Botnets Attacks

August 13, 2020

What is a Botnet?

A botnet is a network of compromised computers that are supervised by a command and control (C&C) channel. The person who operates the command and control infrastructure, the bot herder or botmaster, uses the compromised computers, or bots, to launch attacks designed to crash a target’s network, inject malware, harvest credentials or execute CPU-intensive tasks.

A botnet is comprised of 3 main components:

  1. the bots
  2. the command and control servers (C&C)
  3. the botnet operator

Why Do Adversaries Use Botnet Attacks?

Imagine having an army of workers helping you achieve your goals — good or bad. That’s what a botnet is for your adversaries. A botnet attack can be made up of hundreds or even more than a million infected devices that are all executing malicious code on behalf of the bot herder.

An adversary doesn’t have to be a computer genius to run a botnet — botnets are for sale on the dark web for about $30 and can be rented for $10 an hour (with discounts for bulk orders). For the more hands-on type of attacker, there are numerous tutorials on the legitimate web and YouTube, while the dark web is home to more detailed lessons for around $50.

Identifying (and thus, prosecuting) a bot herder is difficult because it’s hard to trace a botnet attack back to the command-and-control server since the hijacked computers in the botnet are conducting the actual attack.

Once an adversary is in control of a botnet, the malicious possibilities are extensive. A botnet can be used to conduct many types of attacks, including:

1. Phishing

Botnets can be used to distribute malware via phishing emails. Because botnets are automated and consist of many bots, shutting down a phishing campaign is like playing a game of Whack-A-Mole.

2. Distributed Denial-of-Service (DDoS) attack

During a DDoS attack, the botnet sends an overwhelming number of requests to a targeted server or application, causing it to crash. Network layer DDoS attacks use SYN floods, UDP floods, DNS amplification, and other techniques designed to eat up the target’s bandwidth and prevent legitimate requests from being served. Application-layer DDoS attacks use HTTP floods, Slowloris or RUDY attacks, zero-day attacks and other attacks that target vulnerabilities in an operating system, application or protocol in order to crash a particular application.

Many will remember the massive Mirai botnet DDoS attack. Mirai is an IoT botnet made up of hundreds of thousands of compromised IoT devices, which in 2016, took down services like OVH, DYN, and Krebs on Security.

3. Cryptojacking

Cryptocurrency is “mined” by computers that earn bits of currency by solving encrypted math equations. However, computations use a lot of electricity – Bitcoin mining alone uses as much energy as the entire nation of Switzerland, and when all expenses associated with mining cryptocurrency are counted, an adversary would spend three times more mining cryptocurrency than mining actual gold. To a criminal mind, it makes a lot more sense to make someone else pay for the effort by commandeering their resources.

4. Snooping

Botnets can be used to monitor network traffic, either passively to gather intelligence and steal credentials or actively to inject malicious code into HTTP traffic. Domain Name System (DNS) snooping maps IP addresses to domain names that are contained in the dynamic database or a local list in order to discover what queries are being made, which domains might be the best targets for a cache poisoning attack, or what mis-typed domains might be worth registering.

5. Bricking

A bricking attack deletes software from an IoT device with weak security, rendering it useless, or bricked. Cybercriminals may use bricking attacks as part of a multi-stage attack, in which they brick some devices to hide any clues they may have left when launching the primary attack. Bricking makes it difficult or impossible for forensic analysts to discover remnants of botnet malware that would provide information on who, how or why the primary attack was conducted.

6. Spambots

Spambots harvest emails from websites, forums, guestbooks, chat rooms and anyplace else users enter their email addresses. Once acquired, the emails are used to create accounts and send spam messages. Over 80 percent of spam is thought to come from botnets.

What are the Types of Botnets?

Botnets can be categorized into two types:

  • Centralized, Client-Server Model
  • Decentralized, Peer-to-Peer (P2P) Model

Centralized Model

visual depiction of a centralized botnet structure

The first generation of botnets operated on a client-server architecture, where the command-and-control (C&C) server operates the entire botnet.

Due to its simplicity, centralized botnets are still used today. However, the disadvantage to using a centralized model over a P2P model is that it is susceptible to a single point of failure.

The two most common C&C communication channels are IRC and HTTP:

IRC (Internet Relay Chat) botnet

IRC botnets are among the earliest types of botnet and are controlled remotely with a pre-configured IRC server and channel. The bots connect to the IRC server and await the bot herder’s commands.

HTTP botnet

An HTTP botnet is a web-based botnet through which the bot herder uses the HTTP protocol to send commands. Bots will periodically visit the server to get updates and new commands. Using HTTP protocol allows the herder to mask their activities as normal web traffic.

Decentralized Model

visual depiction of a p2p botnet architecture

The new generation of botnets are peer-to-peer, where bots share commands and information with each other and are not in direct contact with the C&C server.

P2P botnets are harder to implement than IRC or HTTP botnets, but are also more resilient because they do not rely on one centralized server. Instead, each bot works independently as both a client and a server, updating and sharing information in a coordinated manner between devices in the botnet.

How does a Botnet Work?

Here’s a simplified version of how a botnet is created:

  • A hacker starts with the initial malware infection to create zombie devices using techniques like web downloads, exploit kits, popup ads, and email attachments
  • If it’s a centralized botnet, the herder will direct the infected device to a C&C server. If it’s a P2P botnet, peer propagation begins and the zombie devices seek to connect with other infected devices.
  • The zombie computer will then download the latest update from the C&C channel to receive its order.
  • The bot then proceeds with it’s orders and engages in malicious activities.

Tips to Avoid Being Caught in a Net

To prevent your IoT devices from becoming zombified, we recommend your organization consider the following recommendations:

  • A regular security awareness training program that teaches users/employees to identify malicious links
  • A well-run patch program to protect against the latest vulnerabilities
  • A quality antivirus solution that is kept up to date and scans the network regularly
  • Deploy an intrusion detection system (IDS) across your network
  • An endpoint protection solution that includes rootkit detection capability and that can detect and block malicious network traffic