We all are aware of what a botnet is, and most of us know the damage that it can cause when some bad actor takes over many of our corporate endpoints. But what we might not know is how easy it is to create botnets. With recent research, however, we can see exactly how this is done and hopefully get some insights into how to block and stop them from operating.

Angler: A History of the Exploit Kit

Angler first appeared a few years ago and uses a combination of plain HTML, JavaScript, Flash and Silverlight. Given this collection of tech, there is a variety of infection methods that the exploit kit uses to inject malware on a target endpoint. One example is to present the user with a misleading dialog box when they bring up the infected page; no matter what you click on, your PC is infected.

Researchers found that during May 2015, thousands of new landing pages booby-trapped with Angler were being created daily. These landing pages are used to assess what plugins your browser is using. Then the exploit can be designed to get around any controls and get its malware downloaded to your PC without alerting you it is happening. As a result of this potency, during the month of May, Angler-based exploits were responsible for more than 80 percent of the total botnet traffic, according to the researchers.

What makes Angler insidious is how hard it works at keeping itself from being detected. It frequently changes IP addresses and host names in order to bypass reputation filtering tools. To evade content detection, Angler’s components are dynamically generated for each potential victim. Finally, Angler uses a variety of obfuscation and anti-sandbox tricks to frustrate anyone attempting to collect sample code.

How to Stop Angler Before It Generates a Botnet

What are some ways to protect against Angler and other botnet-generated attacks? Below are four practices that can help you improve your defenses and reduce the risk of becoming a victim.

1. Protect DNS Records

Do a better job of protecting your own domain name server (DNS) records, either through using multifactor authentication to make any changes or by adding email notifications when these changes occur. You should do both and also look at one of the numerous secure DNS appliances that are available for this purpose. Angler and other botnets thrive on messing with your DNS entries and redirecting traffic to the sites that they control.

2. Update Plugins

Make sure your Flash and JavaScript plugins are updated regularly and stay current. Many of the exploits find loopholes in these tools and can leverage their way into your network. You should keep your overall browser versions updated, too. Using only the most recent versions of browsers and plugins ensures that all available patches are applied and vulnerabilities are minimized.

3. Block Certain Executions

When you control what your browser can or can’t run or download, you have the power to prevent botnets and other forms of malware from taking hold. Look at one of the many browser plugins that can block script and iFrame execution to stay ahead of attackers.

4. Educate

Finally, better end user education about common phishing and malware avenues, including the opening of unknown attachments and clicking on suspect links, is always a good thing. The Federal Trade Commission’s OnGuard Online has a phishing scam game to test your potential susceptibility, but you can develop tools and documentation catered toward your organization and employees, too.

Ultimately, these efforts will just be a part of a larger security strategy aimed at protecting your network, raising awareness among users and ensuring all endpoints are guarded. But the individual legwork falls largely to employees: Educating those end users is critical to the long-term defense against botnets.

More from Malware

When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule

In February 2023, X-Force posted a blog entitled “Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers” that details the capabilities of a sample attributed to the Lazarus group leveraged to impair visibility of the malware’s operations. This blog will not rehash analysis of the Lazarus malware sample or Event Tracing for Windows (ETW) as that has been previously covered in the X-Force blog post. This blog will focus on highlighting the opportunities for detection of the FudModule within the…

Kronos Malware Reemerges with Increased Functionality

The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

A View Into Web(View) Attacks in Android

James Kilner contributed to the technical editing of this blog. Nethanella Messer, Segev Fogel, Or Ben Nun and Liran Tiebloom contributed to the blog. Although in the PC realm it is common to see financial malware used in web attacks to commit fraud, in Android-based financial malware this is a new trend. Traditionally, financial malware in Android uses overlay techniques to steal victims’ credentials. In 2022, IBM Security Trusteer researchers discovered a new trend in financial mobile malware that targets…

RansomExx Upgrades to Rust

IBM Security X-Force Threat Researchers have discovered a new variant of the RansomExx ransomware that has been rewritten in the Rust programming language, joining a growing trend of ransomware developers switching to the language. Malware written in Rust often benefits from lower AV detection rates (compared to those written in more common languages) and this may have been the primary reason to use the language. For example, the sample analyzed in this report was not detected as malicious in the…