{"id":14737,"date":"2023-11-21T10:02:05","date_gmt":"2023-11-21T10:02:05","guid":{"rendered":"https:\/\/businessyield.com\/tech\/?p=14737"},"modified":"2023-11-21T10:02:08","modified_gmt":"2023-11-21T10:02:08","slug":"what-is-a-botnet-the-complete-guide","status":"publish","type":"post","link":"https:\/\/businessyield.com\/tech\/cyber-security\/what-is-a-botnet-the-complete-guide\/","title":{"rendered":"What Is A Botnet? The Complete Guide","gt_translate_keys":[{"key":"rendered","format":"text"}]},"content":{"rendered":"
<p>A botnet is a logical collection of Internet-connected devices, such as computers, smartphones, or Internet of Things (IoT) devices, whose security has been breached and control ceded to a third party. Each compromised device, known as a “bot,” is created when a device is penetrated by software from a malware (malicious software) distribution.<\/p>
<p>The controller of a botnet can direct the activities of these compromised computers through communication channels formed by standards-based network protocols, such as IRC and Hypertext Transfer Protocol (HTTP).<\/p>
<p>The word “botnet” is a portmanteau of the words “robot” and “network”. The term is usually used with a negative or malicious connotation. Botnets are increasingly rented out by cyber criminals as commodities for a variety of purposes, including as booter\/stresser services.<\/p>
<p>A bot, in this case, is a device infected by malicious code, which then becomes part of a network, or net, of infected machines all controlled by a single attacker or attack group.<\/p>
<p>A bot is sometimes called a zombie, and a botnet is sometimes referred to as a zombie army. Conversely, those controlling the botnet are sometimes referred to as bot herders.<\/p>
<p>Botnet malware typically looks for devices with vulnerable endpoints across the internet, rather than targeting specific individuals, companies or industries. The objective is to infect as many connected devices as possible and to use the large-scale computing power and functionality of those devices for automated tasks. These attacks generally remain hidden from the users of the devices.<\/p>
<p>For example, an ad fraud botnet infects a user’s PC with malicious software that uses the system’s web browsers to divert fraudulent traffic to certain online advertisements. To stay concealed, the botnet won’t take complete control of the operating system (OS) or the web browser, which would alert the user. Instead, it may use a small portion of the browser’s processes, often running in the background, to send a barely noticeable amount of traffic from the infected device to the targeted ads.<\/p>
<p>On its own, that fraction of bandwidth taken from an individual device won’t offer much to the cybercriminals running the ad fraud campaign. However, a botnet that combines millions of devices can generate a massive amount of fake traffic for ad fraud.<\/p>
<p>Botnets are built to grow, automate, and speed up a hacker’s ability to carry out larger attacks. A small team of hackers, or even one person, can only carry out so many actions on their local devices. By investing a little cost and a bit of time, they can acquire tons of additional machines to leverage for more efficient operations.<\/p>
<p>A <strong>bot herder<\/strong> leads a collective of hijacked devices with remote commands. After compiling the bots, a herder uses command programming to drive their next actions. The party taking command duties may have set up the botnet or be operating it as a rental.<\/p>
<p><strong>Zombie computers<\/strong>, or bots, refer to each malware-infected user device that’s been taken over for use in the botnet. These devices operate mindlessly under commands designed by the bot herder.<\/p>
<h5>The basic stages of building a botnet can be simplified into a few steps:<\/h5>
<p>Stage 1, exposure, starts with hackers <strong>finding a vulnerability<\/strong> in a website, application, or human behavior. The goal is to set the user up to be unknowingly exposed to a malware infection. Hackers commonly exploit security issues in software or websites, or deliver the malware through emails and other online messages.<\/p>
<p>In stage 2, the user gets <strong>infected<\/strong> with the <strong>botnet malware<\/strong> upon taking an action that compromises their device. Many of these methods involve users being persuaded via social engineering to download a Trojan. Other attackers may be more aggressive, using a drive-by download that is triggered when the user visits an infected site. Regardless of the delivery method, cybercriminals ultimately breach the security of several users’ computers.<\/p>
<p><strong>Once the hacker is ready, stage 3 initiates by taking control of each computer.<\/strong> The attacker organizes all of the infected machines into a network of “bots” that they can remotely manage. Often, the cybercriminal will seek to infect and control thousands, tens of thousands, or even millions of computers. The cybercriminal can then act as the boss of a large “zombie network”, that is, a fully assembled and active botnet.<\/p>
<p>Once infected, a zombie computer allows access to admin-level operations, such as:<\/p>
<h2><strong>Botnet architecture<\/strong><\/h2>
<p>Botnet infections are usually spread through malware or spyware. The malware is typically designed to automatically scan systems and devices for common vulnerabilities that haven’t been patched, in hopes of infecting as many devices as possible.<\/p>
<p>Once the desired number of devices is infected, attackers can control the bots using two different approaches.<\/p>
<h3><strong>The client-server botnet<\/strong><\/h3>
<p>The traditional client-server model involves setting up a command and control (C&C) server and sending automated commands to infected botnet clients through a communications protocol, such as Internet Relay Chat (IRC).<\/p>
<p>The client\/server model mimics the traditional remote workstation workflow where each machine connects to a centralized server (or a small number of centralized servers) to access information. In this model, each bot connects to a command-and-control center (CnC) resource, such as a web domain or an IRC channel, to receive instructions.<\/p>
