How to Stop a Botnet Created by Angler Exploit Kits

September 2, 2015
| |
3 min read

We all are aware of what a botnet is, and most of us know the damage that it can cause when some bad actor takes over many of our corporate endpoints. But what we might not know is how easy it is to create botnets. With recent research, however, we can see exactly how this is done and hopefully get some insights into how to block and stop them from operating.

Angler: A History of the Exploit Kit

Angler first appeared a few years ago and uses a combination of plain HTML, JavaScript, Flash and Silverlight. Given this collection of tech, there is a variety of infection methods that the exploit kit uses to inject malware on a target endpoint. One example is to present the user with a misleading dialog box when they bring up the infected page; no matter what you click on, your PC is infected.

Researchers found that during May 2015, thousands of new landing pages booby-trapped with Angler were being created daily. These landing pages are used to assess what plugins your browser is using. Then the exploit can be designed to get around any controls and get its malware downloaded to your PC without alerting you it is happening. As a result of this potency, during the month of May, Angler-based exploits were responsible for more than 80 percent of the total botnet traffic, according to the researchers.

What makes Angler insidious is how hard it works at keeping itself from being detected. It frequently changes IP addresses and host names in order to bypass reputation filtering tools. To evade content detection, Angler’s components are dynamically generated for each potential victim. Finally, Angler uses a variety of obfuscation and anti-sandbox tricks to frustrate anyone attempting to collect sample code.

How to Stop Angler Before It Generates a Botnet

What are some ways to protect against Angler and other botnet-generated attacks? Below are four practices that can help you improve your defenses and reduce the risk of becoming a victim.

1. Protect DNS Records

Do a better job of protecting your own domain name server (DNS) records, either through using multifactor authentication to make any changes or by adding email notifications when these changes occur. You should do both and also look at one of the numerous secure DNS appliances that are available for this purpose. Angler and other botnets thrive on messing with your DNS entries and redirecting traffic to the sites that they control.

2. Update Plugins

Make sure your Flash and JavaScript plugins are updated regularly and stay current. Many of the exploits find loopholes in these tools and can leverage their way into your network. You should keep your overall browser versions updated, too. Using only the most recent versions of browsers and plugins ensures that all available patches are applied and vulnerabilities are minimized.

3. Block Certain Executions

When you control what your browser can or can’t run or download, you have the power to prevent botnets and other forms of malware from taking hold. Look at one of the many browser plugins that can block script and iFrame execution to stay ahead of attackers.

4. Educate

Finally, better end user education about common phishing and malware avenues, including the opening of unknown attachments and clicking on suspect links, is always a good thing. The Federal Trade Commission’s OnGuard Online has a phishing scam game to test your potential susceptibility, but you can develop tools and documentation catered toward your organization and employees, too.

Ultimately, these efforts will just be a part of a larger security strategy aimed at protecting your network, raising awareness among users and ensuring all endpoints are guarded. But the individual legwork falls largely to employees: Educating those end users is critical to the long-term defense against botnets.

David Strom
Security Evangelist

David is an award-winning writer, speaker, editor, video blogger, and online communications professional who also advises numerous startup and well-establish...
read more