2021

Article title

Effects of botnets – a human-organisational approach

Languages of publication

EN

Abstracts

EN
Botnets, the remotely controlled networks of computers with malicious aims, have significantly affected the international order from Ukraine to the United States in recent years. Disruptive software, such as malware, ransomware, and disruptive services, provided by those botnets has many specific effects and properties. Therefore, it is paramount to improve the defences against them. To tackle botnets more or less successfully, one should analyse their code, communication, kill chain, and similar technical properties. However, according to the Business Model for Information Security, besides technological attributes, there is also a human and organisational aspect to their capabilities and behaviour. This paper aims to identify the aspects of different attacks and present an analysis framework to identify botnets’ technological and human attributes. After researching the literature and evaluating our previous findings in this research project, we formed a unified framework for the human-organisational classification of botnets. We tested the defined framework on five botnet attacks, presenting them as case studies. The chosen botnets were ElectrumDoSMiner, Emotet, Gameover Zeus, Mirai, and VPNFilter. The focus of the comparison was motivation, the applied business model, willingness to cooperate, capabilities, and the attack source. For defending entities, reaching the target state of defending capabilities is impossible with a one-time development due to cyberspace’s dynamic behaviour and botnets. Therefore, one has to develop cyberdefence and conduct threat intelligence on botnets using such methodology as that presented in this paper. This framework comprises people and technological attributes according to the BMIS model, providing the defender with a standard way of classification.

Dates

published
2021-07-01
received
2021-04-07
revised
2021-06-01
accepted
2021-06-06

Contributors

author
  • Doctoral School for Safety and Security Sciences, Obuda University, Hungary

