Command tweets, a better botnet and the ever-increasing creativity of DDoS attack execution

It used to be that so-called n00bs writing shoddy malware, in their mothers' basements or otherwise, were a punchline instead of a threat to websites, businesses and livelihoods. It also used to be that a tweet couldn't launch a cyber attack and a DVR couldn't help control a botnet, but thanks to the creativity of DDoS attackers, a surprising range of awful things has become all too possible. Here's what you need to know about some of the latest developments in DDoS attack execution.
The basics

Distributed Denial of Service (DDoS) attacks have become a hot topic in the last few years, and not just amongst cybersecurity professionals and website owners. Thanks to record-breaking attacks that have taken down high-profile sites like Netflix and Twitter, they've garnered all kinds of attention on social media and grabbed headlines in mainstream media across the globe.

These attacks use the collective power of a botnet, which is a network of malware-infected devices that can be controlled remotely. The botnet is used to overwhelm a target website or online service with malicious traffic or requests, knocking the target offline if successful. While the basic strategy behind distributed denial of service attacks has stayed the same over the 15+ years these attacks have been used, the evolution of attacks has been nonstop, including recent tweaks to attack execution, both brilliant and not-so-brilliant.

Twitter trouble

Amongst the millions of tweets about President Trump, the NBA playoffs and Taylor Swift’s new boyfriend, cybersecurity professionals managed to uncover something truly interesting on Twitter: an account controlling a DDoS botnet.

Here is how it works: the Twitter account is hard-coded in the botnet's malware source code, and the botnet queries the account at predetermined times to check for commands. Those commands instruct it to start and stop DDoS attacks against targets identified by IP address in the tweets. This positions the Twitter account as the botnet's command and control server. According to malware researchers, the malware appears to have been written by a Russian malware author.

Also according to researchers, the malware is poorly written and contains many inefficiencies. And while using a Twitter account as a command and control server is novel, it's flawed as well: when that Twitter account is shut down, the entire botnet is orphaned, rendering it useless for DDoS attacks.

So the good news is that this development, for the time being, isn't a tremendous threat. The bad news is it's still a threat. Using Twitter as a command and control server removes the step of actually creating a command and control server. It's only a matter of time before a more skilled attacker figures out how to use roving Twitter accounts as multiple command and control servers, which will be much harder to stop than a single account that's been hard-coded. Furthermore, even the most inefficient botnet will wreak havoc on a website that isn't protected against DDoS attacks.
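A defender's view of the polling behaviour described above, as an added example that is not part of the original article: it flags hosts in proxy logs that request the same Twitter page at near-fixed intervals. The log format, host names, account path, watchlist and thresholds are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log: timestamp, source host, destination host, path.
SAMPLE_LOG = """\
2017-05-18T09:00:02 dvr-cam-07 twitter.com /example_account
2017-05-18T09:01:10 laptop-22 twitter.com /home
2017-05-18T09:03:45 laptop-22 twitter.com /home
2017-05-18T09:10:01 dvr-cam-07 twitter.com /example_account
2017-05-18T09:20:03 dvr-cam-07 twitter.com /example_account
2017-05-18T09:27:30 laptop-22 twitter.com /home
2017-05-18T09:28:05 laptop-22 twitter.com /home
2017-05-18T09:30:02 dvr-cam-07 twitter.com /example_account
2017-05-18T09:40:02 dvr-cam-07 twitter.com /example_account
2017-05-18T09:55:40 laptop-22 twitter.com /home
truncated-line twitter.com
"""
WATCHED_HOSTS = {"twitter.com", "api.twitter.com"}  # assumed watchlist


def parse_log(text):
    """Group request times by (source, destination, path); skip bad lines."""
    hits = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
            src, dest, path = parts[1:]
        except (ValueError, IndexError):
            continue
        hits[(src, dest, path)].append(ts)
    return hits


def find_pollers(text, min_hits=5, max_cv=0.1):
    """Flag watched-host polling with low-jitter gaps: (source, path, mean s)."""
    flagged = []
    for (src, dest, path), times in parse_log(text).items():
        if dest in WATCHED_HOSTS and len(times) >= min_hits:
            times.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            avg = mean(gaps)
            if avg > 0 and pstdev(gaps) / avg <= max_cv:  # low jitter
                flagged.append((src, path, round(avg)))
    return flagged


print(find_pollers(SAMPLE_LOG))
```

The human-driven laptop traffic has the same number of requests but widely varying gaps, so only the fixed-interval device is reported.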

A scary smart IoT tweak

There’s another recent DDoS attack execution development that is a major threat, right this minute. The Mirai botnet, made up of hundreds of thousands of Internet of Things (IoT) devices, was the botnet behind the record-busting attacks of last fall. For all its success, however, it does have a design flaw. The massive Mirai botnet relies on centralised command and control servers to issue attack commands to the botnet. When traffic to these servers is blocked, the botnet loses its ability to launch attacks.

This is where the new development comes in. The new IoT botnet making waves is the Hajime botnet, and unlike Mirai, it's not going to be hampered by centralised command and control servers. It instead uses peer-to-peer networking, which allows any device in the botnet to issue commands to the rest of the botnet. With any device essentially able to act as a command and control server, this botnet will be much harder to stop. With almost 300,000 DVRs, webcams and routers already enlisted, its attacks are going to be crippling when it starts up.

The full spectrum lesson

From the work of brilliant botnet masterminds to bumbling malware amateurs, the range of distributed denial of service threats that exists is unprecedented and ever-growing. When something as simple as a tweet or as complex as instructions issued over a P2P IoT network can kickstart an attack that could take down websites, no one is safe without professional DDoS protection.

18 May 2017 13:15