Marta Mª Padilla Foubelo

Forensic analyst and cyber intelligence expert on the DFIR team at Telefónica Tech. Degree in Computer Engineering from the Universidad Pontificia de Salamanca, Master's in Cybersecurity and Ethical Hacking from CICE, accredited by EC-Council, and Certified Ethical Hacker (CEH).
Cyber Security
Name the malware you have, and I'll tell you which botnet you belong to
What is a botnet and how does it work?

To begin with, let's break down the word "botnet". On the one hand, "bot" means robot and, on the other, "net" means network, which gives the term a meaning along the lines of "a network of robots". A bot, or robot, is a system infected by malicious software whose purpose is defined in the malware code. A botnet, therefore, is a group of systems infected by the same malicious software (malware) and managed by the same BotMaster.

What is not implicit in the name is that these systems are controlled remotely through a common Command and Control (hereafter C&C) server, from which the operator of the network, also known as the BotMaster, sends instructions to perform malicious actions. In botnets, the famous parental question "if a friend of yours jumps off a cliff, will you do it too?" is answered with a "yes, sir": every bot does the same thing, because they are all controlled by a specific threat actor.

Botnets also on mobile devices

It is not only computers that are affected; mobile devices are also targeted by BotMasters. For example, on a well-known Dark Web forum, a botnet is offered for the Android operating system, one of the most widely used operating systems worldwide. The full functionality and capabilities are listed in the post itself.

In this case it is the Anubis botnet, whose main objective is to collect bank account information, but which can also be used to send SMS messages to the device's contacts. How many times have we seen online scams in which we receive a message from someone we know asking for data, money or simply sending a link? Obviously, a message from a known person does not usually seem suspicious; however, nothing could be further from the truth.

As a curious fact, botnet names are often associated with the malware that links them.
Due to the large amount of malware currently in existence, it is practically impossible to list them all. Among the best known, although not always the most widely used, are Emotet, Mirai, Pink, Arkei, Redline and Racoon.

Uses and purposes of botnets

There are countless uses for a botnet; it all depends on the imagination of each threat actor, which, as has been demonstrated, is quite broad. One of the most common uses of botnets is the famous distributed denial of service (DDoS) attack, which in most cases is orchestrated by networks of infected systems. However, an infected computer can be used not only to attack exposed services, but also to collect the affected user's credentials, mine cryptocurrencies, carry out phishing attacks and even download other malware.

What's more, from the DFIR team's perspective, many ransomware attacks start with the insertion of botnet malware. This malware is tasked with downloading further malware to move laterally in the network, downloading updates to itself, or even directly downloading the ransomware payload.

How do I know if my computer is part of a botnet?

That said, the question often arises: "how do I know if my computer is part of a botnet?" The best answer is to have an EDR, a firewall with well-defined rules or powerful signature-based detection software; otherwise an infection can go completely unnoticed by the user. In general, infected people are not handpicked, i.e., these are not targeted attacks but, on the contrary, mass campaigns that make anyone susceptible to infection. Everyone is a potential target of a botnet simply because they have a computer or a mobile phone.
Many people think that they are "nobody" or not "interesting" enough for a botnet operator to be particularly interested in attacking them. Nothing could be further from the truth. Who doesn't access their bank account from their computer, shop on online platforms, or access their company's internal network via a VPN? Any information of this kind is very valuable. Even if you are a low-ranking worker in a company, you still have access to that private network that is so attractive to cybercriminals!

How to identify botnet operators

Likewise, the question arises: "is it easy to identify the threat actors operating botnets?" It is not. In fact, investigation is complicated by the fact that threat actors, apart from being groups of several people, often operate through the Tor network. In addition, the operators use domain generation algorithms (DGA) to generate a large number of domain names. In this way they evade detection of the C&C server, as only some of these domains will resolve to a real C&C server. For example, if a specific IP address or domain is blocked by a firewall rule, the BotMaster has so many domains that it can dynamically change the domain name of its C&C and thus keep in contact with the bot, which will continuously generate the same list of domains from the DGA.

Another evasion method is the use of a Fast Flux network, in which, basically, many different IP addresses are assigned to the same domain name. These IP addresses keep changing and, given that many different domain names are also used, the number of possible IP addresses for the C&C increases exponentially. For these reasons, dismantling a botnet organisation takes years of investigation, dedication and, in some cases, cooperation between law enforcement agencies in several countries.
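Both evasion techniques described above, DGA-generated names and Fast Flux resolution, leave traces in DNS logs that a defender can look for. The following Python script is an added example, not code from the original article or from Telefónica Tech. It parses a few constructed resolver log lines (the line format, the names, the clients and the addresses are invented for the example) and flags query names whose registrable label has the high-entropy, vowel-poor shape of an algorithmically generated domain, as well as domains that resolve to many different addresses with short TTLs, the fast-flux pattern. The thresholds are assumptions to tune per environment, and the naive second-level-label split stands in for a Public Suffix List lookup.

```python
import math
from collections import defaultdict

# Constructed resolver log lines in a simplified format (not taken from the article):
# "<time> <client-ip> <query-name> <record-type> <ttl> <answer>"
SAMPLE_DNS_LOG = """\
2022-09-14T10:00:01 10.0.0.5 www.telefonica.com A 300 203.0.113.10
2022-09-14T10:00:02 10.0.0.5 mail.example.org A 3600 198.51.100.20
2022-09-14T10:00:03 10.0.0.7 xk3q9vz2p7hdl1wq.net A 60 192.0.2.15
2022-09-14T10:00:04 10.0.0.7 q8z1vk7xw2pl0hnd.com A 60 192.0.2.16
2022-09-14T10:00:05 10.0.0.7 update-service.net A 30 192.0.2.40
2022-09-14T10:00:06 10.0.0.7 update-service.net A 30 192.0.2.41
2022-09-14T10:00:07 10.0.0.7 update-service.net A 30 192.0.2.42
2022-09-14T10:00:08 10.0.0.7 update-service.net A 30 192.0.2.43
2022-09-14T10:00:09 10.0.0.7 update-service.net A 30 192.0.2.44
2022-09-14T10:00:10 10.0.0.7 update-service.net A 30 192.0.2.45
2022-09-14T10:00:11 10.0.0.5 www.telefonica.com A 300 203.0.113.10
"""


def parse_dns_log(text):
    """Split each log line into a record; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        time, client, qname, rtype, ttl, answer = parts
        records.append({"time": time, "client": client,
                        "qname": qname.lower().rstrip("."),
                        "rtype": rtype, "ttl": int(ttl), "answer": answer})
    return records


def shannon_entropy(s):
    """Bits of entropy per character of the string s."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname):
    """Label left of the top-level domain. Assumption: single-label TLDs;
    a real deployment would consult the Public Suffix List instead."""
    labels = qname.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def looks_like_dga(label, min_len=10, min_entropy=3.3):
    """Heuristic: long labels with high character entropy and either few
    vowels or many digits look machine-generated rather than human-chosen.
    The thresholds are assumed values, not derived from any real DGA family."""
    if len(label) < min_len:
        return False
    vowels = sum(ch in "aeiou" for ch in label) / len(label)
    digits = sum(ch.isdigit() for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and (vowels <= 0.25 or digits >= 0.15)


def find_dga_queries(records):
    """Sorted distinct query names whose registrable label looks DGA-generated."""
    return sorted({r["qname"] for r in records
                   if looks_like_dga(registrable_label(r["qname"]))})


def find_fast_flux(records, min_ips=5, max_ttl=60):
    """Domains that resolved to many distinct addresses, all with short TTLs,
    which is the fast-flux pattern. Returns {qname: sorted list of answers}."""
    answers = defaultdict(set)
    ttls = defaultdict(list)
    for r in records:
        if r["rtype"] != "A":
            continue
        answers[r["qname"]].add(r["answer"])
        ttls[r["qname"]].append(r["ttl"])
    return {q: sorted(ips) for q, ips in answers.items()
            if len(ips) >= min_ips and max(ttls[q]) <= max_ttl}


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    print("DGA-like queries:", find_dga_queries(recs))
    for q, ips in find_fast_flux(recs).items():
        print(f"fast-flux candidate {q}: {len(ips)} addresses, e.g. {ips[:3]}")
```

Run directly, the script lists the two DGA-looking names and the one fast-flux candidate from the sample. In practice the resolver's real query log would be fed in and the hits handed to the EDR or the firewall rule set mentioned earlier; the entropy heuristic alone would misfire on long legitimate names, which is why the vowel and digit ratios are combined with it.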
Dark Web sales of malware and botnets

Of course, as with anything, there is also malware available for sale on the Dark Web, as discussed in the post on these types of markets. Threat actors also have the possibility to add systems to their botnets by selling or renting specific malware on Dark and Deep Web forums and markets. For example, below we can see a lifetime licence for Redline on sale (at a discount of 300 euros!). In another recent post from a well-known Dark Web marketplace, the Arkei malware is offered for sale for $210.

Not only paid malware is found; ironically, there are also free "pirated" versions of malware, as can be seen below with the Arkei malware. Although the post was opened in 2018, the thread has been quite active over the years up to 2022, apparently accumulating a lot of downloads. As another curious fact, and following the saying "if you want something done well, do it yourself", tutorials on how to set up your own botnet are offered for sale, and sometimes for free.

Dark Web sales of credentials and session cookies

One of the capabilities of the malware infecting these systems is the theft of login credentials or session cookies for web services. It is common to see credentials being sold on the major Deep and Dark Web markets. This is as common as it is worrying, as it not only affects access credentials for personal services (Amazon, online banking, supermarkets, streaming platforms, etc.), but also access to professional services such as work tools, VPN networks, professional email, etc. What starts out as the compromise of a single computer ends up being the compromise of an entire corporate network and can lead to a serious security incident, as discussed above.
To provide real data, obtained for all countries in the world from the sales of the main Dark Web markets, it was found that in the last month alone at least 311 credentials for access to Citrix services, 2000 accesses to the intranets of different companies and 105 VPN accesses, among many others, have been offered for sale. At the enterprise level, this is, to say the least, worrying.

Conclusion

As we have seen, anyone can be the target of a botnet, and the consequences can be dire. The human factor is one of the main players in botnet infection, so at this point there is nothing more we can do than recommend being very careful about where we click and where we download software from (beware of freeware and off-platform downloads!). This way, we will already be much less likely to end up "turned" into a bot.
September 14, 2022
Cyber Security
Dark Markets in the internet age
What are Dark Markets or Black Markets?

This concept has been in the news for a long time as a consequence of clandestine sales: the markets for drugs and pharmaceuticals or firearms, for example, as well as the illegal sale of animals, credit cards, child pornography, documentation, permits, licences, counterfeit money, the contracting of cosmetic operations, the hiring of hitmen, and a long etcetera. Almost anything you can think of will be on the black markets.

In the age of digitalisation, and this has been going on for a few years now, everything is modernised, even the black market. Whereas in the past it was necessary to know someone, who knew someone else, who had a contact in a gang operating on the black market (the old-fashioned word of mouth), now it is no longer necessary. All you need is a computer, an internet connection and, in the worst-case scenario, an "IT-savvy friend" who can explain how to connect to the black market network. Although, excuse the joke, our grandchildren, children, nephews and nieces are going to know almost more than any of our friends. But the point is: a computer, an internet connection and someone to help you, and you are free to search, pay and get what you really want.

What are the Deep Web and the Dark Web?

To give value to the part in which our IT expert friend is involved, and to make it easier to understand how it works, we would like to explain this process very briefly. It is true that accessing some of the black markets is not as easy as it seems, because yes, there are many places, many gangs and a lot of demand, hence the large supply. To have a minimal understanding of how to gain access, and of which part the "computer-savvy friend" will help with, you need to know in which part of the internet these black markets are to be found. That part is known as the Deep Web and the Dark Web.
Although the terms Deep Web and Dark Web have a "bad reputation", not everything on them is bad or illegal. For the sake of clarification, the term Deep Web was originally introduced in 2001 by Michael K. Bergman. The Dark Web, on the other hand, has no clear origin; it can only be said that the first uses of the term date back to 2009. Both have the "bad reputation" of being places where only illegal acts are committed. What if we told you that absolutely all of us, even my mother, use the Deep Web on a daily basis? The following is an approximation of what can be found in the three different parts of the web:

Surface web: These are the pages indexed by the main internet search engines. All the pages that appear after a simple search on Google, Bing, Yahoo, etc. form part of the Surface web. They can be accessed from any conventional browser such as Google Chrome, Firefox, Opera, Safari, etc.

Deep Web: These are the pages that are not indexed by the main search engines. For example, our private area at the bank, on Amazon or in our favourite clothes shop, our email inbox, even messaging services such as WhatsApp. That is the Deep Web. It is true that there are other services and markets that are not indexed by the main search engines, and would therefore be part of the Deep Web, that carry out illicit activities. As you can see, not everything on the Deep Web is bad or illegal. These pages can also be accessed from any conventional browser.

Dark Web: These pages are also not indexed by the major search engines. However, they are often, but not always, associated with illicit activities. Similarly, I myself could set up a Dark Web forum and give access only to the people I consider appropriate. Only people I share my URL with would be able to access it, and the forum could deal only with horoscope topics, for example, without being associated with any illegal activity.
It is true that nobody who can be "invisible" will refrain from taking advantage of it. For example, a rather hot topic is the fact that the Islamic State of Iraq and Syria (ISIS) uses the Dark Web to communicate internally. Tracking this is made almost impossible because they are so well protected by the protocols used in this type of browsing.

How to access Dark Markets

As already mentioned, Dark Web pages are only accessible through protocols or services that anonymise their users, such as Tor (The Onion Router), Freenet, I2P, ZeroNet and many others. Tor is mentioned here because it is the most widely used and best known. This type of browser offers layers of security in order to avoid, or make as difficult as possible, being identified while browsing (the cap and sunglasses of celebrities when they go out in the centre of a big city), and the pages, instead of ending in ".com", ".es", ".org", etc., end in ".onion".

Once you have access to these browsers, you need to know which Market page you want to connect to. Sometimes these pages can be found in search engines such as DuckDuckGo, or even in Google's own search engine, where you can find articles sharing the latest addresses of the main Dark Web markets. On other occasions, however, it is necessary to obtain that page through contacts, and here we are back to word of mouth, but via Telegram, Discord or any other type of messaging platform. Once you have obtained that specific URL, all you have to do is enter it in your browser, depending on the website, and, as mentioned before, search for what you are interested in in that specific market.

Police surveillance of illegal Dark Markets

These markets, and speaking of the central concept of the article, offer everything. While it is true that some specialise in drugs, others in weapons, others in documents, etc., there will always be at least one Market that can satisfy the needs of those who are looking.
It should be noted that this practice is just as illegal and punishable as when it is carried out in the old way. Police work becomes very complicated in this respect, as it is very difficult, and sometimes impossible, to attribute a criminal act committed within this type of browsing. So, just as in the past there were police officers infiltrating gangs to identify all the details of illegal activities, the same is happening now, but in the gangs operating in the markets of this part of the web.

Likewise, part of the police work focused on the Dark Web consists of setting traps for people who want to consume certain types of commerce where access alone constitutes a crime, the clear example being child pornography. This is done with honeypots. A honeypot is a lure placed, in this case, on the Internet, to attract the attention of, and thereby identify, people who consult certain types of information. The Dark Web is full of honeypots to track illegal activities.

One of the most active markets in recent months has been confirmed not to specialise in the sale of a particular illegal commodity, but to be a general marketplace providing many services, as can be seen from the navigation panel on the left-hand side of the website. What can be said is that the majority of the offer is focused on the sale of drugs.

[Screenshot: One of the most active markets in recent months]

The same applies to another of the markets with the largest offer in recent months. This market was at the centre of the biggest cyber-raid in the history of Dark Web markets when the site's administrator was arrested. However, it has risen from the ashes like a phoenix and is once again one of the most popular markets.

[Screenshot: One of the markets with the largest offer in recent months]
As shown, it offers more of the same as above; above all, it focuses on the sale of drugs. Going even deeper into the black markets of the Dark Web, we find another one that is off to a strong start. In this case, we can already see offers for weapons, the sale of stolen goods, and even a section listed as "organs for transplants". Just as these Markets have been found, many more can be found. However, it is better to stop at this point, as I think we have gained enough of an idea of what is happening here.

Why should cybersecurity experts monitor the Dark Web?

I currently work in one of the teams dedicated to cybersecurity at Telefónica Tech. We regularly visit this type of website, mainly to analyse the buying and selling of access to services, as well as sales of privileged information and vulnerabilities associated with our clients' exposed assets. We may find, for instance, sales of usernames and passwords for access to VPN services, access to remote desktops exposed to the Internet, and even sales of exploits, i.e. software that exploits vulnerabilities in the exposed services and could allow, for instance, remote code execution on the victim company's systems. Any type of sale that could result in an intrusion into our clients' systems is covered by this type of search.

There is only some obvious advice left to give here. If you need any drugs, the best thing to do is to go to your doctor and have them prescribe them. If you want to obtain a licence, study or make the necessary arrangements, you should always use the legal route. If you want to have an aesthetic operation, we refer to Beauty and the Beast: beauty is on the inside! In case you want to kill someone, the best idea is to count to 10 and approach the "issue" in a less dangerous way. Generally speaking, the items found on these sites are often illegal or, at best, unethical to use. If they were legal merchandise, they could be purchased from legitimate portals.
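The monitoring described above, checking marketplace listings for access or exploits that touch a client's exposed assets, comes down to matching the text of each listing against a watch list of that client's domains and address ranges and then labelling what kind of access is on offer. The script below is an added example written for this page, not code from the original article or from Telefónica Tech's own tooling; the watch list, the listings and the client name are invented placeholders, and the access categories are taken from those the text names (VPN, remote desktop, Citrix, exploits).

```python
import ipaddress
import re

# Constructed watch list for a hypothetical client (placeholder assets, not real ones)
WATCHLIST = {
    "domains": ["example-client.com"],
    "networks": ["203.0.113.0/24"],
}

# Constructed marketplace listings, invented for this example; not real posts
SAMPLE_LISTINGS = [
    {"id": 1, "title": "VPN access",
     "body": "SSL-VPN creds for vpn.example-client.com, domain user, price 500"},
    {"id": 2, "title": "RDP",
     "body": "RDP 203.0.113.45:3389 admin rights, fresh"},
    {"id": 3, "title": "Citrix",
     "body": "Citrix gateway access to corp.othercompany.net"},
    {"id": 4, "title": "Accounts",
     "body": "1000 streaming accounts, mixed countries"},
]

# Kinds of access the article says are commonly sold; keywords are assumptions
ACCESS_TYPES = {
    "vpn": re.compile(r"\bvpn\b", re.I),
    "rdp": re.compile(r"\brdp\b|\bremote desktop\b", re.I),
    "citrix": re.compile(r"\bcitrix\b", re.I),
    "exploit": re.compile(r"\bexploit\b|\brce\b|\b0day\b", re.I),
}
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def matched_domains(text, domains):
    """Hostnames in text equal to, or subdomains of, a watched domain."""
    hits = []
    for host in HOST_RE.findall(text):
        host = host.lower()
        if any(host == d or host.endswith("." + d) for d in domains):
            hits.append(host)
    return hits


def matched_ips(text, networks):
    """IP addresses in text that fall inside a watched network range."""
    nets = [ipaddress.ip_network(n) for n in networks]
    hits = []
    for ip in IP_RE.findall(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:  # e.g. an octet above 255
            continue
        if any(addr in net for net in nets):
            hits.append(ip)
    return hits


def classify_access(text):
    """Which kinds of access the listing appears to sell."""
    return [name for name, rx in ACCESS_TYPES.items() if rx.search(text)]


def triage_listings(listings, watchlist):
    """Alerts for listings that name a watched asset; all others are ignored."""
    alerts = []
    for item in listings:
        text = f"{item['title']} {item['body']}"
        assets = (matched_domains(text, watchlist["domains"])
                  + matched_ips(text, watchlist["networks"]))
        if assets:
            alerts.append({"id": item["id"], "assets": assets,
                           "access": classify_access(text)})
    return alerts


if __name__ == "__main__":
    for alert in triage_listings(SAMPLE_LISTINGS, WATCHLIST):
        print(f"listing {alert['id']}: assets={alert['assets']} access={alert['access']}")
```

Only listings 1 and 2 raise alerts: the Citrix listing names an asset outside the watch list and the streaming accounts name none. Matching on a subdomain suffix and on a CIDR range, rather than on exact strings, is what catches a listing that names a specific VPN host or a single address out of the client's block.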
We should think very carefully about any activity in this type of environment. Before finishing this post, we must remember that purchases on these types of portals are always outside the applicable tax system and that, in almost all cases, the items or services purchased will be illegal at an international level, with the purchase process itself (or any subsequent attempt to use them) being a criminal offence in the relevant jurisdiction.
May 9, 2022