The business of botnet building is precisely that – a business. When organizations look at the threat from a compromised-asset perspective, they too often fail to appreciate what's really happening. A typical reaction is thus “why are they targeting me?”
If you step back a little – somewhere between the proverbial 10,000ft and the weeds – you'll begin to notice some of the intricacies of what's happening in the criminal botnet building world. Granted, there's a lot of confusion as the security vendors throw about various threat terminology and often use the terms interchangeably depending upon their perspective, but in reality it's not too complicated.
First off, don’t take it personally. The criminals aren’t necessarily targeting your organization because they’ve developed a certain dislike for who you are, rather they’re after the things your organization (and many others) contains. For example, rather than being focused upon stealing the digital keys to your particular corporate banking account – they’re after any keys they can find, and if they happen to stumble upon the mother lode then that’s damned lucky on their part. In all likelihood though they may not even recognize that they’ve obtained the keys until much later. You see, the vast majority of botnet building is automated and, as such, the successful criminal operators harvest so much information they often struggle to sift out the really valuable nuggets. That’s not to say that you can count on them to not recognize the inherent value of what they’ve obtained.
A critical component of modern “commercial” botnet building lies with “campaigns”. While some newbie or highly specialized botnet builders will seek to construct a botnet through a single vector (e.g. drive-by downloads from a cluster of Web sites they maintain), the majority of professional botnet building criminals launch and run multiple campaigns. These campaigns tend to use different delivery vehicles (e.g. drive-by downloads, spam, malicious binary seeding) and often leverage different campaign “themes” (e.g. pharmaceutical, keygens, free videos).
The purpose of launching multiple campaigns – most of which are launched and executed in parallel to one another – is to effectively “carpet bomb” a series of targeted organizations. The multiple exploitation vectors and themes are there to increase the probability that some of the botnet malware agents will make it inside the targeted organizations – and it doesn't matter which delivery vehicle or theme was successful. Well, actually, the delivery vehicles and campaigns do matter – but only in the sense of tuning future campaigns against other targets.
While the onslaught of multiple campaigns can be confusing to the victim organization, it can be just as confusing to the security vendors as they sift through threat intelligence harvested from malware samples, spam traps, sinkholes, domain registrations, Web scan results, etc. As such, many of the successes in understanding the campaigns associated with a particular botnet operator occur after the campaigns have been underway for a few days.
[Figure: Example of botnet building campaigns]
The diagram above depicts the complexity in understanding the various campaigns run by a team of professional botnet builders.
(A) The criminals have created a cache of new botnet agents. Each agent is unique and has been quality assured to guarantee that common host-based security defenses (e.g. anti-virus, IPS, behavioral engines, etc.) cannot currently detect it.
From their secure location, the criminals VPN in to a couple of hosting facilities (B) and (C). These hosting facilities have been chosen because they offer services that make it difficult for law enforcement to prosecute or takedown the servers that (A) are using. More than likely, the servers are hosted in multiple locations around the world.
Hosting facility (B) has its own local cache of botnet agents ready for deployment, and is currently running three campaigns in parallel. Two campaigns are spear phishing related, with the third executing a targeted Search Engine Optimization (SEO) campaign. Meanwhile, over at the (C) facility, two additional campaigns are underway – a pair of drive-by download sites (supported by social network related phishing messages).
Each of the 5 campaigns (D) is seeking to deliver the botnet agents and subsequently breach the target's network and host-based defenses. Once successful, the various botnet agents will connect to their command and control (CnC) servers and consequently become part of the criminals' botnet. The CnC servers aren't depicted in the diagram above. In most cases the CnCs are situated within hosting infrastructures independent of (B) and (C) – for added resilience and flexibility.
Interestingly enough, while the targeted organization may have observed components of the 5 campaigns, it is unlikely that they would have initially been associated with a single criminal attack. The malware being used would have provided no hints to the nature of the real attack – in fact there's a high probability that the various malware components would not have been attributed to the same (single) campaign, given how different they are from each other (read our paper on the topic of Serial Variant production).
Trying to track back a particular campaign (in isolation) would have just identified the particular hosting facility. Tracking back the CnCs used by the botnet agents fortunately provides the glue to understanding the linkages between the various campaigns and makes it easier to understand the objectives of the criminals – which subsequently allows organizations to prioritize and order their remediation steps.
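The pivot described above – linking otherwise unrelated delivery campaigns through the CnC endpoints their agents call back to, then ordering remediation by how much of the intrusion each CnC block covers – can be shown in a few dozen lines. The following is an added example, not code from the original post or from Damballa; the campaign names, sample identifiers and CnC hostnames are constructed placeholders, and the input format (one record per observed agent-to-CnC callback) is an assumption about what an organization's telemetry would provide.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed sample telemetry (not from the original post). Each record is one
# observed event: a delivery campaign dropped a malware sample, and that sample
# called back to a CnC endpoint. All names and hashes are invented placeholders.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"campaign": "spearphish-A", "sample": "sha256-0001", "cnc": "cnc-alpha.example"},
    {"campaign": "spearphish-B", "sample": "sha256-0002", "cnc": "cnc-alpha.example"},
    {"campaign": "seo-poison",   "sample": "sha256-0003", "cnc": "cnc-beta.example"},
    {"campaign": "driveby-1",    "sample": "sha256-0004", "cnc": "cnc-beta.example"},
    {"campaign": "driveby-1",    "sample": "sha256-0005", "cnc": "cnc-gamma.example"},
    {"campaign": "driveby-2",    "sample": "sha256-0006", "cnc": "cnc-gamma.example"},
    {"campaign": "driveby-2",    "sample": "sha256-0007", "cnc": "cnc-alpha.example"},
    {"campaign": "unrelated-x",  "sample": "sha256-0008", "cnc": "cnc-delta.example"},
]


class DisjointSet:
    """Union-find over campaign names; two campaigns end up in the same set
    when any chain of shared CnC endpoints connects them."""

    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_campaigns(events: List[Dict[str, str]]) -> List[frozenset]:
    """Group campaigns that share CnC infrastructure, directly or transitively.
    A campaign whose CnC is seen nowhere else forms a cluster of its own."""
    ds = DisjointSet()
    cnc_to_campaigns = defaultdict(set)
    for e in events:
        cnc_to_campaigns[e["cnc"]].add(e["campaign"])
    for campaigns in cnc_to_campaigns.values():
        ordered = sorted(campaigns)
        for other in ordered[1:]:
            ds.union(ordered[0], other)
    clusters = defaultdict(set)
    for campaign in {e["campaign"] for e in events}:
        clusters[ds.find(campaign)].add(campaign)
    return [frozenset(c) for c in clusters.values()]


def remediation_plan(events: List[Dict[str, str]]) -> List[Dict[str, list]]:
    """For each cluster, list the campaigns, the CnC endpoints to block and the
    samples to hunt for. Clusters touching the most campaigns come first, since
    cutting their CnCs neutralizes the largest share of the intrusion."""
    plan = []
    for cluster in cluster_campaigns(events):
        in_cluster = [e for e in events if e["campaign"] in cluster]
        plan.append({
            "campaigns": sorted(cluster),
            "cncs": sorted({e["cnc"] for e in in_cluster}),
            "samples": sorted({e["sample"] for e in in_cluster}),
        })
    plan.sort(key=lambda p: (-len(p["campaigns"]), p["cncs"]))
    return plan


if __name__ == "__main__":
    for rank, entry in enumerate(remediation_plan(SAMPLE_EVENTS), start=1):
        print(f"{rank}. campaigns={entry['campaigns']}")
        print(f"   block CnCs: {entry['cncs']}")
        print(f"   hunt samples: {entry['samples']}")
```

On the constructed input, the two spear-phishing campaigns, the SEO campaign and both drive-by sites collapse into one cluster even though no single CnC is shared by all five: `driveby-2` bridges `cnc-alpha` and `cnc-gamma`, and `driveby-1` bridges `cnc-gamma` and `cnc-beta`. The lone `unrelated-x` campaign stays separate, which is the signal that it belongs to a different operator (or is noise) and can be handled after the main cluster's three CnCs are blocked.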
– Gunter Ollmann, VP Research

From: Damballa.com