What is the term used for a group of computers controlled by an attacker and used for sending spam emails or instigating a denial of service attack?

As software designed to interfere with a computer's normal functioning, malware is a blanket term for viruses, trojans, and other destructive computer programs threat actors use to infect systems and networks in order to gain access to sensitive information.

Malware Definition

Malware (short for “malicious software”) is a file or code, typically delivered over a network, that infects, explores, steals or conducts virtually any behavior an attacker wants. And because malware comes in so many variants, there are numerous methods to infect computer systems. Though varied in type and capabilities, malware usually has one of the following objectives:

  • Provide remote control for an attacker to use an infected machine.
  • Send spam from the infected machine to unsuspecting targets.
  • Investigate the infected user’s local network.
  • Steal sensitive data.


Ransomware – Is a criminal business model that uses malicious software to hold valuable files, data or information for ransom. Victims of a ransomware attack may have their operations severely degraded or shut down entirely.

Remote Access Trojans / Remote Administration Tools (RATs) – Software that allows a remote operator to control a system. Many such tools were originally built for legitimate administration, but they are now widely used by threat actors. RATs grant administrative control, allowing an attacker to do almost anything on an infected computer: run commands, transfer files, capture the screen or keystrokes. They are difficult to detect, as they typically do not show up in lists of running programs or tasks, and their actions are often mistaken for those of legitimate programs.

Rootkits – Programs that give an attacker privileged (root-level) access to a computer while hiding their own presence. Rootkits vary in where they live (user space, the kernel, firmware or the boot chain) and subvert the operating system’s own reporting so that their files, processes and network connections do not appear in normal listings.

Spyware – Malware that collects information about the use of the infected computer and reports it back to the attacker. The category covers keyloggers, adware, credential and data stealers, and backdoor components that keep covert access open. Botnet agents and worms are separate categories, although they frequently deliver spyware as a payload.

Trojan Malware – Malware disguised as, or hidden inside, what appears to be legitimate software. Once activated, a Trojan carries out whatever action it has been programmed to perform. Unlike viruses and worms, Trojans do not replicate or spread through infection on their own. “Trojan” alludes to the mythological story of Greek soldiers hidden inside a wooden horse that was given to the enemy city of Troy.

Virus Malware – Programs that copy themselves throughout a computer or network by inserting their code into other files. Viruses piggyback on existing programs and are only activated when a user (or the system) runs the infected program. At their worst, viruses can corrupt or delete data, use the user’s email to spread, or erase everything on a hard disk.

Worm Malware – Self-replicating malware that exploits security vulnerabilities (or weak credentials) to spread itself automatically across computers and networks without any user action. Unlike viruses, worms do not need to attach to existing programs or alter files. They typically go unnoticed until replication reaches a scale that consumes significant system resources or network bandwidth.

Types of Malware Attacks

Malware also uses a variety of methods to spread itself to other computer systems beyond an initial attack vector. Malware attack definitions can include:

  • Email attachments containing malicious code can be opened, and therefore executed by unsuspecting users. If those emails are forwarded, the malware can spread even deeper into an organization, further compromising a network.
  • File servers, such as those based on common Internet file system (SMB/CIFS) and network file system (NFS), can enable malware to spread quickly as users access and download infected files.
  • Removable media and file-sharing software can carry malware from one system to the next: an infected file copied to a USB drive or a shared folder is executed on whichever machine opens it.
  • Peer to peer (P2P) file sharing can introduce malware by sharing files as seemingly harmless as music or pictures.
  • Remotely exploitable vulnerabilities can enable a hacker to access systems regardless of geographic location with little or no need for involvement by a computer user.

Learn how to use Palo Alto Networks next-generation threat prevention features and WildFire® cloud-based threat analysis service to protect your network from all types of malware, both known and unknown.

How to Prevent Malware:

A variety of security solutions are used to detect and prevent malware. These include firewalls, next-generation firewalls, network intrusion prevention systems (IPS), deep packet inspection (DPI) capabilities, unified threat management systems, antivirus and anti-spam gateways, virtual private networks, content filtering and data leak prevention systems. To confirm that these controls actually prevent malware, they should be tested against a wide range of malware-based attacks, using a robust, up-to-date library of malware samples and signatures so that testing covers the latest attacks.

The Cortex XDR agent combines multiple methods of prevention at critical phases within the attack lifecycle to halt the execution of malicious programs and stop the exploitation of legitimate applications, regardless of operating system, the endpoint’s online or offline status, and whether it is connected to an organization’s network or roaming. Because the Cortex XDR agent does not depend on signatures, it can prevent zero-day malware and unknown exploits through a combination of prevention methods.

Malware Detection:

Advanced malware analysis and detection tools exist such as firewalls, Intrusion Prevention Systems (IPS), and sandboxing solutions. Some malware types are easier to detect, such as ransomware, which makes itself known immediately upon encrypting your files. Other malware like spyware, may remain on a target system silently to allow an adversary to maintain access to the system. Regardless of the malware type or malware meaning, its detectability or the person deploying it, the intent of malware use is always malicious.

When you enable behavioral threat protection in your endpoint security policy, the Cortex XDR agent can also continuously monitor endpoint activity for malicious event chains identified by Palo Alto Networks.

Malware Removal:

Antivirus software can remove most standard infection types, and many off-the-shelf options exist. Cortex XDR enables remediation on the endpoint following an alert or investigation, giving administrators a set of mitigation steps to run in order:

  • Isolate the endpoint by disabling all network access on the compromised machine except for traffic to the Cortex XDR console.
  • Terminate processes so that running malware cannot continue its activity on the endpoint.
  • Block additional executions of the malicious file.
  • Quarantine the malicious files and remove them from their working directories, if the Cortex XDR agent has not already done so.

Malware Protection:

To protect your organization against malware, you need a holistic, enterprise-wide malware protection strategy. Commodity threats are exploits that are less sophisticated and more easily detected and prevented using a combination of antivirus, anti-spyware, and vulnerability protection features along with URL filtering and Application identification capabilities on the firewall.


A Distributed Denial of Service (DDoS) attack is an attempt to make a web server or online service unavailable by overwhelming it with traffic or requests sent from many sources at once. DDoS attacks can be simple mischief, revenge, or hacktivism, and can range from a minor annoyance to long-term downtime resulting in loss of business.

Attackers hit GitHub with a DDoS attack peaking at 1.35 terabits per second (Tbps) in February of 2018. That’s a massive attack, and it’s doubtful that it will be the last of its kind.


Unlike ransomware, which is financially motivated, or APT intrusions, which usually aim at espionage or long-term access, most DDoS attacks are simply disruptive. How bad can it get? Thousands of avid gamers couldn’t get on Classic WoW because of a DDoS attack! The point is that a DDoS attack rarely yields direct profit for the attacker (the exceptions being extortion, where a ransom is demanded to stop the flood, and DDoS-for-hire services that sell the attack to others); usually the goal is simply to cause pain.

How Does a DDoS Attack Work?


DDoS attacks most often work by botnets – a large group of distributed computers that act in concert with each other –simultaneously spamming a website or service provider with data requests.

Attackers use malware or unpatched vulnerabilities to install a bot agent on users’ systems; the agent connects back to the attacker’s Command and Control (C2) infrastructure, and the collection of such agents is the botnet. DDoS attacks rely on a high number of computers in the botnet to achieve the desired effect, and the easiest and cheapest way to get control of that many machines is by leveraging exploits and default credentials at scale.

The 2016 attack on the DNS provider Dyn used a botnet built from IoT devices (IP cameras, DVRs and home routers) that still had their default credentials. Once the botnet is ready, the attackers send the start command to all of their bots over the C2 channel, and each bot sends its programmed requests to the target. If the attack makes it past the outer defenses, it quickly overwhelms most systems, causes service outages, and in some cases crashes the server. The end result of a DDoS attack is primarily lost productivity or service interruption – customers can’t reach a website.

While that may sound benign, the cost of a DDoS attack averaged $2.5 million in 2017. Kaspersky reports that DDoS attacks cost small businesses $120,000 and enterprises $2,000,000. Hackers engage DDoS attacks for anything ranging from childish pranks to revenge against a business to express political activism.

In the United States, DDoS attacks are illegal under the Computer Fraud and Abuse Act. Launching a DDoS attack against a network without permission can cost you up to 10 years in prison and fines of up to $500,000.

What is the Difference Between a DoS and a DDoS Attack?

A Denial of Service (DoS) attack includes many kinds of attacks, all designed to disrupt services. In addition to DDoS, you can have application layer DoS, advanced persistent DoS, and DoS as a service. Legitimate load-testing providers let companies stress test their own networks with permission; the “booter” or “stresser” sites that sell attacks against third parties are DDoS-for-hire and are illegal to use.

In short, DDoS is one type of DoS attack – however, DoS can also mean that the attacker used a single node to initiate the attack, instead of using a botnet. Both definitions are correct.

What Does a DDoS Attack Mean for My Security?

You need to prepare and plan to manage a DDoS attack against your systems. You need to monitor, generate alerts, and quickly diagnose a DDoS attack in progress. The next step is shutting down the attack quickly without affecting your users. You can block the IP addresses using your Next-Gen Firewall, or close inbound traffic to the targeted system and failover to a backup. There are other response plans you can implement, make sure to have one.

Common Types of DDoS Attacks

There are several different ways attackers perpetrate a DDoS attack. Here are some of the most recognized:

Application Layer Attacks


Application layer DDoS attacks aim to exhaust the resources of the target and disrupt access to the target’s website or service. Attackers load the bots with a complicated request that taxes the target server as it tries to respond. The request might require database access or large downloads. If the target gets several million of those requests in a short time, it can very quickly get overwhelmed and either slowed to a crawl or locked up completely.

An HTTP Flood attack, for example, is an application layer attack that targets a web server on the target and uses many fast HTTP requests to bring the server down. Think of it as pressing the refresh button in rapid-fire mode on your game controller. That kind of traffic from many thousands of computers at once will quickly drown the webserver.
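An HTTP flood leaves a clear fingerprint in the web server’s own access log: a handful of sources producing far more requests per second than any human could, usually against the same expensive endpoint. The script below is an added example and is not code from the original page or from any vendor named on it; the log lines are constructed in the common “combined” access-log layout, and the 10-second window and 20-request threshold are assumptions a real deployment would tune against its own baseline.

```python
"""HTTP flood detection over web server access logs.

Added example (not from the original page). The log lines below are
constructed for illustration in the common "combined" access-log layout;
the window size and request threshold are assumptions a real deployment
would tune against its own baseline traffic.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Matches: IP ident user [timestamp] "METHOD PATH PROTO" STATUS SIZE
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict of fields, or None if the line is not an access-log entry."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def detect_flood(lines, window_seconds=10, max_requests=20):
    """Flag sources that exceed max_requests inside any sliding window of
    window_seconds. Returns {ip: (peak_requests_in_window, top_path)}.
    Lines are assumed to be in chronological order per source."""
    recent = defaultdict(deque)           # ip -> timestamps still inside the window
    paths = defaultdict(lambda: defaultdict(int))
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts = rec["ip"], rec["ts"]
        q = recent[ip]
        q.append(ts)
        paths[ip][rec["path"]] += 1
        # Drop timestamps that have fallen out of the window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_requests:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return {
        ip: (peak, max(paths[ip], key=paths[ip].get))
        for ip, peak in peaks.items()
    }


def constructed_log():
    """Constructed sample: one ordinary visitor and one source hammering
    an expensive search endpoint 30 times in under five seconds."""
    base = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(3):
        t = (base + timedelta(seconds=4 * i)).strftime(TS_FMT)
        lines.append(f'198.51.100.7 - - [{t}] "GET /index.html HTTP/1.1" 200 1024')
    for i in range(30):
        t = (base + timedelta(milliseconds=150 * i)).strftime(TS_FMT)
        lines.append(f'203.0.113.42 - - [{t}] "GET /search?q=a HTTP/1.1" 200 51200')
    lines.append("garbage line that should be ignored")
    return lines


if __name__ == "__main__":
    for ip, (peak, path) in detect_flood(constructed_log()).items():
        print(f"{ip}: {peak} requests in window, mostly {path}")
```

The per-source deque keeps only the timestamps inside the current window, so memory stays bounded by the window size rather than the log size; in production the flagged addresses would feed a firewall block list or a rate limiter rather than a print statement.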

Protocol Attacks


Protocol DDoS attacks target the network and transport layers (layers 3 and 4) of the target systems. Their goal is to exhaust the connection-state tables of the core networking services, the firewall, or the load balancer that forwards requests to the target.

In general, network services work off a first-in, first-out (FIFO) queue. The first request comes in, the computer processes it, then it takes the next request in the queue, and so on. There are a limited number of slots in this queue (for TCP, the listen backlog), and in a DDoS attack the queue fills with bogus entries so quickly that there are no resources left to handle a legitimate request.

A SYN flood attack is a specific protocol attack. In a standard TCP connection there is a 3-way handshake: the client sends a SYN (a request to open a connection), the server answers with a SYN-ACK (acknowledging the request and proposing its own sequence number), and the client completes the handshake with an ACK. The server must remember each half-open connection between the SYN-ACK and the final ACK. In a SYN flood attack, the attackers send SYN packets with spoofed source IP addresses. The target sends a SYN-ACK to each fake address, which never responds, and the half-open entries sit in the backlog until they time out, exhausting the resources needed to process real connections.
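The standard mitigation for the backlog problem described above is SYN cookies: instead of storing a half-open entry, the server encodes a verifiable cookie in the sequence number of its SYN-ACK and only allocates state when a client echoes it back in the final ACK. The simulation below is an added example, not code from the original page or from any operating system; the cookie layout (a 5-bit time counter plus a truncated HMAC over the 4-tuple), the 64-second counter window, the secret and the addresses are assumptions, and real kernels use a different encoding (Linux also folds the client’s MSS into the number), but the principle is the same.

```python
"""SYN flood: stateful backlog exhaustion versus stateless SYN cookies.

Added example (not from the original page). The cookie layout, the
64-second counter, the secret and the IP addresses are assumptions; real
kernels use a different encoding, but the principle is the same: the
server commits no memory until the client proves it received the SYN-ACK.
"""
import hashlib
import hmac
import time

SECRET = b"rotate-me-periodically"   # assumption: per-server secret


def cookie_counter(now=None):
    """5-bit counter that ticks every 64 seconds (assumed window)."""
    now = time.time() if now is None else now
    return int(now // 64) & 0x1F


def syn_cookie(src_ip, src_port, dst_ip, dst_port, counter):
    """Initial sequence number the server puts in its SYN-ACK:
    top 5 bits = counter, low 27 bits = truncated HMAC over the 4-tuple."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{counter}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return ((counter & 0x1F) << 27) | (int.from_bytes(mac[:4], "big") & 0x07FFFFFF)


def validate_ack(src_ip, src_port, dst_ip, dst_port, ack_number, now=None):
    """The final ACK carries cookie+1. Recompute the cookie for the current
    and previous counter value; no per-connection state is consulted."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    cur = cookie_counter(now)
    for c in (cur, (cur - 1) & 0x1F):
        if cookie >> 27 == c and syn_cookie(src_ip, src_port, dst_ip, dst_port, c) == cookie:
            return True
    return False


class StatefulListener:
    """Classic listener: every SYN reserves a backlog slot until the ACK arrives."""

    def __init__(self, backlog=128):
        self.backlog = backlog
        self.half_open = set()

    def on_syn(self, src):
        if len(self.half_open) >= self.backlog:
            return False          # backlog full: SYN silently dropped
        self.half_open.add(src)
        return True


def simulate(n_spoofed=1000, backlog=128):
    """Spoofed SYNs never complete, so they pin backlog slots until timeout.
    Returns (dropped_syns, legit_client_ok_stateful, legit_client_ok_cookie)."""
    listener = StatefulListener(backlog)
    dropped = 0
    for i in range(n_spoofed):
        spoofed = (f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}", 40000)
        if not listener.on_syn(spoofed):
            dropped += 1
    legit = ("198.51.100.7", 51000)
    ok_stateful = listener.on_syn(legit)

    # SYN-cookie server: the SYN-ACK's ISN is the cookie; a real client echoes it +1.
    now = 0
    isn = syn_cookie(*legit, "192.0.2.1", 443, cookie_counter(now))
    ok_cookie = validate_ack(*legit, "192.0.2.1", 443, (isn + 1) & 0xFFFFFFFF, now=now)
    return dropped, ok_stateful, ok_cookie


if __name__ == "__main__":
    print(simulate())   # -> (872, False, True)
```

With a 128-entry backlog, 1000 spoofed SYNs leave no room for the legitimate client on the stateful listener, while the cookie server needs no table at all and still accepts the genuine ACK. The price is that TCP options sent in the SYN are lost unless they are squeezed into the cookie, which is why kernels enable cookies only once the backlog is under pressure.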

Volumetric Attacks


The goal of a volumetric attack is to use the botnet to generate a huge amount of traffic and clog up the target’s bandwidth. Think of it like an HTTP Flood attack, but with an amplification component. For example, if you and 20 of your friends all called the same pizza place and ordered 50 pies at the same time, that pizza shop wouldn’t be able to fulfill those orders. Volumetric attacks operate on the same principle: each small request triggers a response many times larger than itself, so the volume of traffic explodes and saturates the links in front of the target.

DNS Amplification is a kind of volumetric attack. The attacker sends small DNS queries, chosen to produce large answers (for example ANY or TXT lookups), to open resolvers, with the source address spoofed to be the victim’s. The resolvers send the large responses to the victim, which receives many times more traffic than the attacker had to send. The abused DNS servers also suffer, and can become unusable for anyone that relies on them for name resolution.
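From the resolver operator’s side, reflection abuse shows up in the query log as one “client” address sending a stream of queries for large record types, all from a fixed source port (the spoofed source is the victim, not the attacker). The script below is an added example and not code from the original page or from any DNS software; the log line shape, the per-type response-size estimates, the thresholds and the addresses are assumptions, and the log lines are constructed.

```python
"""Spotting DNS amplification abuse in a resolver's query log.

Added example (not from the original page). The log layout, the per-type
response-size estimates and the thresholds are assumptions; the log lines
are constructed. In a reflection attack the "client" address in the log is
the spoofed victim, not the attacker, so the output names who is being hit.
"""
import re
from collections import Counter, defaultdict

# Constructed log shape: "<time> client <ip>#<port>: query: <name> IN <type> ..."
LOG_RE = re.compile(r"client (?P<ip>[\d.]+)#(?P<port>\d+): query: (?P<name>\S+) IN (?P<qtype>\S+)")

# Assumed typical UDP response sizes in bytes; real numbers depend on the zone.
EST_RESPONSE_BYTES = {"ANY": 3000, "TXT": 1500, "DNSKEY": 1200, "A": 80, "AAAA": 100}
EST_QUERY_BYTES = 64                 # assumption: small EDNS0 UDP query
AMPLIFYING_TYPES = {"ANY", "TXT", "DNSKEY"}


def find_reflection_victims(lines, min_queries=50, min_amp_fraction=0.8):
    """Group queries by (spoofed) source. A source sending many queries that
    are almost all for large record types is being used as a reflection target."""
    per_src = defaultdict(Counter)
    ports = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            per_src[m["ip"]][m["qtype"]] += 1
            ports[m["ip"]].add(int(m["port"]))
    victims = {}
    for ip, types in per_src.items():
        total = sum(types.values())
        amp = sum(n for t, n in types.items() if t in AMPLIFYING_TYPES)
        if total < min_queries or amp / total < min_amp_fraction:
            continue
        est_out = sum(EST_RESPONSE_BYTES.get(t, 100) * n for t, n in types.items())
        victims[ip] = {
            "queries": total,
            "amp_fraction": round(amp / total, 2),
            "est_reflected_bytes": est_out,
            "amplification": round(est_out / (EST_QUERY_BYTES * total), 1),
            # Spoofed queries usually carry a fixed source port (the victim's service port).
            "source_ports": sorted(ports[ip]),
        }
    return victims


def constructed_log():
    """Constructed sample: 200 spoofed ANY queries 'from' the victim, all with
    source port 53, plus ordinary stub-resolver traffic from a workstation."""
    lines = []
    for i in range(200):
        lines.append(f"01-Mar-2024 12:00:{i % 60:02d}.000 client 203.0.113.9#53: "
                     f"query: example.com IN ANY +E (192.0.2.53)")
    for i in range(30):
        lines.append(f"01-Mar-2024 12:00:{i:02d}.500 client 198.51.100.7#{50000 + i}: "
                     f"query: www.example.net IN A + (192.0.2.53)")
    return lines


if __name__ == "__main__":
    for ip, info in find_reflection_victims(constructed_log()).items():
        print(ip, info)
```

The fix on the resolver side is not detection but configuration: answer recursive queries only for your own networks, rate-limit responses (response rate limiting), and refuse or minimize ANY. The detector is still useful for spotting an authoritative server being abused, since it cannot refuse queries from the world at large.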

How Can DDoS Attacks Be Prevented?

How did GitHub survive that massive DDoS attack? Planning and preparation, of course. After 10 minutes of intermittent outages, the GitHub servers activated their DDoS mitigation service. The mitigation service rerouted incoming traffic and scrubbed the malicious packets, and about 10 minutes later the attackers gave up.

In addition to paying for DDoS mitigation services from companies like Cloudflare and Akamai, you can employ your standard endpoint security measures. Patch your servers, keep your Memcached servers off the open internet, and train your users to recognize phishing attacks.

You can turn on black hole routing during a DDoS attack to drop all traffic destined for the attacked address at the network edge; this stops the flood from reaching the rest of your infrastructure, but it also completes the outage for the targeted service, so it is a last resort. You can set up rate limiting to cap the number of requests a server accepts from a client in a short amount of time. A properly configured firewall can also protect your servers.
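Rate limiting is usually implemented as a token bucket per client: each client may burst up to a fixed number of requests and is then throttled to a steady rate, and a client that keeps hitting the limit is blocked outright for a while, which is cheaper than running the bucket for a source that is clearly flooding. The code below is an added example and not code from the original page or from any product named on it; the rate, burst size, ban policy and the traffic pattern are assumptions, and time is passed in explicitly (in milliseconds) so the simulation is deterministic.

```python
"""Per-client rate limiting with a token bucket and a temporary block list.

Added example (not from the original page). Rates, burst size, ban policy
and the traffic pattern are assumptions; time is passed in explicitly (in
milliseconds) so the simulation is deterministic and testable.
"""
from collections import Counter, defaultdict


class TokenBucketLimiter:
    """Each client gets `burst` tokens, refilled at `rate` tokens per second.
    A request costs one token. After `ban_after` consecutive rejections the
    client is blocked outright for `ban_ms`."""

    def __init__(self, rate, burst, ban_after=5, ban_ms=1000):
        self.rate, self.burst = rate, burst
        self.ban_after, self.ban_ms = ban_after, ban_ms
        # Tokens are tracked in thousandths to avoid float drift.
        self.buckets = defaultdict(lambda: {"tokens": burst * 1000, "last": None,
                                            "denials": 0, "banned_until": -1})

    def check(self, client, now_ms):
        """Return "allow", "deny" or "banned" for one request from client at now_ms."""
        b = self.buckets[client]
        if now_ms < b["banned_until"]:
            return "banned"
        if b["last"] is not None:
            # rate tokens/second == rate millitokens/millisecond
            b["tokens"] = min(self.burst * 1000, b["tokens"] + (now_ms - b["last"]) * self.rate)
        b["last"] = now_ms
        if b["tokens"] >= 1000:
            b["tokens"] -= 1000
            b["denials"] = 0
            return "allow"
        b["denials"] += 1
        if b["denials"] >= self.ban_after:
            b["banned_until"] = now_ms + self.ban_ms
            b["denials"] = 0
            return "banned"
        return "deny"


def simulate():
    """Constructed traffic: a flooding source sends 100 requests in one second
    (every 10 ms) while an ordinary client sends one request every 200 ms.
    Returns {client: {outcome: count}}."""
    limiter = TokenBucketLimiter(rate=10, burst=20, ban_after=5, ban_ms=1000)
    outcomes = {"attacker": Counter(), "legit": Counter()}
    events = [(i * 10, "attacker") for i in range(100)] + [(i * 200, "legit") for i in range(5)]
    for now_ms, client in sorted(events):
        outcomes[client][limiter.check(client, now_ms)] += 1
    return {k: dict(v) for k, v in outcomes.items()}


if __name__ == "__main__":
    print(simulate())
```

The flooding source gets its burst of 20 plus what the refill allows, is then refused, and after five refusals in a row is blocked for the rest of the second; the ordinary client, whose bucket refills faster than it spends, is never touched. Keying the buckets on a client address is only meaningful when addresses are real, which is why this belongs at the application layer and does nothing against a spoofed SYN flood.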

Varonis monitors your DNS, VPN, Proxies, and data to help detect signs of an impending DDoS attack against your corporate network. Varonis tracks behavior patterns and generates warnings when current behavior matches a threat model or deviates from standard behavior. This can include malware botnet attacks or significant increases in network traffic that indicate a DDoS attack.

DDoS Attacks Today

Just like everything else in computing, DDoS attacks are evolving and becoming more destructive to business. Attack sizes are increasing, growing from around 150 requests per second in the 1990s – enough to bring a server of that era down – to the Dyn attack and the GitHub attack, at an estimated 1.2 Tbps and 1.35 Tbps respectively. The goal in both of these attacks was to disrupt two major sources of productivity across the globe.

These attacks used new techniques to achieve their huge bandwidth numbers. The Dyn attack was carried out by the Mirai botnet, which was built from Internet of Things (IoT) devices: Mirai scanned the internet for devices with open telnet ports, logged in with a short list of factory-default usernames and passwords, and took over IP cameras, DVRs and home routers by the hundreds of thousands. The attack itself was little more than a prank, but it exposed a major vulnerability that comes with the proliferation of IoT devices.

The GitHub attack abused the many thousands of servers running Memcached, an open-source memory caching system, exposed on the open internet. Memcached answers over UDP (port 11211) without any authentication and will return kilobytes of cached data for a request of a few dozen bytes, giving amplification factors in the tens of thousands, so leaving these servers reachable from the internet is a definite no-no.

Both of these attacks show a significant risk of future exploits, especially as the IoT universe continues to grow. How fun would it be for your fridge to be part of a botnet? On the bright side, GitHub wasn’t even brought down by the attack.

What’s more, DDoS attacks have never been easier to execute. With multiple DDoS-as-a-Service options available, malicious actors can pay a nominal fee to “rent” a botnet of infected computers to execute a DDoS attack against their target of choice.

In September of 2019, attackers hit both Wikipedia and Classic World of Warcraft with DDoS attacks. Currently, there isn’t any indication these attacks are new technology but stay tuned for any updates.

DDoS Attack FAQ

A quick look at the answers to common questions people have about DDoS attacks.

Q: What does DDoS mean?

A: DDoS stands for Distributed Denial of Service. Using multiple connected online devices known as a botnet, a DDoS attack aims to overwhelm the capacity limits of a website's network resources with fake traffic.

Q: What happens during a DDoS attack?

A: During a DDoS attack the distributed computers – botnet – spam the target with as many data requests as possible.

Q: Are DDoS attacks illegal?

A: Yes, it is illegal to use DDoS techniques to disrupt a target without permission. It’s a good practice to set up a DDoS drill so you can practice your Incident Response plan for DDoS attacks, which is a legal use of DDoS.

Q: In a DDoS attack, what communications channel is commonly used to orchestrate the attack?

A: The bots are orchestrated over a Command and Control (C2) channel, historically IRC and today more commonly HTTP/HTTPS or peer-to-peer protocols. The attack traffic itself then uses whatever the target is vulnerable to: HTTP requests, DNS queries, or raw TCP/UDP packets.

DDoS attacks can be disruptive, so take a proactive approach and build an Incident Response plan to respond quickly. Varonis’ unique combination of monitoring and threat detection capabilities give you a head start on your DDoS strategy.
