How Hackers Use Botnets To Launch DDoS Attacks

by Sunny Hoi

Role Of Botnets & How DDoS Works

Botnets serve as the culprit of some of the most extensive worldwide internet disruptions of the decade.

Distributed denial-of-service (DDoS) attacks flood an adversarial service with an enormous amount of traffic. The outcome of the DDoS attack is that the service’s servers are incapable of processing the requests and ultimately collapses.

DDoS attacks can occur at any moment and require prompt swift attention to mitigate before it drastically affects revenue.

The Reconnaissance Stage

Sadly, Information Technology (IT) administrators ought to check for potential DDoS activity and need to be vigilant to protect against these sorts of attacks.

Reasons for creating a new botnet vary. The malicious cyber actor may have been hired by an adversarial competitor.

Some distributed denial-of-service attacks are state-sponsored and launched to harm foreign governments and companies. Other reasons are for cybercriminals to make money or solely driven by political motives or heated feuds.

Botnets begin with the notion of demolishing public internet service on an adversarial company’s server. Nevertheless, the hacker requires devices with malware installed on them.

For an immense cybersecurity attack to occur, the initial step is to conduct reconnaissance by investigating the organization and searching for specific users. LinkedIn and social media are ideal for this stage. An adversarial cybercriminal may acquire a list of employees for a targeted company including individuals that hold high-level access on the network. Finance and Human Resources departments are usually targeted since they hold high-level access to crucial data.

Using Email Campaigns To Disseminate Malicious Malware – Infect And Disseminate Stage

Email fraud is the most prevalent method for disseminating adversarial controlled malware on a device. The most massive DDoS attack happened in February 2018 where attackers targeted GitHub, a popular code repository, with DDoS attacks that reached a record-breaking 1.35 Tbps. The second largest distributed denial-of-service attack was on the company Dyn, a significant DNS provider. This attack made international headlines because of the enormous amount of Internet of Things (IoT) devices deployed to initiate it. Any system may be employed for purposes of launching a DDoS attack including desktops and laptops. This stage is known as ‘infect and disseminate’. 

Hackers employ two primary techniques for phishing their victims. Notably, the hackers deceive targeted victims into accessing a server controlled by the attacker and disclosing authentication credentials or attach harmful files that consist of executables or documents containing macros intended to download malware.

Phishing emails are prevalent when a hacker desires authentication credentials. With authentication credentials, the cybercriminal may authenticate to the network and carry out any activity with the targeted victim’s permissions. Human Resources, finance, and IT administrators possess high-level access. Hence, an adversary will frequently target these users particularly. These tactics are commonly deployed in data breaches. However, cyber-actors may also send additional emails utilizing the employee’s account to further phish for additional information or infect more devices on corporate networks.

The alternative method for a hacker is sending emails with malicious attachments. Such attachments may contain executables that stealthily install malware without the target being consciously aware. An increasingly common method is to send emails with Microsoft Office attachments that include macros. Such macros download malware to infect targeted systems.

When a cybercriminal begins hoarding stolen credentials and infected systems, they start to accumulate devices for their botnet collection. Malware installed on machines run quietly waiting for a signal from the intruder. Various malware permits the intruder to authenticate remotely into the system when the victim is absent. Moreover, botnet malware may go over email contact lists and send malicious emails to other users. Whenever consumers receive email from someone they know already, there is a higher likelihood of recipients opening and executing attachments.

Evidently, this stage requires the hostile cyber actor to grasp phishing, malware, and deception of users. A new cloud service known as malware-as-a-service (MaaS) offers rentable infected machines at a price. Payment is rendered employing cryptocurrency, and an adversarial attacker may anonymously rent numerous infected systems to launch a cyber attack. Malware-as-a-service typically provides a cloud-hosted centralized dashboard where the threat actor may launch a DDoS campaign without ever needing to go through the steps to infect systems.

Command and Control Stage

Botnet malware is designed and coded to evade detection, yet intrusion detection and anti-malware applications together with artificial intelligence have advanced to identify potential infections in a more meaningful way. To evade detection, botnet malware will render alterations to its footprint.

Central command servers are investigated by anti-malware researchers and IT administrators eventually are aware of such danger which permits them to take further precautions to avoid infection. Botnet software ought to be capable of connecting to a central command server. Therefore, adversaries have to alter the IP address where malware connects. This may be achieved in numerous ways. Cybercriminals may modify the hosting addresses for the central control dashboard, and the malware will modify the contact IP address. Proxy servers are also a conventional resource used by the attacker to retain the same host IP address but alter proxy IP addresses to evade detection.

Despite that detection evasion is built into malware, the threat actor understands that few infected systems will eventually be cleaned or lost. Accordingly, the malware is made to distribute to other systems continuously. The botnet malware will dispatch email deploying the victim’s contact list configured on an email client. Unsurprisingly, the malware may scan the network for opportunities to infect any vulnerable devices. Furthermore, a threat actor may transmit additional phishing emails to IT administrators expecting to fool at least one high-level access user. Using an administrator’s credentials, an adversary may authenticate remotely and install malware on vulnerable devices on the network.

In addition, the threat actor registers various domain names employing a random domain generation algorithm. Such domains merely comprise a string of letters and numbers ready for registration. With the attacker’s surreptitious mindset, these domains sneak past content filters and remain undetected.

Lastly, infected network servers may also serve as proxies and assist the cyber actor as well. These servers may be utilized to infect more devices on the network and provide cybercriminals means to check for success.

Once the threat actor is prepared to continue, the central control center transmits commands to inactive systems. The command includes information on the victim’s server, and recipient devices render requests. Such requests may be from a large number of devices across the world, and targeted corporations perceive no cautions that a distributed denial-of-service attack is about to occur. Ultimately, the flood of requests overburdens server resources and the target’s service crashes.

Related Posts