What Is A Botnet? The Complete Guide


A botnet is a logical collection of Internet-connected devices, such as computers, smartphones, or Internet of Things (IoT) devices, whose security has been breached and whose control has been ceded to a third party. Each compromised device, known as a “bot,” is created when the device is infected by malware (malicious software).

The controller of a botnet can direct the activities of these compromised computers through communication channels formed by standards-based network protocols, such as IRC and Hypertext Transfer Protocol (HTTP).

The word “botnet” is a portmanteau of the words “robot” and “network”. The term is usually used with a negative or malicious connotation. Botnets are increasingly rented out by cyber criminals as commodities for a variety of purposes, including as booter/stresser services.

Understanding the botnet concept

The term botnet is derived from the words robot and network. A bot, in this case, is a device infected by malicious code, which then becomes part of a network, or net, of infected machines all controlled by a single attacker or attack group.

A bot is sometimes called a zombie, and a botnet is sometimes referred to as a zombie army. Conversely, those controlling the botnet are sometimes referred to as bot herders.

The botnet malware typically looks for devices with vulnerable endpoints across the internet, rather than targeting specific individuals, companies or industries. The objective is to infect as many connected devices as possible and to use the large-scale computing power and functionality of those devices for automated tasks. These attacks generally remain hidden from the users of the devices.

For example, an ad fraud botnet infects a user’s PC with malicious software that uses the system’s web browsers to divert fraudulent traffic to certain online advertisements. However, to stay concealed, the botnet won’t take complete control of the operating system (OS) or the web browser, which would alert the user. Instead, it may use a small portion of the browser’s processes, often running in the background, to send a barely noticeable amount of traffic from the infected device to the targeted ads.

On its own, the fraction of bandwidth taken from an individual device won’t offer much to the cybercriminals running the ad fraud campaign. However, a botnet that combines millions of infected devices can generate a massive amount of fake traffic for ad fraud.

How a botnet works

Botnets are built to grow, automate, and speed up a hacker’s ability to carry out larger attacks. A small team of hackers, or even one person, can only carry out so many actions on their local devices. By investing a little cost and a bit of time, they can acquire tons of additional machines to leverage for more efficient operations.

A bot herder leads a collective of hijacked devices with remote commands. Once the bots have been assembled, the herder issues commands to drive their next actions. The party taking command duties may have set up the botnet or may be operating it as a rental.

Zombie computers, or bots, refer to each malware-infected user device that’s been taken over for use in the botnet. These devices operate mindlessly under commands designed by the bot herder.

The basic stages of building a botnet can be simplified into a few steps:
  1. Prep and Expose — hacker exploits a vulnerability to expose users to malware.
  2. Infect — user devices are infected with malware that can take control of their device.
  3. Activate — hackers mobilize infected devices to carry out attacks.

Stage 1 exposure starts with hackers finding a vulnerability in a website, application, or human behavior. The goal is to set the user up for being unknowingly exposed to a malware infection. You’ll commonly see hackers exploit security issues in software or websites or deliver the malware through emails and other online messages.

In stage 2, the user gets infected with the botnet malware upon taking an action that compromises their device. Many of these methods involve users being persuaded via social engineering to download a Trojan; other attackers are more aggressive and use a drive-by download triggered when the user visits an infected site. Regardless of the delivery method, cybercriminals ultimately breach the security of many users’ computers.

Once the hacker is ready, stage 3 initiates by taking control of each computer. The attacker organizes all of the infected machines into a network of “bots” that they can remotely manage. Often, the cybercriminal will seek to infect and control thousands, tens of thousands, or even millions of computers. The cybercriminal can then act as the boss of a large “zombie network” — i.e. a fully assembled and active botnet.

Once infected, a zombie computer allows access to admin-level operations, such as:

  • Reading and writing system data
  • Gathering the user’s personal data
  • Sending files and other data
  • Monitoring the user’s activities
  • Searching for vulnerabilities in other devices
  • Installing and running any applications

Botnet architecture

Botnet infections are usually spread through malware or spyware. The malware is typically designed to automatically scan systems and devices for common vulnerabilities that haven’t been patched in hopes of infecting as many devices as possible.

Once the desired number of devices is infected, attackers can control the bots using two different approaches.

The client-server botnet

The traditional client-server model involves setting up a command and control (C&C) server and sending automated commands to infected botnet clients through a communications protocol, such as Internet Relay Chat (IRC).

The client/server model mimics the traditional remote workstation workflow where each machine connects to a centralized server (or a small number of centralized servers) to access information. In this model, each bot will connect to a command-and-control center (CnC) resource like a web domain or an IRC channel to receive instructions.

By using these centralized repositories to serve up new commands for the botnet, an attacker simply needs to modify the source material that each botnet consumes from a command center to update instructions to the infected machines. The centralized server in control of the botnet may be a device owned and operated by the attacker, or it may be an infected device.

The bots are then often programmed to remain dormant and await commands from the C&C server before initiating any malicious activities or cyber-attacks.

The P2P botnet

The other approach to controlling infected bots involves a peer-to-peer (P2P) network. Instead of using C&C servers, a P2P botnet relies on a decentralized approach.

Infected devices may be programmed to scan for malicious websites or even for other devices that are part of a botnet. The bots can then share updated commands or the latest versions of the malware.

Peer-to-peer botnets maintain a list of trusted computers with which they can exchange communications and update their malware. By limiting the number of other machines each bot connects to, each bot is only exposed to adjacent devices, making the botnet harder to track and more difficult to mitigate. Lacking a centralized command server, however, makes a peer-to-peer botnet more vulnerable to control by someone other than the botnet’s creator.

To protect against loss of control, the communications of decentralized botnets are typically encrypted so that access to the botnet is limited.

The P2P approach is more common today, as cybercriminals and hacker groups try to avoid detection by cybersecurity vendors and law enforcement agencies, which have often used C&C communications to locate and disrupt botnet operations.

How do hackers control a botnet?

Issuing commands is a vital part of controlling a botnet. However, anonymity is just as important to the attacker. As such, botnets are operated via remote programming.

The command-and-control (C&C) server is the source of all botnet instructions. This is the bot herder’s main server, and each of the zombie computers gets its commands from it.

Each botnet can be led by commands either directly or indirectly in the following models:

  • Centralized client-server models
  • Decentralized peer-to-peer (P2P) models

Centralized models are driven by one bot herder server. A variation on this model may insert additional servers tasked as sub-herders, or “proxies.” However, all commands trickle down from the bot herder in both centralized and proxy-based hierarchies. Either structure leaves the bot herder open to being discovered, which makes these dated methods less than ideal.

Decentralized models embed the instruction responsibilities across all the zombie computers. As long as the bot herder can contact any one of the zombie computers, they can spread the commands to the others. The peer-to-peer structure further obscures the identity of the bot herder party.

With clear advantages over older centralized models, P2P is more common today.

What are botnets used for?

Botnet creators always have something to gain, whether for money or personal satisfaction.

  • Financial theft — by extorting or directly stealing money
  • Information theft — for access to sensitive or confidential accounts
  • Sabotage of services — by taking services and websites offline, etc.
  • Cryptocurrency scams — using users’ processing power to mine for cryptocurrency
  • Selling access to other criminals — to permit further scams on unsuspecting users

Most of the motives for building a botnet are similar to those of other cybercrimes. In many cases, these attackers either want to steal something valuable or cause trouble for others.

In some cases, cybercriminals will establish and sell access to a large network of zombie machines. The buyers are usually other cybercriminals who pay either on a rental basis or as an outright sale. For example, spammers may rent or buy a network to operate a large-scale spam campaign.

Despite the many potential benefits for a hacker, some people create botnets just because they can. Regardless of motive, botnets end up being used for all types of attacks both on the botnet-controlled users and other people.

How to disable a botnet

Disable a botnet’s control centers

Botnets designed using a command-and-control schema can be more easily disabled once the control centers have been identified. Because those control centers are single points of failure, taking them down can take the whole botnet offline. As a result, system administrators and law enforcement officials focus on closing down the control centers of these botnets.

This process is more difficult if the command center operates in a country where law enforcement is less capable or willing to intervene.

Eliminate infection on individual devices

For individual computers, strategies to regain control over the machine include running antivirus software, reinstalling software from a safe backup, or starting over from a clean machine after reformatting the system. For IoT devices, strategies may include flashing the firmware, running a factory reset or otherwise formatting the device.

If these options are infeasible, other strategies may be available from the device’s manufacturer or a system administrator.

Preventing botnets with cybersecurity controls

There is no one-size-fits-all solution to botnet detection and prevention. However, manufacturers and enterprises can start by incorporating the following security controls:

  • strong user authentication methods;
  • secure remote firmware updates, permitting only firmware from the original manufacturer;
  • secure boot to ensure devices only execute code produced by trusted parties;
  • advanced behavioral analysis to detect unusual IoT traffic behavior; and
  • methods using automation, machine learning and artificial intelligence (AI) to automate protective measures in IoT networks before botnets can cause serious harm.

These measures occur at the manufacturing and enterprise levels, requiring security to be baked into IoT devices from conception and businesses to acknowledge the risks.
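As an added illustration of the “behavioral analysis” control above (example code written for this guide, not from the original article or any vendor product), the script below scores constructed flow records for the regular check-in pattern of a bot that sits dormant and polls its C&C server; the addresses, port and timestamps are all made-up sample data, and the coefficient-of-variation threshold is an assumed tuning value.

```python
"""Beacon detector: flag (src, dst, port) tuples whose connection timing is suspiciously regular."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records (not real traffic): (timestamp_seconds, src, dst, dst_port).
SAMPLE_FLOWS = [
    # An infected device checking in with its C&C server about every 60 s (IRC port, small jitter).
    *[(t, "10.0.0.7", "203.0.113.5", 6667) for t in (0, 61, 120, 181, 240, 300, 361)],
    # A person browsing: gaps between connections are irregular.
    *[(t, "10.0.0.8", "198.51.100.9", 443) for t in (3, 40, 42, 200, 205, 410)],
    # A single connection: too few events to judge either way.
    (50, "10.0.0.9", "192.0.2.1", 80),
]


def beacon_scores(flows, min_events=5):
    """Group flows by (src, dst, port) and compute, for each group with enough events,
    the mean inter-arrival interval and its coefficient of variation (stdev / mean).
    A low coefficient of variation means the timing is machine-regular."""
    by_tuple = defaultdict(list)
    for ts, src, dst, port in flows:
        by_tuple[(src, dst, port)].append(ts)

    scores = {}
    for key, stamps in by_tuple.items():
        if len(stamps) < min_events:
            continue  # not enough samples to measure regularity
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        interval = mean(gaps)
        if interval <= 0:
            continue  # duplicate timestamps only; nothing periodic to measure
        scores[key] = {
            "count": len(stamps),
            "interval": interval,
            "cv": pstdev(gaps) / interval,
        }
    return scores


def flag_beacons(flows, max_cv=0.2, min_events=5):
    """Return the (src, dst, port) tuples whose timing regularity is below max_cv (assumed threshold)."""
    scores = beacon_scores(flows, min_events)
    return sorted(key for key, s in scores.items() if s["cv"] <= max_cv)


if __name__ == "__main__":
    for key in flag_beacons(SAMPLE_FLOWS):
        s = beacon_scores(SAMPLE_FLOWS)[key]
        print(f"possible beacon {key}: {s['count']} events, ~{s['interval']:.1f}s apart, cv={s['cv']:.3f}")
```

In practice the threshold and minimum event count are tuned per network, and a flagged tuple is a lead for investigation (legitimate software also polls on a schedule), not proof of infection.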

From a user perspective, botnet attacks are difficult to detect because devices continue to act normally even when infected. It may be possible for a user to remove the malware itself, but it is unlikely for the user to have any effect on the botnet as a whole. As botnet and IoT attack vectors increase in sophistication, IoT security will need to be addressed at an industry level.

