InsiderSecurity Blog

Singapore botnet for hire

Thousands of devices in Singapore are being rented out for web access without their owners’ knowledge.

InsiderSecurity, a cyber security firm that provides security monitoring to businesses using algorithms, found that thousands of devices in Singapore have been “rented out” to access the web without their owners’ knowledge.

We believe that these devices are either a Singapore botnet for hire, or part of a peer-to-peer VPN such as Hola VPN. Hola users had their devices rented out for a botnet attack in 2015. A botnet is a network of compromised machines.

In a period of 3 months, our algorithms uncovered 21,760 Singaporean IP addresses being abused. These mostly belong to consumer users from all major Singapore ISPs (Singtel, StarHub, M1, MyRepublic, ViewQuest). We have also found abused IP addresses from local universities (e.g. NUS, NTU, SMU) and a number of companies.

Almost all of the IP addresses appear to be dynamic. Dynamic IP addresses are allocated by ISPs and change over time, so a single device shows up under many addresses. By our analysis, the actual number of devices in Singapore being abused may be between 3000 and 6000.

InsiderSecurity detected these devices when our algorithms picked up unusual patterns in our customers’ traffic. We found that these devices are web scraping data from our customers’ websites, for commercial reasons. The customers’ websites are not breached. So as not to be blocked by the target websites, web scrapers may spread their requests over many IP addresses and make them appear to come from the same geographical region as real users. The web scrapers have tried to be stealthy and stay under the radar, but advanced algorithms allow us to pick out such activity from among billions of events.

While web scraping is an activity that is legally questionable, the use of a botnet or hijacking consumer devices would have crossed the line.

Cyber security implications

The bigger risk is that the same devices can be hired to launch other, more serious cyber attacks, e.g. distributed denial of service (DDoS) attacks.

Due to Singapore’s fast internet backbone, a single household device can have access to hundreds of Mbps of bandwidth. A small local botnet can easily pump out Gbps worth of traffic and overwhelm local servers. Compared to an overseas botnet, a local botnet cannot simply be filtered out by geographic source, because its traffic comes from the same country as the legitimate users.

A third party can also rent the devices for other illegal activities, e.g. uploading terrorist material, or attacking the local network the device sits in (some of the devices are within company networks).

This is the first time, or one of the first times, that a Singapore botnet has been uncovered.

Technical details

Our algorithms picked up tell-tale signs that thousands of consumer devices in Singapore are being hijacked for web scraping.

1) The devices only access specific URLs, systematically scraping certain types of customer data. This suggests the use of automated code.

2) On a typical day, each device makes only a very small number of requests to a target website (two or fewer, half of the time). A real human user can easily generate tens or hundreds of requests to a website with a single click, since one page view also pulls in scripts, images and other resources. This again suggests the use of automated code.

[Figure: number of times a device is used per day, comparing how a legitimate user accesses a website with how the stealthy web scraper accesses it]

3) On a typical day, 95% of the URLs requested by the devices are requested only once. No URL is requested more than 3 times, despite there being thousands of requests. This is highly unlikely if the users are humans, since certain items on a website are a lot more popular than others. Again this suggests the use of automated code.

[Figure: number of times a web resource is requested]

4) The devices have IP addresses from all the major Singapore ISPs (Singtel, StarHub, M1, MyRepublic, ViewQuest), local university networks (e.g. NUS, NTU, SMU), and a number of companies. 21,760 IP addresses were detected within a 3 month period. As most of the IP addresses appear to be dynamic, our analysis is that the actual number of devices abused may be between 3000 and 6000.

5) Interestingly, we see a very small number of devices from other countries, such as China, Thailand, the USA, and even Nepal. The web scraper may have gotten the geographic locations of these devices wrong. This also suggests the full botnet (or peer-to-peer VPN) is international in scope, and that only devices in Singapore have been deliberately hired for web scraping Singapore-based websites.

6) The affected devices may be routers, IP cameras, desktops, or mobile devices. If a peer-to-peer VPN is responsible, then the devices will be mobile devices and desktops.

7) We also did a sampling check to verify that the devices are not Tor exit nodes, in case someone is exploiting Tor to access the customers’ data. Tor is a well-known anonymity network.
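As an added illustration (not the post's own code or InsiderSecurity's algorithms), the Python below computes the three per-day statistics from points 1 to 3 over a constructed web-server access log and flags the combination of many near-silent client IPs with a flat URL distribution. The thresholds (two requests per IP, 95% of URLs requested once, no URL more than three times) are the figures quoted in the post; the log format, the sample lines and the minimum number of distinct IPs are assumptions.

```python
import re
from collections import Counter
from statistics import median

# Common-log-format request line: client IP, then the request method and URL (assumed format).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) ')

# Constructed sample: one day of traffic in the pattern the post describes. Many
# client IPs, each fetching one or two product pages, and no page fetched twice.
SCRAPER_LOG = """\
203.0.113.10 - - [01/Mar/2018:10:00:01 +0800] "GET /product/1001 HTTP/1.1" 200 5120
203.0.113.11 - - [01/Mar/2018:10:00:07 +0800] "GET /product/1002 HTTP/1.1" 200 5088
203.0.113.12 - - [01/Mar/2018:10:00:13 +0800] "GET /product/1003 HTTP/1.1" 200 4990
203.0.113.12 - - [01/Mar/2018:10:04:52 +0800] "GET /product/1004 HTTP/1.1" 200 5011
203.0.113.13 - - [01/Mar/2018:10:05:20 +0800] "GET /product/1005 HTTP/1.1" 200 5102
203.0.113.14 - - [01/Mar/2018:10:06:02 +0800] "GET /product/1006 HTTP/1.1" 200 5073
"""

# Constructed sample: two human visitors. Each browses several pages and the
# popular landing page is hit repeatedly, so the URL distribution is skewed.
HUMAN_LOG = """\
198.51.100.7 - - [01/Mar/2018:10:07:00 +0800] "GET / HTTP/1.1" 200 9000
198.51.100.7 - - [01/Mar/2018:10:07:20 +0800] "GET /product/1001 HTTP/1.1" 200 5120
198.51.100.7 - - [01/Mar/2018:10:07:45 +0800] "GET / HTTP/1.1" 200 9000
198.51.100.8 - - [01/Mar/2018:11:00:00 +0800] "GET / HTTP/1.1" 200 9000
198.51.100.8 - - [01/Mar/2018:11:00:30 +0800] "GET /product/1001 HTTP/1.1" 200 5120
"""


def parse(log_text):
    """Return (client_ip, url) pairs for every request line the regex recognises."""
    matches = (LOG_RE.match(line) for line in log_text.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]


def scraper_signals(pairs):
    """Compute the per-day statistics the post uses as tell-tale signs (points 1 to 3)."""
    if not pairs:
        raise ValueError("no parseable requests in log")
    per_ip = Counter(ip for ip, _ in pairs)      # requests made by each client IP
    per_url = Counter(url for _, url in pairs)   # times each URL was requested
    return {
        "distinct_ips": len(per_ip),
        "median_requests_per_ip": median(per_ip.values()),
        "share_urls_requested_once": sum(1 for c in per_url.values() if c == 1) / len(per_url),
        "max_requests_per_url": max(per_url.values()),
    }


def looks_like_distributed_scraper(sig, min_ips=5):
    """Flag many IPs that are each nearly silent while the URL distribution stays flat."""
    return (sig["distinct_ips"] >= min_ips and sig["median_requests_per_ip"] <= 2
            and sig["share_urls_requested_once"] >= 0.95 and sig["max_requests_per_url"] <= 3)
```

On real traffic the statistics would be computed per target site and per day, and the `min_ips` threshold set far higher than the handful of IPs in the constructed sample.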

What can the consumer do about it today?

1) The tech-savvy consumer can check that devices with internet access (e.g. router, IP camera, notebook, mobile phone) have their software updated regularly, and that default passwords are not being used.

2) The use of peer-to-peer VPN software (e.g. Hola browser extensions) carries cyber security risks. As it is peer-to-peer, someone else may be routing traffic through your internet connection for illegal activities. The consumer should decide for himself/herself whether the benefits are worth the risks.

About InsiderSecurity

InsiderSecurity provides a game-changing cyber security monitoring service called Monitor. Monitor uses algorithms and AI to catch cyber attacks. Our users include well-known internet companies. Monitor analyses billions of events a month for our users today.