On Wednesday, September 8, it became known that the most powerful cyberattack in the history of the Internet was carried out on Yandex, which the company's specialists managed to repel. The Russian tech giant was attacked by a botnet called Mēris, which means “plague” in Latvian. This type of threat is not as familiar to the average user as money-stealing Trojans or viruses that spy on users through smartphone cameras. However, in reality, the problem concerns hundreds of thousands of ordinary Russians. “Lenta.ru” figured out the scale of the threat.
Become part of a botnet
Alexey is a fairly well-known information security specialist in narrow circles, who suddenly discovered for himself that for several months he had not noticed the infection of his own laptop. That is why he asks not to disclose either his real name or the company he currently represents.
For more than a year, his relatively new home laptop periodically lost performance and behaved suspiciously: the coolers turned off spontaneously, the newly opened browser instantly crashed, the device gave errors, overloaded the network and itself went into long reboots.
Photo: Valery Melnikov / RIA Novosti
“It seems to me that even a person far from the world of technology would have suspected that something was wrong,” said Alexey sadly. – But all this coincided with the beginning of the pandemic, there was a lot of work, they tried to provide safe remote work for thousands of employees of one of the largest Russian companies. When the load decreased, I sat down to analyze network activity and realized that the laptop had become part of a botnet. “
“Perhaps your device is already in some botnet.”
If a laptop becomes part of a botnet, fixing the problem on a single device will not fix it globally. Botnets are a far more serious threat than is commonly thought. And the main “trick of the devil” is that the elements of this threat are people who have never heard this term in their lives.
“A botnet is a network of compromised devices whose owners have no idea that they have been compromised. These can be smart home devices or the Internet of Things, as well as home routers and access points, ”lists Aleksandr Akhremchik, a leading analyst at the Jet CSIRT Information Security Monitoring and Incident Response Center, Jet Infosystems.
The safety of such devices, as a rule, is given very little attention, the specialist notes. “They often have standard passwords or old firmware on them, so it's very easy to hack them and make them part of a botnet. Remember what password you have on your home router: if the answer is “standard”, then perhaps your device is already in some botnet, “Akhremchik adds.
Photo: Jason Redmond / Reuters
When it comes to infecting ordinary people's computers, not corporate networks, the difference between a botnet and other popular viruses is that a conventional Trojan will almost instantly try to steal bank card details or passwords from social networks. The botnet simply takes control of the device. From that moment on, it expects a command from the one who now controls it.
“The creator of the botnet is trying to increase the number of devices to at least 10,000-100,000,” explains Pavel Korostelev, head of product promotion at Security Code. – After that, an attack can be carried out, which looks like the following step by step: the operator issues a command to all devices on the network through the botnet's administrative console. The command is delivered to devices via the Internet and is executed with the help of a pre-built code. A botnet can be tasked with sending traffic, or a request to a specific address, or executing malicious code when a specific resource needs to be hacked. “
56
thousand
of infected devices participated in a DDoS attack on Yandex
Executing a command on hundreds of thousands of devices most often results in a DDoS attack. The more links in the infected chain, the more difficult it is for the victim to fight back. In theory, it is possible to create a botnet that cannot be defended against at all. If he attacks, he will definitely breach the company's defense. Problems can be fixed, but it will take a long time, at best – hours. This is what hackers use: a dense attack paralyzes work, disrupting all internal and external business processes. And the larger the company, the greater the losses it will incur.
“Botnets are like rare diseases.”
Russia is quite firmly included in the top 10 countries most infected by botnets. The traditional leaders of this rating are the most densely populated states (India and China occupy the first two places), as well as countries with a smaller population, but a high level of technology penetration (USA, Brazil, Great Britain).
The “home port” of the botnet does not formally say anything about who is using it for their own purposes. For example, in India there are practically no hacker groups capable of carrying out attacks on a global scale. This means that most of the infected devices are almost certainly controlled from other countries.
In Russia, the problem is not limited to urban residents who are considered technological leaders. On the constantly updated map of botnet activity, one can find infected devices located somewhere on the Russian-Mongolian border, and servers from Transbaikalia that control the network.
