Persistent Bots: Five Ways They Stay Enmeshed in Your Network

Attackers have created the first persistent internet-of-things botnet, Hide 'N Seek, using a well-known tactic from server- and desktop-based systems. Here are five ways the attackers stay on your system following a compromise.


Earlier this year, the developers of a malicious program created to infect Linux-based internet-of-things (IoT) devices found a way for it to automatically reinstall the malware following a reboot.

The malware, known as Hide ‘N Seek, is the first known example of an IoT botnet that can stick around after the user restarts a device. Known as persistence, such a feature makes malware much harder to clean from compromised systems and will likely cause significant headaches for service providers and the owners of the devices, said Bogdan Botezatu, senior e-threat analyst with software security firm Bitdefender, which published an analysis of the malware on May 7.

"The rest of the (IoT) botnets, even if they have impressive numbers, fluctuate because they do not have persistence," Botezatu said. "While compromising an IoT device is pretty simple, achieving persistence is usually extremely difficult, because writing a binary to an IoT device requires root privileges."

Persistence Has Become a Major Problem

Persistence has become a significant aspect of malicious software, one of 11 major tactics that online attackers incorporate into their code, according to the Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) database managed by MITRE, a non-profit research/development center.

While most botnets have lost ground in the first quarter of 2018, persistence remains an issue for companies, according to the Q1 Threat Landscape Report published by network-security firm Fortinet. About 2.8 percent of networks are “infested,” which means they host 10 or more bots;  more than 7 percent of infections last more than three days. With attackers focusing on persistence, even these seemingly small numbers can result in significant headaches for security professionals.

The result is that infections are lasting longer than they should be, Anthony Giandomenico, senior security strategist and researcher at Fortinet, told eWEEK.

"It is a combination between attackers getting better at persistence and defenders not paying enough attention," Giandomenico said. "Organizations will often buy the technology but not put an actual plan in place to direct the people and the process." 

Attackers need to keep their code on a system until they have achieved their goals, so persistence will continue to be a sought-after feature. Currently, there are some 50 different ways of achieving persistence, according to the ATT&CK list, but the most common approaches follow a simple rule, said Viktors Engelbrehts, director of threat intelligence for managed security firm eSentire.

"The attacker will always use the path of least resistance," Engelbrehts said. “They prefer to avoid spending a lot amount of time and resources on something new."

Here are five common ways that attackers stay on your system or device:

Method 1: Infecting the Registry

For the most common target, Windows systems, one approach rules them all: Modifying the registry. The technique is both simple and easy, because the attacker does not have to first gain administrative user rights.

"It is working perfectly, it has been tested over time, and it is enough to fool the users," Bitdefender's Botezatu said.

There are many ways to modify the registry to run code: Attackers can change the default file associations; they can abuse a variety of dynamic linked libraries (DLLs) whose values are stored in the Windows registry; or they can change existing services.

The registry is complex, and most people do not know what is in their database, said Fortinet's Giandomenico.

"When you load up a typical Windows machine, there are so many different processes that load, that many organizations don't know what their baseline build is," he said.

Method 2: Gaining Control from Bootup

Attackers can copy malware into the boot sectors of a hard drive, which are run whenever a computer is booted up. The ransomware programs, Petya and NotPetya, both infected boot records to immediately take control of a system.

The technique, called a bootkit, allows the attacker to gain persistence but can be easily detected, especially if the operating system is running integrity functions that uses cryptographic features, such as the Trusted Platform Module, to verify the integrity of the boot sequence.

"It is complicated, it is complex, and it is noisy," said Bitdefender's Botezatu. "When you have a program that messes with the master boot record, it will prevent modern versions of operating systems from booting."

Method 3: Execution-path Hijacking

Attackers can also take advantage of the standard way that operating systems look for programs and binaries. On Windows system, for example, they can place programs with the same name as commonly used libraries in the DLL search path to automatically execute the code. On MacOS systems, a similar technique places programs in the dynamic library, or dylib, search path.

The Hide 'N Seek IoT bot used this technique, copying itself to the init.d directory on compromised Linux-based devices, which is run every time the device is restarted.

"Once the botnet manages to get control of the device via telnet, then the bot script copies the binary to the init.d folder, which is the default startup on Linux and Unix systems," Bitdefender's Botezatu said.

Method 4: Lateral Movement Allows for Reinfection

While not true persistence, automatically infecting vulnerable devices is frequently used by malware authors to infest a network, compromising as many devices as possible. In 2001, for example, the Nimda worm infected Windows computers, hammering systems on the same network and causing outages and days-long cleanup efforts.

More recently, the Andromeda botnet, which was taken down by law enforcement last year, still tops the list of botnet detected by Fortinet, because many companies remain infected with the malware, the company stated in its latest report.

"Those infected systems are still phoning home, and it is ironic that the prevalence was one of the highest threats in the botnet section of the report this quarter," Fortinet's Giandomenico said.

Good network hygiene—especially segmentation—is a good defense against botnets such as Andromeda, he said.

Method 5: Beware Malicious Apps

Traditional computer systems are the easiest for malware to maintain a presence, while embedded and internet-of-things devices are much more difficult. Mobile phones are somewhere in between.

Android-based devices can be vulnerable, especially if the user downloads apps from third-party providers. Once an app gains permissions to install itself, persistence is part of the package, said Bitdefender's Botezatu.

"It is trivial to achieve persistence on an Android device, if you don't have antivirus up to date," he said.

However, a well-maintained phone which is configured to use one of the major app stores is a much harder target. Manufacturers and operating system providers frequently update the apps on the phones, which means that attackers have to adapt to the new software.

Overall, botnets are usually only able to maintain persistence if the user or security team is not managing the security of their devices.

As Fortinet states in the conclusion of its report: "We hate to beat a dead horse, but talking to inactive botnets is not behavior you want to condone among hosts in your organization. Rather than reactively chastising every endpoint, mature your capability to detect and sever botnet communications (live or dead) at key choke points in your network through a combination of smart tools and good intel."