With their own development skills and resources from the Dark Web, cyber-criminals increasingly have access to complex and sophisticated weapons with which to stage campaigns against unsuspecting or targeted individuals and organizations. One that’s had both staying power and a range of applications is the botnet.
What is a Botnet?
The word botnet is a shortened form of “robot network” – an array of automated systems coordinated remotely from a central point and directed toward a common goal.
In its “White Hat” applications, a botnet may (for example) describe the army of Web-crawling computers that index pages for major search engines, or collect data for analysis. But it’s the “Black Hat” forms of botnet that gain the most attention, by remaining hidden until they strike with damaging or even catastrophic effect.
The process typically begins with malware infecting thousands or even millions of separate computers, often spread across the globe. The objective is to compromise each one so that it can reach, and take orders from, a command and control (C&C) server: a remote hub which the malware reports back to, and which coordinates the actions of every infected machine.
Each compromised computer is called a bot or “zombie” (botnets are variously referred to as bot-networks or zombie networks), and a botmaster or “bot herder” is the cyber-criminal who marshals their actions from the central hub.
Botnet “Recruitment” and “Rentals”
Like an army, assembling a botnet involves recruitment, a process which generally takes place without the consent or even knowledge of the computer users concerned. Zombie networks of around 20,000 separate bots are common, but much larger botnets are far from uncommon.
Phishing emails are a popular ploy, with seductive offers or urgent communications which seem to come from trusted senders luring unsuspecting recipients to open malware-laden attachments or visit compromised websites. Pop-up ads or notifications are another tactic. Once a user clicks through to a baited website, there may be download links posted there, or (worse) scripts that exploit flaws in the browser or its plug-ins to install malware with no further action from the user: a so-called “drive-by download”.
Once the malware is in place, the bots on the network may be used to generate masses of spam emails, provide an insider foothold in sensitive corporate or government networks, bombard enterprise networks or Web resources with requests in a Distributed Denial of Service (DDoS) attack, or carry out any other form of cyber-assault that requires large numbers of distributed threat agents.
Recruitment has become an industry in its own right. Criminal organizations have been known to create huge botnets and sell or rent access to them via the Dark Web to other cyber-criminals, or to those engaged in spamming activities.
Thinning Out the Herd
When the Zeus botnet came to light in 2007, it took a combination of aggressive action from the American FBI and the cooperation of a leading software manufacturer and service provider to put a dent in the activities of the cyber-criminals who used it to wreak havoc and rake in over $70 million by 2012.
Zeus was a Windows Trojan horse, spread through a global campaign of email, online messaging, and booby-trapped downloads, that built botnets of millions of machines. The bots could grab data from Web forms and log keystrokes, and were used to steal login credentials and personal data from users, as well as the details of their accounts at banks and finance institutions. Credit card theft, fraud, and stolen identities followed.
In a 2010 FBI operation, over 100 international cyber-criminals were arrested, and counter-measures against the Zeus Trojan and its botnets were deployed. Software giant Microsoft followed in 2012 with Operation b71, in which most (but not all) of the Zeus C&C servers were either shut down or taken over.
It’s this kind of comprehensive response – not just realising that botnets exist, but identifying the botmasters and taking down their Command and Control – that ultimately puts paid to a zombie network. But there are actions that users can take against botnet activity, on their own.
Some Telling Signs that you have Suffered a Botnet Infection
There are several indicators that a computer or network might be playing host to a botnet infection, including:
- Everyone on your contact list has been receiving the same email messages, which you didn’t send.
- A proliferation of pop-up messages (which may be a sign of click fraud activity).
- Systems slowing down, and/or high processor usage, even with very few programs running.
- Erratic or problematic Internet connections.
- Attempts to connect to known C&C server locations (addresses or domains that appear on threat-intelligence block lists).
- A spike in SMTP traffic (port 25, a favourite for email spammers), or on ports such as 6667 (Internet Relay Chat, or IRC, long used by botmasters for C&C) or 1080 (used by SOCKS proxy servers).
- Identical DNS requests from multiple users on a network, particularly for names none of them would normally resolve.
Note that any or all of these signs may indicate the presence of malicious software that isn’t botnet related, so further investigation may be required.
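The network-side indicators above (C&C contact, port spikes, identical DNS queries across hosts) are simple enough to check mechanically over connection logs. The following is an added example, not code from the original article: it applies those three rules to a handful of constructed flow records. The “known C&C” addresses, host names and block list are invented for illustration (they use documentation-range IPs), and the thresholds are placeholders that would be tuned to a real network.

```python
"""Indicator sweep over constructed connection-log records.

Added example, not code from the original article. It applies the
network-side indicators listed above (C&C contact, port spikes, identical
DNS queries across hosts) to a small set of constructed flow records.
The addresses, host names and block list below are invented for illustration.
"""
from collections import Counter, defaultdict

# Constructed list of "known C&C" addresses: documentation-range IPs, not real indicators.
KNOWN_CC = {"203.0.113.7", "198.51.100.42"}

# Ports singled out in the article: SMTP (spam), IRC (classic C&C channel), SOCKS proxy.
WATCHED_PORTS = {25: "smtp", 6667: "irc", 1080: "socks"}

# Constructed flow records: (src_host, dst_ip, dst_port, dns_query_name or None).
SAMPLE_FLOWS = [
    ("ws-01", "203.0.113.7", 443, None),              # contact with a listed C&C address
    ("ws-04", "198.51.100.9", 6667, None),            # one IRC connection, below the spike threshold
    ("ws-02", "192.0.2.53", 53, "mail.example.com"),  # routine lookup made by a single host
]
# Three hosts resolving the same unfamiliar name.
SAMPLE_FLOWS += [(h, "192.0.2.53", 53, "cdn-sync.example.org") for h in ("ws-01", "ws-02", "ws-04")]
# One host opening 40 outbound SMTP connections to 40 different servers: a spam-bot pattern.
SAMPLE_FLOWS += [("ws-03", f"198.51.100.{i}", 25, None) for i in range(1, 41)]


def cc_contacts(flows):
    """(src_host, dst_ip) pairs where a host reached a listed C&C address."""
    return sorted({(src, dst) for src, dst, _, _ in flows if dst in KNOWN_CC})


def port_spikes(flows, threshold):
    """Outbound flow counts per (host, watched service) that reach the threshold."""
    counts = Counter((src, port) for src, _, port, _ in flows if port in WATCHED_PORTS)
    return {(src, WATCHED_PORTS[port]): n for (src, port), n in counts.items() if n >= threshold}


def shared_dns_queries(flows, min_hosts, baseline=frozenset()):
    """Names queried by at least min_hosts distinct hosts, ignoring names in the baseline.

    The baseline should hold names the organisation's machines resolve anyway
    (update servers, the corporate domain); without it this rule is noisy.
    """
    hosts_by_name = defaultdict(set)
    for src, _, port, query in flows:
        if port == 53 and query and query not in baseline:
            hosts_by_name[query].add(src)
    return {name: sorted(hosts) for name, hosts in hosts_by_name.items() if len(hosts) >= min_hosts}


def sweep(flows, port_threshold=20, min_dns_hosts=3, dns_baseline=frozenset()):
    """Run the three indicator rules and return their findings together."""
    return {
        "cc_contacts": cc_contacts(flows),
        "port_spikes": port_spikes(flows, port_threshold),
        "shared_dns": shared_dns_queries(flows, min_dns_hosts, dns_baseline),
    }


if __name__ == "__main__":
    for rule, findings in sweep(SAMPLE_FLOWS).items():
        print(f"{rule}: {findings}")
```

Run against the constructed records, the sweep reports ws-01 for the C&C contact, ws-03 for the SMTP spike, and the three hosts that resolved cdn-sync.example.org; the lone IRC connection from ws-04 stays below the threshold. The DNS rule is only useful with a baseline of names the organisation’s machines resolve routinely, which is why it takes one as a parameter, and as the article notes every hit still needs investigation before it is treated as a botnet infection.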
Low and Slow
Botnet operations are based on stealth, and botmasters are increasingly using a “low and slow” approach to avoid the counter-measures put in place by security software and Web Application Firewalls.
Low and slow bots bide their time, emulating the behaviours associated with legitimate network users, to avoid detection. It’s a patient and discreet attack, and one that’s forcing security software manufacturers to develop new tools and algorithms to expose this kind of activity. Against fast and slow botnets alike, the basic defensive measures are:
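A concrete illustration of why low and slow traffic slips past volume-based rules, and of one way practitioners go beyond them, follows as an added example (not code from the original article). It contrasts a simple connections-per-minute threshold with a check on how regularly a host contacts the same destination: a bot that calls home on a timer stays far below any rate limit, but the gaps between its connections are suspiciously even, whereas human-driven traffic is irregular. Hosts, addresses, timestamps and thresholds are all constructed for illustration, and the regularity check goes beyond what the article itself describes.

```python
"""Rate rule versus beacon-regularity rule for low-and-slow C&C traffic.

Added example, not code from the original article. It contrasts a simple
volume threshold (which a low-and-slow bot evades) with a check on how
regularly a host contacts the same destination, a common way to expose
bots that call home on a timer. The hosts, addresses, timestamps and
thresholds are constructed for illustration.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed connection records: (src_host, dst_ip, unix_timestamp_seconds).
# 1. A noisy host: 100 connections inside half a minute (easy to catch by volume).
CONNS = [("ws-03", "198.51.100.5", 5000 + i // 3) for i in range(100)]
# 2. A low-and-slow bot: one call home per hour for a day, with up to 120 s of jitter
#    (the jitter follows a fixed arithmetic pattern so the run is deterministic).
CONNS += [("ws-07", "203.0.113.7", 10_000 + i * 3600 + (i * 37) % 241 - 120) for i in range(24)]
# 3. A person browsing: 20 connections to one site at irregular moments.
CONNS += [("ws-02", "192.0.2.80", t) for t in
          (100, 130, 190, 200, 450, 900, 905, 1500, 2200, 2230,
           2235, 3100, 3900, 3905, 4000, 5600, 5650, 7200, 7300, 8000)]


def rate_alerts(conns, window=60, max_per_window=30):
    """Volume rule: (src, dst) pairs exceeding max_per_window connections in any window."""
    buckets = Counter((src, dst, ts // window) for src, dst, ts in conns)
    return sorted({(src, dst) for (src, dst, _), n in buckets.items() if n > max_per_window})


def beacon_alerts(conns, min_conns=12, max_cv=0.15):
    """Regularity rule: pairs whose gaps between connections are nearly constant.

    The coefficient of variation (std dev / mean) of the inter-connection
    gaps is small for a timer-driven beacon even with jitter, and large for
    human-driven traffic. Returns [((src, dst), mean_gap_seconds), ...].
    """
    times = defaultdict(list)
    for src, dst, ts in conns:
        times[(src, dst)].append(ts)
    alerts = []
    for pair, ts in times.items():
        if len(ts) < min_conns:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            alerts.append((pair, round(avg)))
    return sorted(alerts)


if __name__ == "__main__":
    print("rate rule:  ", rate_alerts(CONNS))
    print("beacon rule:", beacon_alerts(CONNS))
```

On the constructed data the rate rule fires only for the noisy host ws-03, while the beacon rule fires only for ws-07, whose hourly call-home has a gap variation of about two percent. Two caveats apply in practice: bots can widen their sleep jitter to push the variation above any fixed cut-off, so the threshold has to be tuned and corroborated with destination reputation; and plenty of legitimate software (time synchronisation, update checks) also beacons on a timer, so a regularity hit is a lead to investigate rather than proof of infection.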
- Use firewalls, antivirus software, and gateway security products to provide a robust line of standing defence.
- Keep operating systems, Web browsers, security and application software patched and up to date.
- If workers use flash drives, mobile devices, laptops etc. within your network, put a mobile device management (MDM) policy in place which includes provisions for endpoint security monitoring.
- Use gateway security together with endpoint protection (a mix of manufacturers is best), to provide comprehensive filtering of Web content.
- Use network intelligence and traffic monitoring tools, to watch for suspicious or unauthorised activities.
- Include botnet awareness in your security training programs and refresher courses.
Removal… and Beyond
There are conflicting schools of thought on just how effective the removal of botnet malware by anti-rootkit tools may be. The safest bet for complete removal is to wipe an infected system clean and rebuild it from known-good installation media, then change any passwords or credentials that were used on the machine while it was infected.
This emphasises the need for regular, tested, and secure backups of all your critical documents, applications, and data – a hedge against malware and cyber-security threats of all kinds.