Botnets and cyberwar

The power of cyber attacks on the Internet can be compared to an atomic bomb explosion in reality. Today, to underestimate the seriousness of hacker hacking web resources is stupid and dangerous. Experts on whom the power spends millions and billions dollars struggle with such misfortune. For example, the damage from cyber attacks for the global economy, according to research by the Ponemon Institute, is more than a billion dollars annually.
A botnet (botnet) is a network of computers infected with malicious code, which allows criminal groups to remotely control "infected" machines without the user's knowledge.
A bot is a malicious program that is deployed on a computer and provides remote control functions to cybercriminals, and the infected computer itself becomes a zombie. The computer that controls the botnet is called the control center. True, in order not to place a large botnet in one place of management, attackers split it up into several smaller ones in case one of them fails. Botnets can be from a few hundred computers to tens or hundreds of thousands of zombie computers.
At a certain moment, at the command of the organizer of the attack, “zazombirovannye” computers simultaneously contact the site, which is to become a victim, and send him a specific request. This action alone cannot harm the site. But through an unexpected huge number of requests, which is never normal, the computer system stops working.
The developers of bots are trying to ensure that these malicious programs do not show their presence on the computer for a long time. Therefore, many owners of infected computers are not aware of the infection. Among the suspicious signs may be that the slowing down of the system, the appearance of strange messages, sometimes it can fail. At the same time, if the Internet provider reveals the facts of spreading malicious software, spam or DDoS traffic from an infected computer, the provider can disconnect this computer from the Internet.
Bots penetrate other people's computers in various ways. Most often, they are distributed through questionable websites, when downloading untested browser plugins, via e-mails with the launch of key generators, "cracks", patches and other pirated software. There is also an infection option from a USB flash drive if it has visited the infected machine.
Removing an infected computer from a botnet is very simple - just disconnect it from the Internet. However, in the current era of ubiquitous internetization, it thus seems highly undesirable: not only does this make access to information more difficult, there is also no guarantee that the virus will not jump from a flash drive.
The main signs of infection of the computer and belonging to the botnet machines.
• The software is hard on the Internet, trying to establish a connection with the provider at any time when your computer is turned on.
• An increase in network traffic.
• In system processes, there are many new ones that did not exist before, and new processes are disguised as system processes (that is, they have names similar to them).
Botnets make attacks on servers collecting and transferring secret information, send spam, perform phishing and checkout counters, with a click on which even pennies are paid, but if there are hundreds of computers on the botnet, then this is not a penny, but real money. It should be noted that all of the above actions a botnet can perform simultaneously.
Common threats to botnet networks
DDoS attacks. The goal is to overflow the buffer of the attacked machine, as a result of which it stops responding and simply “hangs”. DDoS attacks are widely used by hackers to gain access to attacked computers and launch code on them. It is also often used by unscrupulous competitors, since a DDoS attack is not an expensive exercise, but the elimination of its consequences can take a lot of money and time.
Collect secret information. Secret information of various kinds, not intended for wide disclosure, has always attracted cybercriminals. A bot on a computer is a spy that can send passwords to various services from an infected computer, take screenshots, search for files and then delete them or upload them to a remote server. Also, these are credit card numbers, passwords to e-wallets, logins, passwords and contact lists in mailboxes or Skype and more. The information obtained is used by the attackers themselves and is sold on the side.
Spam mailing. If an attacker receives a list of contacts from the user's mail program, his base for spam will be enriched by several dozen, well, maybe a hundred e-mail addresses, but on a botnet there are several thousand computers and this is significant. There is a possibility that the user's computer may be blacklisted as a malicious spammer.
Search spam. It is used to increase the ranking of some sites in search queries. After all, the more visitors on the site, the more its owner will receive profit from advertising.
Increase click counters. There are both separate sites and entire networks that are willing to pay for the transition on their links in the hope that the user who has followed the link will make a purchase in them. This is what the botnet owners use, forcing the victims' computers to follow the necessary links while earning good money.
Phishing Phishing is the creation of a fake page of a popular project (for example, Yandex-money). The user is sent there, and they are asked to log in and the money from the users' wallets is transferred to the criminals.
