What is Botnet?
The term Botnet is derived from the words “robot” and “network”. Bots refers to devices including PCs, notebooks, smartphones, servers, home routers, etc. that perform specific malicious tasks automatically. Botnet is a collection of compromised devices that can be instructed to perform orchestrated tasks coordinated by attackers with malicious intents. An attacker who manipulates the botnet is called “bot herder”. Botnets are serious security threats to the Internet and they account for a majority of email spam, identity theft, phishing and distributed denial-of-service (DDoS) attacks.
The example below illustrates how a botnet is created to instigate an attack:
To create a botnet, hundreds or millions of bots are required. In order to acquire the large amount of bots, attackers need to either explore the vulnerabilities of devices and systems, or expose malwares to users.
To compromise the devices with botnet malware, social engineering and malicious websites are common attack vectors used by hackers to lure the users into downloading and executing the malicious files.
Once enough devices are breached, a bot herder can remotely control them to initiate cyber attacks or other malicious intents.
Since a bot herder can scatter attack tasks across the Internet, the enormous cumulative bandwidth and large number of attack sources make botnet-based attacks extremely dangerous and hard to defend against. The bot herder can pass commands to the bots for malicious activities:
Botnet can be used to initiate a variety of cyber attacks. Common botnet attacks include the following:
DDoS attack is an attack commonly instigated by botnet. The massive number of exploited bots within a botnet is an ideal source for overloading the Internet traffic. The attacker can control every single bot remotely and direct an attack by sending instruction to the bots. Each bot can send requests to the targeted server, service or network, inducing an enormous amount of traffic to overload the network of the target and exhaust its resources.
Spam emails are the unsolicited and unwanted email messages that sent to bulk recipients indiscriminately. Botnets are often used to re-route the spam traffic to prevent the spammers from being caught and blacklisted. While some spam emails, mostly commercial advertisements, are just annoying but harmless, most of other spams may cause adverse consequences like phishing attack and distribution of malware.
Phishing emails usually contain fraudulent links which redirect the victims to a fake and malicious website impersonating a trustworthy organisation’s website to harvest the victims’ personal and sensitive information such as credentials, bank accounts and credit card details.
Brute force attack uses trial-and-error method to guess the login credential of victims by working through all possible combinations. Bots within a botnet can be used to run programs designed to breach web accounts by force. Weak password would be exploited easily and lead to leakage of personal and sensitive data.
Bot herder can control the bots to perform click fraud, namely click bots, pretending to be a legitimate device visiting a webpage and click on the desired hyperlink inside. Each click bot represents a device with different IP address, and therefore each click looks like coming from a different user and will not arouse suspicion. For online advertising which pays per click, the massive clicking rate created by click bots can bring about tremendous financial gain. High click rate may also lead to higher search ranking of a malicious website in search engine which makes it looks legitimate.
Miners for cryptocurrencies are rewarded for the work of verifying the legitimacy of cryptocurrencies transactions. Competitive mining computers and power supply are required for mining where each of the bots in the botnet provides the processing power, electricity and the Internet bandwidth to mine a particular cryptocurrency. The cumulative power of the bots can result in a high computational power for mining and boosting the mining output for the miners.
Whenever vulnerabilities are identified in operating systems, applications, software and browsers, product providers will release new patches to fix the vulnerabilities. If the updates are not applied timely, the vulnerabilities can be exploited and this will provide attackers with excessive rights to control your devices. Therefore it is important to keep your system up-to-date and free from vulnerabilities.
Firewall is the first layer of defense to filter out the malicious traffic and prevent unauthorised devices from being connected to your network. A properly configured firewall can block various network-based attacks.
Acclaimed anti-malware software can help prevent, detect and remove various botnet malware. It is crucial to protect your electronic devices by using anti-malware software and performing regular scanning.
Properly configure the systems such as disabling “AutoRun” and refraining from installing software from untrusted sources.
Removable disks are commonly used for transferring data between devices. If removable disks are infected without being noticed, plugging them into workstations may harm an enterprise’s network. To avoid this, removable disks should be scanned with anti-malware software before use to ensure that they are free from malware.
Attackers may use pop-up windows or fake software download websites to lure you into downloading malware. Sometimes the pop-up windows may show messages claiming that your devices have been infected by malware and that anti-malware software is required. When you click the “download” button on the pop-up window, you will have the malware downloaded. It is advisable to download all the software from official or trusted websites.
One common way to spread malware is through emails. Attackers may embed the malware in the attachment of an email. Always stay vigilant when receiving emails from senders you do not recognise and never download any attachments from these suspicious emails.
In order to protect your business against botnet, other than the security measures mentioned in previous sections, you should also take the following steps:
Categorising the users and their corresponding workstations into different groups and separating the groups into different network segments is preferred. The workstations of different compartments will not be able to communicate with each other. Whenever a workstation is infected, devices of other segments will not be affected which in turn help deter the propagation of botnets.
Close monitoring of unusual events in the systems such as login attempt failures or DNS queries can aid in early detection of infection. This allows system administrators to take timely actions before the infection spreads and harms devices in the entire network.
Disclaimer: Users are also recommended to observe the disclaimer of this website and read the user agreements and privacy policies of the security software and tools before downloading and using them.