Botnets are networks of compromised internet-connected devices (usually infected by viruses or other malware) that can be accessed remotely and used to execute any processes defined by the botnet operator. The word “botnet” is a portmanteau, combining robot and networks.
How do botnets work
The bot operator combines multiple hacked computers, or devices, to launch a malicious program and amplify the power and efficiency of the attack. The threat actor can tap into any internet-connected object – and our homes are full of them – including Internet of Things (IoT) devices such as tablets, smartphones, smart thermostats and smart speakers.
Botnets are often used to send requests to remote machines over the internet, are tailored and typically aimed at specific targets. They are more commonly associated with DDoS attacks but can be used for automated traffic (e.g. account takeover or card validation attempts).
There is an increasing number of botnets being made available for hire, read what we had to say on the subject in our recent feature in Computer Business Review.
How to detect botnets
Botnet attacks have grown increasingly sophisticated in recent years as bot operators seek new opportunities to infiltrate a business’ web-facing infrastructure. For instance, threat attackers are increasingly taking advantage of the networks of residential proxies made readily available by the growing number of interconnected IoT devices.
Botnet attacks can be extremely powerful and are often used to carry out highly targeted, distributed attacks. They can remain undiscovered for long periods of time, stealing funds and committing fraud on a large scale while the victim remains entirely unaware. They can also happen suddenly and make their existence incredibly obvious.
The key to spotting a botnet attack is therefore to identify abnormal activity and patterns in traffic. Staff should be trained in how to recognize potential malicious activity – for example, an automated process running on your server that has no clear owner or purpose.
Reports of unusual activity can be investigated further using behavioral analysis tools, which look at the behavior of applications and websites and can be used to assess whether any unusual activity is indicative of a threat actor at work.
Signs that you fell victim to a botnet attack
There are several warning signs that a botnet attack is being carried out, including but not limited to:
- Linking to established command and control (C&C) servers to receive instructions
- Generating IRC traffic via a range of specific ports
- Maintaining simultaneous identical DNS requests to a range of remote hosts
- Executing sophisticated brute-force attacks from IP addresses that have been relatively inactive.
- Usage of C2 protocols such as HTTP, IRC and DNS over non-standard ports and/or to IP addresses unrelated to the botnet operator.
- Observing high levels of outbound connections on both TCP and UDP ports
How to scan your systems for botnets
The first step in scanning for botnets is understanding exactly what you’re looking for. Botnets come in a variety of shapes and sizes depending on their purpose, so it’s important to know which type of threat your system faces before you start running anti-botnet software.
Once you know what to look for, using software is the easiest way to search your system for botnet infections. The most important thing to know before starting this process is that botnets are typically composed of multiple different pieces of malware operating in concert with each other, so you must run anti-malware tools on all machines simultaneously.
You can also use a manual approach to identify infected systems. First, you should check your local DNS settings to see if there are any spoofed IP addresses in order to trick users into clicking on links or opening email attachments that contain malware. This can be done by comparing the information displayed by your system with that provided by a reputable third party service such as Google’s Public DNS.
If you find IP addresses that are likely to be hosting malware or spam, such as proxy and anonymizer services, then write down the associated hostnames so you can block access in the future.
Next, search your system for malicious executables. Specifically, look in the following folders:
- C:\Program Files (x86)
If you find a suspicious process running that isn’t part of your main operating system, then stop the process and check your task manager for additional anomalies. You should also check your network connections to try to identify new ones that may have been created by malware. If no anomalies are visible, then search for IP addresses that no software on your system uses or has registered with a DNS server.
Finally, review your hosts file (C:\windows\system32\drivers\etc\hosts or C:\winnt32_NT\SYSTEM32\DRIVERS\ETC) for any suspicious entries. Botnets often add entries to block security software from communicating with their command and control servers, so you should remove these if they exist. There may also be IP addresses used as command and control servers, in which case you should remove those entries.
If you find any infected systems, then disconnect them from the network immediately to prevent any further damage. All devices on your network should be scanned for malware at least once a week using an anti-malware solution. Anti-malware tools can also scan for and remove botnet malware, but they are less effective at identifying infected devices.
How to protect your computer from botnets
The best way to protect yourself is by stopping botnets before they start. So, you should focus on preventing infections. Below are some methods:
- Use a software firewall and keep it configured so that connections can only come from trusted sources such as your IP address range or corporate domain if using an Active Directory network.
- Apply security patches for known vulnerabilities in the operating system including all web browsers you use regularly. This prevents malware from exploiting vulnerable components to surreptitiously enter your environment. For Windows users, Microsoft also provides security bulletins which list out critical flaws fixed with each patch release so that administrators know what needs to be updated immediately.