<p>By using these centralized repositories to serve up new commands for the botnet, an attacker simply needs to modify the source material that each bot consumes from a command center to update the instructions sent to the infected machines. The centralized server in control of the botnet may be a device owned and operated by the attacker, or it may be an infected device.<\/p>
<p>The bots are then often programmed to remain dormant and await commands from the C&C server before initiating any malicious activities or cyber-attacks.<\/p>
<h3><strong>The P2P botnet<\/strong><\/h3>
<p>The other approach to controlling infected bots involves a peer-to-peer (P2P) network. Instead of using C&C servers, a P2P botnet relies on a decentralized approach.<\/p>
<p>Infected devices may be programmed to scan for malicious websites or even for other devices that are part of the botnet. The bots can then share updated commands or the latest versions of the malware.<\/p>
<p>Peer-to-peer botnets maintain a list of trusted computers with which they can give and receive communications and update their malware. By limiting the number of other machines the bot connects to, each bot is only exposed to adjacent devices, making it harder to track and more difficult to mitigate. Lacking a centralized command server makes a peer-to-peer botnet more vulnerable to control by someone other than the botnet’s creator.<\/p>
<p>To protect against loss of control, decentralized botnets are typically encrypted so that access is limited.<\/p>
<p>The P2P approach is more common today, as cybercriminals and hacker groups try to avoid detection by cybersecurity vendors and law enforcement agencies, which have often used C&C communications to locate and disrupt botnet operations.<\/p>
<h2><strong>How do hackers control a botnet?<\/strong><\/h2>
<p>Issuing commands is a vital part of controlling a botnet. However, anonymity is just as important to the attacker. As such, botnets are operated via remote programming.<\/p>
<p><strong>Command-and-control (C&C)<\/strong> is the server source of all botnet instruction and leadership. This is the bot herder’s main server, and each of the zombie computers gets commands from it.<\/p>
<p>Each botnet can be led by commands either directly or indirectly in the following models:<\/p>
<p><strong>Centralized models<\/strong> are driven by one bot herder server. A variation on this model may insert additional servers tasked as sub-herders, or “proxies.” However, all commands trickle down from the bot herder in both centralized and proxy-based hierarchies. Either structure leaves the bot herder open to being discovered, which makes these dated methods less than ideal.<\/p>
<p><strong>Decentralized models<\/strong> embed the instruction responsibilities across all the zombie computers. As long as the bot herder can contact any one of the zombie computers, they can spread the commands to the others. The peer-to-peer structure further obscures the identity of the bot herder party.<\/p>
<p>With clear advantages over older centralized models, P2P is more common today.<\/p>
<h2><strong>What are botnets used for?<\/strong><\/h2>
<p>Botnet creators always have something to gain, whether for money or personal satisfaction.<\/p>
<p>Most of the motives for building a botnet are similar to those of other cybercrimes. In many cases, these attackers either want to steal something valuable or cause trouble for others.<\/p>
<p>In some cases, cybercriminals will establish and sell access to a large network of zombie machines. The buyers are usually other cybercriminals who pay either on a rental basis or as an outright sale. For example, spammers may rent or buy a network to operate a large-scale spam campaign.<\/p>
<p>Despite the many potential benefits for a hacker, some people create botnets just because they can. Regardless of motive, botnets end up being used for all types of attacks, both on the botnet-controlled users and on other people.<\/p>
<h2><strong>How to disable a botnet<\/strong><\/h2>
<h4><strong>Disable a botnet’s control centers<\/strong><\/h4>
<p>Botnets designed using a command-and-control schema can be more easily disabled once the control centers are identified. Cutting off the head at these points of failure can take the whole botnet offline. As a result, system administrators and law enforcement officials focus on closing down the control centers of these botnets.<\/p>
<p>This process is more difficult if the command center operates in a country where law enforcement is less capable of, or less willing to, intervene.<\/p>
<h4><strong>Eliminate infection on individual devices<\/strong><\/h4>
<p>For individual computers, strategies to regain control over the machine include running antivirus software, reinstalling software from a safe backup, or starting over from a clean machine after reformatting the system. For IoT devices, strategies may include flashing the firmware, running a factory reset or otherwise formatting the device.<\/p>
<p>If these options are infeasible, other strategies may be available from the device’s manufacturer or a system administrator.<\/p>
<h2><strong>Preventing botnets with cybersecurity controls<\/strong><\/h2>
<p>There is no one-size-fits-all solution to botnet detection and prevention. However, manufacturers and enterprises can start by incorporating the following security controls:<\/p>
<p>These measures occur at the manufacturing and enterprise levels, requiring security to be baked into IoT devices from conception and businesses to acknowledge the risks.<\/p>
<p>From a user perspective, botnet attacks are difficult to detect because devices continue to act normally even when infected. It may be possible for a user to remove the malware itself, but it is unlikely for the user to have any effect on the botnet as a whole. As botnet and IoT attack vectors increase in sophistication, IoT security will need to be addressed at an industry level.<\/p>