Botnet
What is a Botnet?
The term botnet is derived from the words “robot” and “network”. A bot is a device (a PC, notebook, smartphone, server, home router, etc.) that has been compromised and made to perform tasks automatically on an attacker’s behalf. A botnet is a collection of such compromised devices that can be instructed, through a command-and-control (C2) channel, to carry out orchestrated tasks for attackers with malicious intent. The attacker who controls a botnet is called a “bot herder”. Botnets are a serious threat to the Internet: they account for a large share of email spam, identity theft, phishing and distributed denial-of-service (DDoS) attacks.
The steps below illustrate how a botnet is built up and then used to launch an attack:
To create a botnet, a large number of bots is required, from hundreds to millions. To acquire them, attackers either exploit vulnerabilities in devices and systems or trick users into running malware.
To infect devices with botnet malware, social engineering and malicious websites are common attack vectors: the user is lured into downloading and executing the malicious files. The infected device then joins the botnet and waits for the bot herder’s instructions.
Once enough devices have been compromised, the bot herder can remotely control them to launch cyber attacks or carry out other malicious activities.
Because the bot herder can spread attack tasks across devices all over the Internet, the enormous cumulative bandwidth and the large number of attack sources make botnet-based attacks extremely dangerous and hard to defend against: blocking any single source has little effect. The bot herder issues commands to the bots, which carry out the malicious activity on its behalf.
Botnets can be used to launch a variety of cyber attacks. Common botnet attacks include the following:
A DDoS attack is one of the most common attacks launched from a botnet. The massive number of compromised bots is an ideal source of flooding traffic. The attacker controls every bot remotely and directs the attack by sending instructions to them. Each bot sends requests to the targeted server, service or network; together they generate an enormous volume of traffic that saturates the target’s network links and exhausts its resources, so that legitimate users can no longer be served.
Spam emails are unsolicited and unwanted messages sent indiscriminately to large numbers of recipients. Botnets are often used to relay spam through the infected devices so that the spammer’s own infrastructure is not identified and blacklisted, and blocking any one sending address achieves little. While some spam, mostly commercial advertising, is merely annoying, much of it has harmful consequences such as phishing and the distribution of malware.
Phishing emails usually contain fraudulent links that redirect victims to a fake, malicious website impersonating a trustworthy organisation’s website in order to harvest personal and sensitive information such as login credentials, bank account numbers and credit card details.
A brute force attack uses trial and error to guess a victim’s login credentials by working through possible combinations. Bots within a botnet can be used to run programs that attack web accounts in this way, and because the attempts arrive from many different IP addresses, defences that only limit or block a single source address are easily bypassed. Weak passwords are cracked quickly and lead to leakage of personal and sensitive data.
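The following added example (not part of the original article) shows in Python why a login throttle keyed only on the source IP address does not stop a botnet brute force attack, and how an additional per-account throttle closes the gap. The LoginGuard class, the thresholds, the account and password, and the simulated bot traffic are all assumptions made for illustration.

```python
"""Added example (not from the original article): per-IP lockout alone versus
per-IP plus per-account throttling against a distributed brute force attack.
All names, thresholds and the sample attack traffic are assumptions."""
from collections import defaultdict

# Assumed policy: lock a source IP after 5 failures and, when enabled, lock an
# account after 10 failures. Real deployments also expire these counters.
IP_LIMIT = 5
ACCOUNT_LIMIT = 10

# Hypothetical credential store with one account and a weak password.
USERS = {"alice": "Summer2024"}


class LoginGuard:
    def __init__(self, per_ip_limit=IP_LIMIT, per_account_limit=None):
        self.per_ip_limit = per_ip_limit
        self.per_account_limit = per_account_limit  # None = per-IP throttling only
        self.ip_failures = defaultdict(int)
        self.account_failures = defaultdict(int)

    def attempt(self, src_ip, username, password):
        """Return 'ok', 'denied' or 'locked' for one login attempt."""
        if self.ip_failures[src_ip] >= self.per_ip_limit:
            return "locked"
        if (self.per_account_limit is not None
                and self.account_failures[username] >= self.per_account_limit):
            return "locked"
        if USERS.get(username) == password:
            return "ok"
        self.ip_failures[src_ip] += 1
        self.account_failures[username] += 1
        return "denied"


def simulate_botnet(guard, bots=200, guesses_per_bot=4, secret="Summer2024"):
    """Each bot tries a few guesses from its own IP address, so no single IP
    ever reaches the per-IP limit. Returns (attempts_made, cracked)."""
    # Constructed wordlist; the real password is deliberately the last entry.
    wordlist = [f"password{i}" for i in range(bots * guesses_per_bot - 1)] + [secret]
    attempts = 0
    for bot in range(bots):
        ip = f"198.51.100.{bot + 1}"  # documentation range, one address per bot
        for guess in wordlist[bot * guesses_per_bot:(bot + 1) * guesses_per_bot]:
            attempts += 1
            result = guard.attempt(ip, "alice", guess)
            if result == "ok":
                return attempts, True
            if result == "locked":
                return attempts, False
    return attempts, False


if __name__ == "__main__":
    # Per-IP only: every bot stays under the limit and the password is found.
    print("per-IP only:", simulate_botnet(LoginGuard()))
    # Per-IP plus per-account: the account locks after 10 failures in total.
    print("per-IP + per-account:", simulate_botnet(LoginGuard(per_account_limit=ACCOUNT_LIMIT)))
```

A hard per-account lockout has its own failure mode: an attacker can deliberately lock legitimate users out. Production systems therefore combine per-account counting with sliding time windows, progressive delays, CAPTCHA challenges and multi-factor authentication rather than relying on lockouts alone.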
A bot herder can also direct the bots to perform click fraud. These click bots pretend to be legitimate devices visiting a webpage and clicking on a chosen hyperlink. Each click bot is a different device with a different IP address, so every click appears to come from a different user and does not arouse suspicion. For online advertising that pays per click, the huge click volume generated by click bots can bring the fraudster substantial financial gain. Inflated click rates can also push a malicious website higher in search engine rankings, making it look legitimate.
Cryptocurrency miners are rewarded for the computational work of verifying transactions. Competitive mining needs powerful hardware and a great deal of electricity, so a bot herder has the bots do the mining instead: each bot contributes its processing power, electricity and Internet bandwidth to mine a particular cryptocurrency, and the rewards go to the bot herder. The cumulative computing power of the bots gives the attacker a large mining output at the victims’ expense, in the form of slower devices, higher power bills and worn-out hardware.
How to protect your devices against botnets
Whenever vulnerabilities are identified in operating systems, applications, software and browsers, vendors release patches to fix them. If updates are not applied promptly, the vulnerabilities can be exploited to give attackers control over your devices, and such devices are prime recruits for a botnet. It is therefore important to keep your systems up to date and free from known vulnerabilities.
A firewall is the first layer of defence, filtering out malicious traffic and preventing unauthorised devices from connecting to your network. A properly configured firewall blocks many network-based attacks, and restricting outbound connections can also stop an infected device from reaching its command-and-control server.
Reputable anti-malware software can help prevent, detect and remove botnet malware. Protect your devices with anti-malware software, keep it up to date and scan regularly.
Configure systems securely, for example by disabling “AutoRun” for removable media, and refrain from installing software from untrusted sources.
Removable disks are commonly used to transfer data between devices. If an infected removable disk goes unnoticed, plugging it into a workstation can compromise an enterprise’s network. Scan removable disks with anti-malware software before use to ensure they are free from malware.
Attackers may use pop-up windows or fake software download websites to lure you into downloading malware. Some pop-ups claim that your device has been infected and that anti-malware software is required; clicking the “download” button delivers the malware itself. Download software only from official or trusted websites.
Email is another common way to spread malware: attackers embed the malware in an attachment. Stay vigilant with messages from senders you do not recognise and never open attachments from suspicious emails.
To protect your business against botnets, in addition to the security measures mentioned in the previous sections, you should also take the following steps:
Group users and their workstations by role and place the groups in separate network segments, so that workstations in different segments cannot communicate with each other unless a rule explicitly allows it. If a workstation is infected, devices in other segments are not directly reachable, which limits the spread of the botnet malware.
Close monitoring of unusual events, such as bursts of failed login attempts or abnormal DNS queries (for example, lookups of random-looking domain names, or repeated queries to the same domain at fixed intervals, which may indicate a bot contacting its command-and-control server), helps detect infections early. This allows system administrators to act before the infection spreads to devices across the entire network.
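The following added example (not from the original article) shows, in Python, two checks a monitoring script can run over DNS query logs: flagging names whose registered label looks machine-generated (high character entropy, as produced by domain generation algorithms) and flagging client/domain pairs that are queried at near-constant intervals (beaconing to a command-and-control server). The log format, the thresholds, the helper names and the log lines themselves are constructed assumptions.

```python
"""Added example (not from the original article): scanning DNS query logs for
two botnet indicators, DGA-like names and beaconing. The log format, the
thresholds and the sample log lines are constructed assumptions."""
import math
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one query per line:
# "<ISO timestamp> <client IP> <query name> <record type>"
# 10.0.0.7 queries update.example.net every 60 seconds and once looks up a
# random-looking name; 10.0.0.12 shows ordinary, irregular browsing.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.12 www.example.com A
2024-05-01T10:00:00 10.0.0.7 update.example.net A
2024-05-01T10:00:17 10.0.0.12 www.example.com A
2024-05-01T10:01:00 10.0.0.7 update.example.net A
2024-05-01T10:01:35 10.0.0.12 mail.example.org MX
2024-05-01T10:02:00 10.0.0.7 update.example.net A
2024-05-01T10:03:00 10.0.0.7 update.example.net A
2024-05-01T10:03:41 10.0.0.12 www.example.com A
2024-05-01T10:04:00 10.0.0.7 update.example.net A
2024-05-01T10:04:05 10.0.0.7 qx7zk2mwp9vtr.example A
2024-05-01T10:05:00 10.0.0.7 update.example.net A
2024-05-01T10:05:02 10.0.0.12 www.example.com A
"""


def parse_log(text):
    """Return a list of (timestamp, client, qname, qtype) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        records.append((datetime.fromisoformat(ts), client, qname.lower().rstrip("."), qtype))
    return records


def shannon_entropy(s):
    """Bits of entropy per character of the string s."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname):
    # Assumption: the label left of the TLD is the registered name. Real code
    # should consult the Public Suffix List for suffixes such as co.uk.
    parts = qname.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_like(records, min_len=10, min_entropy=3.5):
    """Return the set of (client, qname) whose registered label looks machine-generated."""
    hits = set()
    for _, client, qname, _ in records:
        label = registrable_label(qname)
        if len(label) >= min_len and shannon_entropy(label) >= min_entropy:
            hits.add((client, qname))
    return hits


def beaconing(records, min_queries=5, max_cv=0.1):
    """Return the set of (client, qname) queried at near-constant intervals.
    The coefficient of variation (stdev / mean) of the gaps is used so that the
    check is independent of the beacon period itself."""
    times = defaultdict(list)
    for ts, client, qname, _ in records:
        times[(client, qname)].append(ts)
    hits = set()
    for key, stamps in times.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            hits.add(key)
    return hits


def analyse(text):
    records = parse_log(text)
    return {"dga_like": dga_like(records), "beaconing": beaconing(records)}


if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG).items():
        for client, qname in sorted(hits):
            print(f"{kind}: {client} -> {qname}")
```

Both checks are triage signals rather than verdicts: legitimate software update checks also beacon at fixed intervals, and some genuine brand names have high character entropy, so hits should be correlated with other evidence (threat intelligence on the domain, unusual processes on the client, other hosts querying the same name) before a device is isolated.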
Disclaimer: Users are also recommended to observe the disclaimer of this website and read the user agreements and privacy policies of the security software and tools before downloading and using them.