Ego Market: When Greed for Fame Benefits Large-Scale Botnets

Cybercrime is an evolving phenomenon and offenders are continuously developing new techniques to gain unauthorized access into computer systems. This paper will showcase just how ingenious botmasters have become by analyzing a specific botnet, the Linux/Moose botnet, and the illicit online market it thrives in. The Linux/Moose botnet was first discovered by the ESET research team in 2015 and their analysis of the botnet was published in a technical report. Following the publication of this report, the botnet operators transitioned to a new version of their Linux/Moose botnet infrastructure, but essentially kept the same end-goal: social media fraud, which can be defined as the process of creating false endorsements of social networks accounts in order to enhance a user’s popularity and visibility. This can be achieved by liking posts (or any similar endorsement) or following a user.

Linux/Moose stands out among all other botnets for three reasons. First, it is part of a new generation of Internet of Things (IoT) botnets that run on embedded systems such as routers rather than computers. It is therefore much stealthier and difficult to detect since no antivirus and little security software monitor these devices’ traffic and behavior. Second, rather than sending instructions to the bots it has compromised, the botnet uses the bots only as proxies to hide the origin of the requests it sends to social media websites exclusively. The bots therefore do not need much computational power; their bandwidth and their “clean” IP address is what the botnet is after. Lastly, the botnet specializes in social media fraud, a very different activity from other botnets, which usually send spam, commit ad fraud and launch distributed denial of service (DDoS) attacks.

To investigate the Linux/Moose botnet, we infected several honeypots around the world. We performed a man-in-the-middle attack to decrypt the botnet’s traffic, analyzed its operations and studied the illicit online market where social media fraud services are bought and sold. This paper presents the results of our months-long investigation and blends a technical understanding of the botnet with a social assessment of its activities. The first section presents the latest updates of the Linux/Moose botnet and the multiple steps that were required to successfully infect honeypots. It also presents how a manin-the-middle attack (mitm) was performed on the botnet’s traffic. The second section presents the botnet’s activity on social media networks, the illicit online market in which social media fraud services are bought and sold and the potential revenue generated by the botnet.

Ce contenu a été mis à jour le 2 mars 2017 à 23 h 45 min.