
The JAKU botnet - what you need to know

22 Jun 2016

Article by Carl Leonard, principal security analyst at Forcepoint

Botnets are a well-known and continually evolving threat.

As one of the most sophisticated and popular types of cybercrime, a botnet is a network of private computers infected with malicious software and controlled as a group without the computer owners' knowledge.

In short, botnets allow attackers to take control of multiple computers at one time to spread malware, send spam and perform Distributed Denial of Service (DDoS) attacks.

Given that organised crime has been operating botnets for years, Forcepoint Security Labs conducted research into the JAKU botnet campaign to gain insight into their inner workings.

JAKU

What makes the JAKU botnet campaign unique is that within the noise of thousands of botnet victims, it targets and tracks a small number of specific individuals. These individuals include members of International Non-Governmental Organisations (NGOs), Engineering Companies, Academics, Scientists and Government Employees. North Korea (DPRK) and Pyongyang are the common theme shared between these individuals.

JAKU uses three different command and control (C2) mechanisms, making it highly resilient. Compressed and encrypted code embedded in image files is used to deliver the second-stage malware, while the botnet controllers monitor the botnet members via obfuscated SQLite databases. The controllers also cleverly re-use widely available open source software, including the UDT network transport protocol, software copied from Korean blogger sites and re-writes of previously published code.
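One thing an analyst can do with the observation that second-stage code travelled inside image files is to triage image attachments and downloads for bytes that the image format does not need. The script below is an added example written for this article; it is not Forcepoint's tooling and not JAKU's actual embedding method, which the article does not describe. It assumes only a generic heuristic: anything after a JPEG EOI marker or a PNG IEND chunk is not required to render the image and deserves a closer look. The sample images and the appended marker string are constructed inline and are not real malware.

```python
"""Flag image files that carry extra data after the format's end marker.

Added example for illustration only: this is not Forcepoint's tooling and
not JAKU's actual embedding technique (the article only says that
compressed, encrypted code was embedded in image files). It assumes one
generic analyst heuristic: bytes appended after a JPEG EOI marker or a PNG
IEND chunk are not needed to render the image and deserve a closer look.
"""
import hashlib
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"


def _png_end(data: bytes):
    """Walk PNG chunks and return the offset just past IEND, or None."""
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length = int.from_bytes(data[pos:pos + 4], "big")
        ctype = data[pos + 4:pos + 8]
        end = pos + 8 + length + 4          # length, type, data, CRC
        if end > len(data):
            return None                     # truncated chunk
        if ctype == b"IEND":
            return end
        pos = end
    return None


def _jpeg_end(data: bytes):
    """Walk JPEG marker segments and return the offset just past EOI, or None."""
    pos = 2                                 # skip SOI
    n = len(data)
    while pos + 2 <= n:
        if data[pos] != 0xFF:
            return None                     # lost sync
        marker = data[pos + 1]
        if marker == 0xD9:                  # EOI
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:
            pos += 2                        # standalone markers carry no length
            continue
        if pos + 4 > n:
            return None
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + seg_len
        if marker == 0xDA:                  # SOS: skip entropy-coded data
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return None


def trailing_data(data: bytes):
    """Return (format, trailing_bytes), or None for unknown or malformed input."""
    if data.startswith(PNG_SIG):
        end, fmt = _png_end(data), "png"
    elif data.startswith(JPEG_SOI):
        end, fmt = _jpeg_end(data), "jpeg"
    else:
        return None
    if end is None:
        return None
    return fmt, data[end:]


def scan(data: bytes) -> dict:
    """Summarise one file for triage; trailing data is hashed, never executed or parsed."""
    found = trailing_data(data)
    if found is None:
        return {"format": "unknown", "suspicious": False, "trailing_len": 0}
    fmt, tail = found
    return {
        "format": fmt,
        "suspicious": len(tail) > 0,
        "trailing_len": len(tail),
        "trailing_sha256": hashlib.sha256(tail).hexdigest() if tail else None,
    }


def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    """Build one PNG chunk with a correct CRC (used only to construct samples)."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return len(payload).to_bytes(4, "big") + ctype + payload + crc.to_bytes(4, "big")


# Constructed samples (not real malware): a minimal PNG and a minimal JPEG,
# each clean, plus copies with a harmless marker string appended.
CLEAN_PNG = PNG_SIG + _png_chunk(b"IHDR", b"\x00" * 13) + _png_chunk(b"IEND", b"")
CLEAN_JPEG = (JPEG_SOI
              + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0
              + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"                      # SOS
              + b"\x12\x34\xff\x00\x56"                       # entropy data with a stuffed 0xFF00
              + b"\xff\xd9")                                  # EOI
APPENDED = b"CONSTRUCTED-APPENDED-BLOB"
STEGO_PNG = CLEAN_PNG + APPENDED
STEGO_JPEG = CLEAN_JPEG + APPENDED

if __name__ == "__main__":
    for name, blob in [("clean.png", CLEAN_PNG), ("odd.png", STEGO_PNG),
                       ("clean.jpg", CLEAN_JPEG), ("odd.jpg", STEGO_JPEG)]:
        print(name, scan(blob))
```

The JPEG walker is deliberately simple (it handles stuffed bytes and restart markers but not every vendor quirk), so treat a `suspicious` hit as a reason to pull the file for manual analysis rather than as a verdict; the script only hashes the trailing bytes and never interprets them.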

JAKU’s victims are spread all over the globe, but a significant number of victims are in South Korea and Japan.

JAKU Attack Map

Forcepoint Security Labs has determined that the botnet C2 servers identified are also located in the APAC region, including Singapore, Malaysia and Thailand.

The JAKU Command and Control (C2) servers have been identified as being located in Malaysia, Thailand and Singapore

Victims per country

The JAKU campaign spans 134 countries with an estimated 19,000 unique victims. Over 87% of victim computers were in one of four countries: South Korea (42%), Japan (31%), China (8%) and the United States (6%).

Both Australia and New Zealand were affected by JAKU.

Victims per language

The victims of the JAKU campaign are clustered around Japanese (30%) and Korean (43%) languages, followed by English (13%) and Chinese (10%).

Victims per time-zone

Each victim machine has a time-zone setting for the geographic region the system is configured to operate in. The two largest time-zone groups of victims were the +09:00 time zone (Korea Standard Time, Tokyo Standard Time and Yakutsk Standard Time), with 69% of victims, and the +08:00 time zone (West Australia Standard Time, North Asian East Standard Time and China Standard Time).

Number of total JAKU victims’ computers/day

Implications of findings

The JAKU research shows botnets are an easy form of resilient, redundant and highly pervasive attack infrastructures that are repeatedly deployed by major threat actors, such as organised crime-sponsored attackers and rogue states via their agencies.

Botnet resilience is strengthened by what appears to be the herding of victims into smaller bot-networks. This, to some degree at least, ensures that if the botnet is compromised then the remainder of the campaign is left to operate.

The JAKU study also highlights the consequences that Internet users who disregard copyrights and digital rights may face. Many may incur endpoint security vulnerabilities that not only leave them subject to attack, but also allow their machines to be misused by adversaries, such as the JAKU botnet controllers, for information and identity theft.

Moving forward

Although bots present a serious challenge for businesses and individuals, there are ways to secure your network quickly and reliably.

Firstly, collaboration is key, as finding, tracking and shutting down attack modes and methodologies can be a formidable task. What is required is close collaboration and intelligence sharing between private organisations and government agencies.

To protect networks prior to infection, businesses and individuals should configure their security software to update automatically and increase the security settings of their browser. Other tips include limiting user rights when online and not opening attachments from unverified senders. The JAKU investigation sheds light on why the victims of botnets are targeted, and how their use of pirated or counterfeit software and movies leaves them vulnerable to attack.

Download the full whitepaper here.
