A combination of two words—robot and network—a botnet is a network of malware-infected computers that can be wholly controlled by a single command and control center operated by a threat actor. The network itself, which can be composed of thousands if not hundreds of thousands of computers, is then used to further spread the malware and increase the size of the network.
The malware used to recruit new devices to the botnet is intended to spread itself across the internet by looking out for vulnerabilities in exposed devices. These devices can range from personal computers, to IoT devices such as IP cameras and home routers. Once they have found an exposed device, they infect it and report back to their command and control center. They are then tasked with seeking out other similar devices to infect and so the process continues.
Once a device is infected by the malware and recruited to the botnet, it lies in waiting for further instructions as to what type of attack it is to carry out by its ‘master’. In this sense, while the botnet lies in waiting, it is known as a ‘zombie network’.
Depending on the malware that is spread, a botnet could have a variety of purposes that is utilized by the controller of such a network. This could range from information theft to sending of spam. Botnets can be used by anyone who is able to recruit such an army of infected computers, but generally they are operated by organized gangs of online criminals for committing financial fraud.
The types of tasks a botnet malware can be expected to perform are:
Botnets have been around for a long time now with Conficker, first detected in 2008, being the most notorious and largest in history so far. Conficker continues to roam in the wild due to its sophisticated malware techniques. There are very difficult to counter, and so far has infected computers in over 190 countries in areas of government, businesses and consumer computers.
In August 2016 however, a malware called Mirai was discovered to have recruited network devices running Linux to join a large botnet that was then used in large-scale DDoS attacks. The devices it was primarily targeting to recruit were online consumer devices such as IP cameras and home routers.
In October 2017, Check Point Researchers, through Check Point’s Intrusion Prevention System (IPS), picked up on another potential botnet recruitment drive through a malware dubbed ‘Reaper’. Like Mirai, this botnet was attempting to recruit IoT devices that could be used in an potentially large-scale attack.
Victims of botnets are initially those whose devices have been infected by malware that can later be used for an attack. Often this malware can be benign in the short term as its intention may not be aimed against the infected device itself but rather may lie dormant until it is called upon to carry out a specific attack. We call this state of the Botnet a ‘zombie network’.
Botnet attacks though have been behind some of the most damaging cyberattacks against organizations worldwide, including hospitals, national transport links, communication companies and political movements. They have the power of essentially bringing down the internet causing mass disruption worldwide.
Some of the possible signs that your device has been infected by a botnet could be it running much slower than usual, the displaying of error messages on a regular basis and a general feeling that it is not running as it should be.
To prevent this from happening it is a good idea to have a trusted and powerful anti-virus software installed. Adjusting your computer’s settings to update automatically is also recommended so your applications are kept up to date with the most recent patches and fixes of any known exposures they may include.
If you are managing a network of devices then it is important to isolate any machines that may already be infected by disconnecting them from the network. This may require the use of a specialized bot removal tool.