
BOTNET

WHAT IS A BOTNET?


A botnet is a group of computers (or other internet-connected devices) that have been infected by malware and brought under the control of a malicious actor. The term is a portmanteau of robot and network; each infected device is called a bot. Botnets are built to carry out illegal or malicious tasks at scale, including sending spam, stealing data, deploying ransomware, fraudulently clicking on ads, and launching distributed denial-of-service (DDoS) attacks.






While some malware, such as ransomware, has a direct and visible impact on the device's owner, bot malware varies in visibility: some implants take total control of a device, while others run silently as a background process, waiting for instructions from the attacker, or "bot herder."

Self-propagating botnets recruit additional bots through a variety of channels. Pathways for infection include exploitation of website and software vulnerabilities, Trojan horse malware, and guessing or cracking weak credentials to gain remote access. All of these methods end the same way: malware is installed on the target device, giving the botnet operator remote control. An infected device may then try to propagate the malware further by attacking other devices on the surrounding network.

While it is infeasible to pinpoint the exact number of bots in a particular botnet, estimates of the size of sophisticated botnets range from a few thousand bots to more than a million.





A botnet [short for robot network] is a network of hijacked computers and devices infected with bot malware and remotely controlled by an attacker. The bot network is used to send spam and launch Distributed Denial of Service [DDoS] attacks, and may be rented out to other cybercriminals. Botnets can also operate without a central command and control (C&C) server by using a peer-to-peer [P2P] architecture or other management channels to relay commands from one bot to another.

Initially, botnet operators used IRC to deliver instructions and launch DDoS attacks. Many more recent botnet operations have been observed mining cryptocurrency, intercepting data in transit, sending logs containing sensitive user information back to the botmaster, and consuming the infected machine's resources.



Botnets have continued to evolve over the years. Their most common features now include varied C&C models [centralized or distributed] and attack types [spam, DDoS, data theft], a wider range of communication protocols [IRC, HTTPS], effective evasion techniques [SSL, VoIP tunneling], and versatile rallying mechanisms by which a bot finds its controller [hard-coded IP addresses, distributed DNS services].

Botnets have also been used to target point-of-sale [PoS] and other payment systems. 


Trend Micro's free RUBotted service monitors your computer for suspicious activity associated with bots. If it discovers a potential infection, RUBotted identifies and cleans it with Trend Micro™ HouseCall™, which can detect known and unknown variants of botnet families, including the following notorious botnets [5]:

  • ZBOT/ZeuS – bank information stealer
  • KOOBFACE – most successful Web 2.0 botnet
  • WALEDAC – infamous spamming bot

A botnet is a group of computers connected in a coordinated fashion for malicious purposes. Each computer in a botnet is called a bot. These bots form a network of compromised computers, which is controlled by a third party and used to transmit malware or spam, or to launch attacks.
A botnet may also be known as a zombie army. 

Originally, bots were legitimate tools in Internet Relay Chat (IRC) channels, automating channel administration. Attackers later repurposed the same idea, writing IRC-controlled bots that performed malicious tasks such as password theft and keystroke logging.

An attacker will often target computers not safeguarded by a firewall and/or anti-virus software. A botnet operator can take control of a computer in a variety of ways, but most frequently does so via viruses or worms. Botnets matter because they have become tools that both individual attackers and organized crime use to perform illegal activities online. For example, attackers use botnets to launch coordinated denial-of-service attacks, while organized crime uses botnets to send spam or phishing campaigns that are then used for identity theft.

Even more concerning is the industry that has sprung up around botnets in which bot herders build botnets specifically to "rent" to the highest bidder. Whether they send spam, adware/spyware, viruses/worms, etc., botnets can be used to perpetrate just about any type of digital attack.
A botnet is a collection of internet-connected devices, which may include PCs, servers, mobile devices and internet of things devices that are infected and controlled by a common type of malware. Users are often unaware of a botnet infecting their system.

Botnets have become one of the biggest threats to security systems today. Their growing popularity among cybercriminals comes from their ability to infiltrate almost any internet-connected device, from DVR players to corporate mainframes.
 
Botnets are also becoming a larger part of cultural discussions around cyber security. Facebook’s fake ad controversy and the Twitter bot fiasco during the 2016 presidential election worry many politicians and citizens about the disruptive potential of botnets. Recently published studies from MIT have concluded that social media bots and automated accounts play a major role in spreading fake news.

The use of botnets to mine cryptocurrencies like Bitcoin is a growing business for cyber criminals. It’s predicted the trend will continue, resulting in more computers infected with mining software and more digital wallets stolen.


Aside from being tools for influencing elections and mining cryptocurrencies, botnets are also dangerous to corporations and consumers because they’re used to deploy malware, initiate attacks on websites, steal personal information, and defraud advertisers.


It’s clear botnets are bad, but what are they exactly? And how can you protect your personal information and devices? Step one is understanding how bots work. Step two is taking preventative actions.

Infected devices are controlled remotely by threat actors, often cybercriminals, and are used for specific functions, so the malicious operations stay hidden to the user. Botnets are commonly used to send email spam, engage in click fraud campaigns and generate malicious traffic for distributed denial-of-service attacks. 

The Internet is filled with threats to online security. Many of these threats are just productive, positive technologies turned to evil use. The botnet is an example of using good technologies for bad intentions. A botnet is nothing more than a string of connected computers coordinated together to perform a task. That can be maintaining a chatroom, or it can be taking control of your computer. Botnets are just one of the many perils out there on the Internet. Here’s how they work and how you can protect yourself.

Bots are also the workhorses of the Internet: connected programs performing repetitive tasks such as indexing websites or keeping an Internet Relay Chat channel running. Networks of these bots are entirely legal and even beneficial to maintaining a smooth user experience on the Internet.

What you need to be careful of are the illegal and malicious botnets. They gain access to your machine through some piece of malicious code. In some cases your machine is attacked directly; in others an automated scanner (sometimes called a "spider", a program that crawls the Internet looking for security holes to exploit) performs the break-in without any human involvement.

More often than not, what a botnet is looking to do is add your computer to its web. That usually happens through a drive-by download or by fooling you into installing a Trojan horse. Once the software is installed, the bot contacts its controller and reports that it is ready. From then on your computer, phone or tablet is under the control of the person who runs the botnet.

Once the botnet’s owner is in control of your computer, they usually use your machine to carry out other nefarious tasks. Common tasks executed by botnets include:


  • Using your machine’s power to assist in distributed denial-of-service (DDoS) attacks to shut down websites.
  • Emailing spam out to millions of Internet users.
  • Generating fake Internet traffic on a third-party website for financial gain.
  • Replacing banner ads in your web browser specifically targeted at you.
  • Showing pop-up ads designed to get you to pay for removal of the bot through a phony anti-spyware package.
The short answer is that a botnet is hijacking your computer to do what botnets do -- carry out mundane tasks -- faster and better.


Why are botnets created?

Reasons for using a botnet range from activism to state-sponsored disruption, with many attacks carried out simply for profit. Hiring botnet services online is relatively inexpensive, especially relative to the amount of damage they can cause. The barrier to creating a botnet is also low enough to make it a lucrative business for some software developers, especially in regions where regulation and law enforcement are limited. This combination has led to a proliferation of online attack-for-hire services.

How is a botnet controlled?

A core characteristic of a botnet is the ability to receive updated instructions from the bot herder. The ability to communicate with each bot in the network allows the attacker to alternate attack vectors, change the targeted IP address, terminate an attack, and other customized actions. Botnet designs vary, but the control structures can be broken down into two general categories:

The client/server botnet model

The client/server model mimics the traditional remote workstation workflow where each individual machine connects to a centralized server (or a small number of centralized servers) in order to access information. In this model each bot will connect to a command-and-control center (CnC) resource like a web domain or an IRC channel in order to receive instructions. By using these centralized repositories to serve up new commands for the botnet, an attacker simply needs to modify the source material that each botnet consumes from a command center in order to update instructions to the infected machines. The centralized server in control of the botnet may be a device owned and operated by the attacker, or it may be an infected device.
A number of centralized botnet topologies have been observed, including the star topology, in which every bot connects directly to a single C&C server.

How botnets work

 

To better understand how botnets function, consider that the name itself is a blending of the words “robot” and “network”. In a broad sense, that’s exactly what botnets are: a network of robots used to commit cyber crime. The cyber criminals controlling them are called botmasters or bot herders.

Size Matters

To build a botnet, botmasters need as many infected online devices or “bots” under their command as possible. The more bots connected, the bigger the botnet. The bigger the botnet, the bigger the impact. So size matters. The criminal’s ultimate goal is often financial gain, malware propagation, or just general disruption of the internet.


Imagine the following: You’ve enlisted ten of your friends to call the Department of Motor Vehicles at the same time on the same day. Aside from the deafening sounds of ringing phones and the scurrying of State employees, not much else would happen. Now, imagine you wrangled 100 of your friends, to do the same thing. The simultaneous influx of such a large number of signals, pings, and requests would overload the DMV’s phone system, likely shutting it down completely.


Cybercriminals use botnets to create a similar disruption on the internet. They command their infected bot army to overload a website to the point that it stops functioning and/or access is denied. Such an attack is called a distributed denial of service, or DDoS.

Most people whose devices are part of a botnet aren't even aware that their security has been compromised. However, taking simple, common-sense precautions when using the Internet can both remove bot malware that has already been installed and prevent it from being installed on your computer, tablet and phone in the first place.

  • Good security begins with an Internet security suite that detects malware that has been installed, removes what’s present on your machine and prevents future attacks.
  • Always update your computer’s operating system as early as possible. Hackers often utilize known flaws in operating system security to install botnets. You can even set your computer to install updates automatically.
  • The same is true of applications on your computer, phone and tablet. Once weaknesses are found and announced by software companies, attackers rush to create programs that exploit them.
  • Don’t download attachments or click on links from email addresses you don’t recognize. This is one of the most common vectors for all forms of malware.
  • Use a firewall when browsing the Internet. Both macOS and Windows ship with a built-in firewall; make sure it is turned on rather than assuming it is.
  • Don’t visit websites that are known distributors of malware. One of the things that a full-service Internet security suite can do is warn you when you’re visiting such sites. When in doubt, check with Norton Safe Web.
In general, hackers tend to look for low-hanging fruit. If you can mount even basic defenses, botnets and other forms of malware are going to look for easier targets.


 

The term botnet is derived from the words robot and network. A bot in this case is a device infected by malware, which then becomes part of a network, or net, of infected devices controlled by a single attacker or attack group.
The botnet malware typically looks for vulnerable devices across the internet, rather than targeting specific individuals, companies or industries. The objective for creating a botnet is to infect as many connected devices as possible, and to use the computing power and resources of those devices for automated tasks that generally remain hidden to the users of the devices.

For example, an ad fraud botnet that infects a user's PC will take over the system's web browsers to divert fraudulent traffic to certain online advertisements. However, to stay concealed, the botnet won't take complete control of the web browsers, which would alert the user. Instead, the botnet may use a small portion of the browser's processes, often running in the background, to send a barely noticeable amount of traffic from the infected device to the targeted ads.

On its own, that fraction of bandwidth taken from an individual device won't offer much to the cybercriminals running the ad fraud campaign. However, a botnet that combines millions of devices will be able to generate a massive amount of fake traffic for ad fraud, while also avoiding detection by the individuals using the devices.
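The DMV analogy earlier on this page and the ad fraud description above make the same point from the defender's side: traffic that is "barely noticeable" per device is only visible in aggregate. The following added example (not code from the original article) shows why a classic per-IP rate limit misses it, and how a window-level check catches it. The log lines are constructed for illustration; the IP ranges, paths and thresholds are assumptions.

```python
"""Spot 'many sources, few requests each' bot traffic in web server logs.

Added example, not from the original article. SAMPLE_LOG is constructed:
the first minute is a handful of ordinary visitors, the second minute is
40 distinct sources sending only 2 requests each (80 in total).
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log, one "<ISO timestamp> <src_ip> <path>" per line.
SAMPLE_LOG = []
for i, n in enumerate([2, 3, 1, 2]):                       # baseline minute
    for k in range(n):
        SAMPLE_LOG.append(f"2024-05-01T10:00:{10 + i * 5 + k:02d} 198.51.100.{i + 1} /index.html")
for i in range(40):                                        # bot minute
    for k in range(2):
        SAMPLE_LOG.append(f"2024-05-01T10:01:{(i + k) % 60:02d} 203.0.113.{i + 1} /ads/click?id=77")


def parse_line(line):
    ts, ip, path = line.split(" ", 2)
    return datetime.fromisoformat(ts), ip, path


def bucket_by_minute(lines):
    """Group requests into per-minute windows: {minute: Counter(src_ip)}."""
    windows = defaultdict(Counter)
    for line in lines:
        ts, ip, _ = parse_line(line)
        windows[ts.replace(second=0, microsecond=0)][ip] += 1
    return windows


def per_source_alerts(windows, per_ip_limit=10):
    """Classic rate limiting: flag any single IP above the per-minute limit.
    Bot traffic spread thinly over many devices never trips this."""
    return {(m, ip) for m, c in windows.items() for ip, n in c.items() if n > per_ip_limit}


def distributed_alerts(windows, baseline_total, factor=5, per_ip_limit=10):
    """Flag minutes whose aggregate volume exceeds factor x baseline while no
    single source exceeds the per-IP limit: the signature of a botnet that
    keeps each bot quiet but adds up to a flood."""
    alerts = []
    for m, c in sorted(windows.items()):
        total = sum(c.values())
        if total > factor * baseline_total and max(c.values()) <= per_ip_limit:
            alerts.append({"minute": m.isoformat(), "total": total,
                           "sources": len(c), "max_per_ip": max(c.values())})
    return alerts


if __name__ == "__main__":
    w = bucket_by_minute(SAMPLE_LOG)
    print("per-IP alerts:", per_source_alerts(w))           # empty
    print("distributed alerts:", distributed_alerts(w, baseline_total=8))
```

The baseline here is hard-coded from the first minute; in practice it would come from a rolling median of recent windows, and the per-IP limit from your normal peak per visitor.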



Botnet architecture

Botnet infections are usually spread through malware, such as a Trojan horse. Botnet malware is typically designed to automatically scan systems and devices for common vulnerabilities that haven't been patched, in hopes of infecting as many devices as possible. Botnet malware may also scan for ineffective or outdated security products, such as firewalls or antivirus software.





Once the desired number of devices is infected, attackers can control the bots using two different approaches. The traditional client/server approach involves setting up a command-and-control (C&C) server and sending automated commands to infected botnet clients through a communications protocol, such as internet relay chat (IRC). The bots are often programmed to remain dormant and await commands from the C&C server before initiating any malicious activities.

The other approach to controlling infected bots involves a peer-to-peer network. Instead of using C&C servers, a peer-to-peer botnet relies on a decentralized approach: each infected device holds a list of other infected devices (its peers) and may also be programmed to look for attacker-controlled websites. Bots exchange updated commands or the latest version of the botnet malware among themselves.
The peer-to-peer approach has become increasingly common, as cybercriminals try to avoid detection by cybersecurity vendors and law enforcement agencies, which have often used C&C communications as a way to monitor for, locate and disrupt botnet operations.

Notable botnet attacks

Zeus

The Zeus malware, first detected in 2007, is one of the best-known and widely used malware types in the history of information security.
Zeus uses a Trojan horse program to infect vulnerable devices and systems, and variants of this malware have been used for various purposes over the years, including to spread CryptoLocker ransomware.

Initially, Zeus, or Zbot, was used to harvest banking credentials and financial information from users of infected devices. Once the data was collected, attackers used the bots to send out spam and phishing emails that spread the Zeus Trojan to more prospective victims.

In 2009, cybersecurity vendor Damballa estimated Zeus had infected 3.6 million hosts. The following year, the FBI identified a group of Eastern European cybercriminals who were suspected to be behind the Zeus malware campaign; the FBI later made more than 100 arrests in the U.S. and Europe.
The Zeus botnet was repeatedly disrupted in 2010, when two internet service providers that were hosting the C&C servers for Zeus were shut down. However, new versions of the Zeus malware were later discovered.

Srizbi


The Srizbi botnet, which was first discovered in 2007, was, for a time, the largest botnet in the world. Srizbi, also known as the Ron Paul spam botnet, was responsible for a massive amount of email spam -- as much as 60 billion messages a day, accounting for roughly half of all email spam on the internet at the time. In 2007, the Srizbi botnet was used to send out political spam emails promoting then-U.S. Presidential candidate Ron Paul.

The botnet used a Trojan to infect users' computers, which were then used to send out spam. Experts estimated that the Srizbi botnet included approximately 450,000 infected systems.

The cybercriminals behind Srizbi used San Jose, Calif.-based hosting provider McColo for the botnet's C&C infrastructure. The botnet's activity ceased when McColo, which was discovered to be hosting other botnet and spam operations, as well, was shut down in 2008.

Gameover Zeus

Approximately a year after the original Zeus botnet was disrupted, a new version of the Zeus malware emerged, known as Gameover Zeus.

Instead of relying on a traditional, centralized C&C operation to control bots, Gameover Zeus used a peer-to-peer network approach, which initially made the botnet harder for law enforcement and security vendors to pinpoint and disrupt. As a fallback for when peers were unreachable, infected bots also used a domain generation algorithm (DGA) to find their controllers.

The DGA would generate domain names to serve as communication points for infected bots. An infected device would try generated domains until it reached an active one that was able to issue new commands. Security firm Bitdefender reported two versions of Gameover Zeus, one of which generated 1,000 new domains, and the other 10,000 new domains, each day.

In 2014, international law enforcement agencies took part in Operation Tovar to temporarily disrupt Gameover Zeus by identifying the domains used by the cybercriminals, and then redirecting bot traffic to government-controlled servers.
The FBI also offered a $3 million reward for Russian hacker Evgeniy Bogachev, who is accused of being the mastermind behind the Gameover Zeus botnet. Bogachev is still at large, and new variants of Gameover Zeus have since emerged.
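The Gameover Zeus section above describes a DGA and a takedown that redirected bot traffic by identifying the generated domains. The added example below (not code from the article, and not Gameover Zeus's real algorithm: the seed, hash construction and TLD list are invented) shows the mechanism: once defenders recover the algorithm, they can compute the same daily domain set as the bots and register or redirect it in advance, and spot clients that resolve those names.

```python
"""Toy domain generation algorithm (DGA) and the defender's sinkhole logic.

Added example. The algorithm is illustrative only and is not the one used by
Gameover Zeus; the seed, TLD list and DNS log below are constructed.
"""
import hashlib
from datetime import date

TLDS = ["com", "net", "org", "biz"]  # assumed TLD rotation


def toy_dga(day, count=10, seed=b"example-seed"):
    """Derive `count` deterministic domains from the date and a shared seed.
    The bot and anyone who has reverse-engineered the bot get the same list."""
    domains = []
    for i in range(count):
        h = hashlib.sha256(seed + day.isoformat().encode() + i.to_bytes(2, "big")).digest()
        label = "".join(chr(ord("a") + b % 26) for b in h[:12])   # 12 lowercase letters
        domains.append(f"{label}.{TLDS[h[12] % len(TLDS)]}")
    return domains


def sinkhole_plan(day, count=10):
    """Defender side: the domains to register or redirect for a given day,
    which is what a takedown like Operation Tovar needs ahead of time."""
    return set(toy_dga(day, count))


# Constructed DNS query log, one "client_ip qname" per line (not real data).
SAMPLE_DNS = [
    "10.0.0.5 www.example.com",
    "10.0.0.5 " + toy_dga(date(2014, 5, 30))[3],
    "10.0.0.9 " + toy_dga(date(2014, 5, 30))[7],
    "10.0.0.9 updates.example.net",
    "10.0.0.12 " + toy_dga(date(2014, 5, 29))[0],   # yesterday's domain, already expired
]


def flag_sinkholed(dns_lines, day):
    """Return {client_ip: [qnames]} for clients resolving that day's DGA domains.
    Anything that hits the sinkhole set is a likely infected host."""
    planned = sinkhole_plan(day)
    hits = {}
    for line in dns_lines:
        ip, qname = line.split()
        if qname in planned:
            hits.setdefault(ip, []).append(qname)
    return hits


if __name__ == "__main__":
    today = date(2014, 5, 30)
    print("domains to sinkhole:", sorted(sinkhole_plan(today)))
    print("infected clients:", flag_sinkholed(SAMPLE_DNS, today))
```

The defender's advantage is timing: the bots cannot reach a domain before its date, but the defender can register or redirect all of that day's names as soon as the algorithm is known. The 10.0.0.12 client is deliberately left out of the hits because it queried the previous day's name; in a real deployment you would keep several days of plans and check all of them.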

Methbot


An extensive cybercrime operation and ad fraud botnet known as Methbot was revealed in 2016 by cybersecurity services company White Ops. According to its researchers, Methbot was generating between $3 million and $5 million in fraudulent ad revenue daily at the time of the report by producing fraudulent clicks on online ads, as well as fake views of video advertisements.

Instead of infecting random devices, the Methbot campaign was run on approximately 800-1,200 dedicated servers in data centers located in both the U.S. and the Netherlands. The campaign's operational infrastructure included 6,000 spoofed domains and more than 850,000 dedicated IP addresses, many of which were falsely registered as belonging to legitimate U.S.-based internet service providers.

The infected servers can produce fake clicks and mouse movements, as well as forge social media account logins to appear as legitimate users to fool conventional ad fraud detection techniques. In an effort to disrupt the monetization scheme for Methbot, White Ops published a list of the spoofed domains and fraudulent IP addresses to alert advertisers and enable them to block the addresses.

Mirai


Several powerful, record-setting distributed denial-of-service (DDoS) attacks were observed in late 2016, and they were later traced to a new family of malware known as Mirai. The DDoS traffic was produced by a variety of connected devices, such as wireless routers and CCTV cameras.
Mirai is designed to scan the internet for insecure connected devices, while deliberately skipping IP address ranges belonging to certain major corporations, such as Hewlett-Packard, and government agencies, such as the U.S. Department of Defense.

Once it identifies a device with an exposed Telnet service, the malware tries to log in using a built-in dictionary of default username and password pairs shipped by manufacturers. Once a device is compromised, it connects to the C&C infrastructure and can direct varying amounts of traffic toward a DDoS target.

Devices that have been infected are often still able to continue functioning normally, making it difficult to detect Mirai botnet activity from a specific device. For some internet of things (IoT) devices, such as digital video recorders, the factory password is hard coded in the device's firmware, and many devices cannot update their firmware over the internet.
The Mirai source code was later released to the public, allowing anyone to use the malware to compose botnets leveraging poorly protected IoT devices.
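The Mirai section above, and the later note that appliance makers ship devices with weak or default passwords, suggest the check a defender should run on their own fleet before an attacker does. The following added example (not code from the article or from Mirai) audits a device inventory the way a default-credential scanner would, against a simulated login so it runs offline. The credential list is a small constructed sample (a few pairs such as root/xc3511 and admin/admin do appear in Mirai's published source; the rest of the list, the hostnames and the strength rule are assumptions).

```python
"""Audit an IoT fleet for default, hard-coded and weak credentials.

Added example. SimulatedDevice stands in for a Telnet/SSH listener so the
audit runs offline against an inventory you already own; DEFAULT_CREDS and
FLEET are constructed samples, not a complete list of anything.
"""
import re

# Ordered like a scanner's dictionary: most common pairs first.
DEFAULT_CREDS = [
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "123456"),
    ("admin", "password"), ("root", "default"), ("support", "support"),
]


class SimulatedDevice:
    """A device with one login credential; `changeable` is False when the
    password is hard-coded in firmware and cannot be altered by the owner."""

    def __init__(self, host, user, password, changeable=True):
        self.host, self.user, self.password, self.changeable = host, user, password, changeable
        self.attempts = 0

    def login(self, user, password):
        self.attempts += 1
        return (user, password) == (self.user, self.password)


def probe_defaults(device, creds=DEFAULT_CREDS):
    """Authorized check of our own device: try the dictionary in order and
    return the first working pair, or None. This is exactly the attacker's
    cost model, so a hit on the first few entries means anyone can get in."""
    for user, password in creds:
        if device.login(user, password):
            return (user, password)
    return None


def password_strength(pw):
    """Assumed policy: at least 12 characters and 3 of 4 character classes."""
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    return "strong" if len(pw) >= 12 and classes >= 3 else "weak"


def audit(devices):
    """Return {host: status} with status in
    default-hardcoded (isolate/replace), default (change now), weak, strong."""
    findings = {}
    for d in devices:
        hit = probe_defaults(d)
        if hit and not d.changeable:
            findings[d.host] = "default-hardcoded"
        elif hit:
            findings[d.host] = "default"
        else:
            findings[d.host] = password_strength(d.password)
    return findings


# Constructed inventory.
FLEET = [
    SimulatedDevice("cam-lobby-01", "admin", "admin"),
    SimulatedDevice("dvr-backroom", "root", "xc3511", changeable=False),
    SimulatedDevice("cam-parking-02", "admin", "Qv7!kp2#LmZ9"),
    SimulatedDevice("router-edge", "root", "Summer2023"),
]

if __name__ == "__main__":
    for host, status in audit(FLEET).items():
        print(f"{host:16} {status}")
```

A "default-hardcoded" result is the case the article's prevention section warns about: no password change is possible, so the only remediations are a firmware update from the vendor, network isolation (no inbound Telnet from the internet), or replacement.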

Preventing botnet attacks

In the past, botnet attacks were disrupted by focusing on the command-and-control source. Law enforcement agencies and security vendors would trace the bots' communications to wherever the C&C servers were hosted, and then force the hosting or service provider to shut them down.

However, as botnet malware has become more sophisticated, and communications have become decentralized, takedown efforts have shifted away from targeting C&C infrastructures to other approaches. These approaches include identifying and removing botnet malware infections at the source devices, identifying and replicating the peer-to-peer communication methods and, in cases of ad fraud, disrupting the monetization schemes, rather than the technical infrastructures.

Preventing botnet attacks has been complicated by the emergence of malware like Mirai, which targets routers and internet of things devices that have weak or factory default passwords, and which can be easily compromised.
In addition, users may be unable to change the passwords for many IoT devices, which leaves them exposed to attacks. If the manufacturer cannot remotely update the devices' firmware to patch them or change their hardcoded passwords, then they may have to conduct a factory recall of the affected devices.

Botnet Infections

Botnets aren't typically created to compromise just one individual computer; they're designed to infect millions of devices. Bot herders often deploy bot malware onto computers through a Trojan horse. The strategy typically relies on users infecting their own systems by opening email attachments, clicking on malicious pop-up ads, or downloading dangerous software from a website. Once a device is infected, the bot herder is free to access and modify personal information on it, attack other computers, and commit other crimes.

More complex botnets can even self-propagate, finding and infecting devices automatically. Such autonomous bots carry out seek-and-infect missions, constantly searching the web for vulnerable internet-connected devices lacking operating system updates or antivirus software.

Botnets are difficult to detect. They use only small amounts of computing power to avoid disrupting normal device functions and alerting the user. More advanced bots are even designed to change their behavior to thwart detection by security software. Users are unaware that their connected device is being controlled by cybercriminals, and botnet design continues to evolve, making newer versions harder to find.

Botnets take time to grow. Many bots lie dormant within devices, waiting for the botmaster to call them to action for a DDoS attack or a spam campaign.

Vulnerable Devices

Botnets can infect almost any device connected directly or wirelessly to the internet. PCs, laptops, mobile devices, DVRs, smartwatches, security cameras, and smart kitchen appliances can all fall within the web of a botnet.

Although it seems absurd to think of a refrigerator or coffee maker becoming an unwitting participant in a cybercrime, it happens more often than most people realize. Appliance manufacturers often ship devices with weak or default passwords, making them easy for autonomous bots scouring the internet to find and exploit.

As the never-ending growth of the Internet of Things brings more devices online, cyber criminals have greater opportunities to grow their botnets, and with it, the level of impact.

In 2016, a large DDoS attack hit the internet infrastructure company Dyn. The attack used a botnet comprised of security cameras and DVRs. The DDoS disrupted internet service for large sections of the country, creating problems for many popular websites like Twitter and Amazon.

Botnet Attacks

Aside from DDoS attacks, botmasters also employ botnets for other malicious purposes.

Ad Fraud

Cybercriminals can use the combined reach of a botnet to run fraudulent schemes. For example, a botmaster builds an ad fraud scheme by commanding thousands of infected devices to visit websites under their control and "click" on the ads placed there. For every click, the botmaster collects a share of the advertising fees.
 

Selling and Renting Botnets

Botnets can even be sold or rented on the internet. After infecting and wrangling thousands of devices, botmasters look for other cybercriminals interested in using them to propagate malware. Botnet buyers then carry out cyber attacks, spread ransomware, or steal personal information.
Laws surrounding botnets and cybercrime continue to evolve. As botnets become bigger threats to internet infrastructure, communications systems, and electrical grids, users will be required to ensure their devices are adequately protected from infection. It’s likely cyber laws will begin to hold users more responsible for crimes committed by their own devices.

Botnet Structures

Botnet structures usually take one of two forms, and each structure is designed to give the botmaster as much control as possible.




Client-server model

The client-server botnet structure is set up like a basic network with one main server controlling the transmission of information from each client. The botmaster uses special software to establish command and control (C&C) servers to relay instructions to each client device.

While the client-server model works well for taking and maintaining control over the botnet, it has several downsides: it is relatively easy for law enforcement to locate the C&C server, and the botnet has only one control point. Take down the server, and the botnet is dead.




Peer-to-peer

Rather than relying on one centralized C&C server, newer botnets have evolved to use the more interconnected peer-to-peer (P2P) structure. In a P2P botnet, each infected device functions as a client and a server. Individual bots have a list of other infected devices and will seek them out to update and to transmit information between them.

P2P botnet structures make it harder for law enforcement to locate any centralized source. The lack of a single C&C server also makes P2P botnets harder to disrupt. Like the mythological Hydra, cutting off the head won’t kill the beast. It has many others to keep it alive.
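The client-server and peer-to-peer descriptions above (and the earlier Botnet architecture section) make a claim that is easy to check numerically: seizing the one C&C server kills a star-shaped botnet, while seizing a similar share of a P2P botnet leaves most of it reachable. The added example below (not code from the article) models both as toy graphs and measures what fraction of bots an operator can still command after a takedown. The bot counts, peer-list size and seizure fraction are assumptions.

```python
"""Star (client/server) vs peer-to-peer control topology under takedown.

Added example; the graphs are toy models, not real botnet data. A command is
'delivered' to every node reachable from the injection point through nodes
that have not been seized.
"""
import random
from collections import deque


def star_topology(n_bots):
    """Node 'cc' is the C&C server; every bot has a single edge to it."""
    g = {"cc": set(range(n_bots))}
    for b in range(n_bots):
        g[b] = {"cc"}
    return g


def p2p_topology(n_bots, peers_per_bot=4, seed=1):
    """Each bot keeps a peer list of `peers_per_bot` random other bots; edges
    are undirected because peers also learn about whoever contacted them."""
    rng = random.Random(seed)
    g = {b: set() for b in range(n_bots)}
    for b in range(n_bots):
        for p in rng.sample([x for x in range(n_bots) if x != b], peers_per_bot):
            g[b].add(p)
            g[p].add(b)
    return g


def reachable(g, start, removed=frozenset()):
    """Breadth-first set of nodes a command injected at `start` reaches."""
    if start in removed or start not in g:
        return set()
    seen, queue = {start}, deque([start])
    while queue:
        u = queue.popleft()
        for v in g[u]:
            if v not in removed and v not in seen:
                seen.add(v)
                queue.append(v)
    return seen


def surviving_fraction(g, start, removed):
    """Share of bots (excluding the C&C node itself) still commandable."""
    bots = [n for n in g if n != "cc"]
    alive = reachable(g, start, removed) - {"cc"}
    return len(alive) / len(bots)


def takedown_comparison(n_bots=200, seed=1):
    star = star_topology(n_bots)
    p2p = p2p_topology(n_bots, seed=seed)
    rng = random.Random(seed)
    # Star: the operator's only injection point is the C&C server; seize it.
    star_before = surviving_fraction(star, "cc", frozenset())
    star_after = surviving_fraction(star, "cc", {"cc"})
    # P2P: seize 10% of the bots; the operator injects through any survivor.
    seized = set(rng.sample(range(n_bots), n_bots // 10))
    injection = next(b for b in range(n_bots) if b not in seized)
    p2p_after = surviving_fraction(p2p, injection, seized)
    return {"star_before": star_before, "star_after_cc_seized": star_after,
            "p2p_after_10pct_seized": p2p_after}


if __name__ == "__main__":
    for k, v in takedown_comparison().items():
        print(f"{k:24} {v:.2f}")
```

The star collapses to zero the moment its single control point is gone, which is exactly why takedowns historically targeted C&C hosting. The P2P model loses only the seized bots plus any that were connected solely through them; with a peer list of four, almost nothing else is cut off, which is the "Hydra" behaviour the text describes and why disruption of P2P botnets shifts to infiltrating the peer protocol itself.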

Botnet Prevention

It should be clear by now that preventing botnet infection requires a comprehensive strategy; one that includes good surfing habits and antivirus protection. Now that you’ve armed yourself with the knowledge of how botnets work, here are some ways to keep botnets at bay.

Update your operating system

One of the tips always topping the list of malware preventative measures is keeping your OS updated. Software developers actively combat malware; they know early on when threats arise. Set your OS to update automatically and make sure you’re running the latest version.

Avoid email attachments from suspicious or unknown sources

Email attachments are a favorite source of infection for many types of viruses. Don’t open an attachment from an unknown source. Even scrutinize emails sent from friends and family. Bots regularly use contact lists to compose and send spam and infected emails. That email from your mother may actually be a botnet in disguise.

Avoid downloads from P2P and file sharing networks

Botnets use P2P networks and file sharing services to infect computers. Scan any downloads before executing the files or find safer alternatives for transferring files.

Don’t click on suspicious links