References

  • Alzubaidy, L. and Hatim, K. (2015) ‘Analysis and detection of the Zeus Botnet crimeware’, International Journal of Computer Science and Information Security, 13, pp. 121–135.
  • Anomali (2019) APT28 timeline of malicious activity. Available at: https://forum.anomali.com/t/apt28-timeline-of-malicious-activity/2019 (Accessed: 21 February 2019).
  • Antonakakis, M., April, T., Bailey, M., Bernhard, M., Bursztein, E., Cochran, J., Durumeric, Z., Halderman, J.A., Invernizzi, L., Kallitsis, M., Kumar, D., Lever, C., Ma, Z., Mason, J., Menscher, D., Seaman, C., Sullivan, N., Thomas, K. and Zhou, Y. (2017) ‘Understanding the Mirai botnet’, in Proceedings of the 26th USENIX Security Symposium. Vancouver: USENIX Association, pp. 1093–1110.
  • Ashford, W. (2018) Next-gen Mirai botnet targets cryptocurrency mining operations, ComputerWeekly.com. Available at: https://www.computerweekly.com/news/450433414/Next-gen-Mirai-botnet-targets-cryptocurrency-mining-operations (Accessed: 21 April 2020).
  • Aycock, J. (2011) Spyware and adware. Switzerland AG: Springer. doi: 10.1007/978-0-387-77741-2.
  • Banday, M.T., Qadri, J.A. and Shah, N.A. (2009) ‘Study of botnets and their threats to internet security’, Sprouts: Working Papers on Information Systems, 9(24), pp. 9–24.
  • Beckers, K. (2015) Pattern and security requirements engineering-based establishment of security standards. Switzerland AG: Springer. doi: 10.1007/978-3-319-16664-3.
  • Bederna, Z., Rajnai, Z. and Szadeczky, T. (2021) ‘Attacks against energy, water and other critical infrastructure in the EU’, in 2020 IEEE 3rd International Conference and Workshop on Electrical and Power Engineering (CANDO-EPE), Óbuda, Hungary. doi: 10.1109/CANDO-EPE51100.2020.9337751.
  • Bederna, Z. and Szadeczky, T. (2019) ‘Cyber espionage through botnets’, Security Journal, 33, pp. 43–62. doi: 10.1057/s41284-019-00194-6.
  • Bing, C. (2016) You can now buy a Mirai-powered botnet on the dark web, CyberScoop. Available at: https://www.cyberscoop.com/mirai-botnet-for-sale-ddos-dark-web/ (Accessed: 21 April 2020).
  • Brichant, R. and Eftekhari, P. (2019) The rise of disruptionware. Available at: https://icitech.org/wp-content/uploads/2019/09/ICIT-Brief-The-Rise-of-Disruptionware.pdf (Accessed: 29 September 2019).
  • Cantón, D. (n.d.) Botnet detection through DNS-based approaches, INCIBE. Available at: https://www.incibe-cert.es/en/blog/botnet-detection-dns (Accessed: 1 August 2018).
  • Chang, W., Mohaisen, A., Wang, A. and Chen, S. (2015) ‘Measuring botnets in the wild: Some new trends’, in ASIACCS 2015: Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security. doi: 10.1145/2714576.2714637.
  • Chukwudi, A.E. (2017) ‘Game theory basics and its application in cyber security’, Advances in Wireless Communications and Networks, 3(4), pp. 45–49. doi: 10.11648/j.awcn.20170304.13.
  • Cimpanu, C. (2019) Hacker takes over 29 IoT botnets, ZDNet. Available at: https://www.zdnet.com/article/hacker-takes-over-29-iot-botnets/ (Accessed: 10 March 2020).
  • Cisco (2014a) Cisco Networking Academy connecting networks companion guide: Hierarchical network design. Cisco Press.
  • Cisco (2014b) The art of network architecture. Cisco Press.
  • Cisco Talos (2018) New VPNFilter malware targets at least 500K networking devices worldwide. Available at: https://blog.talosintelligence.com/2018/05/VPNFilter.html (Accessed: 20 February 2020).
  • Dey, P.K., Canbaz, M.A., Yuksel, M. and Gunes, M.H. (2018) ‘On correlating ISP topologies to their businesses’, in IEEE International Conference on Communications. doi: 10.1109/ICC.2018.8422620.
  • Do, C.T., Tran, N.H., Hong, C., Kamhoua, C.A., Kwiat, K.A., Blasch, E. ... and Iyengar, S.S. (2017) ‘Game theory for cyber security and privacy’, ACM Computing Surveys, 50(2), pp. 1–37. Article No.: 30. doi: 10.1145/3057268.
