massive malware libraries for advanced users to comb through. Attackers can easily abuse this service and download anything from Remote Access Trojans and worms to botnet and DoS malware to target their victims. These pieces of malware often come with no description and require the user to have advanced knowledge of what to do with each file.
For the most part, a non-skilled attacker can easily purchase the services needed to have their own botnet up and running in just a few days. Not only can they find free services or paid setup, but they can also rent a botnet for temporary use. Botnets can be monetized in more than one way, and rentals are a potential windfall. The average rental cost for a large botnet is between 0.025 – 0.05 BTC per hour depending on its size. One of the latest botnet rental services that we are currently analyzing offers access to 1.2 million US-based devices for $75 per hour. This botnet is capable of producing attacks of over 100Gbps and offers multiple attack vectors.
Financial gain is the main motivation behind the evolution and growth of the attack marketplace. Vendors are looking to make a quick buck off of the over-sensationalized hacking culture, and botnets are the cornerstone of the current culture. Everyone wants to be a hacker, but many are not willing to put in the effort to become a true hacker. Vendors are preying on this weakness and offering attack services at a lower cost than their competitors. Those who are not willing to learn and are buying these services are only validating the vendors' objective and encouraging a competitive marketplace. This monetization has led to a much lower buy-in and a more competitive marketplace. Vendors are now the researchers pushing the limits, looking for the newest and most efficient attack vectors.
Price, once again, is the only limiting factor in the attack marketplace. Companies are quickly racing to buy bigger pipes in an attempt to combat the growth in botnet-based attacks, but this is a futile attempt. There is now a developing botnet market, and those vendors hedging their bets will be purchasing and using the same massive services their targets are using. If you can buy it, so can an attacker.
Learn more about cyber-attack detection and trends in the 2016 Global Application and Network Security Report.
Daniel Smith is an information security researcher for Radware's Emergency Response Team. He focuses on security research and risk analysis for network- and application-based vulnerabilities. Daniel's research focuses on Denial-of-Service attacks and includes analysis of malware and botnets. As a white-hat hacker, his expertise in tools and techniques helps Radware proactively develop signatures and mitigations for its customers.