We all are aware of what a botnet is, and most of us know the damage that it can cause when some bad actor takes over many of our corporate endpoints. But what we might not know is how easy it is to create botnets. With recent research, however, we can see exactly how this is done and hopefully get some insights into how to block and stop them from operating.

Angler: A History of the Exploit Kit

Angler first appeared a few years ago and uses a combination of plain HTML, JavaScript, Flash and Silverlight. Given this collection of tech, there is a variety of infection methods that the exploit kit uses to inject malware on a target endpoint. One example is to present the user with a misleading dialog box when they bring up the infected page; no matter what you click on, your PC is infected.

Researchers found that during May 2015, thousands of new landing pages booby-trapped with Angler were being created daily. These landing pages are used to assess what plugins your browser is using. Then the exploit can be designed to get around any controls and get its malware downloaded to your PC without alerting you it is happening. As a result of this potency, during the month of May, Angler-based exploits were responsible for more than 80 percent of the total botnet traffic, according to the researchers.

What makes Angler insidious is how hard it works at keeping itself from being detected. It frequently changes IP addresses and host names in order to bypass reputation filtering tools. To evade content detection, Angler’s components are dynamically generated for each potential victim. Finally, Angler uses a variety of obfuscation and anti-sandbox tricks to frustrate anyone attempting to collect sample code.

How to Stop Angler Before It Generates a Botnet

What are some ways to protect against Angler and other botnet-generated attacks? Below are four practices that can help you improve your defenses and reduce the risk of becoming a victim.

1. Protect DNS Records

Do a better job of protecting your own domain name server (DNS) records, either through using multifactor authentication to make any changes or by adding email notifications when these changes occur. You should do both and also look at one of the numerous secure DNS appliances that are available for this purpose. Angler and other botnets thrive on messing with your DNS entries and redirecting traffic to the sites that they control.

2. Update Plugins

Make sure your Flash and JavaScript plugins are updated regularly and stay current. Many of the exploits find loopholes in these tools and can leverage their way into your network. You should keep your overall browser versions updated, too. Using only the most recent versions of browsers and plugins ensures that all available patches are applied and vulnerabilities are minimized.

3. Block Certain Executions

When you control what your browser can or can’t run or download, you have the power to prevent botnets and other forms of malware from taking hold. Look at one of the many browser plugins that can block script and iFrame execution to stay ahead of attackers.

4. Educate

Finally, better end user education about common phishing and malware avenues, including the opening of unknown attachments and clicking on suspect links, is always a good thing. The Federal Trade Commission’s OnGuard Online has a phishing scam game to test your potential susceptibility, but you can develop tools and documentation catered toward your organization and employees, too.

Ultimately, these efforts will just be a part of a larger security strategy aimed at protecting your network, raising awareness among users and ensuring all endpoints are guarded. But the individual legwork falls largely to employees: Educating those end users is critical to the long-term defense against botnets.

more from Malware

Unprecedented Shift: The Trickbot Group is Systematically Attacking Ukraine

Following ongoing research our team, IBM Security X-Force has uncovered evidence indicating that the Russia-based cybercriminal syndicate "Trickbot group" has been systematically attacking Ukraine since the Russian invasion — an unprecedented shift as the group had not previously targeted Ukraine. Between mid-April and mid-June of 2022 the Trickbot group, tracked by X-Force as ITG23 and also known as Wizard Spider,…

World’s Largest Darknet Market Shut Down, $25 Million in Bitcoin Seized

On April 5, German authorities announced the takedown of the Hydra marketplace, the world’s largest darknet market trading in illicit drugs, cyberattack tools, forged documents and stolen data. The criminal operation, with about 17 million customer accounts, raked in billions in bitcoin before getting shut down. On its website, the Federal Criminal Police Office (BKA) stated it had secured and…

Countdown to Ransomware: Analysis of Ransomware Attack Timelines

This research was made possible through the data collection efforts of Maleesha Perera, Joffrin Alexander, and Alana Quinones Garcia. Key Highlights The average duration of an enterprise ransomware attack reduced 94.34% between 2019 and 2021:  2019: 2+ months — The TrickBot (initial access) to Ryuk (deployment) attack path resulted in a 90% increase in ransomware attacks investigated by X-Force Incident…