
Botnet attacks have become one of the biggest threats to security systems today. Their growing popularity among cybercriminals comes from their ability to infiltrate almost any internet-connected device, from DVR players to corporate mainframes.

Botnets are also becoming a larger part of cultural discussions around cyber security. Facebook’s fake ad controversy and the Twitter bot fiasco during the 2016 presidential election worry many politicians and citizens about the disruptive potential of botnets.

Recently published studies from MIT have concluded that social media bots and automated accounts play a major role in spreading fake news.

The use of botnets to mine cryptocurrencies like Bitcoin is a growing business for cyber criminals. It’s predicted the trend will continue, resulting in more computers infected with mining software and more digital wallets stolen.

Aside from being tools for influencing elections and mining cryptocurrencies, botnets are also dangerous to corporations and consumers because they’re used to deploy malware, initiate attacks on websites, steal personal information, and defraud advertisers.

It’s clear botnets are bad, but what are they exactly? And how can you protect your personal information and devices? Step one is understanding how bots work. Step two is taking preventative actions. Let’s get into it.

  • How Do Botnets Work?
  • How many bots are in a botnet?
  • Why botnets are useful – to the bad guys
  • What are some Features of a Botnet?
  • How a botnet is created
  • How to Takedown a Botnet
  • What is the Biggest Botnet?
  • What are Some recent Types of Botnet?
  • How to Break your Business Free from Botnet Bondage

How Do Botnets Work?

To better understand how botnets function, consider that the name itself is a blending of the words “robot” and “network”.


In a broad sense, that’s exactly what botnets are: a network of robots used to commit cyber crime. The cyber criminals controlling them are called botmasters or bot herders.

Size Matters

To build a botnet, botmasters need as many infected online devices or “bots” under their command as possible. The more bots connected, the bigger the botnet.

The bigger the botnet, the bigger the impact. So size matters. The criminal’s ultimate goal is often financial gain, malware propagation, or just general disruption of the internet.

Imagine the following: You’ve enlisted ten of your friends to call the Department of Motor Vehicles at the same time on the same day. Aside from the deafening sounds of ringing phones and the scurrying of State employees, not much else would happen.

Now, imagine you wrangled 100 of your friends, to do the same thing. The simultaneous influx of such a large number of signals, pings, and requests would overload the DMV’s phone system, likely shutting it down completely.

Cybercriminals use botnets to create a similar disruption on the internet. They command their infected bot army to overload a website to the point that it stops functioning and/or access is denied. Such an attack is called a distributed denial of service, or DDoS, attack.

Botnet Infections

Botnets aren’t typically created to compromise just one individual computer; they’re designed to infect millions of devices. Bot herders often deploy botnets onto computers through a trojan horse virus.

The strategy typically requires users to infect their own systems by opening email attachments, clicking on malicious pop up ads, or downloading dangerous software from a website.

After infecting devices, botnets are then free to access and modify personal information, attack other computers, and commit other crimes.

More complex botnets can even self-propagate, finding and infecting devices automatically. Such autonomous bots carry out seek-and-infect missions, constantly searching the web for vulnerable internet-connected devices lacking operating system updates or antivirus software.

Botnets are difficult to detect. They use only small amounts of computing power to avoid disrupting normal device functions and alerting the user. More advanced botnets are even designed to update their behavior so as to thwart detection by cybersecurity software.

Users are unaware that their connected device is being controlled by cyber criminals. What’s worse, botnet design continues to evolve, making newer versions harder to find.

Botnets take time to grow. Many will lay dormant within devices waiting for the botmaster to call them to action for a DDoS attack or for spam dissemination.

Vulnerable Devices

Botnets can infect almost any device connected directly or wirelessly to the internet. PCs, laptops, mobile devices, DVRs, smartwatches, security cameras, and smart kitchen appliances can all fall within the web of a botnet.

Although it seems absurd to think of a refrigerator or coffee maker becoming the unwitting participant in a cyber crime, it happens more often than most people realize.

Often appliance manufacturers use insecure passwords to guard entry into their devices, making them easy for autonomous bots scouring the internet to find and exploit.

As the never-ending growth of the Internet of Things brings more devices online, cyber criminals have greater opportunities to grow their botnets, and with it, the level of impact.

In 2016, a large DDoS attack hit the internet infrastructure company Dyn. The attack used a botnet comprised of security cameras and DVRs.

The DDoS disrupted internet service for large sections of the country, creating problems for many popular websites like Twitter and Amazon.

Botnet Attacks

Aside from DDoS attacks, botmasters also employ botnets for other malicious purposes.

Ad Fraud

Cybercriminals can use the combined processing power of botnets to run fraudulent schemes.

For example, botmasters build ad fraud schemes by commanding thousands of infected devices to visit fraudulent websites and “click” on ads placed there. For every click, the hacker then gets a percentage of the advertising fees.

Selling and Renting Botnets

Botnets can even be sold or rented on the internet. After infecting and wrangling thousands of devices, botmasters look for other cybercriminals interested in using them to propagate malware. Botnet buyers then carry out cyber attacks, spread ransomware, or steal personal information.

Laws surrounding botnets and cybercrime continue to evolve. As botnets become bigger threats to internet infrastructure, communications systems, and electrical grids, users will be required to ensure their devices are adequately protected from infection.

It’s likely cyber laws will begin to hold users more responsible for crimes committed by their own devices.

Botnet Structures

Botnet structures usually take one of two forms, and each structure is designed to give the botmaster as much control as possible.

Client-server model

The client-server botnet structure is set up like a basic network with one main server controlling the transmission of information from each client. The botmaster uses special software to establish command and control (C&C) servers to relay instructions to each client device.

While the client-server model works well for taking and maintaining control over the botnet, it has several downsides: it’s relatively easy for law enforcement officials to locate the C&C server, and it has only one control point. Destroy the server, and the botnet is dead.

Peer-to-peer

Rather than relying on one centralized C&C server, newer botnets have evolved to use the more interconnected peer-to-peer (P2P) structure. In a P2P botnet, each infected device functions as a client and a server.

Individual bots have a list of other infected devices and will seek them out to update and to transmit information between them.

P2P botnet structures make it harder for law enforcement to locate any centralized source. The lack of a single C&C server also makes P2P botnets harder to disrupt. Like the mythological Hydra, cutting off the head won’t kill the beast. It has many others to keep it alive.
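The two structures above can be compared directly by modelling them as graphs and asking how much of the botnet the operator can still reach after a takedown. The following is an added example written for this article, not code from the page or from any botnet; the topologies (a star for client-server, a ring with chords for P2P, where each bot keeps a short peer list) are simplifying assumptions chosen to illustrate the point:

```python
from collections import deque


def star_topology(n_bots):
    """Client-server model: every bot is linked only to the single C&C node 'cc'."""
    edges = {"cc": set()}
    for i in range(n_bots):
        bot = f"bot{i}"
        edges[bot] = {"cc"}
        edges["cc"].add(bot)
    return edges


def peer_topology(n_bots, peers_per_bot=3):
    """P2P model (assumed shape): no central node; bot i keeps a peer list
    of the next `peers_per_bot` bots, forming a ring with chords, and every
    link is two-way so updates can flow in either direction."""
    edges = {f"bot{i}": set() for i in range(n_bots)}
    for i in range(n_bots):
        for k in range(1, peers_per_bot + 1):
            j = (i + k) % n_bots
            edges[f"bot{i}"].add(f"bot{j}")
            edges[f"bot{j}"].add(f"bot{i}")
    return edges


def reachable_from(edges, start, removed=frozenset()):
    """Breadth-first walk that treats nodes in `removed` as taken down."""
    if start in removed or start not in edges:
        return set()
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in edges[node]:
            if nxt not in removed and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def controllable_fraction(edges, entry_points, removed=frozenset()):
    """Share of all bots the operator can still reach from the given entry
    points (the C&C server, or any bot the operator injects commands into)
    once the nodes in `removed` have been taken down."""
    all_bots = {n for n in edges if n.startswith("bot")}
    reached = set()
    for entry in entry_points:
        reached |= reachable_from(edges, entry, removed)
    surviving = reached & (all_bots - set(removed))
    return len(surviving) / len(all_bots)


if __name__ == "__main__":
    star = star_topology(20)
    p2p = peer_topology(20)
    # Client-server: removing the one C&C node leaves nothing controllable.
    print("star, C&C removed:", controllable_fraction(star, ["cc"], {"cc"}))
    # P2P: removing three adjacent bots still leaves the rest reachable
    # from any surviving bot the operator can talk to.
    print("p2p, 3 bots removed:",
          controllable_fraction(p2p, ["bot0"], {"bot5", "bot6", "bot7"}))
```

The star returns 0.0 after its hub is removed, while the peer ring keeps 85% of its bots reachable after three are removed, because commands simply route around the gap. That is the defender's takeaway from the Hydra comparison: for P2P botnets, sinkholing or quarantining individual nodes is a containment measure for those nodes, not a takedown of the network.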

How many bots are in a botnet?

The number of bots will vary from botnet to botnet and depends on the ability of the botnet owner to infect unprotected devices. For example:

  • A DDoS attack in August 2017 against an Akamai customer was observed to have originated from a botnet comprising more than 75,000 bots
  • A credential-stuffing attack in December 2016 utilized a botnet with nearly 13,000 members to send almost 270,000 login requests per hour against a number of Akamai customers

The effects of a botnet attack can be devastating, from slow device performance to vast Internet bills and stolen personal data.

There are also legal implications to consider. For example, if your computer is used as part of a botnet attack, you may be legally responsible for the consequences of any malicious activities that originated from your device.

Why botnets are useful – to the bad guys

What might cybercriminals do with a botnet? Often, they perform Distributed Denial of Service (DDoS) attacks, in which all the devices on the botnet are told to attempt communication with the same website – thus overloading it, so it can’t handle legitimate visitors or applications.

For example, in late 2016, the “Mirai” botnet built out of 300,000-plus gadgets, such as wireless cameras, routers, and digital video recorders, was unleashed against a variety of targets, including internationally-renowned security researcher Brian Krebs.

The botnet’s authors, fearing exposure, soon released their code to the world – and someone else adapted it to deliver an even larger attack, including one that seriously damaged internet performance throughout the east coast of the U.S., and disrupted sites ranging from Netflix and Amazon to Reddit and The New York Times.

(The trio of hackers behind Mirai recently pled guilty in federal court, getting extremely light sentences in exchange for agreeing to work with the FBI on cybersecurity matters.)

DDoS attacks aren’t all that botnets can be made to do. For example, some have been enlisted to commit ad fraud.

Their zombie devices are told to click on ads at websites owned by the fraudsters – who then collect money from advertisers and ad networks that believe the clicks are coming from real humans. Other botnets have been used to pour spam emails into millions of inboxes worldwide.

What are some Features of a Botnet?

Most botnets currently feature distributed denial-of-service attacks in which multiple systems submit as many requests as possible to a single Internet computer or service, overloading it and preventing it from servicing legitimate requests.

An example is an attack on a victim’s server. The bots bombard the victim’s server with connection requests, overloading it.
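What that overload looks like from the server side is a burst of requests that no single legitimate visitor would produce. The script below is an added example (not code from this article) that parses web-server access log lines in the common log format, measures the peak number of requests from each source inside a sliding window, and also checks the site-wide peak, since in a distributed flood each bot may individually stay under the per-source threshold. The log lines are constructed for the example and use documentation IP ranges; the thresholds are assumptions to tune per site:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# One access-log line in the common log format, e.g.
# 203.0.113.9 - - [21/Oct/2016:11:10:00 +0000] "GET / HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "req": m["req"],
        "status": int(m["status"]),
    }


def peak_rate(timestamps, window):
    """Largest number of events that fall inside any window of length `window`."""
    ts = sorted(timestamps)
    best = start = 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def flood_report(lines, window_seconds=10, per_source_threshold=50,
                 total_threshold=100):
    """Flag sources whose peak request count in the window reaches
    per_source_threshold, and report the site-wide peak so that a flood
    spread thinly over many bots is still visible."""
    window = timedelta(seconds=window_seconds)
    by_ip = defaultdict(list)
    all_ts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line; skip rather than abort the scan
        by_ip[rec["ip"]].append(rec["ts"])
        all_ts.append(rec["ts"])
    peaks = {ip: peak_rate(ts, window) for ip, ts in by_ip.items()}
    total_peak = peak_rate(all_ts, window) if all_ts else 0
    return {
        "sources": {ip: p for ip, p in peaks.items() if p >= per_source_threshold},
        "total_peak": total_peak,
        "distributed_flood": total_peak >= total_threshold,
    }


# Constructed sample log: three bots each fire 60 requests within six
# seconds, while two ordinary visitors make three requests each.
def _make_line(ip, when):
    return f'{ip} - - [{when.strftime(TS_FMT)}] "GET /login HTTP/1.1" 200 512'


_BASE = datetime(2016, 10, 21, 11, 10, 0, tzinfo=timezone.utc)
SAMPLE_LOG = []
for _ip in ["198.51.100.10", "198.51.100.11", "198.51.100.12"]:
    for _i in range(60):
        SAMPLE_LOG.append(_make_line(_ip, _BASE + timedelta(milliseconds=100 * _i)))
for _ip in ["203.0.113.5", "203.0.113.6"]:
    for _i in range(3):
        SAMPLE_LOG.append(_make_line(_ip, _BASE + timedelta(seconds=20 * _i)))

if __name__ == "__main__":
    print(flood_report(SAMPLE_LOG))
```

On the sample, each bot peaks at 60 requests in the window and the site-wide peak is 182, so both the per-source and the aggregate check fire. In practice the per-source view feeds rate limiting or blocking, while the aggregate view is what tells an operator that upstream scrubbing is needed.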

Spyware is software which sends information to its creators about a user’s activities – typically passwords, credit card numbers and other information that can be sold on the black market.

Compromised machines that are located within a corporate network can be worth more to the bot herder, as they can often gain access to confidential corporate information. Several targeted attacks on large corporations aimed to steal sensitive information, such as the Aurora botnet.

E-mail spam consists of e-mail messages disguised as messages from people, but which are actually advertising, annoying, or malicious.

Click fraud occurs when the user’s computer visits websites without the user’s awareness to create false web traffic for personal or commercial gain.

Ad fraud is often a consequence of malicious bot activity, according to CHEQ, Ad Fraud 2019, The Economic Cost of Bad Actors on the Internet.

Commercial purposes of bots include influencers using them to boost their supposed popularity, and online publishers using bots to increase the number of clicks an ad receives, allowing sites to earn more commission from advertisers.

Some of the more recent botnets include Bitcoin mining as a feature in order to generate profits for the operator of the botnet.

Self-spreading functionality has also been spotted in several botnets: the bot takes instructions pushed from a pre-configured command-and-control (C&C) server that specify target devices or networks, and seeks them out in order to infect more hosts. Some botnets use this function to automate their infections.

How a botnet is created

Unlike other threats, crypto-ransomware is neither subtle nor hidden. Instead, it prominently displays lurid messages to call attention to itself, and explicitly uses shock and fear to pressure you into paying the ransom.

A few so-called crypto-ransomware families do not perform the encryption at all, and just use the threat of doing so to extort money. In most cases, however, the threat is actually carried out.

A device can only be involuntarily roped into a botnet if an attacker can gain access to it – first, to plant the bot and subsequently to issue commands to it. Practically, this means a device that is connected to the Internet.

Desktop computers have traditionally been the most common type of device targeted for hijacking into botnets. In recent years however, as other types of devices have become Internet-connected, we’ve seen botnets created from devices such as:

  • IP cameras (Persirai botnet)
  • Routers (Mirai botnet)
  • Linux servers (Ebury botnet)
  • Android mobile devices (WireX botnet)

Attackers can plant bot programs on a device in many ways. One common method is to use an exploit kit hosted on a website to probe every site visitor’s device for an exploitable flaw; if one is found, the kit silently downloads and installs the bot.

Other popular ways include distributing the bot as a file attached to spam emails, or as part of the payload of another harmful program.

Devices that have been infected by a bot are sometimes themselves called bots, or more rarely, zombies.

Commanding the bots

Once the bot program is installed, it will usually try to contact a remote website or server where it can retrieve instructions. This site or server is known as the command-and-control or C&C server.

The attacker controlling the botnet via its C&C server can be referred to as its bot herder, botmaster, operator or controller. This can be either the person responsible for establishing and maintaining the botnet itself, or simply another party that is renting control of the botnet for a time.

The botnet’s operator uses a client program to send instructions to the infected devices. Commands can be issued to a single machine, or to all the devices in the botnet. Depending on how sophisticated the bot program is, the device can be used to:

  • Send out emails or files
  • Collect and forward data
  • Monitor the user’s actions
  • Probe other connected devices
  • Download and run other programs
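A bot that polls its C&C server for instructions leaves a recognisable trace: repeated connections from one host to one destination at nearly regular intervals, whatever the bot is later told to do. The script below is an added example for this article (not code from the page or from any product) that looks for such beaconing in connection records of the kind a firewall or flow export produces. The records are constructed for the example, the thresholds (minimum connections, maximum coefficient of variation of the gaps) are assumptions, and real bots often add jitter, so the tolerance is deliberately loose:

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def find_beacons(records, min_connections=8, max_cv=0.15):
    """records: iterable of (timestamp, src_ip, dst_ip, dst_port).
    A (src, dst, port) triple is reported when it has at least
    `min_connections` connections and the gaps between them are nearly
    constant, measured as standard deviation / mean below `max_cv`."""
    groups = defaultdict(list)
    for t, src, dst, port in records:
        groups[(src, dst, port)].append(t)

    beacons = []
    for (src, dst, port), times in groups.items():
        if len(times) < min_connections:
            continue  # too few events to say anything about periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # all connections at the same instant: a burst, not a beacon
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons.append({
                "src": src, "dst": dst, "port": port,
                "connections": len(times),
                "period_s": round(mean, 1), "cv": round(cv, 3),
            })
    return beacons


# Constructed sample: one host checks in with a remote server roughly
# every 60 seconds (with a few seconds of jitter); another host browses
# a different server at irregular, human-looking intervals.
_BASE = datetime(2017, 4, 1, 9, 0, 0, tzinfo=timezone.utc)
_BOT_OFFSETS = [0, 61, 119, 181, 240, 298, 362, 420, 479, 541, 600, 658]
_USER_OFFSETS = [0, 5, 7, 90, 95, 300, 302, 303, 700, 1500]
SAMPLE_CONNECTIONS = (
    [(_BASE + timedelta(seconds=s), "10.0.0.5", "203.0.113.10", 443) for s in _BOT_OFFSETS]
    + [(_BASE + timedelta(seconds=s), "10.0.0.8", "203.0.113.20", 443) for s in _USER_OFFSETS]
    + [(_BASE + timedelta(seconds=s), "10.0.0.9", "203.0.113.30", 80) for s in (0, 30, 60)]
)

if __name__ == "__main__":
    for b in find_beacons(SAMPLE_CONNECTIONS):
        print(b)
```

On the sample only the 10.0.0.5 to 203.0.113.10 pair is reported, with a period of about 60 seconds and a coefficient of variation near 0.03; the irregular browser and the three-connection host are not. A hit is a lead for investigation (legitimate software updaters and monitoring agents beacon too), so the next step is to check the destination against threat intelligence and look at what the host does after each check-in.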

How to Takedown a Botnet

Given the wide-ranging harm they can cause, it’s not surprising that law enforcement authorities and government-directed Computer Emergency Response Teams (CERTs) in many countries actively work to shut down botnets, as well as hunting down and prosecuting their operators.

On an international level, perhaps the most effective way to neuter a botnet is to find and take down the C&C server. Doing so denies the botnet operators direct control of the enslaved machines. Some of the most notable takedowns in recent years include:

  • Avalanche
  • Dridex
  • Zeus

Global takedowns however are major operations that require significant international cooperation. More immediately, users and administrators can quarantine any infected devices so that it is out of direct communication with the botnet operator, then disinfect them.

Once the devices have been cleaned, it is recommended that users and administrators also evaluate and harden their defenses, to prevent any chance of reinfection that might rope the devices back into the clutches of the botnet.

What is the Biggest Botnet?

Botnets are responsible for hacking, spamming, and malware—here are the most significant botnet attacks with the worst consequences.

Individual compromised systems, commonly known as zombies, together with the criminal’s own system (the master, from which all the other systems are controlled) form a zombie network or “bot-network.” A bot-network can deliver a DDoS attack on a large scale.

Botnets are used to send millions of spam emails, pull websites down for ransom, or harm victims financially or even emotionally. Because of their efficiency, these botnets remain a favorite among cybercriminals.

Here is an overview of nine of the most significant botnet attacks of the 21st century that turned out to be drastic for those affected.

EarthLink Spammer—2000

EarthLink Spammer is the first botnet to be recognized by the public in 2000. The botnet was created to send phishing emails in large numbers, masked as communications from legitimate websites.

Over 1.25 million malicious emails were sent to collect sensitive information, such as credit card details, in the span of a year. The botnet had downloaded viruses on victims’ computers when they clicked on the links in the emails, and this virus remotely fed the information to the sender.

Later, EarthLink sued the creator, who had earned nearly US$3 million from the scheme, for $25 million for spamming its network.

Cutwail—2007

Cutwail, a malware that targets Windows OS through malicious emails, was discovered in 2007. The malware was distributed via the Pushdo Trojan to turn the infected system into a spambot.

Message Labs, a security organization, identified that Cutwail had compromised 1.5–2 million infected systems and was capable of sending 74 billion spam emails per day.

The malware represented 46.5% of global spam distribution, and therefore was recognized as one of the largest botnets in 2009. Even though the FBI, Europol, and other law enforcement agencies attempted to take down Cutwail in 2014, the botnet remains active even today.

Storm—2007

Storm may not be the most malicious piece of malware in the history of a botnet, but it is on track to be the most successful, with the number of systems infected at more than 1 million.

Storm is one of the first peer-to-peer botnets that can be controlled from several different servers. Storm is planted on victims’ systems by sending messages that encourage them to visit a malicious website, where the malware downloads onto the system.

The network was rented out on the dark web, which made it a contributor in a wide range of criminal activities. Most Storm servers were pulled down in 2008, and it is not very active.

Grum—2008

Grum is a massive pharmaceutical spammer bot that was identified in 2008. It turned out to be larger and more complex than experts had imagined. At the time of Grum’s demise in July 2012, it was able to send 18 billion spam emails per day.

Law enforcement discovered 136,000 internet addresses that were sending spam for Grum. Several individuals who were likely responsible for spreading Grum are recognized today as operators of the world’s most active spam botnets.

Kraken—2008

Remember Storm botnet? Now imagine a botnet that is twice as powerful as Storm, and that is how big Kraken is. Damballa, an internet security company, was the first to report Kraken.

Unlike peer-to-peer botnets, Kraken uses command and control servers located in different parts of the world. The botnet infected the infrastructure of 50 of the Fortune 500 companies.

Damballa claimed that botnet infected machines were sending over 500,000 spam messages per day. Though Kraken is inactive today, the security systems spotted its remnants, and those might invoke this botnet again in the future.

Mariposa—2008

Originating in Spain in 2008, the Mariposa botnet hijacked around 12.7 million computers around the world over a period of two years. The word “Mariposa” stands for butterfly in French.

The botnet got its name because it was created with software called Butterfly Flooder, which was written illegally by Skorjanc. Mariposa infected computers in more than 190 countries via various methods, such as instant messages, file sharing, hard disk devices, and more.

The botnet also used malvertising—using digital ads to spread the malware—and was capable of stealing millions of dollars from unsuspecting users by taking their credit card numbers and passwords from banking websites.

Methbot—2016

Methbot is the biggest ever digital ad malware that acquired thousands of IP addresses with US-based ISPs. The operators first created more than 6,000 domains and 250,267 distinct URLs that appeared to be from premium publishers, such as ESPN and Vogue.

Later, video ads from legitimate advertisers were posted on these websites, and the operators sent their bots to “watch” around 30 million ads daily. White Ops uprooted Methbot in 2015, but the botnet might resurface again in the future.

Mirai—2016

Mirai infects digital smart devices that run on ARC processors and turns them into a botnet, which is often used to launch DDoS attacks. If the device’s default username and password have not been changed, Mirai can log into the device and infect it.

In 2016, the authors of the Mirai software launched a DDoS attack on a website belonging to a security services company.

About a week later, they published the source code to hide the origins of the attack; it was then replicated by other cybercriminals, who are believed to have attacked the domain registration service provider Dyn in the same year. At its peak, Mirai had infected over 6 million devices.

3ve—2018

The 3ve botnet comprised three distinct yet interconnected sub-operations, each of which skillfully perpetrated ad fraud while evading investigation. Google, White Ops, and other tech companies coordinated to shut down 3ve’s operations.

It infected around 1.7 million computers and a large number of servers that could generate fake traffic with bots.

The malware also counterfeited 5,000 websites to impersonate legitimate web publishers, along with 60,000 accounts at digital advertising companies, so that the fraudsters could earn from the ads served.

The only goal of this malware was to steal as much money as it could from the US$250 billion global ad industry while remaining undetected for as long as possible.

Botnets have been a constant threat to the IT infrastructure of the industry, and dealing with them requires an aggressive, assertive, and skilled cybersecurity approach.

If you want to be a pro in combating botnet attacks and other similar cybersecurity attacks, you should be a Certified Ethical Hacker (C|EH). C|EH is a credential from EC-Council that equips you with the tools and methodologies required to trace the vulnerabilities that any criminal attacker would have used.

What are Some recent Types of Botnet?

1. ‘Star Wars’ Twitter Botnet

With the growth of social media, bots don’t always have to take control of devices to spread malware or launch cyber attacks. While some might dismiss automated bots on Twitter as simply harmless annoyances, they might pose a serious underlying security threat to users of the popular social media platform.

Twitter serves as a source of online news, handling around 328 million active users each month, with users sending around 500 million tweets a day.

In January, two security researchers discovered a Star Wars-themed Twitter botnet comprised of 350,000 bot accounts, known to tweet random quotes from the movie franchise. The presence of a large botnet like this one may entail unwanted and even significant repercussions.

For instance, the bots may send unsolicited spam, create fake trending topics to sway public opinion, launch certain cyberattacks, and so on. Till present, the actual purpose of this botnet is still unclear.

2. Hajime Malware Botnet

The Hajime botnet, named after the Japanese word for “beginning,” first appeared in October of last year, and as of April 2017 had accumulated 300,000 devices. This particular botnet is different from traditional botnets, whose purposes are typically malicious.

Ironically, it is protecting these compromised IoT devices from being infected by additional malware. According to researchers at Kaspersky Lab, the botnet is “in competition” with the Mirai botnet for control over IoT devices.

However, no additional malicious activity has been detected or traced by researchers. So far, targets have been limited to DVRs (Digital Video Recorders), web-cameras, and routers.

Though the Hajime botnet’s underlying purpose is unclear, there is potential for abuse as the botnet could likely be used as a gateway for hackers to tap into networks and launch more dangerous attacks, like ransomware.

3. WireX Android Botnet

Malicious apps have been rampant all year long. Google’s Play Store in particular has seen a surge of malicious apps and bots disguising themselves as legitimate apps.

In August of 2017, security researchers first came across the WireX botnet, and in a matter of weeks after its initial discovery, infected networks had numbered in the tens of thousands. The bot network primarily infected Android devices, hiding under system processes and waiting patiently to launch the attacks.

Because the apps themselves do not appear malicious after users install them, they evade initial detection. Researchers discovered that the botnet creators may also be using advertising click-fraud software to “repurpose” the bots for launching DDoS attacks.

Luckily, Google officials along with a coalition of tech firms like Akamai, Flashpoint, and Oracle Dyn have taken down the botnet, and Google has stated that they were in the process of removing the malware-ridden apps from affected devices.

4. The Reaper IoT Botnet

The Reaper was first discovered in September and is known to “quietly” target known vulnerabilities in wireless IP-based cameras and other IoT devices by running a list of known usernames and passwords against the device.

Once a device is infected, it can spread malware to other vulnerable devices, enslaving them into the botnet network. The reaper malware is believed to have infected a million networks, but these numbers don’t always tell the whole story.

Security researchers who have closely studied the botnet claim that if the botnet were to launch a DDoS attack, it would pose less of a threat than initially believed and would be easier to stop than the Mirai botnet, which only used 100,000 infected IoT devices.

Though the botnet might not bring down the entire Internet, that is not to say we should not fear the Reaper, as it has the capabilities to launch SYN floods, ACK floods, HTTP floods, and DNS reflection/amplification attacks, which can bring websites down too.

5. Satori IoT Botnet

Dubbed Satori for the Japanese word “awakening,” this botnet emerged almost out of the blue during the first week of December. Security researchers have identified at least 280,000 IP addresses connected to this botnet.

Satori appears to be a variant of the Mirai botnet which has already enslaved hundreds of thousands of home routers. Many are calling it the Mirai botnet’s successor.

However, unlike Mirai or similar variants of it, the Satori botnet spreads by exploiting a zero-day vulnerability in routers and uses a remote code execution bug instead of relying on a Telnet scanner to find vulnerable devices to infect with malware.

The Satori botnet also behaves and functions more like a worm, in which compromised devices infect each other. The botnet is spreading fast, and many security researchers fear that the Satori botnet is able to launch attacks at any given time.

When it comes to threats of the web, botnets may be the most dangerous of them all. Though they are most often associated with one particular type of cyberattack, DDoS, a botnet can actually do more than just flood a website or network with fake “requests” to knock it offline.

They also have the power to flood millions of email inboxes with spam within seconds, launch brute force attacks to crack passwords of vulnerable devices, collect sensitive information from users of infected devices, and more.

How to Break your Business Free from Botnet Bondage

It should be clear by now that preventing botnet infection requires a comprehensive strategy; one that includes good surfing habits and antivirus protection.

Now that you’ve armed yourself with the knowledge of how botnets work, here are some ways to keep botnets at bay.

Update your operating system

One of the tips always topping the list of malware preventative measures is keeping your OS updated. Software developers actively combat malware; they know early on when threats arise. Set your OS to update automatically and make sure you’re running the latest version.

Avoid email attachments from suspicious or unknown sources

Email attachments are a favorite source of infection for many types of viruses. Don’t open an attachment from an unknown source.

Even scrutinize emails sent from friends and family. Bots regularly use contact lists to compose and send spam and infected emails. That email from your mother may actually be a botnet in disguise.

Avoid downloads from P2P and file sharing networks

Botnets use P2P networks and file sharing services to infect computers. Scan any downloads before executing the files or find safer alternatives for transferring files.

Don’t click on suspicious links

Links to malicious websites are common infection points, so avoid clicking them without a thorough examination. Hover your cursor over the hypertext and check to see where the URL actually goes. Malicious links like to live in message boards, YouTube comments, pop up ads, and the like.
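The hover-and-check habit above can be automated for mail or message content you are screening: extract each link, and when the visible text itself looks like a web address, compare the host it shows with the host the href actually points to. The following is an added example written for this article, not code from the page; the HTML snippet is constructed, uses example and documentation addresses only, and the "looks like a URL" test is a deliberately simple assumption:

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Does the anchor's visible text look like a URL or bare domain name?
URLISH = re.compile(
    r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/:?#].*)?$", re.IGNORECASE
)


def host_of(url):
    """Hostname of a URL (scheme optional), lower-cased, without a leading www."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(part.strip() for part in self._current))
            self._current = None


def deceptive_links(html):
    """Return links whose displayed address names a different host than
    the one the link really opens. Text such as 'Click here' is not a URL,
    so it is not compared; that case still needs the manual hover check."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        if not URLISH.match(text):
            continue
        shown, actual = host_of(text), host_of(href)
        if actual and shown != actual:
            flagged.append({"shown": shown, "actual": actual, "href": href})
    return flagged


# Constructed sample message body.
SAMPLE_HTML = """
<p>Dear customer, please visit
   <a href="http://203.0.113.7/login">https://www.bank.example.com</a> to confirm.</p>
<p>Help: <a href="https://bank.example.com/help">bank.example.com/help</a></p>
<p><a href="https://example.net/promo">Click here</a> for offers.</p>
<p><a href="https://secure-bank.example.org/x">https://bank.example.com</a></p>
"""

if __name__ == "__main__":
    for hit in deceptive_links(SAMPLE_HTML):
        print(f"shows {hit['shown']!r} but opens {hit['actual']!r}: {hit['href']}")
```

On the sample the first and last links are flagged (the text shows the bank's domain while the href goes to a raw IP address and to a look-alike domain respectively); the help link matches and is silent, and the "Click here" link is skipped because its text makes no claim about where it goes.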

Get Antivirus Software

Getting antivirus software is the best way to avoid and eliminate botnets. Look for antivirus protection that’s designed to cover all of your devices, not just your computer. Remember, botnets sneak into all types of devices, so look for software that’s comprehensive in scope.


With the Internet of Things increasing, so too does the potential for botnet size and power. Laws will eventually change to hold users more responsible for the actions of their devices. Taking preventative action now will protect your identity, data, and devices.

Final Thoughts

Due to their ability to coordinate attacks at massive scale, as well as deliver diverse payloads and infect other machines, botnets are a significant threat to individuals, enterprises and government organizations.

With botnets now targeting the increasing number of IoT devices flooding both public and private networks, it is essential to ensure that you have EDR protection on endpoints and full visibility into every device on your network.

About Author

megaincome