Network botnet
Unfortunately, organizing a botnet is not difficult, there are many instructions on its creation on the Internet. But, first of all, attackers need to somehow translate the bot on the victim's computer, so you should be careful not to run applications sent by unknown persons.
The use of botnets is not always carried out by the network owner: an advertising campaign can pay for the purchase or rental of a network of botnets. Purposeful creation of botnets for sale is quite lucrative criminal business.
Recommendations for protection from a botnet.
• Install a good antivirus on your computer and regularly update the antivirus databases.
• Install and regularly update your firewall.
• Install all updates to the operating system and software released by the developers of these products.
• Use encryption for sensitive data.
• Be alert and cautious when downloading files, especially unfamiliar or warez servers.
Botnet as an army of cyber-robots
Although in most cases botnets are used for commercial gain, they can be used as an effective tool in cyber warfare in other states, for example, for organizing powerful DDoS attacks and massive spamming.
In April 2007, the world's first cyber attack against the state of Estonia took place. It is notable for a high level of internetization of the population and the development of e-government Internet services.
Cyber ​​attacks against Estonian websites began on April 27, following the riots in Tallinn caused by the relocation of the Soviet monument Bronze Soldier. First, the attacks were directed to the sites of the President of Estonia, the Prime Minister, the Ministry of Foreign Affairs, the Ministry of Justice and the Parliament. At first, the attacks were technically simple and had little resemblance to cyberwar, rather, cyberbunts. However, the political motives of such attacks and some evidence prompted many experts to believe that these attacks were organized by the Russian government.
First, the attackers confined themselves to spamming and cyber-vandalism (for example, the photo of the Estonian Prime Minister was distorted on the website of his party). However, on April 30th, a coordinated DDoS attack began using botnets. The most destructive attacks continued over 10:00, dropping several gigabit of traffic on the web resources of the Estonian government. DDoS attacks reached their climax on May 9, after which they began to decline.
Strangely enough, it was not possible to find any reliable evidence that Russia organized this cyber attack. The use of zombie computers that were scattered around the world, proxy servers and spoofing tactics (using someone else's IP address to deceive the security system) made it extremely difficult to determine with any degree of certainty the origin of the attacks.
At the same time, there is indirect evidence of the connection with them in Moscow. Millions of computers were attracted for cyber attacks, and renting botnets for such attacks is a costly undertaking. Therefore, the question arises: “To whom are these attacks beneficial?”. The Estonian President expressed the suggestion that the characterization of attacks on a specific government through anonymous proxy servers corresponds to the way the Putin regime operates, testing a new “weapon”.
In 2008, a powerful cyber attack was carried out against Georgia. The hackers who were directly responsible for putting the first cyber-attacker around Georgia were part of the RBN (Russian Business Network) grouping, which was controlled by Alexander Boykov from St. Petersburg. Also, the programmer and spammer Andrei Smirnov was involved in this attack. These people headed the RBN section, and they were not doing this from amusement, and at the same time they were not “hacktivists” (some cyber attacks on Georgia were carried out by activist hackers).
By that time, Alexander Boykov was already well known in the cybercriminal world, most of all for distributing the malicious VirusIsolator, which downloads Trojans to control the victim computer. He was also "made famous" by sending out bad spam, financial crimes and managing fraudulent sites.
Smirnov also worked with fraudulent portals, in particular, he owned a website selling medical preparations from Canada. It is known that Smirnov adheres to Nazi views and supported blocking the supply of natural gas to Ukraine.
The cyber attack began as follows. At first, Boykov sent out a huge amount of spam letters allegedly on behalf of the Air Force, in which it was stated that the President of Georgia was gay. When the user clicked on the sheet, a virus was downloaded on his PC. This botset began to form in 2006, but the main number of nodes increased in March-April 2008. Further investigations into the activities of Boykov and Smirnov showed that Russian authorities were involved in the cyber attack.
If you compare happened in Estonia and Georgia, then much looked identical, or at least very similar. In the attacks on both countries used botnets used for powerful DDoS-attacks. But if in Estonia they reacted in time to cyber attacks and they had little effect on the lives of ordinary people, in Georgia the defense against them was not so successful. For example, in Estonia several Internet services of large banks were unavailable for several hours, whereas in Georgia this stop was long.
