Botnets are becoming increasingly popular among cybercriminals because they can infiltrate almost any internet-connected device. Today they pose one of the biggest threats to security systems: their use ranges from activism to sponsored disruption, though most attacks are simply profit driven. They are commonly used to influence elections by spreading fake news and to mine cryptocurrencies. Naturally, people are curious about what a botnet is and how it works. We've got you covered.
What are botnets?
A botnet is a group of internet-connected devices that have been infected with malware which lets a malicious user control them from a remote location. They are dangerous to both corporations and consumers, as they can be built for a variety of tasks such as deploying malware, sending spam, stealing personal data, defrauding advertisers and launching DoS attacks.
Depending on the method of control, the attacker or “bot herder” can amplify the damage they cause.
Some malware is designed to take total control of the target device, while other malware runs silently as a background process, waiting for instructions from the bot herder. The scale of an attack depends on the size of the botnet, so attackers use self-propagating botnets that recruit additional devices as bots through a variety of channels. The devices targeted in these seek-and-infect missions are the ones that lack OS updates or antivirus software. IoT devices such as security cameras and refrigerators are particularly vulnerable, as they are relatively new and their security is not taken as seriously as that of computing devices.
This entire operation happens without the knowledge of the device's owner; that is, they are both a victim of cybercrime and, unknowingly, an accomplice as well.
Botnet control structure
A major requirement for a sophisticated attack is the botnet's ability to receive updated instructions from the bot herder. The attacker can change targeted IP addresses, start or terminate an attack, and trigger other customised actions. The designs that accomplish this vary, but the structure is always built to give the attacker as much control as possible.
The client-server model mimics the traditional network set-up in which each individual machine connects to one main server to access information. Each bot connects to a command and control server, which the botmaster uses to modify the source code and relay instructions to each client device. Popular centralized botnet topologies include the Star, Multi-Server and Hierarchical network topologies.
Although this model works well for taking and maintaining control over the botnet, only the server needs to be disrupted to kill the botnet. Sophisticated attackers are moving to the P2P model to remove this single (or few) point of failure.
The decentralized peer-to-peer structure has recently been adopted to overcome the shortcomings of the client-server model. These botnets work hand-in-hand with their neighbouring nodes, where each infected device functions as a client as well as a server. Each bot connects to a limited number of trusted devices with which it communicates and exchanges malware updates. This army is harder to disrupt, as tracking down a single server isn't enough to stop the attack. P2P botnet traffic is typically encrypted so that access is limited and the bot herder does not lose control of the botnet.
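As an added example (not part of the original post), the following Python script builds two constructed toy graphs, a star botnet and a ring-style P2P botnet, and counts how many bots can still receive commands after a takedown removes some nodes. The ring layout, node counts and abstract node ids are assumptions standing in for the "limited number of trusted devices" described above.

```python
# Added example (constructed toy graphs, not real malware or hosts): why a star
# botnet dies when its C2 node goes, while a P2P botnet survives partial takedown.
from collections import deque
C2 = 0  # node id of the command-and-control server in the star model

def build_star(n_bots):
    """Star topology: every bot talks only to the C2 server (node 0)."""
    graph = {C2: set(range(1, n_bots + 1))}
    for bot in range(1, n_bots + 1):
        graph[bot] = {C2}
    return graph

def build_p2p(n_bots, k=2):
    """P2P topology: bot i trusts its 2*k ring neighbours, a constructed stand-in
    for the 'limited number of trusted devices' each bot keeps."""
    graph = {i: set() for i in range(n_bots)}
    for i in range(n_bots):
        for d in range(1, k + 1):
            j = (i + d) % n_bots
            graph[i].add(j)
            graph[j].add(i)
    return graph

def take_down(graph, dead):
    """Remove the nodes in `dead` (seized or cleaned up) and every edge to them."""
    return {u: {v for v in nbrs if v not in dead}
            for u, nbrs in graph.items() if u not in dead}

def reachable(graph, start):
    """BFS: nodes that can still receive a command injected at `start`."""
    if start not in graph:
        return set()
    seen, queue = {start}, deque([start])
    while queue:
        u = queue.popleft()
        for v in graph[u]:
            if v not in seen:
                seen.add(v)
                queue.append(v)
    return seen

def bots_still_controlled(graph, dead, inject_at):
    """Bots (excluding the injection point) still reachable after the takedown."""
    survivors = reachable(take_down(graph, dead), inject_at)
    return len(survivors) - 1 if survivors else 0

if __name__ == "__main__":
    star, p2p = build_star(100), build_p2p(100)
    print(bots_still_controlled(star, {C2}, C2))               # 0: seizing the C2 kills it
    print(bots_still_controlled(star, set(range(1, 6)), C2))  # 95
    print(bots_still_controlled(p2p, set(range(5)), 50))      # 94: P2P shrugs it off
```

Seizing the single C2 node leaves zero controllable bots, whereas cleaning five peers out of the P2P graph leaves the remaining 94 still reachable from any surviving node, which is the "single point of failure" difference the two models describe.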
Some Known Botnets
Storm was one of the first known peer-to-peer botnets — that is, it was among the first to be controlled by several different servers that were linked by a Trojan horse spread by email spam. The network was tremendous and could be rented out to any criminal willing to pay for it on the dark web. Because of this, Storm was involved in a wide range of criminal activities, from DDoS attacks to identity theft, and was reportedly powerful enough to force entire countries off the Internet. Some of Storm's servers were shut down in 2008, and today the botnet is thought to be more or less inactive.
Dating from around 2007, Cutwail is a botnet mostly involved in sending spam e-mails. The botnet comprised 1.5 million infected machines at the time and typically infects computers running Microsoft Windows by way of a Trojan component called Pushdo.
Even after an attempted takedown by the FBI and other law enforcement agencies in 2014, the botnet remains active, affecting computer users in over 50 countries, and is still available for rent today.
The Mirai botnet was behind a massive distributed denial of service (DDoS) attack in 2016 that left much of the internet inaccessible on the U.S. east coast. The most surprising thing is that the botnet's original purpose was only to gain an edge in Minecraft, yet the attack expanded and affected the Internet across a huge region. Mirai was one of the most notable botnets as it was the first major botnet to infect insecure IoT devices. At its peak, the worm infected over 600,000 devices.
Botnets can be created with ease, which has made these attacks more accessible and dirt cheap to launch. It is necessary to be vigilant and protect all your internet-connected devices from becoming a bot herder's puppet.
Continue reading about botnets in part two of this blog, where we talk about the types of attacks that botnets are used for and methods to protect against them.