As people’s lives become more attached to the internet, cyber attacks will have more of an impact. One of the most pressing threats is the growth of botnets, or networks of compromised computers that can be leveraged for a variety of nefarious purposes. The Cipher Brief spoke with Omri Iluz, the CEO and Co-founder of PerimeterX, about the evolution of bots, the threat they pose, and how industry is looking to mitigate the harm they create.
The Cipher Brief: We hear a lot about bots spreading “fake news” on social media platforms. Could you describe what bots are and how they go about disseminating disinformation?
Omri Iluz: Bots are essentially just software that has evolved through the years. We like to categorize them into four generations. The first generation bot is very simple and might be able to scrape data off of your website. A second-generation bot is a little bit smarter. It knows how to log in. We see them trying to attack every day, essentially trying to take over an account. A third-generation bot is starting to look like a normal machine. It can do anything on any website, such as post comments on Facebook. But you can still identify it because it doesn’t come from a user machine.
A fourth-generation bot is a user infected with malware that is simply controlling the user’s browser. They don’t need to take over your email, because you log in to your email yourself, and the bot now has access to it. It can send and receive emails in the background. Once it infects you, it doesn’t need to break your password. It just lives inside of your computer.
From the perspective of the defenders on the websites, the activity appears to be a normal machine, with a normal user and a normal browser. It is much harder to distinguish normal activity from a bot. For example, the bot would wait for you to login to Facebook and bypass all the security checks. Then it would post in your name.
What we see now is botnets, or networks of bots, that generate fake users. They will take your Google information and make a Facebook profile, and now they control the posts. If they control a million Facebook accounts, they can post whatever they want and “like” each other. Suddenly you have articles that could contain any kind of content that you want or drive any political agenda. A million “likes” on a post gets attention anywhere in the world.
TCB: How do botnets affect attribution?
OI: A botnet opens the door for the attacker to go through what looks like real devices. Look at the Internet of Things (IoT) botnet, Mirai. One of the surprises for everyone in the industry was that a lot of traffic – hundreds of thousands of nodes – came from normal networks, such as people’s homes and stores with cameras. It became hard for the defenders to determine whether it was a human or not. With a botnet, the traffic isn’t just coming from China or Russia, it is coming from hotels in the U.S. and other normal locations.
TCB: So how do you stop a botnet? I have heard of law enforcement actually hacking into botnets to disable them. What is the method for doing that?
OI: The method of taking over botnets, as the FBI is doing, has been known for a while. When someone writes a new tool and creates a botnet, he would also try to hack into other botnets and steal nodes from them. Law enforcement is just using the same thing to shut down the botnets.
Industry is now starting to take a very different approach. It says that identifying a bot is hard, almost impossible, but identifying humans is still possible. So if I can say, “You move your mouse like a human being, you interact with the website like a human being, your phone gives me all the signals of a real device – I see the sensor information, I see the battery – then I can allow you access.” And if I am not seeing all that, then I am going to block access.
Industry is going to be able to identify the non-human visitors, the bot, but not by looking at their signatures. Companies have tried to look at the signatures of bots before, but this is just a cat-and-mouse game. If they identify the signature of a botnet and start blocking it, the attacker can simply modify that signature a little bit, and now he is able to get in again. Human behavior, on the other hand, is human behavior. If you are able to identify human behavior, then you are able to block any bot.
TCB: You mentioned the Mirai botnet. Could you expand on that? What does it actually do?
OI: We started seeing these IoT botnets last year. They take over normal devices connected to the internet. The security of these devices is usually very low. Default passwords in many cases are usually something like “1234.” They are exposed to the internet, because, hey, if you just bought a new camera, you want to be able to watch it from your phone. So suddenly you have a device with a very weak password on the public internet.
Running a scan on every device connected to the internet across the world is very easy – today it takes about five minutes. If they find a way to get into a camera, DVR, or an office printer using easy login credentials, they can deliver a malicious payload that actually takes over the device and start launching attacks. The code, or payload, that runs inside the device connects to something called a command-and-control center, often a news site that gives instructions to the bots.
Most people look at these botnets and think they can only conduct distributed denial of service (DDoS) attacks that flood sites with traffic until they crash. But there are other payloads, like hiding the attacker’s traffic so that it looks as if he is coming from anywhere.
Bots are also able to do what is called account takeover, where they take credentials that have leaked – for example from the billion-user password leak at Yahoo – and they simply go and try them out. If you use your Yahoo password and you didn’t change it on your bank, email account, or favorite store, they will get daily, even hourly, attacks of bots trying to use these passwords trying to see if they are still valid.
TCB: What are some of the critical systems that could be targeted by a botnet DDoS attack?
OI: There are a few ways attackers make money or gain from these attacks. The first case of DDoS is extortion. This is what happened during the larger infrastructure attacks. They conduct an attack and ask you to pay $50,000 to stop the attack. – similar to ransomware.
The second reason for a DDoS is a smoke screen. So if they want to hack you, they will launch a very large DDoS attack. Companies are going to scramble, and their entire security team is going to try and fight the botnet attacking, leading them to miss out on what is really happening.
After all, a DDoS attack only takes down a website. It’s bad if your business is online, but it is not at the same level of stealing all of your information. So if they use a DDoS attack as a smokescreen, they can then go hack in for far more malicious purposes while the security team is distracted.
Then, of course, you have DDoS attacks that are for political reasons, such as by hacktivists or a nation-state. For example, a foreign government might try to disrupt an election by taking down a news site that is running a piece that hurts its favorite candidate.
TCB: Where do you see the future of botnets?
OI: The burden of defense is now moving to the websites who must protect their users. Bots are a fact of life, but there are ways to protect against them. As technology evolves, innovations in deep learning can help us understand the behavior of humans and differentiate it from bots in order to actually block out these botnet attacks to a degree.