Consequently, the higher the level of internetization of the population, the greater the harm cyber attacks can cause. At the same time, the state and private business can counter cyber attacks, quickly increasing the capacity of Internet channels and blocking DDoS traffic. But in order to do this effectively, it is necessary to take cybersecurity measures at the state level in advance.
In Ukraine, launched an Internet project "cyber defense"

In Ukraine, earned a new information resource called "cyber defense." The project was launched on May 26, 2014 as a page on the social networking site Facebook https://www.facebook.com/kiberoborona. The group included IT specialists, public figures and journalists.
Powerful hacker attacks showed the unwillingness of government structures to resist cybercriminals. The hacker attack on the CEC almost frustrated the presidential election of 2014 in Ukraine. And the influential edition of The Financial Times wrote about the spread of Russian viruses, which are advanced tools for espionage or even remote control of IT systems. The Cyberkut community continues to be active, which openly declares its unlawful activities involving digital vandalism.
In connection with these events, a number of activists, including Alexander Olshansky, Mirohost President Oleg Pilipenko - PCWeek Chief Editor, Oleg Sych - Zilly Project Manager, Ilya Golovatsky - Cyber ​​Security Specialist, created an initiative group whose task is to draw public attention to the problems of Ukrainian vulnerability information space.
The state should pay much more attention to the direction of information security. The active informatization of public administration systems and the “digitalization” of Ukrainian society are undergoing great risks of cyber attacks. But here we must understand that the state can take in allies only citizens and private business, since all the competencies are in private companies. Without this, any investment in security would be completely useless. In addition, private companies should become the main “workers” bodies in the struggle. And the SBU and the Ministry of Internal Affairs should rather play the role of some coordinating bodies.
In Ukraine, too long did not pay attention to hidden threats. However, some steps to protect information and cyberspace nevertheless were taken: the introduction of the decision of the National Security and Defense Council on the information security of the country (elaboration of the creation of national antivirus and operating system), the intensification of public activities of CERT-UA (a specialized structural unit of the State Center for Information and Telecommunications Protection under the State Special Forces Service, pinpoint hacking of hackers, carried out DDoS attacks on the websites of government agencies.
Experts believe that these efforts are not enough, since in parallel with military actions in the traditional way, the enemy leads a hidden cyber war. This type of aggression is capable of provoking violations in government, outrage in society, followed by escalating violence and other negative consequences.
Ukraine is only beginning to gain momentum in the direction of cyber defense, but we can already be proud of the good results: in October 2014, the Cabinet of Ministers created a task force to respond to cyber attacks, as well as a center for cyber defense and countering cyber threats in the NSDC. During the elections to the Verkhovna Rada of 2014, when the web resource of the Central Election Commission (CEC) was subjected to DDoS attacks, the experts worked very professionally.
Estonia is ready to help in creating and developing the potential of Ukraine’s cyber defense.
“Estonia, as a very small country, should take into account its unique possibilities, which it makes sense to offer, so that everyone will benefit from it. As we know, cyberspace occupies a place in ordinary conflicts. Therefore, after a thorough analysis, the Ministry of Defense decided to offer Ukraine the creation and development of cyber defense. I am sure that this is an area where Estonia can give a lot for Ukraine to be better protected, ”said Estonian Defense Minister Sven Mikser.
Tallinn is one of the world's leading cybersecurity centers. Estonian representatives are constantly participating in various international conferences on this topic. Estonian military is involved in NATO cybersecurity drills. In 2008, the North Atlantic Alliance Council approved the accreditation of the NATO Cyber ​​Defense Center in Tallinn and granted it the status of an international military organization. Now 15 countries are participating in the center.
In Ukraine, the Russian cyberwar, which, although it does not directly entail human sacrifice, is attended by several hacker groups that support one of the parties. Thus, in the conflict in the east of Ukraine, 3 main groups distinguished themselves more than others - “Ukrainian Cyber ​​Troops”, “Cyberkut” and “Anonymous International”. All of them call themselves independent activists, working separately from the government.