The concept of a “botnet” (a collection of devices which have been infected with software which brings them into the ‘net and which allows the actions of all ‘net members to act in concert) is nothing new, but how they’ve been implemented and used in recent years has been changing. The EternalBlue attack which, successfully, went after healthcare facilities leveraged devices that had historically been ignored by security programs such as security cameras and other devices that wouldn’t register as “a computer” to most people.
Botnets, like ransomware, rely on a home server, or servers, to coordinate the actions of each piece of the ‘net, which makes the whole thing vulnerable to decapitation. Security professionals often look to destroy the command and control structure of an attack first, as the entire botnet can be rendered toothless by removing its ability to act. This gives additional time to come up with a solutions which removes the infection from the members of the net, as they are no longer able to receive software updates or adapt to the efforts of the security professionals.
However, modern botnets are much more flexible and are capable of limited autonomous operations even when cut off from headquarters, and that headquarters is becoming further decentralized. While the KashmirBlack botnet does use servers for command and control, it also leverages cloud servers, like those used by Dropbox, to send commands as well. This hardens its control infrastructure against removal by distributing the command functions through public infrastructure, which means any attempt at removal must be more precisely tuned. Further, it allows the ‘net to hide the extent of its size and the commands being sent by traveling with the normal traffic that comes out of Dropbox. After all, it’s would not be unusual for a computer to be connected to Dropbox or to send/receive large files to/from them. This camouflage further extends KashmirBlacks life expectancy and increases the danger it poses. While the KashmirBlack ‘net so far appears to be used for crypto-mining, spam, and expanding the ‘net, there’s nothing stopping it from being used for more dangerous attacks or being sold to another entity that would use it for more damaging purposes.
