How to Stop Cyberattackers from Turning Your Organization’s Computers Into a Botnet
Security researchers at Deep Instinct have recently discovered a new malicious software (malware) campaign that turns Windows-based computers into a botnet. The researchers dubbed this sophisticated, never-before-seen-in-the-wild botnet “Mylobot”, after the dog of one of the researchers.
What is a Botnet?
A botnet is a group of computers that are infected by malware and controlled by an attacker through command and control servers, without the computer owners’ knowledge.
When computers become part of a botnet, the attacker takes full control of them and uses them at will. An attacker can download additional malware from the command and control servers, turning the controlled computers into a botnet army for distributed denial of service (DDoS) attacks.
Other than for the purpose of DDoS attacks, an attacker may download from the command and control servers ransomware (malware that infects and restricts access to a computer until a ransom is paid); banking trojan (malware designed to gain access to confidential information processed or stored through online banking systems); keylogger (malware that records every keystroke made by a computer user) or other types of malware.
What Can Mylobot Do?
Like other botnets, Mylobot can do anything, depending on the additional malware the attacker downloads to it. The additional malware could be for the purpose of participating in DDoS attacks. Attackers can also download ransomware, a banking trojan, a keylogger or other types of malware.
What’s new about Mylobot is its ability to evade detection. It employs the following evasion techniques:
- Anti-virtual machine techniques: Used to thwart attempts at analysis.
- Anti-sandbox techniques: Used to detect automatic analysis and avoid engines that report malware behavior.
- Anti-debugging techniques: Used to ensure that a malware isn’t running under a debugger, and if that’s the case, to change the debugger’s behavior correspondingly.
- It wraps its internal parts with an encrypted resource file.
- It contacts its command and control servers only 14 days after infection.
In addition to the above-mentioned evasion techniques, Mylobot uses Reflective EXE, which runs EXE files directly from memory, without having them on disk. “The fact that everything takes place in memory (while executing the main business logic of the botnet in an external process using code injection) makes it even harder to detect and trace,” Tom Nipravsky, Deep Instinct security researcher, said in a blog post.
Another notable feature of Mylobot is its ability to delete other competing malware. This malware, in particular, looks for the competing malware DorkBot and once it finds this competing malware, immediately terminates it and deletes its file.
Once installed, Mylobot turns off Windows Defender and Windows Update while blocking additional ports on the Firewall.
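The three changes just described (Windows Defender off, Windows Update off, extra block rules on the firewall) are all visible to a defender through standard Windows tooling. The following script is an added example, not code from the original article or from Deep Instinct: it audits a single host for those tampering indicators and returns the findings as a list. It assumes an elevated PowerShell 5.1+ session on Windows 10/11 or Windows Server 2016+; the cmdlets are standard, while the seven-day signature-age threshold and the output format are this example’s own choices.

```powershell
# Added example: audit a Windows host for Mylobot-style tampering.
# Run in an elevated PowerShell session. Assumes the Defender and NetSecurity
# modules that ship with Windows 10/11 and Server 2016+.

function Get-TamperingFindings {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Windows Defender: is real-time protection still on, are signatures fresh?
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($null -eq $mp) {
        $findings.Add("Defender status unavailable (module missing or service stopped)")
    } else {
        if (-not $mp.RealTimeProtectionEnabled) { $findings.Add("Defender real-time protection is OFF") }
        if (-not $mp.AntivirusEnabled)          { $findings.Add("Defender antivirus engine is disabled") }
        if ($mp.AntivirusSignatureAge -gt 7)    { $findings.Add("Defender signatures are $($mp.AntivirusSignatureAge) days old") }
    }

    # 2. Services the malware turns off. WinDefend should be running; wuauserv is
    #    normally Manual (trigger start), so only a 'Disabled' start type is suspicious.
    foreach ($name in 'WinDefend', 'wuauserv') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) { $findings.Add("Service $name not found"); continue }
        if ($svc.StartType -eq 'Disabled') { $findings.Add("Service $name start type is Disabled") }
        if ($name -eq 'WinDefend' -and $svc.Status -ne 'Running') { $findings.Add("Service $name is not running") }
    }

    # 3. Firewall: enabled Block rules that belong to no built-in rule group.
    #    Built-in Windows rules carry a DisplayGroup; rules added by software or
    #    by hand usually do not, so these are the ones worth reviewing.
    $rules = Get-NetFirewallRule -Enabled True -Action Block -ErrorAction SilentlyContinue |
             Where-Object { [string]::IsNullOrEmpty($_.DisplayGroup) }
    foreach ($r in $rules) {
        $pf = $r | Get-NetFirewallPortFilter
        $findings.Add("Review block rule '$($r.DisplayName)' [$($r.Direction)] local port(s): $($pf.LocalPort -join ',') remote port(s): $($pf.RemotePort -join ',')")
    }

    return $findings
}

$result = Get-TamperingFindings
if ($result.Count -eq 0) { "No tampering indicators found" } else { $result }
```

A block rule without a display group is not proof of infection; administrators and some legitimate products create such rules too. The point is that a host where Defender is off, wuauserv is disabled and new block rules appeared at the same time matches the behaviour described above and deserves a closer look, and this check can be pushed to many hosts through your management tooling rather than run by hand.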
Nipravsky told ZDNet that the delivery method of Mylobot is currently unknown, but it appears this botnet has a connection to other malware programs, including DorkBot, Locky and Ramdo. “According to our research, the IP of the C&C [command and control] server was first seen on November 2015, and is linked to DorkBot, Locky and Ramdo,” Nipravsky said.
DorkBot: Another Windows-based Botnet
DorkBot is another malware that turns Windows-based computers into a botnet. According to Microsoft and the United States Computer Emergency Readiness Team (US-CERT), DorkBot infected more than one million computers in over 190 countries in 2015.
DorkBot is used to deliver malware to victims’ computers, including malware that steals usernames and passwords, participates in DDoS attacks and delivers other types of malware. It also blocks websites that are related to security updates.
According to Microsoft, attackers distribute DorkBot through USB flash drives, instant messaging programs and social networks. Windows Defender can detect and remove DorkBot.
The damage a botnet does depends on the additional malware that the attacker downloads. If the attacker decides to download ransomware, this could lead to the loss of a tremendous amount of data if the ransom isn’t paid, or if the attackers can’t unlock the computers despite payment. The need to shut down computers for recovery could also cause unnecessary downtime, which spells disaster for enterprises.
If the attacker decides to use an organization’s computers to participate in DDoS attacks, this could eat up a lot of computing power, resulting in slow performance of computer programs.
While not directly at fault, owners of computers used as a botnet army for DDoS attacks contribute to the woes of others. In a DDoS attack, the victims’ computers are forced to send huge amounts of data, for instance to a website, rendering the website inaccessible to its customers.
To prevent botnet infections, the following security measures are recommended:
- Multi-Layered Approach and Protection
Put in place a multi-layered approach and protection for your organization’s computers to prevent, detect and remove threats from the gateway to the endpoints.
- Employ network segmentation and data categorization
- Backup Important Files
Regularly back up your organization’s files. Practice the 3-2-1 backup system to minimize or mitigate data loss. Keep 3 copies of any important file: 1 primary and 2 backups.
- Disable Autorun
Botnets like DorkBot use the Windows Autorun function to propagate via removable drives such as USB flash drives. To stop this type of threat from spreading, disable Autorun.
- Use and Maintain Anti-Virus Software
Even though botnets are designed to evade detection, anti-virus software companies are continuously updating their software to counter these types of threats. If you suspect you may be a victim of a botnet, update your anti-virus software and run a full-system scan.
- Keep Operating System and Application Software Up-to-Date
Install software updates in a timely manner so that attackers can’t take advantage of known cybersecurity vulnerabilities in order to infect your organization’s computers.
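The Autorun and update recommendations above can be applied and verified on a single host with a few lines of PowerShell. The script below is an added example, not code from the original article: it sets the documented Windows policy values that disable Autorun for every drive type, makes sure the Windows Update service and Defender real-time protection have not been left disabled, and then reports the resulting state. It assumes an elevated PowerShell 5.1+ session on Windows 10/11 or Server 2016+; the registry path and value names are the standard Windows policy settings, while the function names and the verification logic are this example’s own.

```powershell
# Added example: harden a Windows host against Autorun-based propagation and
# make sure update and antivirus services are enabled. Run elevated.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Disable-AutorunPolicy {
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    # NoDriveTypeAutoRun = 0xFF disables Autorun for all drive types;
    # NoAutorun = 1 additionally stops autorun.inf from being honoured (Vista and later).
    Set-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    Set-ItemProperty -Path $policyKey -Name NoAutorun -Value 1 -Type DWord
}

function Test-AutorunDisabled {
    $p = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    return ($null -ne $p) -and ($p.NoDriveTypeAutoRun -eq 0xFF) -and ($p.NoAutorun -eq 1)
}

function Restore-UpdateAndDefender {
    # Windows Update is Manual (trigger start) by default; only fix it if it was disabled.
    $wu = Get-Service -Name wuauserv
    if ($wu.StartType -eq 'Disabled') { Set-Service -Name wuauserv -StartupType Manual }
    # Turn Defender real-time protection back on if something switched it off.
    Set-MpPreference -DisableRealtimeMonitoring $false
}

Disable-AutorunPolicy
Restore-UpdateAndDefender

# Report the resulting state so the change can be verified (and logged).
[pscustomobject]@{
    AutorunDisabled          = Test-AutorunDisabled
    WindowsUpdateStartType   = (Get-Service -Name wuauserv).StartType
    DefenderRealtimeEnabled  = (Get-MpComputerStatus).RealTimeProtectionEnabled
}
```

On a domain, the same Autorun setting is better delivered through Group Policy (Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies > Turn off AutoPlay) so that a local change by malware or a user is overwritten at the next policy refresh; the script is still useful for verifying that the policy actually landed on a given machine. Note that Explorer reads these values at sign-in, so a reboot or sign-out is needed before the change takes effect for an already logged-in user.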
You don’t have to face security uncertainties alone. At GenX, our team is ready to help and is a phone call away. With a guaranteed 30-minute response time, you are in good hands. Call today: (416) 920-3000.