How can you tell if you’ve been botted?
The search for answers about your devices & botnets that attack the Internet.
So how do you know if your device is part of the dark army, blocking connections to your favorite sites so even you can’t find them?
There are some clues that could show that your DVR and connected fridge have been enslaved in a botnet, a zombie force used in a DDoS or distributed denial of service attack, where the botted devices bombard sites with so much junk data that they can’t function properly.
“If your home network experiences frequent outages and high bandwidth usage, you may have a machine infected with a DDoS bot,” said Allison Nixon, director of research at Flashpoint.
“These DDoS bots will take out your entire home network while they are attacking, and many of these bots will attack frequently,” Nixon told Archer News.
No outages, no bot?
Unfortunately, if you have no outages, that does not mean you are bot-free.
Some botnets can work in stealth mode.
“It’s tough to detect hacks on IoT [Internet of Things] devices because they can operate perfectly normally even when infected,” said Andrew Plato, CEO of Anitian Enterprise Security.
It would be nice to have an easy test for bot malware on your device. But experts say that doesn’t exist yet.
“You cannot just login to the device and see a problem,” Plato told Archer News. “This is why you have to start looking at other behaviors.”
Other behaviors, like what’s going in and out of your device, and when.
“One way we look for it is to look for unusual traffic at unusual hours,” he said. “Does your router try to contact China at 3 a.m.? It’s probably infected.”
Checking this kind of traffic on home devices takes technical skills the average person may not have, experts say.
Plato suggests logging all access and traffic to a syslog, which keeps track of the communications.
He also suggests using a next-generation firewall with integrated antivirus and botnet monitoring.
“Those are pretty techy answers,” he said.
Botnet reconnaissance on home devices can be difficult for the typical user, agreed Roland Dobbins with Arbor Networks.
“It’s a good idea, but unfortunately beyond the capabilities of most non-specialists—involves portscanning, looking at variations in telnet banners, etc.,” Dobbins said.
But all is not lost. You can take steps to protect yourself.
“A more low-tech answer is to update your device to the latest firmware revision,” Plato said. “Or even reapply the current firmware.”
Updating and rebooting will probably wipe out any malware code running on your device, according to Plato.
“It’s the simplest. Everything else requires some degree of IT and networking skill,” he said.
Change is good
That’s not all.
Just updating and rebooting may clean your machine—but also leave it open for future botting.
You’ll also need to change the default password. That’s the password that comes on your new device—like “admin” or “test”—so you can get in and set it up.
Many people do not change default password, allowing attackers to simply search the Internet for common default passwords and then take over your device.
“Devices that become infected with Mirai [a botnet involved in the October 21 cyber attack] can be cleaned by restarting them,” said cybersecurity company Symantec in a post.
“However, due to constant scanning for devices by the botnet, vulnerable devices can become re-infected within a matter of minutes of going back online unless the default credentials are changed,” the post said.
Common default usernames & passwords for smart devices.
At some point, the maker of your smart device may ask for it back.
Flashpoint discovered that a botnet used in the October 21 attack exploited cameras from Hangzhou Xiongmai Technology. The company then issued a recall of four webcam models.
“Pay attention to the recall notices issues by the relevant manufacturers,” said Dobbins. “See if their devices are listed. If so, enroll in the recall process.”
Pay attention to any security updates from your smart devices companies as well. They may issue an update to fix your device, instead of a recall.
Hangzhou Xiangmai Technology issued this recall notice in Chinese, saying it disagreed with some reports that its webcams were involved in attacks, but was issuing a recall anyway.
Living in a smart home may sound exciting and convenient. But some of the connected cameras, light bulbs and door locks are more secure than others. Find the ones that don’t leave you open to attack, experts say.
“Don’t be lured by the glitz and promise of a new item,” advised Dale Drew, chief security officer with Internet service provider Level 3 Communications in a post for National Cyber Security Awareness Month.
“Do the research to see if a connected device has passed security scrutiny,” he added. “A lot of IoT products from well-known companies have detailed security instructions. Read them. Follow them.”
In addition, look for hub-connected devices, he said.
“Generally, smart hubs have certain security standards that interconnected devices need to meet,” Drew said. “Third-party vendors want to be compatible with popular hubs, so it forces them to examine their security stance.”
Make it smarter
Once you get that device in your house, make it smarter.
Symantec recommends you:
—Use a strong encryption method when setting up Wi-Fi network access
—Disable features and services that are not required
—Disable Telnet login and use SSH where possible
—Disable Universal Plug and Play (UPnP) on routers unless absolutely necessary
—Disable or protect remote access to IoT devices when not needed
—Use wired connections instead of wireless where possible
—Regularly check the manufacturer’s website for firmware updates
You can also try using a secure DNS service, which can help protect you more, according to Plato.
“They blackhole botnets automatically,” Plato said.
Batten down the hatches
You can change other settings on your computer and smart devices to make them more secure.
The United States Computer Emergency Readiness Team suggests you configure your firewall to restrict traffic coming into and going out of your computer.
If you set it to maximum security, you can get notifications about which applications are trying to talk to which sites and servers.
You can put limits on your smart devices. For example, do you want them to communicate with everything on the Internet, or just specific sites and servers?
You can also limit their bandwidth, so if they become part of a botnet, they can’t use up all of your communication space.
If you notice your smart devices using a lot of bandwidth or some other unusual pattern, that could be a sign of trouble.
You may also find clues through these free infection detection tools, as compiled by the STOP. THINK. CONNECT. campaign:
What are the chances?
Almost a third of the devices used in some Mirai botnet attacks came from the U.S., according to Level 3.
Other companies show different locations for botnet devices. But it is clear that many people have vulnerable things, just waiting to be taken over for attack.
In a recent test, cybersecurity company ESET found that 15% of more than 10,000 home routers are not secure, many with weak passwords and common usernames that are easy for attackers to guess.
Experts say lawsuits may emerge over the lack of security on some smart devices, and manufacturers may need to start paying more attention to security.
Until then, keeping watch over your connected things may help your devices—and you—stay connected, and even prevent another big cyber attack.
Even if you’re not infected, it’s a good idea to change passwords and update regularly.
“It is a good habit to update these devices at least every three to six months,” Plato said. “So, yeah. It can’t hurt.”