We are all aware of what a botnet is, and most of us know the damage it can cause when a bad actor takes over many of our corporate endpoints. What we might not know is how easy it is to create botnets. With recent research, however, we can see exactly how this is done and hopefully get some insight into how to block them and stop them from operating.

Angler: A History of the Exploit Kit

Angler first appeared a few years ago and uses a combination of plain HTML, JavaScript, Flash and Silverlight. Given this collection of tech, there is a variety of infection methods that the exploit kit uses to inject malware on a target endpoint. One example is to present the user with a misleading dialog box when they bring up the infected page; no matter what you click on, your PC is infected.

Researchers found that during May 2015, thousands of new landing pages booby-trapped with Angler were being created daily. These landing pages are used to assess what plugins your browser is using. Then the exploit can be designed to get around any controls and get its malware downloaded to your PC without alerting you it is happening. As a result of this potency, during the month of May, Angler-based exploits were responsible for more than 80 percent of the total botnet traffic, according to the researchers.

What makes Angler insidious is how hard it works at keeping itself from being detected. It frequently changes IP addresses and host names in order to bypass reputation filtering tools. To evade content detection, Angler’s components are dynamically generated for each potential victim. Finally, Angler uses a variety of obfuscation and anti-sandbox tricks to frustrate anyone attempting to collect sample code.
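Because Angler rotates IP addresses and host names faster than reputation lists can keep up, one defensive alternative is a behavioral check on your own resolver or proxy logs: flag any host name that resolves to several different addresses within a short window. The following is an added example, not code from the original article or from any vendor; the log format and all host names and addresses are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample resolver log: "<ISO timestamp> <client> <hostname> <resolved IP>".
# All names and addresses are made-up documentation values, not real indicators.
SAMPLE_LOG = """\
2015-05-12T09:00:01 10.0.0.5 cdn.example-static.test 203.0.113.10
2015-05-12T09:00:07 10.0.0.8 cdn.example-static.test 203.0.113.10
2015-05-12T09:01:12 10.0.0.5 qx7f2.landing.test 198.51.100.21
2015-05-12T09:03:40 10.0.0.9 qx7f2.landing.test 198.51.100.77
2015-05-12T09:05:02 10.0.0.3 qx7f2.landing.test 192.0.2.140
2015-05-12T09:06:30 10.0.0.4 qx7f2.landing.test 203.0.113.99
2015-05-12T09:07:00 10.0.0.5 mail.example-corp.test 203.0.113.25
"""


def parse_line(line):
    """Split one log line into (timestamp, client, hostname, ip)."""
    ts, client, host, ip = line.split()
    return datetime.fromisoformat(ts), client, host, ip


def find_churning_hosts(log_text, window=timedelta(minutes=10), min_distinct_ips=3):
    """Return {hostname: sorted distinct IPs} for every host that resolved to at
    least `min_distinct_ips` different addresses inside any span of `window`.
    Legitimate CDNs also spread across addresses, so treat hits as leads to
    triage (first-seen age, who visited, what was downloaded), not verdicts."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _client, host, ip = parse_line(line)
        events[host].append((ts, ip))

    flagged = {}
    for host, seen in events.items():
        seen.sort()  # chronological order per host
        for i, (ts_end, _ip) in enumerate(seen):
            # Distinct addresses observed in the window ending at this event.
            in_window = {ip for ts, ip in seen[: i + 1] if ts >= ts_end - window}
            if len(in_window) >= min_distinct_ips:
                flagged[host] = sorted({ip for _, ip in seen})
                break
    return flagged


if __name__ == "__main__":
    for host, ips in find_churning_hosts(SAMPLE_LOG).items():
        print(f"{host}: {len(ips)} addresses in window -> {', '.join(ips)}")
```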

How to Stop Angler Before It Generates a Botnet

What are some ways to protect against Angler and other botnet-generated attacks? Below are four practices that can help you improve your defenses and reduce the risk of becoming a victim.

1. Protect DNS Records

Do a better job of protecting your own domain name server (DNS) records, either through using multifactor authentication to make any changes or by adding email notifications when these changes occur. You should do both and also look at one of the numerous secure DNS appliances that are available for this purpose. Angler and other botnets thrive on messing with your DNS entries and redirecting traffic to the sites that they control.

2. Update Plugins

Make sure your Flash and JavaScript plugins are updated regularly and stay current. Many of the exploits find loopholes in these tools and can leverage their way into your network. You should keep your overall browser versions updated, too. Using only the most recent versions of browsers and plugins ensures that all available patches are applied and vulnerabilities are minimized.

3. Block Certain Executions

When you control what your browser can or can't run or download, you have the power to prevent botnets and other forms of malware from taking hold. Look at one of the many browser plugins that can block script and iframe execution to stay ahead of attackers.

4. Educate

Finally, better end user education about common phishing and malware avenues, including the opening of unknown attachments and clicking on suspect links, is always a good thing. The Federal Trade Commission’s OnGuard Online has a phishing scam game to test your potential susceptibility, but you can develop tools and documentation catered toward your organization and employees, too.

Ultimately, these efforts will just be a part of a larger security strategy aimed at protecting your network, raising awareness among users and ensuring all endpoints are guarded. But the individual legwork falls largely to employees: Educating those end users is critical to the long-term defense against botnets.