- Block access to known malicious websites especially those offering pirated content or running ad-supported revenue models.
- Minimize the use of USB storage devices if you cannot block them completely via an endpoint security solution such as one from Sophos or McAfee. Hackers have been known to infect storage devices used on corporate networks, so this step is important for data centers which support Bring Your Own Device (BYOD) policies. The same applies to download sites and email attachments. Bad actors regularly launch malware attacks that rely solely on tricking users into clicking on a link or image contained within an email message in order to install malicious code on their computers.
- Follow security policies. Make sure that your systems are configured according to your organization’s security policy and/or industry standards.
- Monitor your environment with a real-time solution that can detect botnet activities and block the delivery of malware to your network.
New generation of botnets
The most recently discovered type of botnet is the cloud botnet, where the server software that controls it sits on cloud-based servers instead of being locally installed on an infected computer. This means that the hacker does not have to worry about installing and maintaining their own C&C (command & control) network.
He or she simply rents space on a public webserver online with no resources whatsoever required except the ability to pay for the service; then using a combination of exploits and social engineering techniques, they can commandeer computers all over the world. It also makes it much harder for law enforcement agencies to track down who is behind the attacks as there are so many different sources. For example, the Kelihos botnet is programmed to scan lists of IP addresses and then find any machines with port 80 open. It then found its way onto a public cloud server that was infected, where it could use it as a base from which to conduct DDoS attacks.
Cloud-based botnets also do not have any single C&C software installed on them; all the instructions are run through remote servers meaning they can be shut down immediately if discovered. A strong example of a cloud-based botnet is the aforementioned Kelihos botnet, which also uses peer-to-peer communication technology making it very difficult to stop.
The second most recent type of botnet is the mobile one – unlike most botnets which are aimed at PCs, mobile botnets are infecting smartphones and tablets. Once again this is a result of the increasing number of people relying on their mobiles for access to email, social media or even banking services; if the device is infected it would give hackers an easy way to access these. Mobile botnets typically contain code that can be used for sending messages, attacking other networks or conducting DDoS attacks. Researchers have also discovered that mobile botnets will only infect devices running on particular versions of the Android operating system.
Mobile botnets are very similar to their PC-based counterparts, but they use a different mechanism and have some significant advantages over them: mobile botnets allow hackers to send SMS messages from any mobile hotspot in the world; they do not have limited control channels or protocols as PCs do; there is less code running on smartphones so malicious software tends to go undetected for much longer – potentially months – and many popular messaging apps come preinstalled on most devices.
Frequently asked questions about botnets
How to detect a botnet on your network?
In order to detect a botnet in your network, you need to monitor two things:
1. Monitor the Registry of your server or workstation for changes that would indicate a malware infection such as an increase in the number of entries under HKLM\Software\Microsoft\Windows\CurrentVersion and/or key modifications such as a change from “C:\Program Files” to “C:\PROGRA~1”.
2. Monitor the file structure of your hard drive for newly created files or folders that shouldn’t be there based on your security policy and/or configuration standards.
What happens after I am infected by a botnet?
After infection, the host normally becomes part of what is known as a Botnet (short for robot network). Basically, a Botnet is a network of computers which are running the same malware or piece of malicious code. This botnet then becomes controlled by an operator who can direct what these computers do and how they behave ranging from using them to propagate other malware payloads to conducting Distributed Denial of Service attacks against specific targets for political or financial gain.
How to prevent a botnet attack?
The key things to do in order to prevent a botnet attack are as follows:
- Back up your data regularly so that the malware can’t encrypt or destroy it.
- Ensure that all of your security software is updated and configured correctly on all of your workstations and servers.
- Restrict administrative access based on location, role and/or business requirement. If you have remote offices, ensure that the level of control isn’t higher than the site administrators would need for their specific purposes.
How is a botnet built?
Typically, a botnet consists of several tens to hundreds thousand infected computers. Some malware can also be present on up to five million devices at the same time. It is no secret that cybercriminals use social engineering techniques alongside their malicious tools in order to lure people into downloading and installing malware onto their computers without even realizing it.
How are botnets built?
Typically, a botnet consists of several tens to hundreds of thousand infected computers. Some malware can also be present on up to five million devices at the same time. It is no secret that cybercriminals use social engineering techniques alongside their malicious tools in order to lure people into downloading and installing malware onto their computers without even realizing it.
How do botnets spread?
The most commonly used method of spreading botnets is through exploits. This involves taking advantage of any known security flaws in popular applications such as browsers or e-mail clients.
However, exploits are only effective for a limited time after their discovery due to the fact that vendors fix them very quickly with the release of patches and updates. In order to find fresh victims, cybercriminals resort to other methods: spam emails with malicious attachments, infected USB sticks, fake sites serving rogue antivirus software, etc.
