Rise of the botnets
When harnessed together, a network of zombie computers can be a force for evil — or good
Armies of zombie computers caused a lot of mayhem in 2018.
In January, one cluster of infected, connected machines attacked the three biggest banks in the Netherlands. The attack crippled computer systems and left customers uncertain about their money. In February, a website for computer programmers, called GitHub, was knocked offline by a network of tens of thousands of devices. In May, the public train system in Denmark was attacked. Its ticket-selling programs stopped working.
That was just in the first half of the year. The armies of infected devices that caused all this damage are known as robot networks, or simply “botnets.” These attacks happen online, via the internet. And the computer culprits weren’t all owned by criminals. Many were machines owned by regular people but taken over by hackers. Hackers have been using botnets in cyberattacks for more than a decade. Now the botnet armies are getting bigger, smarter and more destructive.
2018 was definitely a bad year for botnets. So was 2017. And 2016. And the several years before that. For more than a decade, botnets have been helping hackers commit crimes. They have stolen identities and money. They have attacked trains and banks. They have caused millions of dollars in damage.
Some botnets can create problems for years without being detected, says Adrian Dabrowski. He studies computer security in Vienna, Austria. Experts estimate that the biggest botnets can take over tens of millions of machines. Dabrowski says the problem of these malicious armies won’t go away in 2019. Indeed, it will likely worsen.
“There’s a lot you can do with 100,000 infected computers,” notes Jody Westby. She’s a security expert in Washington, D.C. Perhaps the most surprising thing about these devices is that their owners don’t know they have zombies. The user, says Westby, has little way of knowing. The device might simply run a little slower. For the most part, botnets are “all owned by people who are not aware that their computers are infected,” Westby says.
And every smartphone, tablet, laptop and gadget that connects to the internet is at risk.
Meet the zombies
A botnet might include computers, cameras and routers. Or it could include other online devices, such as security cameras or toys. Any electronic device that connects to the internet is vulnerable. It just has to be able to run a type of computer program known as malware. This program turns computers into zombies. That means it forces those computers to do whatever hackers tell them to do.
Botnet attacks can be expensive. A botnet that attacked a website in 2016 cost more than $300,000. That cost mostly came from the extra energy used by the owners of infected machines. In the attack on GitHub in 2018, the botnet demanded $15,000 in ransom to stop the attack. (GitHub didn’t pay. Its experts stopped the attack within a few minutes, even though it was one of the largest attacks in history.) In October 2016, a botnet crippled dozens of websites. They included Amazon, PayPal, Spotify and Twitter. Attacked businesses lost money when customers couldn’t buy things.
“Botnets are very effective” at causing problems, says Westby. She runs a company called Global Cyber Risk. It specializes in helping companies protect themselves against threats such as botnets.
Experts like Westby say that botnets are getting bigger and smarter, and that they are causing more types of harm. They’re one of the biggest threats to online security and privacy. Computer security experts and government agencies know of tens of thousands of botnets. Most of those networks are dormant, which means they’re not doing any harm right now (but they are ready to do so).
But with one computer command, the botmaster (or botherder — sort of like a malicious shepherd) can tell all those devices to attack. Last April, for example, a botnet that included 50,000 surveillance cameras in Japan launched a series of attacks around the world.
How to amass an army of zombies
Botnet attacks will get worse, Westby says. That’s partly because botmasters are finding ways to send more data from individual devices. It’s also because of the Internet of Things. That term refers to the idea that any gadget can be online. Such devices are often said to be “smart.”
Yet smart devices are often dumb when it comes to security. As a result, they become easy prey for recruiters. To build a zombie army of smart devices, a hacker writes a computer program that searches the internet for connected devices. Then, the program tries to break into that device. It tries to guess the password. With the right password, the program can install malware.
“And as long as they get malware in the computer, they can use it to commit crimes or send messages,” says Westby.
Guessing a password is easier than you might think. New devices like smart TVs, wi-fi routers and security cameras are sold with a default password in place. (It’s often something easy, like “password.”) According to a survey conducted by a computer magazine in June and July 2018, more than one-third of people never change their passwords. And many people use the same password for all their devices, which is also risky. If a criminal trying to build a zombie army tries to hack a million devices, they might successfully infect more than 300,000.
Hacked devices can make the army even bigger. For example, the malware might direct the device to search the internet for other devices to infect.
Many botnets sit quietly for months or years. One of the biggest attacks took place in October 2016. The culprit was a botnet named Mirai. Its creators had written and launched Mirai in 2014. For two years it spread from machine to machine. An investigation revealed that Mirai had first been used to attack the computer system of Rutgers University, in New Jersey, in 2014 and 2016.
In September 2016, the culprits behind Mirai published the computer program online. Now anyone, including any hacker, could download and use it. As a result, many criminals have now used Mirai to build their own zombie networks. In December 2017, a government investigation identified the culprits behind Mirai. As it turns out, two of them had started a company to help other businesses deal with attacks. (Sort of like bank robbers moonlighting as security guards.) Even though they’ve been caught, their creation lives on. Mirai-based botnets still cause problems.
