The work of bot detection has always been difficult, but until recently, the methodology for finding and catching bots was pretty straightforward: monitor the web for malware and other signs of bot activity, identify the source, and cut it off.
But these days, botnets have become a multi-billion dollar business that’s active in nearly all corners of the world. That’s due in large part to the growth of the Malware-as-a-Service (MaaS) market.
In a MaaS framework, malware programmers rent the botnets they create to other cybercriminals on the web, delivering a service to customers on a subscription basis much like any corporation would. In fact, these companies often purposely structure themselves after legitimate companies. The result is that in today’s world, practically anybody can be a cybercriminal. Massive botnets-for-hire allow would-be cybercriminals – some with little to no technical experience – to launch an attack for as little as a few thousand dollars.
Organizations aren’t defenseless against this new, highly scalable form of cybercrime. To keep the botnets at bay, we need to understand how MaaS came about and the scale of the threat it presents to the web as we know it.
The Evolution of Malware
Once upon a time, planting bots on residential computers with malware was hard work. Cybercriminals would have to build their own botnets from scratch by writing malware, spreading it across the web until enough unsuspecting users clicked on it, and manually executing the crime. In other words, malware had no specialization — you had to be a real jack-of-all-cybercrime-trades to make any money.
Today, specialization in the cybercriminal value chain has made operating botnets as easy as running a self-service advertising campaign. While a few highly skilled individuals do the harder work of finding security exploits and writing the actual malware code, others distribute the malware freely through spamming, malvertising, or other methods. All these services are then bundled together and sold as a discrete package. These services even include intuitive interfaces that clients can use to execute their criminal campaigns, much like any legitimate piece of software would.
The Zeus botnet is one of the early examples of a successful MaaS operation. Its creators released a developer’s kit that gave clients on the dark web the ability to not only lease its tremendous network of infected computers (some estimates say the network featured as many as 1,000,000 machines), but to configure it for their specific purposes. Whereas previous botnets could only be operated from a single command-and-control server, Zeus could receive commands from any client’s computer, making it much harder to bring down.
While Zeus was eventually disrupted by an FBI investigation in 2010, it paved the way for similar operations to turn a massive profit from renting out customizable botnets. In some cases, a malware developer will make their source code public in order to throw investigators off their trail, knowing that other criminals will use it and make it harder to know where the botnet originated.
That’s what happened in 2016 with the Mirai botnet. Mirai was created by a Rutgers undergraduate to make money through Minecraft, but after its developer posted the botnet’s code online, it was ultimately used in a massive DDoS attack targeting Microsoft’s game servers. Now that the code is out in the wild, any would-be hacker can take a stab at infecting IoT devices, causing DDoS attacks, or selling those services to others.
These are just a few examples of how easy it’s become for anyone on the dark web to use a botnet. Today, unscrupulous programmers buy, advertise, and sell malware to clients around the world – sometimes offering 24/7 concierge support.
The Effects of Specialization
The specialized malware market has also made the average cyberattack far more advanced. Think about the Industrial Revolution: Work that once took several hours and dozens of workers could suddenly be completed twice as fast by single machines. Factories could no longer rely on skilled workers to be competitive; instead, factories had to buy the most efficient machine on the market.
This is essentially what’s happened in the world of malware. A few highly skilled hackers have written malware that can go undetected on a residential computer. Instead of doing the work themselves, these people are creating kits of their highly advanced malware that any amateur can pick up and use for a fee. Cybercriminal operations can now operate at the scale and pace of legitimate corporations, creating a massive and sophisticated cybercrime economy.
What This Means for Cybersecurity
The dark web has evolved into a marketplace of accessible technologies, much like our own marketplaces in the SaaS world. We have to evolve as well.
Thanks to the explosion of the MaaS business, it no longer takes a hacking wunderkind to pose a threat. Anyone with a connection to the dark web can harness the world’s most advanced bots to attack practically any organization they want to target. Security teams can try to do battle with these botnets, but since all it takes is one successful breach to compromise a company’s defenses, the advantage in these battles will always go to the attackers.
There’s a possibility that this currently bleak dynamic could be reversed, but it would require a level of collaboration that has thus far been very difficult to achieve in the security space. Defensive security teams would likely be much more effective at attacking the profit centers of cybercrime at large if they combined their efforts, but companies in this industry are reluctant to risk sharing their tactics or proprietary information with competitors. If these companies were to merge their differing perspectives and knowledge bases, they might be able to achieve the kind of breakthrough needed to confront an entirely new paradigm of online attacks.
Whether collaboration on this scale is possible remains unclear. The only thing we can be sure of now is that cybercrime has evolved. To curtail it, our approach to defense has to evolve too.