Botnets were “not idle” during the COVID-19 pandemic: attacks are faster, and the methods more diverse and more hidden

A botnet is a means of carrying out malicious behaviour on the Internet rather than its end result, and its existence is a direct reflection of the threat itself. By building a botnet, attackers gain control over a large number of network resources and thereby obtain powerful attack capabilities, which they then use in a variety of ways to obtain illegal economic benefits.

In recent years, from Gafgyt and Mirai to GoBrut, BigViktor, Mozi and Pink, we have observed major changes in how botnets evolve. They illegally take over and repurpose large numbers of network resources, continuously improve their attack capabilities and steadily add concealment techniques, causing ever more serious losses to the limited network resources available.

In 2020, although the world was hit by the COVID-19 pandemic, botnet activity was not dampened by it; on the contrary, botnets became more active.

Against this background, NSFOCUS released the “2020 BOTNET Trend Report”. The report focuses on the overall trend analysis of botnets, drawing on first-hand data from the continuous monitoring and tracking of botnets by the CNCERT IoT threat intelligence platform and the NSFOCUS threat identification system. It describes the overall development of botnets in 2020 and the changes in characteristic families, then interprets the data and distils its main findings into the following viewpoints.

Viewpoint one

The IoT environment remains the hardest-hit area for vulnerability attacks of all kinds, and the vulnerabilities used in these attacks span a relatively long period of time. IoT devices often run for long periods in environments without human intervention. Because there are many IoT manufacturers, technical level and device quality are uneven, and initial passwords are frequently fixed, attackers can compromise such devices automatically and build large numbers of botnet nodes.
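As an added defensive illustration of the infection pattern described above (not code from the report or from NSFOCUS), the following Python detector flags a source that tries Telnet logins against many distinct devices within a short window, which is how a Mirai-style scanner walks through factory passwords, and lists the devices on which such a source then succeeded. The syslog-like log format and all addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (simplified syslog-like Telnet auth records from a
# hypothetical IoT gateway); not data from the NSFOCUS report.
SAMPLE_LOG = """\
2020-06-01T10:00:01 telnetd[412]: login failed user=root src=203.0.113.7 dst=192.0.2.10
2020-06-01T10:00:02 telnetd[412]: login failed user=admin src=203.0.113.7 dst=192.0.2.11
2020-06-01T10:00:03 telnetd[412]: login failed user=root src=203.0.113.7 dst=192.0.2.12
2020-06-01T10:00:04 telnetd[412]: login ok user=root src=203.0.113.7 dst=192.0.2.13
2020-06-01T10:00:05 telnetd[412]: login failed user=support src=203.0.113.7 dst=192.0.2.14
2020-06-01T10:05:00 telnetd[412]: login ok user=admin src=198.51.100.4 dst=192.0.2.10
2020-06-01T10:30:00 telnetd[412]: login failed user=admin src=198.51.100.4 dst=192.0.2.10
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) telnetd\[\d+\]: login (?P<result>ok|failed) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$")

def parse(log_text):  # yield parsed events; lines that do not match are skipped
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            yield ev

def find_sprayers(log_text, window=timedelta(minutes=5), min_targets=5):
    """src -> set of dst for sources that attempted logins on at least
    min_targets distinct devices inside any sliding window of `window`."""
    by_src = defaultdict(list)
    for ev in sorted(parse(log_text), key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)
    flagged = {}
    for src, evs in by_src.items():
        lo = 0  # left edge of the sliding time window for this source
        for hi in range(len(evs)):
            while evs[hi]["ts"] - evs[lo]["ts"] > window:
                lo += 1
            targets = {e["dst"] for e in evs[lo:hi + 1]}
            if len(targets) >= min_targets:
                flagged.setdefault(src, set()).update(targets)
    return flagged

def compromised_by_sprayers(log_text, **kw):
    """Devices on which a flagged sprayer got 'login ok': likely new bot nodes."""
    sprayers = find_sprayers(log_text, **kw)
    return sorted(e["dst"] for e in parse(log_text)
                  if e["src"] in sprayers and e["result"] == "ok")
```

The single administrator session from 198.51.100.4 is not flagged because it touches only one device; the thresholds are starting points to tune against a real device population.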

Viewpoint two

In 2020 botnets became deeply bound to spam, and bait emails themed on COVID-19 spread large numbers of traditional Trojans. The COVID-19 pandemic in 2020 had a reach and social impact that no other event of the period came close to. The operators of malicious-email botnets did not miss this opportunity: they quickly built and distributed pandemic-themed bait emails in many languages and formats, actively expanding the influence of email-borne Trojans.

Viewpoint three

DDoS botnet family activity is still dominated by traditional IoT Trojan families, represented by Mirai and Gafgyt.

Viewpoint four

Botnets have explored lateral movement in ever greater depth and have gradually acquired the ability to “discover on the same day, exploit on the same day” in vulnerability exploitation. While detecting botnet threats and network attacks, Fuying Lab found that the Fetch family, a Mirai variant, attacked using the latest attack chain, and that the relevant exploit had been disclosed on a foreign forum only about 3 hours before the attack was discovered. This is enough to show that the intelligence-conversion ability of botnet operators far exceeds what defenders have assumed.

Viewpoint five

Botnets are showing notable changes in their adversarial behaviour: attackers have begun to analyse some open-source honeypots and take countermeasures against them.

Viewpoint six

In terms of control protocols, botnet families are accelerating their transition to P2P control structures. Since 2020, Mozi, BigViktor and other botnets that use P2P protocols to control their nodes have been very active, gradually eroding the territory of traditional families such as Mirai and Gafgyt. Although emerging botnet families have few control nodes, the particular nature of their control protocols makes such botnets hard to shut down. Botnets based on P2P protocols, such as Mozi and BigViktor, will therefore gradually occupy the mainstream position in the future.

Viewpoint seven

Some botnets have begun to change their development model: they focus first on spreading and intruding, and improve their Trojan functionality only after the compromised hosts have been occupied.

Viewpoint eight

Botnet operators are now able to quickly turn threat intelligence and open-source community intelligence into attack methods, gradually widening the time and information gap between attack and defence, and continuously improving their threat capability against Internet devices and users through rapid deployment and iteration.

Viewpoint nine

Botnet controllers are behaving more and more cautiously, and the botnets run by the leading operators continue to develop towards greater stealth.

Viewpoint ten

APT groups have diversified their attack platforms.