An attack occurs when the hacker who controls the zombies sends out a signal for all the devices to do something. In the case of the attack on GitHub, all of the zombies sent junk data to the website at the same time. This attack crashed the website. Westby says botnets also can be used to harvest personal information or credit card information. That information can be used to steal money. It also can be sold to other criminals, to use later.
But that’s not all that botnets can do. Dabrowski says the threat from botnets isn’t limited to stealing money or crippling websites. His research has shown that it’s possible for them to move beyond machines and cause real, physical danger.
“It’s not just stealing credit cards or invading your privacy,” he says. “Botnets can actually have an impact on the physical world.”
Dabrowski works at SBA Research, a cybersecurity company in Vienna. He studies ways that virtual and physical worlds come together. He has studied privacy and security in wearable gadgets like fitness trackers, for example. But recently, he’s been studying power grids. He’s worried that they’re an easy target for botnets.
The power grid connects the places where electricity is generated to the people who use it. It includes power stations, wires and towers. And it runs on computer software. If the power grid goes offline, people lose access to electricity. The grid is vital to daily life, and as Dabrowski notes, it’s among the largest structures built by people. Power grids are a type of cyberphysical system, which means they bring together computer programs and real-world parts.
A few years ago, Dabrowski attended a talk where the speaker described how power grids work. Almost immediately afterward, he began to think about the ways that a power grid could break. Trying to find weaknesses in systems, he says, is an important part of working in security.
“Everything you see, you start wondering, where is the flaw? How can I misuse this thing?” he says.
In 2017, he identified how a power grid might fall victim to botnets. Computers need energy to function. Different parts of a computer require different amounts of energy. Botnets can harness and control those energy-guzzling features. For an individual machine, that would only mean a higher energy bill for the unsuspecting user. But a botnet controlling millions of machines could gobble up so much energy that it overloads the grid, and the grid shuts down.
“An attack can basically render the grid unusable,” he worries. A loss of power would be more than inconvenient. It could be dangerous, too. Wastewater treatment plants are often connected to the grid, so they could shut down. If hospitals lose power and don’t have a backup source, patients could be in danger. Gas pumps that use electricity would stop working, so that people couldn’t add fuel to their vehicles.
Recognizing that power grids have weaknesses is important for protection, Dabrowski says. However, he also predicts hackers will always find a way to break in. “I think it’s impossible to build the grid that is by itself resilient to this attack,” he says.
Predicting how botnets might attack is important. If engineers know a system’s weak spots, they can build detectors that can sound an alarm when botnets attack.
Computer armies working for good
Botmasters use armies of zombies to complete a task. Usually, it’s one that’s against the law. But connected computers also can be used for good. Together, their computing power can be used to discover new things about the world.
Dave Anderson is a computer scientist at the University of California, Berkeley. He’s a pioneer in a type of research known as volunteer computing. Anderson has developed projects where users allow their devices to be used to solve big problems. Such volunteer computing is not malware.
One of Anderson’s first projects is still running. It’s called SETI@Home. SETI originally stood for “Search for Extra-Terrestrial Intelligence.” The SETI project uses data from radio telescopes to search for potential signals from aliens. But radio telescopes collect a lot of data — too much for one computer to search.
Working together, a lot of linked computers can do the job. People who sign up for SETI@Home allow their computers to churn through data and look for signals. Then, those computers send their results over the internet to the central computer.
So far, SETI@Home hasn’t found aliens. But it’s not for lack of trying. SETI@Home uses the power of about 250,000 volunteer computers. Anderson wants more.
“I would like it to be 10 times or 100 times that much,” he says.
Anderson has developed software that helps other scientists conduct big data projects, beyond aliens. These include programs that simulate climate conditions. They also include studies into how DNA folds up inside a cell.
Anderson says volunteer computing helps in studies where one big task can be broken into a lot of smaller tasks. Sometimes those big tasks could be done by a supercomputer. Alas, most scientists don’t have a supercomputer. “A supercomputer is actually a bunch of processors connected by a high-speed network,” explains Anderson. So volunteer computing creates a connection that acts like a supercomputer.
Even though volunteer computing brings computers together, it’s not a botnet. That’s because unlike botnets, volunteer computing depends on people choosing to work toward some common goal. But Anderson still worries about botnets. “Our worst nightmare is that a hacker might take over a server and distribute malware,” he says. “We have a bunch of features to prevent that.”
The best way for individual users to stop botnets is to prevent infections. Westby has some tips for how to do that. She recommends that people set difficult passwords and never keep the default password on a new device.
In addition, she advises users to be careful about internet use. Some links sent via email or online can lead a user to download malware by accident. She says not to click on links in strange emails or on websites you don’t trust. “The minute they click on something, or go to some site they shouldn’t, they could be infected,” she says. People who suspect their computer might host vicious programs can use anti-malware software to find and get rid of them.
Westby says students have to be smart about what they do online. She also thinks that today’s students will come up with smart solutions for problems like botnets.
“Kids look at things differently than adults,” she says. “They can look at a problem fresh and come up with a cleaner approach.” Botnets, she suspects, “are a problem that kids could effectively solve.”