September 2, 2015 By David Strom 3 min read

We all are aware of what a botnet is, and most of us know the damage that it can cause when some bad actor takes over many of our corporate endpoints. But what we might not know is how easy it is to create botnets. With recent research, however, we can see exactly how this is done and hopefully get some insights into how to block and stop them from operating.

Angler: A History of the Exploit Kit

Angler first appeared a few years ago and uses a combination of plain HTML, JavaScript, Flash and Silverlight. Given this collection of tech, there is a variety of infection methods that the exploit kit uses to inject malware on a target endpoint. One example is to present the user with a misleading dialog box when they bring up the infected page; no matter what you click on, your PC is infected.

Researchers found that during May 2015, thousands of new landing pages booby-trapped with Angler were being created daily. These landing pages are used to assess what plugins your browser is using. Then the exploit can be designed to get around any controls and get its malware downloaded to your PC without alerting you it is happening. As a result of this potency, during the month of May, Angler-based exploits were responsible for more than 80 percent of the total botnet traffic, according to the researchers.

What makes Angler insidious is how hard it works at keeping itself from being detected. It frequently changes IP addresses and host names in order to bypass reputation filtering tools. To evade content detection, Angler’s components are dynamically generated for each potential victim. Finally, Angler uses a variety of obfuscation and anti-sandbox tricks to frustrate anyone attempting to collect sample code.

How to Stop Angler Before It Generates a Botnet

What are some ways to protect against Angler and other botnet-generated attacks? Below are four practices that can help you improve your defenses and reduce the risk of becoming a victim.

1. Protect DNS Records

Do a better job of protecting your own domain name server (DNS) records, either through using multifactor authentication to make any changes or by adding email notifications when these changes occur. You should do both and also look at one of the numerous secure DNS appliances that are available for this purpose. Angler and other botnets thrive on messing with your DNS entries and redirecting traffic to the sites that they control.

2. Update Plugins

Make sure your Flash and JavaScript plugins are updated regularly and stay current. Many of the exploits find loopholes in these tools and can leverage their way into your network. You should keep your overall browser versions updated, too. Using only the most recent versions of browsers and plugins ensures that all available patches are applied and vulnerabilities are minimized.

3. Block Certain Executions

When you control what your browser can or can’t run or download, you have the power to prevent botnets and other forms of malware from taking hold. Look at one of the many browser plugins that can block script and iFrame execution to stay ahead of attackers.

4. Educate

Finally, better end user education about common phishing and malware avenues, including the opening of unknown attachments and clicking on suspect links, is always a good thing. The Federal Trade Commission’s OnGuard Online has a phishing scam game to test your potential susceptibility, but you can develop tools and documentation catered toward your organization and employees, too.

Ultimately, these efforts will just be a part of a larger security strategy aimed at protecting your network, raising awareness among users and ensuring all endpoints are guarded. But the individual legwork falls largely to employees: Educating those end users is critical to the long-term defense against botnets.

More from Malware

Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

13 min read - As of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production. Beginning in November 2023, X-Force observed ITG05…

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today