Journey of a ‘Hacked Computer’ : From Torrents to Botnets

Pierluigi Paganini May 07, 2016

One out of every three websites was involved in transmitting malware to its users, which was found attached to their digital content.

Suppose there is a movie released last month. You didn’t have the time to watch it in the theatre, and you also want to save some money. What would you do? Go to any one of the torrent sites and download it. It’s THAT simple. Isn’t it?

Have you ever wondered why it is so simple? Here’s the answer.

It’s all about money. When you download a movie, cracked software or any other kind of pirated material for free from a torrent site, the uploader may give you that cracked software or 1080p HD movie with malware bound to it. This malware is mostly trojans, which steal all the sensitive information they can from your computer, including your passwords, pictures from your webcam and other documents; they can also lock your computer in exchange for a ransom or mine bitcoins using your computer!

Apart from stealing critical information, this malware is capable of making your device part of a ‘botnet army’ along with millions of other victims like you. Botnets are controlled by their command and control servers, also called ‘C&C servers’ or ‘C2 servers’. Access to these millions of devices is also rented out to black hats. The rent depends on the number of systems, their hardware configuration, their operating systems and the duration of use. Black hats and cyber-criminal groups such as ‘APT29’ use them as digital slaves for spamming, performing DDoS attacks, harvesting credentials and other malicious operations.

According to RiskIQ, a San Francisco-based cybersecurity company commissioned by the Digital Citizens Alliance (DCA) to conduct a study titled “Digital Bait”, which scanned 800 websites with pirated content: “One out of every three websites were involved in transmitting malware to their users, which was found attached to their digital content”.

The earnings of these pirate websites are estimated at around $70 million a year. Once a device is part of the ‘botnet army’, also called a ‘zombie’, it can be used for many malicious activities, such as DDoS attacks or spreading other malware, without the user’s consent. The banking information stolen from these victims is sold on the ‘black market’ for around $2 – $130 per credential.

Here are some screenshots I acquired from social media that may give you an idea of how botnets and their command and control servers work.

[Screenshots: hacker botnets]

Typical botnet topologies include:

  • Star, in which the bots are controlled by a central server.
  • Multi-server, in which there are multiple C&C servers for redundancy.
  • Hierarchical, in which there are multiple C&C servers organized into tiered groups.
  • Random, in which there is no C&C server at all. Co-opted computers communicate as a peer-to-peer botnet (P2P botnet).
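The difference between these topologies is what decides whether seizing a few C2 servers actually disrupts a botnet. As an added example (not code from the article), the script below models each listed topology as a small graph with made-up sizes and counts how many bots a takedown of the first k nodes cuts off from command and control.

```python
# Added illustration (not from the article): the four topologies listed above as
# graphs, plus a count of how many bots a takedown of k nodes cuts off from
# command and control. Sizes (200 bots, 4 servers, 3 peers) are made up.
from collections import deque
import random

N_BOTS, N_C2 = 200, 4

def build(topology, seed=1):
    """Return (adjacency, entry): entry = nodes an operator can push commands through."""
    adj, rnd = {}, random.Random(seed)
    bots = [f"b{i}" for i in range(N_BOTS)]
    c2 = [f"c{i}" for i in range(N_C2)]
    # which node(s) bot number i is linked to, per topology
    uplinks = {"star": lambda i: ["c0"],                        # one central server
               "multi-server": lambda i: c2,                    # every server, for redundancy
               "hierarchical": lambda i: [c2[1 + i % (N_C2 - 1)]],  # one tier-2 server
               "random": lambda i: rnd.sample(bots, 3)}[topology]  # P2P: three random peers
    for i, b in enumerate(bots):
        for target in uplinks(i):
            if target != b:
                adj.setdefault(b, set()).add(target)
                adj.setdefault(target, set()).add(b)
    if topology == "hierarchical":          # tier-2 servers report to c0 at the top
        for c in c2[1:]:
            adj[c].add("c0")
            adj.setdefault("c0", set()).add(c)
    entry = set(bots) if topology == "random" else {c for c in c2 if c in adj}
    return adj, entry                        # in P2P any surviving peer can relay commands

def still_controlled(adj, entry, seized):
    """Bots that still have a path to a surviving entry node once `seized` nodes are removed."""
    alive = {n for n in adj if n not in seized}
    queue = deque(e for e in entry if e in alive)
    seen = set(queue)
    while queue:
        for m in adj[queue.popleft()]:
            if m in alive and m not in seen:
                seen.add(m)
                queue.append(m)
    return sum(n.startswith("b") for n in seen)

def takedown_report(k=2):
    """Seize the first k C2 servers (for P2P, the first k bots) in every topology."""
    report = {}
    for topo in ("star", "multi-server", "hierarchical", "random"):
        adj, entry = build(topo)
        prefix = "b" if topo == "random" else "c"
        report[topo] = still_controlled(adj, entry, {f"{prefix}{i}" for i in range(k)})
    return report
```

Calling `takedown_report(2)` shows the star botnet collapsing entirely, the multi-server one unaffected, the hierarchical one losing only the slice under the seized tier-2 server, and the P2P one losing nothing but the seized machines themselves.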

For example, the SpyEye and Zeus botnets have been extremely profitable and widespread for their commanders. Both steal banking credentials from victims and automate the process of draining money from accounts. The creators of the Zeus botnet sold it to various criminal gangs, who infected more than 13 million computers with it from 2008 on and used it to steal more than $100 million. Cyber security firms estimate that botnets, over time, have caused more than $110 billion in losses to victims all over the world. An estimated 500 million computer devices are infected by botnet attackers annually, which is around 18 victims infected per second.

There is always a ray of hope. According to Symantec’s Internet Security Threat Report, Volume 21 (Apr 2016), there were 1.1M bots in 2015, a 42% decrease compared with the 1.9M bots in 2014.

Various CERTs, IT security firms and law enforcement agencies are working together to fight global cyber crime. In December 2015 INTERPOL took down the ‘Dorkbot’ botnet in coordination with Microsoft, CERT Polska, ESET, the US Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT), the Indian Central Bureau of Investigation (CBI), Europol, the Canadian Radio-television and Telecommunications Commission, the US Federal Bureau of Investigation (FBI), the Royal Canadian Mounted Police, the National Central Bureau in Russia, the Russian Ministry of Interior Department K and the Turkish National Police.

Dorkbot was used to carry out the following activities using its victims’ computers:

  • Stealing keystrokes from banking websites or online payment websites.
  • Performing distributed denial of service attacks.
  • Providing a mechanism to download other dangerous malware.

Like many botnets, Dorkbot spread via USB flash drives, social networks and instant messaging software, so you are advised to scan your computers with anti-virus software regularly.

Just like Dorkbot, several other botnets have been taken down by the joint efforts of law enforcement agencies and cyber security companies, including the Simda, Dridex and Ramnit botnets. Some of them may continue to propagate.

You can always stay safer by using up-to-date anti-virus software, firewalls etc. If you suspect a file to be malicious, always execute it in a sandbox. According to the industry’s estimated infection reports, in the few minutes it took you to read this article, more than 3,000 new computers have joined the botnet army.

Written by: Ashutosh Barot

Ashutosh Barot is a Security Researcher, Information Security Analyst, Bug Hunter, Environmentalist and Technology Enthusiast pursuing an M.Tech in Cyber Security and Incident Response at Gujarat Forensic Sciences University. Ashutosh has been acknowledged by various companies, including Verizon Communications, AVG Technologies, Trend Micro, ESET, JPMorgan Chase and Go Airlines, for finding security flaws in their websites. Currently he is looking for an internship. Follow his Twitter bot @cybersec_feed, which tweets about the latest cyber security news. He also writes about security issues on his blog, www.cyberworldmirror.com.


Edited by Pierluigi Paganini

(Security Affairs – Botnets, cybercrime)
