Night of the Living Zombie Botnets

Zombie computers, botnets, DDoS, DNS attacks, ransomware: all can be fueled by hordes of insecure devices and malware-infested systems. A device infected with a specific type of malware that allows theft of personal data, control of critical functions, keylogging, and remote access is usually referred to as a “zombie”. Controlled by fraudsters, clusters of zombie devices that form their own robot network and work in unison for any number of malicious activities are referred to as a “botnet”.

[ Morpheus. Shattering reality since 1999. ]

Attackers can easily mask their actions by hiding behind infected users, while the primary motive for such fraudulent activities is profit. Statistics from Spamhaus show that India, China, and Vietnam, with 923 million, 793 million, and 528 million botnets respectively, top the list of the world’s most affected countries. Companies, banks, governments, even healthcare organizations fall victim to botnet-powered DDoS attacks. A few illustrative examples include:


  • DDoS attacks on major Internet companies, including DNS provider Dyn and Amazon;
  • attacks on telcos in Europe by the now well-known Mirai botnet, whose source code was released publicly by one of its creators (you can actually find the code available on GitHub);
  • hijacking of surveillance cameras and other IP-connected devices;
  • and, just a few days ago, Russian giant Alfa Bank admitted falling victim to DNS attacks, joining the ranks of hundreds of other banks hit over the last few years.


Victims’ computers are often infected during adventurous web surfing in insecure locations without proper antivirus in place. Victims usually do not realize that their devices have fallen victim to such malware and are subject to their attackers’ whims; the only visible symptom may be a connection that is somewhat slower a few times per day (and most do not even notice that).

[ Batman gets it. ]

Unfortunately, the picture on the horizon continues to be bleak. The rise of the IoT ecosystem brings forth renewed innovation for many verticals (particularly for consumer and industrial markets) but also unparalleled dangers. Cybersecurity vendors are anticipating greatly magnified threats of existing issues mostly due to the influx of new IP connected and smart devices.

Depending on country and socioeconomic background, most digital users in developed and developing societies usually have between one and five IP-connected devices at their disposal. These primarily include smartphones, tablets, laptops, computers, or smart TVs. With the advent of the smart home and home automation devices, however, the number of internet-connected devices per person is increasing exponentially. Because they expose HTTP interfaces to the network, these devices are inherently insecure and can easily fall prey to ransomware, RATs, botnets, and other threats. In turn, compromised devices will be used to fuel further attacks, either to infect more targets or to coordinate attacks against more attractive and profitable targets.

[ What would IoT actually mean in Fry’s time in the year 3000 AD? ]

In a way, this whole process of infecting hosts and leveraging them in order to attack companies and governments bears a striking resemblance to those cliché zombie outbreak movies. The first question that will be tossed around, possibly from a CISO, is: “how did this happen?!” This is usually followed by an explanation that seemed far-fetched at the time but was always a possibility anyway (for example, the mammoth 600 Gbps attack suffered by the BBC at the hands of the New World Hackers group). Then, as the plot unravels, we get brief glimpses of some background information that helps us frame the story better, like the millions of insecure surveillance, industrial, and personal devices that anyone can find using the Shodan API and take control of remotely. Then, finally, someone will ask the question the viewers were waiting for: “how do we stop it?” At which point the director will force a few seconds of silence and blank stares between the protagonists in order to increase suspense, and finally have someone reply, “You don’t stop it.”

While governmental and industrial systems are required to adhere to certain technological specifications and regulations, the same discipline is not actually followed by some companies in the enterprise market or, even worse, in the consumer market. ABI Research, in an analysis report entitled “Smart Home Cybersecurity”, investigates the (in)security of smart home devices and points towards new incubation grounds for future IoT botnet threats. This is due to three major reasons.

First, since the technology is still evolving and smart home vendors are still fleshing out new applications, there is no overarching standardization yet, which allows companies to flood the market with new products. Similarly, there are no specifications about what constitutes “proper” consumer privacy protection measures. Some vendors even admit that their products are insecure and point towards other (oftentimes incompatible) security products to complement their own solutions.

[ Any resemblance to Mordor is entirely coincidental. ]

Second, there is no smart home ‘secure network umbrella’ other than what can be obtained from companies that offer a central smart hub (e.g. Samsung’s SmartThings), certain guidelines and prerequisites that apps must meet for particular ecosystems (e.g. Apple’s HomeKit), or specific communication protocols (e.g. the Zigbee Alliance is making some admirable efforts to ensure integrity in connected devices). This can also be described as a “stalemate” between security and cost, where it is almost impossible to increase one side without decreasing the other.

Numerous factors are also keeping the pressure on market strategy. Vendors are moving as fast as possible to ensure their presence in the future market, thus leaving other crucial aspects (such as security) lacking. Further, a broader range of smart home applications is constantly being upgraded as a result of increased competition. In addition, more technologies and a greater variety of communication protocols are being produced, hindering standardization efforts. Finally, the DIY segment is innately insecure, since users try to mix and match their preferred offerings from different vendors.

With the number of connected smart home devices expected to surpass the 400 million mark by 2021, ABI Research expects the industry to go through a rather turbulent period. Currently, smart home vendors place more emphasis on gaining traction for their respective products and establishing a foothold in the market than on addressing security issues during the product development phase (or, oftentimes, even after deployment). With machine learning and AI, security orchestration, and automation being leveraged in governmental, industrial, and enterprise cybersecurity contexts, perhaps it’s time the consumer sector also received a similar security upgrade?