
Cyber Security:

Botnets

The word "botnet" is a portmanteau of the words "robot" and "network" - the term is usually used with a negative or malicious connotation.

So, a botnet is the generic name given to any group of computers that coordinate their activity over the internet.

There are a number of harmless botnets used for such purposes as the Internet Relay Chat (IRC) text messaging program, but sadly, the vast majority are created by malware.

A botnet created by malware is composed of PCs controlled remotely by an attacker. It is a "virtual robot army."

The individual PCs that are part of a botnet are known as "bots" or "zombies" - and their owners may not even know they're being used.


What are Botnets?

Botnets are typically created by a specific attacker or small group of attackers using one piece of malware to infect a large number of machines — although there's no minimum size for a group of PCs to be called a botnet.

The individual PCs in a botnet are generally called "bots" or "zombies."

Smaller botnets can be in the hundreds or low thousands of infected machines, and larger ones can run into the millions of PCs.

Examples of well-known botnets that have emerged in recent years include Conficker, Zeus, Waledac, Mariposa and Kelihos.

A botnet is often discussed as a single entity, but the creators of malware such as Zeus will sell their wares to anyone, so at any given time dozens of separate botnets may be using the same malware.

How are Botnets created?

Botnets are spread through viruses and worms, and once installed on the victim's computer they use the internet to make contact with a control computer. At this point, the infected computer (often called a zombie) does nothing except periodically check for instructions from the control computer. Over time, more and more computers are recruited to the incipient botnet until it may contain tens of thousands of zombies, but they don't raise suspicion because they appear to be doing nothing. The creator of the botnet can control it using command and control (C&C) software.

At some future time, the control computer will issue a command for the botnet to wake up and begin doing something.

This often happens because the people who created the botnet itself have either sold or rented the botnet to another group who want to use its capabilities for malevolent means.
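The idle check-in behaviour described above is what defenders look for: an infected host that "does nothing" still contacts its control computer at regular intervals, and that regularity stands out in proxy or firewall logs. The following detector is an added example, not code from the original page; it assumes a constructed log format of "<ISO timestamp> <source IP> <destination host>" and flags source/destination pairs whose connection gaps have very low variation.

```python
# Beacon detector (added example): flags (source, destination) pairs whose
# connections are spaced at near-identical intervals, the idle-bot check-in
# pattern. Assumes log lines "<ISO time> <src IP> <dst host>" (constructed).
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real traffic): 10.0.0.5 polls every ~300 s,
# 10.0.0.7 is an ordinary user browsing at irregular times.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 cdn-update.example.test
2024-05-01T10:04:58 10.0.0.5 cdn-update.example.test
2024-05-01T10:10:00 10.0.0.5 cdn-update.example.test
2024-05-01T10:14:58 10.0.0.5 cdn-update.example.test
2024-05-01T10:20:00 10.0.0.5 cdn-update.example.test
2024-05-01T10:00:10 10.0.0.7 news.example.test
2024-05-01T10:00:41 10.0.0.7 news.example.test
2024-05-01T10:07:03 10.0.0.7 news.example.test
2024-05-01T10:31:15 10.0.0.7 news.example.test
"""

def parse_log(text):
    """Group connection timestamps by (source, destination)."""
    pairs = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        pairs[(src, dst)].append(datetime.fromisoformat(ts))
    return pairs

def connection_gaps(times):
    """Seconds between consecutive connections, oldest first."""
    times = sorted(times)
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]

def beacon_score(gaps):
    """Coefficient of variation of the gaps: near 0 means machine-like
    regularity, near or above 1 means human-like irregular activity."""
    if len(gaps) < 2 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)

def find_beacons(text, min_events=4, max_cv=0.05):
    """Return {(src, dst): (period_seconds, cv)} for pairs that look like beacons."""
    hits = {}
    for pair, times in parse_log(text).items():
        if len(times) < min_events:
            continue          # too few check-ins to judge regularity
        gaps = connection_gaps(times)
        cv = beacon_score(gaps)
        if cv is not None and cv <= max_cv:
            hits[pair] = (round(mean(gaps)), round(cv, 3))
    return hits
```

Real bots add jitter to their check-in interval, so in practice the threshold is tuned per environment and the score is combined with other signals such as destination reputation and response size.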

There are two main methods through which attackers infect PCs to make them part of a botnet:

Drive-by download infections require a few different steps for the attacker, and they require the attacker to find a popular Web site with an exploitable vulnerability.

The attacker then loads his own malicious code on the site and rigs it to exploit a vulnerability in a common browser such as Google Chrome or Internet Explorer.

The code will typically then redirect the user's browser to another site controlled by the attacker where the bot code will be downloaded and installed on the user's machine.

The email infection vector is much simpler.

The attacker sends out a large batch of spam that includes either a file such as a Word document or PDF with malicious code in it, or a link to a site where the malicious code is hosted.

In either case, once the attacker's code is on the user's machine, that PC is now part of the botnet.

The attacker can issue remote commands to the PC, upload data from the machine, download new components and generally do what he wants with it.

What are Botnets used for?

Botnets can be used to:

perform Distributed Denial-of-Service (DDoS) attacks.

These attacks rely on the computing power and bandwidth of hundreds or thousands of PCs to send huge amounts of traffic at a specific Web site in an effort to knock the site offline.

There are many different flavors of DDoS attacks, but the goal is the same: preventing the target site from operating. Botnets are so large, and so widely distributed across the internet that they can be very hard to tackle and the effects of a coordinated attack on critical parts of the network can mean even very large websites struggle to remain online while the botnet targets their computers.

Attackers used to employ this tactic as a way to knock their rivals' sites offline, but they then began turning it on Web portals such as Yahoo and MSN, shopping and banking sites and government sites.

Cybercriminals have taken to using DDoS attacks against banking sites as a way to disguise deeper attacks on those banks.

steal data,

commit 'click fraud', and

send spam and give the attacker access to the device and its connection.

A single piece of malware can cause enormous damage, but when thousands, or even millions, of computers run the same program, their effects can be devastating. Botnets send out millions of junk email messages from the infected PCs, and cybercriminals use them in large-scale credit-card fraud operations.
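The DDoS paragraphs above describe the signature a server-side defender looks for: a surge in requests that is spread thinly across hundreds or thousands of sources rather than coming from one host. The code below is an added example, not from the original page; it assumes constructed access records of the form (epoch seconds, client IP, path) and labels each one-minute window by comparing it with a baseline window.

```python
# Added example (not from the original page): separates the "many sources, each
# sending little" signature of a botnet DDoS from a single-source flood, using
# per-window counts over access records "(epoch_s, client_ip, path)".
from collections import Counter, defaultdict

def make_sample():
    """Constructed traffic: window 0 normal (3 clients, 1 req/s each),
    window 1 a 200-host botnet flood (5 req each), window 2 one host hammering."""
    records = []
    for sec in range(60):
        records += [(sec, f"203.0.113.{c}", "/") for c in range(1, 4)]
    for host in range(200):
        for k in range(5):
            records.append((60 + (host + 12 * k) % 60, f"198.51.100.{host}", "/login"))
    records += [(120 + i % 60, "192.0.2.9", "/login") for i in range(1000)]
    return records

def window_stats(records, window=60):
    """Per window: (total requests, distinct sources, share of the busiest source)."""
    buckets = defaultdict(Counter)
    for ts, src, _path in records:
        buckets[ts // window][src] += 1
    stats = {}
    for w, per_src in buckets.items():
        total = sum(per_src.values())
        stats[w] = (total, len(per_src), max(per_src.values()) / total)
    return stats

def classify(stats, baseline_window=0, rate_factor=5, min_sources=50, max_top_share=0.05):
    """Label each window by comparing its request count with the baseline window.
    A surge spread thinly over many sources is the botnet pattern; a surge that
    comes mostly from one source calls for a different response (blocking it)."""
    base_total = stats[baseline_window][0]
    labels = {}
    for w, (total, sources, top_share) in stats.items():
        if total < rate_factor * base_total:
            labels[w] = "normal"
        elif sources >= min_sources and top_share <= max_top_share:
            labels[w] = "distributed flood"
        else:
            labels[w] = "single-source flood"
    return labels
```

Per-IP blocking handles the single-source case but not the distributed one, which is why the text notes that effective DDoS defences sit at the ISP or server level.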

How to protect yourself from botnets

There are a number of defenses against the DDoS attacks that botnets are used for, but nearly all of them are on the ISP or server level.

For users, the best defense against becoming part of a botnet is to keep all of the software on your machines patched and up-to-date and to resist clicking on suspicious links.

Attackers rely on the gullibility of users to open malicious attachments or click on shady links in order to get their malware onto new PCs.

Removing that from the equation makes it far more difficult for attackers to build and use botnets.