Are botnets illegal?
Yes. Botnets are illegal according to the laws of most countries in one way or another.
What does ‘botnet’ stand for?
Bot is an abbreviation of robot; network is a group of computers or devices connected over a network such as the Internet.
Bot and network have the same Latin root: “robot”. This word was created in the 1920s by Czech writer Karel Čapek. He used it as a name for mechanical devices which were invented at that time to replace human labor on production lines.
How is a botnet created?
A botnet is created by infecting a large number of devices or computers with malware. This can happen in multiple ways.
Usually, the infected device interacts with other unknown devices to form the botnet. Some malicious code might open additional channels of communication which are not directly visible on the machine itself. The malware can also install password sniffers that capture login credentials used to access online services and then distribute them to other devices on the network.
Where and when did botnets originate from?
Botnets are a relatively new phenomenon. The first botnet appeared back in the middle of the 90s, but it was considered to be an experimental project and not used for illegal purposes until early 2000 when DDoS attacks began to emerge.
Early botnets were created using techniques which involved compromising one or two computers only: sending them malicious code or remotely controlling them through IRC (Internet Relay Chat) channels that would issue commands like “download this file” or “install this update”.
How do botnets proliferate DDoS attacks?
Botnets often use the combined computing power of all infected machines to launch DDoS attacks. Depending on the number and type of botnet devices, attack sizes can vary significantly.
How many computers are infected with a botnet virus?
There is no exact answer to this question due to the fact that nobody knows how much malware is actually out there. Most researchers agree, however, that millions of computers around the world have become part of botnets in recent years.
Which operating systems are targeted by cybercriminals first?
Windows-based platforms are usually affected first because they form the backbone of most networks nowadays and their popularity keeps growing each year.
What happens when a computer becomes part of a botnet?
When a device is infected by a bot, its original owner becomes a victim of cybercrime. The main purpose of botnets is to perform the following:
How do botnets communicate?
Botnets use decentralized peer-to-peer communication between infected machines. There is no central server controlling botnets; each computer can act on its own without having to communicate with other devices except initiating the attack (which is done through an IRC channel).
Are botnets easy to track down?
Cybercriminals don’t rely on a single computer or server to run their botnet. This makes it very difficult for law enforcement agencies to discover the physical location of their servers and take them offline. The recent trend among cyber attackers is to gain control over domain names of large hosting providers such as Amazon Web Services, Google or Microsoft Azure by using spear-phishing or similar techniques.
Are botnets designed to steal?
Yes, botnets are created for stealing resources such as private or banking information.
How long can a computer remain part of a botnet?
Depending on whether it is controlled by an IRC channel or not, an infected device can become part of a botnet for as long as its memory does not get cleared (the victim may notice strange system behavior). A more common scenario is when compromised computers stealthily connect to centralized servers using encrypted channels and then wait there until they receive commands from their owners to initiate an attack.
Do botnets deploy malware?
Yes, botnets are created and used to spread malware.
Do botnets send spam?
Yes, malware inside botnets is used to send spam.
Do botnets pose danger to businesses?
Yes, botnets are created for the purpose of stealing resources from businesses (such as banking or private information). In addition, they can also perform DDoS attacks on web servers and cause a significant amount of damage regardless of whether the attack was successful or not.
Do botnet attack APIs?
Yes. They attack not only APIs, but also data exchange channels between applications and databases.
Can botnets flood a web server?
Yes. Botnets can be used for DDoS attacks against any web resource of interest, such as an online shopping website or a bank.
Why are botnets hard to stop?
Unlike many other malicious software, botnets have no clear starting point. Once a server or computer becomes part of one, it needs to be eliminated from the botnet before it can become useful again outside of its peer-to-peer network and respond to new commands.
Does every bot in a botnet act identically?
No, each member of a botnet may have different capabilities. Some bots are only used for downloading files and spreading viruses whereas others are capable of DDoS attacks.
How do botnets make money?
Botnets may be used for making money in a number of ways, such as shutting down competitors’ websites and taking over their traffic or installing hidden affiliate links on legitimate sites to redirect users to malicious websites.
Are botnets really dangerous?
Yes, they can cause significant damage because of their sheer size and the level of control cybercriminals have over them. A single computer acting as part of a botnet, for example, can initiate an attack more than 100 times bigger than it would have been able to do individually.
How long is a botnet lifecycle?
The lifecycle of a botnet is not well defined. The life cycle phases vary from one type to another, and even within the same botnet, some phase steps will occur simultaneously while others are executed sequentially.
Collaborate with a bot management vendor who can quickly and accurately distinguish bots from humans, using technology that learns and adapts as quickly as the bots do to ensures it is always effective and efficient.