Another feature of botnets is that it is impossible to say exactly how many devices are infected in each specific country. For example, at the time of this writing, special resources reported that there are about 300 thousand such devices on the territory of Russia. However, the list includes only those devices that were active at the time of the calculations. The real figure can be ten times higher.
Photo: ISAS / JAXA / AP
“This is a real Internet plague of the 21st century,” says Alexey. “The scale of the infection is so great and so easy to hide that botnets can be compared to rare diseases with an incubation period of several decades.”
Who attacked Yandex
There is no answer to this question, and it is unlikely that it will be possible to get it in the foreseeable future. As a result of the attack, Yandex specialists published a large review on Habré with a description of the technical details of the attack. By the way, the next day Habr itself was attacked, but the scale was smaller there.
21.8
million
requests per second – this was the speed of the attack on Yandex on the peak day
In the most strategically important part of the study, Yandex specialists talked about the number of devices on the botnet that attacked the company. “We have collected data on 56,000 attacking devices. But we assume that the true number is much higher – probably more than 200 thousand devices. The full power of the botnet is not visible due to the rotation of devices and the lack of the attackers' desire to show all the available power. Moreover, the devices on the botnet are high-performance devices, rather than typical IoT devices connected to a Wi-Fi network. Most likely, a botnet consists of devices connected via an Ethernet connection – mostly network devices, ”Yandex noted.
It was found that devices from a dozen countries took part in the attack, and Russia was not the leader in this list. Almost all countries from the top 10 in terms of infection were noted: India, China, Brazil, USA, Indonesia, Iraq.
In the history of the Internet, there have been networks with a large number of infected devices. The largest botnet was Storm, created, judging by indirect signs, in Russia (by the way, many of the most famous botnets have either post-Soviet roots or lines of code in Russian). The peak of its activity fell on the first decade of the century, and the sizes were estimated at tens of millions of computers.
“Comparing the attack on Yandex with other serious botnets, it is tempting to say that 200,000 is not a threat at all compared to networks of millions of devices,” says Alexey. “But it is very important to understand that the attack of 30 million devices from 2007 and the attack of 200 thousand are now quite comparable in power, the technologies and capabilities of devices have changed too seriously over a decade and a half.”
“Many owners lease the power of their botnets to other criminals and take a certain reward for this,” Akhremchik says. “Thus, some cybercriminals profit from their network of bots, while others achieve the goal, which can be the disabling of a competitor's resource, extortion, the distribution of malicious software, or even political protest (hacktivism). In some cases, such attacks are a demonstration of capabilities and a way to make themselves known in order to stir up interest in the services of a new botnet. That is, it can be carried out by the owners themselves, and not by some kind of customer. Most likely, we will soon learn that cybercriminals are offering the services of a new botnet on the darknet with a capacity unprecedented to this day. ”
Photo: Adam Berry / Getty Images
This option fully explains the fact that not the entire network of infected devices was involved in the botnet attacks on Yandex. At the same time, the monstrous congestion rates faced by the Russian tech giant inspire serious concerns among information security specialists.
How will they deal with Mēris
Yandex believes that the botnet consists mainly of devices from the Latvian company MikroTik, which specializes in routers. Russian experts have sent the manufacturer the details of their investigation. An official response from MikroTik followed on Friday: “As far as we know, these attacks use the same routers that were hacked back in 2018. Unfortunately, the patch did not immediately protect the routers. If someone found out your password in 2018, then a simple update won't help. You should also change your password, double-check your firewall so that it does not allow remote access to unknown persons, and look for scripts that you did not create. As far as we know, there are currently no new vulnerabilities in these devices. ”
These tips will slow down rather than stop the spread of the botnet. Users rarely pay attention not only to flashing the router, but even to the need to change the factory password.
“With a high degree of probability, attackers will be found through the botnet control servers. This is the most common way to combat bot attacks, since blocking each of them pointwise is too long and too expensive, Korostelev said. “Typically, tech companies work with law enforcement on these issues, which allows them to either block the botnet's control server or take over control of it.”
Photo: Jason Redmond / Reuters
This is how the existence of all known botnets of the last two decades ended. However, the question of what to do with hidden botnets, which did not appear in high-profile attacks and can wait for years in the wings, remains open. As a serious threat, they continue to work. Including on the devices of ordinary Russians.
