MY TAKE: Necurs vs. Mirai – what ‘classic’ and ‘IoT’ botnets reveal about evolving cyber threats

I’ve written about how botnets arose as the engine of cybercrime, and then evolved into the Swiss Army Knife of cybercrime. It dawned on me very recently that botnets have now become the bellwether of cybercrime.

This epiphany came after checking in with top experts at Proofpoint, Forcepoint, Cloudflare and Corero — leading vendors that devote significant talent and resources to monitoring and analyzing botnets. I also spoke with SlashNext, a startup that specializes in detecting stealthy botnet activity.

Related article: Russian botnets ignite social media blitz

There’s much we can discern from the distinctive ebb and flow of botnet-borne malicious activity. ‘Classic’ botnets are comprised of vast numbers of infected PCs, servers and virtual computing nodules. One of particular note is called Necurs, a massive botnet-for-hire and the king of delivering phishing email attacks, ransomware campaigns and Banking Trojans.

Then there are any number of smaller, single-purpose botnets owned and operated by nation-state-backed hacking rings. The obvious example: the Russian botnet operators who orchestrated the wave of social media spoofing and propagandizing designed to influence political discourse and meddle in elections in the U.S. and all across Europe. The most recent example: Russian botnets hyped the #Releasethememo campaign on Twitter to lend credence to the secret ‘memo’ from Rep. Devin Nunes, R-Calif., purportedly discrediting and disqualifying the FBI from investigating Russia’s meddling in the last U.S. election. That came after Russian botnets fueled wildly conflicting polling results during the 2016 presidential race, and fabricated 6.1 million Twitter followers for then-candidate Trump.


Meanwhile, a new generation of Internet of Things botnets has arrived on the scene. IoT botnets, like Mirai and Reaper, are comprised of infected home routers, surveillance cameras and other IoT devices. Monitoring the badness emanating from the likes of Necurs, Mirai and Reaper can tell us a lot about where cyber criminals’ attention is focused – and where it might turn next. “The cyber threat landscape is constantly changing; fashions come and go,” observes Carl Leonard, principal security analyst at Forcepoint. “Cyber criminals are always seeking to increase their return on investment and they’re only going to perform an activity if it’s worthwhile for them and if they can still continue to see success over time.”

Botnets for hire

Let’s start with a basic definition and take a look at the aforementioned Necurs, a preeminent botnet, in terms of delivering malicious payloads. A bot is a computing nodule infected with a small bit of coding that causes it to obey instructions from a command and control server. A botnet is a network of thousands upon thousands of bots under control of an attacker.

It’s difficult to pin down the number of infected nodes controlled by Necurs. Since 2012, Necurs has been on the leading edge of surging waves of botnet-facilitated cyber attacks. In any given attack, it might wake up and deploy up to a million nodes; the total number of nodes under the controller’s direct command ranges as high as 6 million.

Necurs was assembled when a deluge of exploit kits hit the Internet wild in 2012-2015. Exploit kits are nifty packages of malicious coding cyber criminals implant in web browsers and ultimately onto PCs and servers. Exploit kits very efficiently search out any unpatched vulnerabilities in the browser and/or the underlying operating system, and swiftly exploit them, setting up the computing device to perform as a bot.

Once Necurs reached a large enough size, its controllers began leasing the botnet out to other criminal specialists, primarily to blast out email spamming campaigns at high volumes. These spam blasts invariably deliver waves of phishing attacks carrying infected attachments or links to malicious web pages, in support of whatever type of criminal activity the lessee specialized in. On the defensive side of things, filtering these attacks has become a billion-dollar industry. Yet with the volume of attacks so high, and with giant botnets like Necurs continually switching up the angles of attack, phishing attacks still get through.

It is by detecting and blocking communications between command-and-control servers and the bots they orchestrate that security vendors get a good sense of the popular criminal endeavor of the moment.


“The largest Necurs campaigns that we’re seeing involve actors distributing Locky ransomware as well as other malware like The Trick banking Trojan and GlobeImposter ransomware,” Kevin Epstein, Proofpoint’s vice president of threat operations, told me. “In general, Necurs is being used by financially motivated actors who ‘follow the money.’ The Trick, for example, now includes coin-mining capabilities, giving the actors distributing it a very direct path to monetization.”

Fresh pathways

Thus botnets have become like the mercury in a thermometer. In a threat report assessing the fourth quarter of 2017, Proofpoint shares intelligence on how ransomware attacks remained prominent in the final three months of last year, while threats accelerated through social media channels. Also in Q4, banking Trojan attacks reared up again and malicious crypto mining began to ramp up.

Related podcast: Why 2018 will be the year of the CISO?

Botnet operators have discovered a fresh, trouble-free monetization pathway: leverage the stolen processing power that comes with each bot to mine crypto coins. No one in the security community will be surprised to see activity accelerate through the rest of this year.

The beauty of crypto mining, from the attacker’s perspective, is that you don’t have to trick or manipulate anyone or any device into triggering a payoff. The operators of classic botnets, like Necurs, can rather easily cycle over some crypto mining work to their bots, say during slow spamming periods.

And for IoT botnet operators, who are assembling botnets orders of magnitude larger, in terms of total nodes, than classic botnets, crypto mining appears to be a perfect fit.


With full-fledged PCs and servers filling out its battalions of bots, Necurs is outfitted to jump from one type of sophisticated attack to the next, says Luke Somerville, Forcepoint’s head of special investigations. Comparatively low-powered IoT nodes, amassed in sprawling divisions à la Mirai and Reaper, are by contrast more suited to repetitive tasks, such as DDoS attacks and crypto mining, he says.

“It’s organized crime so you’re dealing with evolution, most of the time, rather than revolution,” says Somerville. “It’s all about seeing a return for any investment you’re putting into this botnet, or this piece of malware, then necessarily branching out and trying something shatteringly new.”

Detection-resistance payloads

Clearly a significant chunk of criminals’ investment is going into R&D, specifically to study the latest, greatest defenses companies put in place, and then to innovate clever ways to bypass those defenses, thereby enhancing stealth.

In response to sinkholing and sandboxing technologies rising to the fore, for instance, elite botnet operators have now shifted to phishing trickery that gets the human victim to cooperate in ways that don’t involve uploading malware, thus taking malicious binary files that are detectable by antivirus suites out of the picture.

Threat actors haven’t given up on emailing viral attachments and nefarious weblinks, by any means; they’ve recrafted these malicious payloads to resist detection.


“The bad guys were quickly able to figure out how to mount an attack that evades the sandbox,” says Jack Miller, CISO at security startup SlashNext, which supplies Internet threat detection systems. One workaround was to figure out how long the sandbox holds a suspicious file in quarantine before releasing it (usually 5 minutes) and then tweaking the malware to wait at least 30 minutes after arrival in the target system before executing. Another was to have the malware initially determine the number of cores running on the targeted system — to ascertain if a virtual machine was running, a sure sign a sandbox was in play, says Miller.

Or the bad code might just sit and wait for a mouse movement, indicating a human working on the target endpoint. Sandboxes generally do not try to emulate a person sitting there. “So if there’s no mouse movement the file won’t execute,” says Miller.
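Each of the three checks Miller describes leaves a trace in the sandbox run itself, so a quiet verdict can be re-examined instead of trusted. The sketch below is an added example, not code from this post or from any vendor quoted in it; the trace format, function names and thresholds are assumptions made for illustration.

```python
# Added example: triage one sandbox run for the evasion checks described
# above. The trace schema (api, arg) is constructed for this example and is
# not any sandbox product's report format.

ANALYSIS_WINDOW_S = 5 * 60   # sandbox hold time cited in the article
DELAY_APIS = {"Sleep", "NtDelayExecution"}
CORE_APIS = {"GetSystemInfo", "GetNativeSystemInfo"}
INPUT_APIS = {"GetCursorPos", "GetLastInputInfo"}
# Calls treated here as "the sample did something observable" (assumption)
ACTIVITY_APIS = {"CreateFileW", "connect", "CreateProcessW", "RegSetValueExW"}


def evasion_findings(trace):
    """Return a sorted list of evasion indicators seen in one sandbox run."""
    findings = set()
    requested_delay = 0.0
    input_polls = 0
    acted = any(e["api"] in ACTIVITY_APIS for e in trace)
    for e in trace:
        api = e["api"]
        if api in DELAY_APIS:
            # Sum every delay so many short sleeps count like one long one
            requested_delay += e.get("arg", 0) / 1000.0   # arg in milliseconds
        elif api in CORE_APIS and not acted:
            findings.add("core-count check, then no activity")
        elif api in INPUT_APIS:
            input_polls += 1
    if requested_delay >= ANALYSIS_WINDOW_S:
        findings.add("delay outlasts analysis window")
    if input_polls >= 3 and not acted:
        findings.add("waits for user input")
    return sorted(findings)


def needs_extended_analysis(trace):
    """A quiet run that shows evasion indicators is unresolved, not clean."""
    return bool(evasion_findings(trace))


# Constructed traces, not captured from real samples
STALLER = [{"api": "GetSystemInfo"},
           {"api": "Sleep", "arg": 1_800_000}]          # 30-minute wait
MOUSE_WAITER = [{"api": "GetCursorPos"} for _ in range(10)]
BENIGN = [{"api": "GetSystemInfo"},
          {"api": "CreateFileW"},
          {"api": "Sleep", "arg": 200}]
```

A run flagged this way is a candidate for re-analysis with a longer hold time, simulated input and a multi-core guest rather than for release to the user.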

DDoS devastation

Another realm of malicious botnet activity revolves around disrupting continuity of connections, i.e. Distributed Denial of Service attacks. DDoS attacks continue to morph and advance in sophistication. At their root they involve directing botnets to overwhelm a targeted website or hosting system with nuisance traffic, thereby rendering the targeted system inaccessible.

How often does this happen? Every day, and on a steadily increasing basis. Research firm MarketsandMarkets estimates that spending on defending against DDoS attacks will reach $2.2 billion by 2021, up from $824 million in 2016, a compound annual growth rate of 21.3%.


Who would do this? Often it’s a business rival out to disrupt the online operations of a competing site. “The uptime of a site is really critical to securing e-commerce revenue, so if you can slow your competitor’s site down or take them off line, their reputation will decrease and perhaps your traffic will increase,” notes Patrick Donahue, security engineering product lead at Cloudflare.

Related article: Mirai DDoS attack first of its kind

DDoS attacks are also a favorite tool of hacktivists and political ideologues wishing to assert a political stance, and in the past they were launched as a means to extort owners of the targeted site, although ransomware has now taken over the cyber extortion space.

Because of the wide availability of for-hire botnets, DDoS attacks are not very expensive to launch. And the price points could go even lower as IoT botnets with massive numbers of bots to throw into an attack become more established. “The asymmetry of these attacks are really a challenge,” Donahue says. “It’s inexpensive to launch a DDoS attack — and it can be very expensive to defend it.”

Just recently the U.S. Securities and Exchange Commission issued formal guidance on what it expects from publicly held companies with respect to detecting and reporting DDoS attacks. Going forward, public companies hit by a DDoS attack must supply an assessment of the consequences of the DDoS incident.


“It will no longer be sufficient for companies to simply acknowledge the potential risk of a future DDoS attack,” says Corero CEO Ashley Stephenson. “This welcome clarification will lead to a better understanding of the true costs of DDoS attacks and, by association, the benefits of proactively protecting against this type of cyber threat.”

Stephenson says he expects Wall Street to “reward companies that take an aggressive approach to protecting their online presence and enterprise reputation against DDoS.”

Solution lies within

In one sense, shoring up company defenses to withstand a DDoS attack is a much more straightforward exercise than trying to protect against email-borne botnet attacks, especially as barrages from the likes of Necurs and Mirai continue to intensify and get ever stealthier. Companies can acquire stout DDoS defenses from specialists like Cloudflare and Corero and a dozen other vendors, including giant platform services providers such as Cisco, F5 and Akamai.

But how do you slow or reverse the stifling, ever-shifting waves of malicious email that sweep across the Internet? And what can be done about the political propaganda pushed out by bots swarming all over Twitter and Facebook?

The first step has to be companies looking inward to make sure their PCs, servers and IoT devices aren’t part of the problem. The second is to continually monitor and mitigate Internet traffic, with an eye toward cleansing botnet traffic. Cleansing business networks, as much as possible, from malicious botnet activity isn’t easy or convenient. But it has become as vital as maintaining buildings and equipment in good working order, and keeping employees safe from physical injury.

This is a Security Bloggers Network syndicated blog post authored by bacohido. Read the original post at: The Last Watchdog