Botnets are one of the key drivers of cyberattacks, used to distribute malware, ransomware and other malicious payloads – and dark web forums are now offering lessons on how to make money from them, a move that is likely to increase the threat over time.
Infected computers and devices in a cyber criminal-controlled botnet can be used to send phishing emails or malware to even more devices. It’s common for botnet operators to lease out their collection of unwittingly controlled machines – which can number in the thousands – to other cyber criminals.
For example, TrickBot malware ropes machines into a botnet and gives the attacker a backdoor into each of them. That access is often sold on to other cyber criminals, who use it to deploy ransomware, encrypt files and demand a significant ransom payment. Many botnets are used to steal usernames and passwords, while others lease out the processing power and bandwidth of the machines they control to launch DDoS attacks that flood websites with traffic and take them offline.
Botnet operators can, therefore, make significant sums of money, and now there are dark web operators who are offering online courses to train others on using botnets – and they operate much like their legitimate counterparts teaching cybersecurity and other skills in online courses.
Cybersecurity researchers at Recorded Future analysed advertising and activity in a botnet school on a prominent underground forum and found that these courses are in demand – a potential problem for organisations that might be targeted by the cyber criminals learning these skills.
“It’s essentially as if you’re in college,” Danny Panton, cybercrime intelligence analyst at Recorded Future, told ZDNet. “You’ll have a director and they’ll be virtually teaching you – I don’t believe cameras are going to be on the person – but they have access to a platform and are taught insights into what you need to do to leverage botnets against potential victims.”
Those teaching the courses include individuals who run large botnets themselves. The courses aren’t cheap – they cost over $1,400 – but promise to provide even novice cyber criminals with the knowledge to build, maintain and monetise botnets.
“It really is a range of cybercrime experience and levels. You might have people who are seasoned cybercrime fraudsters, but aren’t really familiar with using botnets,” Panton explained. “Then there are people who are just completely new to cybercrime as a whole and just are curious and want to become better seasoned and increase their skills,” he added.
Given the nature of the cybercrime world, some might suspect that if they hand over money to take part in the course, they’ll be scammed and get nothing in return. But it appears to be a legitimate service: the course is subject to reviews on the forum, which suggest that the botnet school really offers what it says it does, and if it were a scam it is unlikely to have lasted as long as it has.
Researchers don’t have the data to say how many wannabe cyber criminals have taken the course in total, but during the period they spent analysing this activity, the number of people enrolled at any one time varied from as few as five to as many as 100.
The course covers subjects including how to run a botnet in a way designed to avoid law enforcement attention – because, as demonstrated by the Emotet takedown, the authorities will clamp down hard on botnets when they can.
And researchers warn that the existence of these courses is likely to increase the threat posed by botnets – although by how much is hard to quantify without being able to track the activity of individual students.
“It is highly likely that, as a result of these courses, more threat actors become proficient in botnet-oriented attacks,” said Panton.
Botnets remain a significant threat to computer networks, but there are measures that can be taken to avoid becoming a victim. These include ensuring networks are updated with the latest security patches, making sure that default manufacturer passwords aren’t in use, and ensuring that internet-facing ports that aren’t necessary for the function of devices are closed.
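The last of those measures is the easiest to check mechanically. The following script is an added example (not from the article or from Recorded Future): it takes the listening-socket listing produced by `ss -Hltun` on a Linux host, drops anything bound only to loopback, and reports every protocol/port pair that is not on an explicit allowlist of services the host is supposed to expose. The `ss` output embedded in `SAMPLE_SS` is constructed for the example and is not from a real host; the column layout (Netid, State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port) is assumed to match the `-H` headerless format of recent iproute2 releases.

```shell
#!/bin/sh
# Added example: audit network-facing listeners against an allowlist.
# Input is assumed to be "ss -Hltun" output (no header); the sample below
# is constructed for illustration and does not come from a real machine.
SAMPLE_SS='tcp   LISTEN 0 128  0.0.0.0:22      0.0.0.0:*
tcp   LISTEN 0 128  127.0.0.1:5432  0.0.0.0:*
tcp   LISTEN 0 511  0.0.0.0:443     0.0.0.0:*
tcp   LISTEN 0 128  0.0.0.0:23      0.0.0.0:*
udp   UNCONN 0 0    0.0.0.0:161     0.0.0.0:*
udp   UNCONN 0 0    127.0.0.1:323   0.0.0.0:*
tcp   LISTEN 0 128  [::]:8080       [::]:*'

# Allowlist of proto/port pairs this host is expected to expose (assumed
# policy for the example: SSH and HTTPS only).
ALLOW="tcp/22 tcp/443"

# exposed_ports SS_OUTPUT
# Prints one "proto/port" per line for every socket bound to a
# non-loopback address. Loopback-only listeners are not reachable from
# the internet, so they are skipped.
exposed_ports() {
    printf '%s\n' "$1" | awk '
        NF >= 5 {
            proto = $1; local = $5
            # The port follows the last colon; this also handles "[::]:8080".
            n = split(local, parts, ":")
            port = parts[n]
            addr = substr(local, 1, length(local) - length(port) - 1)
            if (addr == "127.0.0.1" || addr == "[::1]") next
            print proto "/" port
        }' | sort -u
}

# unexpected_ports SS_OUTPUT ALLOWLIST
# Prints every exposed proto/port that is not in the space-separated
# allowlist. An empty result means the host matches policy.
unexpected_ports() {
    ss_out="$1"; allow="$2"
    for p in $(exposed_ports "$ss_out"); do
        case " $allow " in
            *" $p "*) ;;                 # expected service
            *) printf '%s\n' "$p" ;;     # unexpected exposure
        esac
    done
}

# Demonstration on the constructed sample. On a live host you would run:
#   unexpected_ports "$(ss -Hltun)" "$ALLOW"
unexpected_ports "$SAMPLE_SS" "$ALLOW"
```

Run against the sample this flags `tcp/23`, `tcp/8080` and `udp/161` (telnet, an unexpected HTTP alternative and SNMP), while the loopback-only PostgreSQL and chrony sockets are ignored. Anything the script reports is a candidate either for the allowlist, if it is genuinely needed, or for being closed at the firewall or disabled on the device.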