  • Dobák, I. (2021) ‘Many areas of cybersecurity are also interconnected with national security’, Security & Defence, 33(1), pp. 75–85. doi: 10.35467/sdq/133154.
  • Eskandari, S., Leoutsarakos, A., Mursch, T. and Clark, J. (2018) ‘A first look at browser-based cryptojacking’, in Proceedings of the 3rd IEEE European Symposium on Security and Privacy Workshops, EuroS&PW 2018. doi: 10.1109/EuroSPW.2018.00014.
  • European Union (2016) ‘Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union’, Journal of the European Union. Available at: http://data.europa.eu/eli/dir/2016/1148/oj.
  • European Union Agency for Network and Information Security (ENISA) (2019) ENISA threat landscape report 2018. doi: 10.2824/622757.
  • European Union Agency for Network and Information Security (ENISA) (n.d.) Botnets. Available at: https://www.enisa.europa.eu/topics/csirts-in-europe/glossary/botnets (Accessed: 26 February 2020).
  • Europol (2014) International action against ‘Gameover Zeus’ botnet and ‘CryptoLocker’ ransomware. Available at: https://www.europol.europa.eu/newsroom/news/international-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware (Accessed: 20 April 2020).
  • FireEye (2018) Threat research: A deep dive into RIG exploit kit delivering Grobios trojan. Available at: https://www.fireeye.com/blog/threat-research/2018/05/deep-dive-into-rig-exploit-kit-delivering-grobios-trojan.html (Accessed: 20 April 2020).
  • Fortinet (2019) New Emotet report details threats from one of the world’s most successful malware operations. Available at: https://www.fortinet.com/blog/threat-research/emotet-playbook-banking-trojan.html (Accessed: 20 April 2020).
  • Gandhi, R., Sharma, A., Mahoney, W., Sousan, W., Zhu, Q. and Laplante, P. (2011) ‘Dimensions of cyber-attacks: Cultural, social, economic, and political’, IEEE Technology and Society Magazine, 30(1), pp. 28–38. doi: 10.1109/MTS.2011.940293.
  • Halder, D. and Jaishankar, K. (2012) Cyber crime and the victimization of women: Laws, rights, and regulations. Hershey, PA: IGI Global. doi: 10.4018/978-1-60960-830-9.
  • IBM Corporation (2016) The inside story on botnets. Available at: https://www.ibm.com/downloads/cas/V3YJVYZX.
  • Ilascu, I. (2014) ‘New Gameover Zeus botnet forming, the US sees most infections’, Softpedia News. Available at: https://news.softpedia.com/news/New-Gameover-Zeus-Botnet-Forming-the-US-Sees-Most-Infections-455112.shtml (Accessed: 27 May 2021).
  • Kaspersky (2018) Trojan-Banker.Win32.Emotet. Available at: https://threats.kaspersky.com/en/threat/Trojan-Banker.Win32.Emotet/ (Accessed: 27 May 2021).
  • Khonji, M., Iraqi, Y. and Jones, A. (2013) ‘Phishing detection: A literature survey’, IEEE Communications Surveys and Tutorials, 15(4), pp. 2091–2121. doi: 10.1109/SURV.2013.032213.00009.
  • Liang, X. and Xiao, Y. (2013) ‘Game theory for network security’, IEEE Communications Surveys and Tutorials, 15(1), pp. 472–486. doi: 10.1109/SURV.2012.062612.00056.
  • Liu, Y. and Wang, H. (2018) ‘VB2018 paper: Tracking Mirai variants’, Virus Bulletin. Available at: https://www.virusbulletin.com/virusbulletin/2018/12/vb2018-paper-tracking-mirai-variants/ (Accessed: 21 April 2020).
  • Malwarebytes Labs (2019a) Electrum bitcoin wallets under siege. Available at: https://blog.malwarebytes.com/cybercrime/2019/04/electrum-bitcoin-wallets-under-siege/ (Accessed: 20 April 2020).
  • Malwarebytes Labs (2019b) Electrum DDoS botnet reaches 152,000 infected hosts. Available at: https://blog.malwarebytes.com/cybercrime/2019/04/electrum-ddos-botnet-reaches-152000-infected-hosts/.
  • Manky, D. (2013) ‘Cybercrime as a service: A very modern business’, Computer Fraud and Security. doi: 10.1016/S1361-3723(13)70053-8.
  • Manuel, J. (2018) Searching for the reuse of Mirai code: Hide ‘N Seek Bot. Available at: https://www.fortinet.com/blog/threat-research/searching-for-the-reuse-of-mirai-code--hide--n-seek-bot.html (Accessed: 10 March 2020).
