Shining a Light on Botnets

When cybercriminals strike, it is often the groups or individuals responsible for the attack (e.g., Anonymous, Guardians of Peace, MafiaBoy); the victims (e.g., Target, Sony, Dyn) or the malware itself (e.g., WannaCry, Shamoon, Conficker) that make the headlines. The critical role of botnets in the organization and the launch of cyberattacks is less commonly written about. This article explains what botnets are, how they operate and what can be done to protect your computers and devices from being recruited to a botnet.

Understanding Botnets

As we discussed in a previous post about cybersecurity ignorance, over 70 percent of Americans are unaware of what a botnet is. When the security of a computer or connected device is compromised by an attack, there are several things that its payload can do. It could execute a piece of ransomware, encrypting user files and display a message demanding payment for their release. It could launch spyware to collect information about the user, stealing personal data or harvesting contacts. It could even cause damage to your hardware and shut down your device – although this is not usually in the cybercriminal’s best interest.

Or it could connect your computer to a hidden network of similar hijacked devices and inform its master that it is ready to take orders. It would become what is termed a bot or a zombie, and while it may still operate normally in other respects, it has become the latest addition to a botnet.

Once recruited, a bot will start monitoring for messages from its new master or masters. These messages could originate from a dedicated server (sometimes termed a command and control server) or even via code on a website. This is the traditional server-client botnet. Some of the latest botnets operate on a peer-to-peer (P2P) basis, with each new device acting as both zombie and zombie master in a distributed network.

Methods of Attack Using Botnets

So what can a botnet do? There are certain types of attack that a botnet will usually instigate, although its activity can be quickly changed through altering instructions. Since the devices in question are already compromised, there is no security to overcome and no resistance to its orders.

One of the most common tasks of a botnet is to distribute spam, which will usually contain ransomware. To give an idea of the scale of the problem, Cisco’s 2017 Annual Cybersecurity Report shows that spam accounts for 65 percent of all email, with 8 to 10 percent cited as malicious. Due to a combination of spam filters and consumer education, this method of attack is relatively unproductive and relies upon vast numbers of messages being sent out. For example, when ESET uncovered the Windigo botnet in 2014, it was sending out 35 million spam messages per day.

Another mode of operation is the infamous DDoS attack. In an instant, all bots in the botnet can be instructed to flood a server or servers with connection requests, effectively taking that service out of action. Again, this is a blunt, relatively unsophisticated weapon and, due to improved DDoS mitigation technology, is usually short-term in nature.

For client-server types of botnets, the messages are usually transmitted using the internet relay chat (IRC) protocol. Such communication can be relatively easy to detect and block or even hijack, so smarter forms of attack are being developed to outwit the cybersecurity providerFor example, it has been proven possible to issue commands via Twitter, LinkedIn and even JPEG metadata and to switch between such channels. The P2P type of botnet mentioned above also avoids the pitfalls of IRC communication.

Lack of Vigilance is Still the Weakest Link

Facing up to the power and sophistication of botnets can be scary at first, but it must be remembered that there are equally smart minds at work in the battle against cybercrime. The best forms of protection remain unchanged: install regular security updates, use strong password protection, look for the padlock next to a URL before divulging sensitive information and never click on email or social media links unless you are 100 percent sure they are genuine.

As explained in Malwarebytes’ ‘State of Malware Report,’ there are specific concerns about the prioritization of security when it comes to the Internet of Things and DDoS attacks. These vulnerabilities were ruthlessly exploited in October 2016 by the Mirai botnet, which targeted Dyn Inc. and effectively shut down Twitter, Spotify and other sites.

It was discovered that Mirai’s ability to launch such a ferocious DDoS attack (at one point reaching speeds of 1 tbps) was due to its choice of bots – IP cameras, home routers and other devices rather than PCs. Many of these were configured with their factory passwords and so were simple to hack.

As the Internet of Things grows, it will become more important than ever for companies to choose devices with robust security protection, to update passwords upon setup and to up-skill their IT support teams to monitor for threats. Likewise, homeowners should shop for smart devices with security in mind and change their default passwords.

Why the Worst Cyberattack May Never Happen

If the fear of botnets bringing down the internet is keeping you up at night, then this end section should give you some reassurance. Setting up a botnet that can successfully evade all of the security measures set up to detect and bring it down is resource-intensive; this makes it an incredibly valuable asset. The bigger a botnet is, the harder it becomes for it to fly under the radar. When large botnets are detected, it is often in the wake of a big attack that exposes its chain of command. Once found, botnets often fall hard with significant computer resources put out of action by law enforcement and people sent to jail.

In most cases, it serves the cybercriminals best to use botnets as stealth weapons, launching the occasional assault before covering their tracks, evolving and then looking for the next opportunity to strike.