
Malware 101: Bots, backdoors, and other persistent malware
As with the keylogger mentioned previously, some malware seeks to persist on a system rather than to achieve its objective and stop. Bots are one such type that has become very common in recent years. Bots essentially wait for instructions on what to do next from an attacker — or more specifically from a server created by the attacker, known as a command-and-control (C2) server. The bot periodically checks this server for new instructions and executes them. The functionality behind those instructions typically needs to be coded into the bot before it is distributed, although the ability to add new functionality to a bot after deployment — essentially applying an update to the malware — has also become common. These functionality components are often referred to as modules.
The specific instruction/module functionality can vary greatly. It might be to send back technical details about the computer the bot resides on; to steal data, credentials, or keystrokes (in which case the objectives covered in the previous article would also be applicable); or to execute a denial-of-service (DoS) attack against a particular server — which, when combined with many other devices infected by the same bot and receiving instructions from the same attacker (collectively referred to as a botnet), can result in catastrophic distributed denial-of-service (DDoS) attacks. One such attack was performed by the Mirai botnet in 2016 against DynDNS and resulted in a significant portion of the internet being unreachable within the United States during the attack.
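The periodic check-in described above is what gives defenders a handle on bots: human-driven traffic is bursty, while a bot polling its C2 server produces connections at near-constant intervals. The following is an added illustration, not code from the original article, that scores outbound connection logs by how regular their inter-arrival times are; the log format, host names, addresses and thresholds are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound connection log lines: timestamp, source host,
# destination host:port. "host-a" polls one server roughly every 60 seconds
# (a bot check-in); "host-b" browses at irregular intervals (a human user).
SAMPLE_LOG = """\
2024-05-01T10:00:00 host-a 203.0.113.10:443
2024-05-01T10:00:12 host-b 198.51.100.7:443
2024-05-01T10:01:01 host-a 203.0.113.10:443
2024-05-01T10:01:59 host-a 203.0.113.10:443
2024-05-01T10:02:40 host-b 198.51.100.7:443
2024-05-01T10:03:00 host-a 203.0.113.10:443
2024-05-01T10:04:01 host-a 203.0.113.10:443
2024-05-01T10:04:05 host-b 198.51.100.7:443
2024-05-01T10:05:00 host-a 203.0.113.10:443
2024-05-01T10:09:30 host-b 198.51.100.7:443
"""


def parse_log(text):
    """Group the constructed log into {(src, dst): [timestamps]}."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def find_beacons(flows, min_events=4, max_cv=0.1):
    """Flag flows whose inter-arrival gaps are suspiciously regular.

    cv = stdev / mean of the gaps between connections. A polling bot has a
    low cv; human browsing has a high one. min_events and max_cv are
    illustrative thresholds (assumptions), to be tuned per environment.
    Returns a list of (flow_key, mean_gap_seconds, cv).
    """
    hits = []
    for key, stamps in flows.items():
        if len(stamps) < min_events:
            continue  # too few events to judge periodicity
        stamps = sorted(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_cv:
            hits.append((key, round(avg, 1), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for key, avg, cv in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {key[0]} -> {key[1]} every ~{avg}s (cv={cv})")
```

Real bots often add random jitter or sleep for long stretches to defeat exactly this check, so the interval thresholds are a starting point rather than a signature.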
How cybercriminals are using botnets to maximize attacks
Given how diverse the capabilities of bots can be, it is quite common for cybercriminals to create botnets for the purpose of renting their usage to other attackers. Instead of an attacker having to create the infrastructure to deploy a massive DDOS attack against a particular target, they can rent an existing botnet to achieve this. The sort of functionality many bots provide can be fairly trivial for antimalware software and network monitoring software to detect. Fortunately for attackers, technology has provided the solution for them by turning almost anything into a computer.
The Internet of Things (IoT) market is rife with devices running stripped-down versions of Linux that can be infected by bots. Home routers also generally run similar Linux distributions and are even more widespread than IoT devices. (Although not related to malware, it seems worth pointing out that routers are networking devices, NOT IoT devices.) Thus, routers and IoT devices are very common targets for bot malware, and they made up the Mirai botnet mentioned previously.
Backdoors and cryptominers
Bots may be the persistent malware superstar today, but one of the earliest objectives of malware is the backdoor, which essentially creates a way for an attacker to gain access to the system at a point of their choosing in the future. Backdoors vary greatly in complexity, from simply opening a listening port immediately to requiring a specific sequence of connection attempts to be received by the system before the port is opened, a technique referred to as port knocking.
Port-knocking backdoors in particular can often avoid detection until they are actually used. Backdoors have been around longer than malware, previously being deployed by other means such as physical access or manually hacking into a system, but malware gave attackers a good way to automate the creation of backdoors.
A backdoor can consist simply of an open port (or one that can be opened via port knocking) for an attacker to connect to; a more user-friendly version of the backdoor is the remote access Trojan (RAT). RATs typically add more functionality, including a client for the attacker to use and possibly modules, such as keyloggers, that can be deployed to extend the RAT's capabilities. While a backdoor could be likened to Telnet or SSH, a RAT is more like a remote desktop application.
While bots and backdoors are more general-purpose persistence objectives, cryptominers are singular in purpose — namely, stealing a device's compute power to mine cryptocurrency. Cryptominers were very popular several years ago, at one point eating into ransomware's share of attacks to the extent that some security experts thought they might actually replace it as the malware of choice for financially motivated attackers. Changes in both cryptomining profitability and ransomware tactics (coinciding with a decline in ransomware payouts) eventually changed this trend, however.
Consequences of persistent malware
While no malware truly "goes away" until all remnants of its infection are remediated, persistent malware remains active for as long as it is able rather than simply going dormant once its objectives are completed. This gives defenders a chance to detect it, but it also gives the malware an opportunity to continue its harm. In the case of backdoors, the lack of network signals from the malware when it is not being actively used can make detection far more difficult. It also allows an attacker to wait for the most opportune time to strike.
You can read the rest of the Malware 101 series here.
