So, what is a botnet? A botnet is a collection of networked machines that can be employed beneficially or with malicious intent. Legitimate uses for bots include crawling and indexing websites for search engines, chatroom policing, and crypto mining. On the darker side, botnet activity has a criminal element.
Botnets allow cybercriminals to infect and control groups of devices to launch distributed denial of service attacks (DDoS), send mass spam, secretly mine cryptocurrencies (cryptojacking), and deploy malware.
Botnets are advantageous for cybercriminals because they can steal the processing power of millions of devices using a technique that’s challenging to detect. This article defines a botnet, how it works, and measures to defend against a botnet attack.
What Is a Botnet?
A botnet is a set of hijacked, Internet-connected user devices used to carry out various automated scams and cyberattacks. Hackers can use botnets to perform DDoS attacks, send spam, steal data, and mine cryptocurrency.
The hacker controls the individual devices in the botnet without the owner’s knowledge or consent by using Command and Control Server software (C&C). This software allows the cybercriminal to send remote commands to each hijacked zombie device in the botnet to get them to perform a specific function.
How Does a Botnet Spread?
A botnet will spread and grow using malware, malicious software that infects individual devices to become ‘zombies’. Malware is usually spread by unsuspecting users downloading software from a free site, clicking a link or bogus attachment in an email, or visiting a compromised website.
Hackers can also identify a vulnerability in an application or operating system. They look to determine devices with that vulnerability and try to expose those devices to their malware.
How A Botnet Functions
Cybercriminal gangs intend to take control of thousands or even millions of devices that have all been infected with botnet malware, creating a vast zombie network.
Once the botnet is in place, the hacker can command all the malware-infected zombie computers to perform certain functions simultaneously, such as sending out millions of spam emails, secretly mining crypto (cryptojacking) or coordinating a significant DDoS attack.
Types of Botnet
Once the attacker infects and controls the desired number of devices, they can control the bots using two approaches; client-server and peer-to-peer.
The standard botnet client-server model includes setting up a C&C server and sending automated commands to infected botnet clients using a communications protocol like Internet Relay Chat (IRC). The hacker programs the bots to remain dormant and wait for commands from the C&C server before executing malicious activities.
Another common approach to controlling bots is using a Peer-to-Peer (P2P) network. Instead of using C&C servers, P2P botnets rely on a more decentralised approach. Infected devices are programmed to scan for other user devices that already belong to a botnet.
The bots communicate and share updated commands or the current malware versions. The P2P approach is becoming more common than the client-server because hackers wish to avoid detection.
6 Common Botnets To Avoid
Below are examples of six common botnets and their characteristics.
Moobot is a botnet that targets Internet of Things (IoT) devices. It exploits Tenda routers with Remote Code Execution (RCE) vulnerabilities. Moobot was first spotted in April 2020, targeting Small Office Home Office (SOHO) IoT devices. Moobot is associated with an underground malware domain called Cyberium, which has also been used with Mirai variants.
Emotet is a botnet that was initially developed as a banking Trojan. The goal was to access foreign devices and capture sensitive private data. Once infected, the malware spreads to infiltrate other network devices to expand the botnet.
Mirai is a botnet that zeroes in on IoT devices as they are usually less well-protected. Although it paused in recent years, its spin-offs continue to challenge ethical hackers. First spotted in 2016, it took down an army of smart home appliances and other connected devices because they used weak passwords.
In October 2016, hackers used Mirai to mount an attack against Dyn, a high-profile DNS provider. Criminals flooded multiple servers globally, temporarily disrupting services like GitHub, Twitter, and Spotify.
The Kraken botnet is a network hacking spyware program. It attacks Windows and Mac systems through email, websites, and social networking sites.
Kraken has infected machines in approximately 50 of the Fortune 500 companies. It has grown to over 400,000 bots, sending up to 9 billion spam messages daily (source: Wiki).
Kraken botnet malware was likely designed to evade antivirus software because it employed techniques to thwart it.
Dridex first appeared in 2011 and uses web injection techniques to steal money from users. It also infected USB thumb drives and was initially tracked as a worm, not a Trojan.
Most Dridex zombie machines that make up the botnet are based in Europe, with a large concentration of cases in the United Kingdom, followed by France and Germany.
ZueS was once the most prevalent banking Trojan botnet. At its height, it was responsible for 90% of all online bank fraud incidents worldwide. ZeuS spreads in several different ways.
For example, in 2009, one of the gangs involved executed a massive email campaign delivering ZeuS via the Pushdo spam botnet, whereby approximately 3.6 million US computers were infected.
5 Ways To Defend Against a Botnet
Given how widespread the use of botnets is, you must know how to protect yourself from botnet malware. The following are some practical, helpful tips.
- Email attachments and links embedded in phishing emails are the leading cause of malware infection. Always verify that an email is legitimate before clicking on the attachment, especially if it’s an external email.
- Ensure you are using the latest NextGen antivirus software on devices such as laptops, desktops and smartphones to prevent infection from malicious email attachments or bogus websites that spread malware.
- No matter the device type, be it a laptop, mobile phone or tablet, never click links that appear in messages from an unknown sender. Texts, emails, DM’s, and social media messages can all be vehicles for botnet malware.
- Before you purchase a smart device, IoT, or home gadget that connects to WiFi, check if it has sufficient security features and is running the latest firmware and any security patches.
- For smart IoT devices such as security cameras, smart doorbells, speakers and power meters, ensure to use a complex password. It is essential to change the factory default password.
From a user’s perspective, botnet attacks are challenging to detect because their device will perform slower after it is infected but still be useable.
IT Security teams may notice unusually high traffic on internet-facing WAN links if a botnet has compromised the local network and can run packet captures to inspect the traffic in more detail. Also, users may complain of slow devices such as laptops, desktops and even mobile phones.
Botnet attack vectors are becoming increasingly sophisticated, so corporate security teams need to address these concerns across all industry sectors.