  • Miller, C. (2010) ‘Kim Jong-il and me: How to build a cyber army to attack the US’, DEF CON 18.
  • MITRE ATT&CK (2019) Smoke Loader. Available at: https://attack.mitre.org/software/S0226/ (Accessed: 20 April 2020).
  • Montalbano, E. (2018) Mirai creators cooperate with feds to avoid prison, The Security Ledger. Available at: https://securityledger.com/2018/09/mirai-creators-cooperate-with-feds-to-avoid-prison/ (Accessed: 27 May 2021).
  • Putman, C.G.J., Abhishta, A. and Nieuwenhuis, L.J.M. (2018) ‘Business model of a botnet’, in Proceedings of the 26th Euromicro International Conference on Parallel, Distributed, and Network-Based Processing, PDP 2018. doi: 10.1109/PDP2018.2018.00077.
  • Ravali, P. (2013) ‘A comparative evaluation of OSI and TCP/IP models’, International Journal of Science and Research, 4(7), pp. 514–521.
  • Ryan, R.M. and Deci, E.L. (2000) ‘Self-determination theory and the facilitation of intrinsic motivation, social development and well-being’, American Psychologist, 55(1), pp. 68–78. doi: 10.1.1.529.4370.
  • Sandee, M. (2015) GameOver ZeuS: Backgrounds on the badguys and the backends. Available at: https://www.blackhat.com/docs/us-15/materials/us-15-Peterson-GameOver-Zeus-Badguys-And-Backends-wp.pdf.
  • Security Boulevard (2020) Emotet attacks: A spike to start the year… Available at: https://securityboulevard.com/2020/02/emotet-attacks-a-spike-to-start-the-year/ (Accessed: 20 April 2020).
  • Siddiqui, H., Healy, E. and Olmsted, A. (2018) ‘Bot or not’, in 12th International Conference for Internet Technology and Secured Transactions, ICITST 2017. doi: 10.23919/ICITST.2017.8356448.
  • Spamhaus (2019) Estimating Emotet’s size and reach. Available at: https://www.spamhaus.org/news/article/791/estimating-emotets-size-and-reach (Accessed: 20 April 2020).
  • Specht, S.M. and Lee, R.B. (2004) ‘Distributed denial of service: Taxonomies of attacks, tools and countermeasures’, in International Workshop on Security in Parallel and Distributed Systems, pp. 543–550.
  • Szőr, P. (2005) The art of computer virus research and defense. New Jersey: Pearson Education.
  • Tandoc, E.C., Lim, Z.W. and Ling, R. (2018) ‘Defining “fake news”: A typology of scholarly definitions’, Digital Journalism. doi: 10.1080/21670811.2017.1360143.
  • Trend Micro (2014) Gameover: ZeuS with P2P functionality disrupted. Available at: https://www.trendmicro.com/en_us/research/14/f/gameover-zeus-with-p2p-functionality-disrupted.html (Accessed: 27 May 2021).
  • Trend Micro (2021) VPNFilter two years later: Routers still compromised. Available at: https://www.trendmicro.com/en_ca/research/21/a/vpnfilter-two-years-later-routers-still-compromised-.html (Accessed: 27 May 2021).
  • Ullrich, J.B. (2018) Worm (Mirai?) exploiting Android Debug Bridge (port 5555/tcp), SANS ISC InfoSec Forums. Available at: https://isc.sans.edu/forums/diary/Worm+Mirai+Exploiting+Android+Debug+Bridge+Port+5555tcp/23856/ (Accessed: 21 April 2020).
  • Vakulyk, O., Petrenko, P., Kuzmenki, I., Pochtovyi, M. and Orlovskyi, R. (2020) ‘Cybersecurity as a component of the national security of the state’, Journal of Security and Sustainability Issues, 9(3), pp. 775–784. doi: 10.9770/jssi.2020.9.3(4).
  • Verizon (2020) Data breach investigations report 2020. Available at: https://enterprise.verizon.com/resources/reports/2020-data-breach-investigations-report.pdf (Accessed: 23 March 2021). doi: 10.1016/S1361-3723(20)30059-2.
  • von Roessing, R. (2010) ‘The ISACA business model for information security: An integrative and innovative approach’, in ISSE 2009 Securing Electronic Business Processes. doi: 10.1007/978-3-8348-9363-5_4.
  • Youngblood, J.R. (2016) ‘Ransomware’, in Business theft and fraud: Detection and prevention. Boca Raton, FL: Routledge. doi: 10.4324/9781315380780-37.

Identifiers

YADDA identifier

bwmeta1.element.doi-10_35467_sdq_138588