Bot networks still wreak havoc online. Millions of hacks, spam operations and online fraud campaigns perpetrated by botnets in recent years have done serious damage to law-abiding internet users: In the U.S. alone, botnets have caused over $9 billion in losses, the FBI estimates.
Although you can protect yourself by setting up firewalls and antivirus software, combating botnets on a larger scale has traditionally been difficult for law enforcement, because there isn’t a proven methodology for connecting one “bot” to another or back to the hacker controlling the network.
A group of Israeli researchers believe they are the first to have discovered a way to locate botnets and identify who is behind them, by planting honeypots that gather information about attacks carried out by the network, and analyzing that data with machine learning programs.
A botnet is a group of computers infected with malware that’s used to do a cybercriminal’s bidding from afar. A hacker spreads malware to thousands or millions of unprotected computers around the world, typically through spear-phishing emails with malware-infected attachments. The hacker then controls the network remotely, harnessing the bots’ combined power to carry out denial-of-service attacks or spam campaigns that scam targets out of their money.
The hacker conceals its identity and activities, and the hosts typically don’t even know they’ve become part of a virtual zombie army.
Botmasters can also lease their zombie networks on the dark web to other cyber thieves, and this rent-a-bot scheme can be very lucrative when carried out on a large scale. The operators of the botnet Bamital, which had control of about 8 million computers worldwide in order to highjack search results, earned an estimated $1.1 million a year from their operation, according to the security firm Symantec.
Now, researchers at Telekom Innovation Laboratories at Ben Gurion University of the Negev in Israel say they have discovered and traced six botnets by analyzing data collected through cyberattacks.
I visited the lab at the new cybersecurity complex underway in Beersheba, Israel, in February. The researchers told me they had potentially found a way to teach computer programs how to identify relationships among the millions of malicious bots around the world in order to discover which network they belong to.
The lab, a research and development arm of German telecom giant Deutsche Telekom, set up several hundred honeypots in Deutsche Telekom’s vast customer network, which comprises some 150 million people. Honeypots are designed to lure hackers by masquerading as a web server, pretending to contain the kind of personal data that hackers love, like credit card numbers, emails, and medical records. And in this case, it was successful.
Some of the honeypots the team set up were real databases, and the idea was “basically to just expose them to the network” and wait for them to get attacked by zombie bots, researchers explained. Each of the team’s honeypots was attacked thousands of times a day over a roughly one-year period. Each time they were attacked, the honeypots recorded critical information about their attackers and the way they behaved, including the attackers’ geolocation and IP address.
But the planted software recorded too much information for a mere mortal to ever hope to analyze, so they turned to artificial intelligence. To cope with the oceans of data the honeypot software had recorded from all these attacks, the researchers used machine learning algorithms tricked out to fit their specific needs.
The team used 17 unique algorithms to classify and categorize attacks based on hundreds of characteristics designed to differentiate one bot from the next.If a spam campaign was sending out emails at a rapid pace for a certain number of hours, for example, that behavior was analyzed according to about 700 different micro-criteria.
“Basically, we taught the technology to be able to identify a bot on its own”
“Basically, we taught the technology to be able to identify a bot on its own” without the help of humans, said Dudu Mimran, a towering, teddy-bear like man with piercing blue eyes who is the Chief Technology Officer at the Labs.
The artificial intelligence programs were eventually able to learn the behavior of thousands of bots in cyberspace and group them into networks based on that behavior. The researchers believe they’re the first to have done this.
“We can see where the bots reside, what their IP addresses are, and to which bot network they belong,” said Lior Rokach, a professor of data science at Ben Gurion University of the Negev and one of the principal investigators of the the Labs project.
At the labs office in Beersheba, Rokach showed me a map of tens of thousands of bots that his team’s project had identified around the world. Zooming in on North Dakota, Rokach revealed attack data on over 1,200 bots that had been curated autonomously by the group’s AI algorithms.
The new bridge from the Beersheba cyber park to Ben Gurion University in the Negev. Image: Hunter Stuart
So where are these botnets located, and who’s behind them? Although the data shows large numbers of bots in Russia and China, demographics are a better indicator than geography: There tend to be more bots in populations that are less computer-savvy—essentially anywhere where people aren’t educated about how to protect themselves from phishing emails or other online scams.
Areas where piracy is prevalent also show higher rates of infection. If you use The Pirate Bay or another program to torrent movies for free, you’re at greater risk of unknowingly downloading malware. “As the saying goes, if it’s free, then you’re the product,” said said Oleg Brodt, Telekom Innovation Laboratories’ Senior R&D Developer.
Though the popular perception of a hacker is a pale teenager working out of his parents’ basement, botnets are more often controlled by organized criminal entities, Mimran said.
“You’re making a lot of money if you own a botnet of 500,000 bots,” he said. “So usually that’s organized crime.”
For example, it was a Russian gang of cybercriminals who the FBI suspects was behind the “Gameover Zeus” botnet that infected 1 million computers with malicious software which the gang used to hack into online bank accounts, causing an estimated $100 million in financial losses before the FBI shut them down in 2014. The gang’s suspected ringleader, Evgeniy Bogachev, now has a $3 million bounty on his head.
Deutsche Telekom says it doesn’t have any plans to provide information to law enforcement at this point because the data they have is outdated and won’t help find existing links between zombie bots and their commanders. This is the problem with battling botnets: the networks can quickly mutate and conceal themselves.
“I say good on DT [Deutsche Telekom] for building this system, but make no mistake it's going to miss a lot of botnet activity,” security expert Brian Krebs, told Motherboard. “This stuff is in flux so quickly and up one minute for the first time ever and then down after a short time of spreading bad stuff.”
Butthe researchers believe that if their algorithms can be applied to new attack data in the future, it would help tamp down the activity of these shadowy online networks. “The utopic idea is to identify the emergence of new botnets at the infection stage,” Mimran said. “If we can do that, it would help to eliminate--or at least reduce--the botnet phenomenon.”
Theoretically, the bot networks identified by the research lab could be handed over to law enforcement to investigate to see what control center the bots are communicating with—in other words, who is at the top of the organized cybercrime hierarchy.
“It’s like with drug trafficking,” Mimran said. “The idea is to find the kingpin.”