A botnet is a network of compromised computers that are controlled through a command and control (C&C) channel. The person who operates the command and control infrastructure, the bot herder, uses the compromised computers, or bots, to launch attacks designed to overwhelm a target's network, distribute malware, harvest credentials or execute CPU-intensive tasks on someone else's hardware.
A botnet is made up of three main components:
- the bots
- the command and control servers (C&C)
- the threat actor, or bot herder
Why Do Adversaries Use Botnets?
Imagine having an army of workers helping you achieve your goals — good or bad. That’s what a botnet is for your adversaries. A botnet can be made up of hundreds or even more than a million devices that are all executing malicious code on behalf of the bot herder.
An adversary doesn’t have to be a computer genius to run a botnet — botnets are for sale on the dark web for about $30 and can be rented for $10 an hour (with discounts for bulk orders). For the more hands-on type of attacker, there are numerous tutorials on the legitimate web and YouTube, while the dark web is home to more detailed lessons for around $50.
Identifying (and thus prosecuting) a bot herder is difficult: the hijacked computers in the botnet carry out the actual attack, so an investigator sees the bots, not the operator, and has to trace the traffic back through the command-and-control infrastructure (which is often rented, proxied or hosted abroad) to reach the person behind it.
Once an adversary is in control of a botnet, the malicious possibilities are extensive. A botnet can be used to conduct many types of attacks, including:
1. Phishing
Botnets can be used to distribute malware via phishing emails. Because the campaign is automated and spread across many bots, taking one sending host offline does little; shutting down the whole campaign is like playing a game of Whack-A-Mole.
2. Distributed Denial-of-Service (DDoS) attack
During a DDoS attack, the botnet sends an overwhelming volume of traffic or requests to a targeted server or application so that legitimate requests can no longer be served (and, in the worst case, the service crashes). Network-layer DDoS attacks use SYN floods, UDP floods, DNS amplification (spoofed queries to open resolvers so that the large answers are reflected onto the victim) and other techniques designed to exhaust the target's bandwidth, connection tables or packet-processing capacity. Application-layer DDoS attacks use HTTP floods, slow attacks such as Slowloris or RUDY that tie up a server's connection slots with deliberately slow requests, and exploits of vulnerabilities in an operating system, application or protocol in order to take down a particular application with far less traffic than a volumetric flood.
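The two network-layer patterns named above leave distinctive fingerprints in flow data: a SYN flood shows up as a destination whose TCP flows are overwhelmingly half-open (SYN seen, handshake never completed), and DNS amplification shows up as a host receiving large UDP payloads from port 53 on many distinct resolvers it never queried. The script below is an added example written for this article, not code from the original page; the `Flow` record layout, the sample flows and the thresholds are constructed to resemble NetFlow/IPFIX-style 5-tuple summaries and are illustrative only.

```python
"""Flag SYN-flood and DNS-amplification patterns in flow records.

Added example for this article (not code from the original page). The flow
record format and the sample flows below are constructed to resemble
NetFlow/IPFIX-style 5-tuple summaries; thresholds are illustrative.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int
    flags: str   # union of TCP flags seen on the flow, e.g. "S", "SAF"; "" for UDP
    pkts: int
    bytes: int


def detect_syn_flood(flows, min_half_open=50, min_ratio=0.9):
    """Return {dst: (half_open, total)} for destinations whose TCP flows are
    overwhelmingly SYN-only, i.e. the client never completed the handshake."""
    half_open = defaultdict(int)
    total = defaultdict(int)
    for f in flows:
        if f.proto != "tcp":
            continue
        total[f.dst] += 1
        if f.flags == "S":   # SYN only: no ACK from the (usually spoofed) client
            half_open[f.dst] += 1
    return {d: (half_open[d], total[d]) for d in total
            if half_open[d] >= min_half_open
            and half_open[d] / total[d] >= min_ratio}


def detect_dns_amplification(flows, min_reflectors=20, min_avg_bytes=1000):
    """Return {dst: (reflector_count, avg_bytes)} for hosts receiving large
    UDP payloads from source port 53 on many distinct sources: the victim side
    of a reflection attack (the victim never sent the queries)."""
    by_dst = defaultdict(list)
    for f in flows:
        if f.proto == "udp" and f.sport == 53:
            by_dst[f.dst].append(f)
    hits = {}
    for d, fl in by_dst.items():
        reflectors = {f.src for f in fl}
        avg = sum(f.bytes for f in fl) / len(fl)
        if len(reflectors) >= min_reflectors and avg >= min_avg_bytes:
            hits[d] = (len(reflectors), round(avg))
    return hits


def sample_flows():
    """Constructed sample: 200 spoofed SYNs against 203.0.113.10:443, five
    legitimate completed handshakes, 40 open resolvers reflecting ~3 KB
    answers onto 203.0.113.20, and one ordinary small DNS answer."""
    flows = []
    for i in range(200):   # spoofed SYN flood, one SYN per random-looking source
        flows.append(Flow(f"198.51.100.{i % 250 + 1}", "203.0.113.10", "tcp",
                          40000 + i, 443, "S", 1, 60))
    for i in range(5):     # normal clients: handshake completes, data flows
        flows.append(Flow(f"192.0.2.{i + 1}", "203.0.113.10", "tcp",
                          50000 + i, 443, "SAF", 12, 4800))
    for i in range(40):    # reflected DNS answers from many resolvers
        flows.append(Flow(f"192.0.2.{100 + i}", "203.0.113.20", "udp",
                          53, 5353, "", 3, 3200))
    flows.append(Flow("192.0.2.53", "203.0.113.30", "udp", 53, 41000, "", 1, 120))
    return flows


if __name__ == "__main__":
    fl = sample_flows()
    print("SYN flood victims:", detect_syn_flood(fl))
    print("DNS amplification victims:", detect_dns_amplification(fl))
```

On real flow exports the thresholds need tuning per environment (a busy web server legitimately sees some half-open connections from lossy clients), and the amplification check should be paired with a list of the resolvers your hosts are actually configured to use, since answers from those are expected.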
3. Cryptojacking
Cryptocurrency is "mined" by computers that earn units of currency by computing enormous numbers of proof-of-work hashes. Those computations use a lot of electricity: Bitcoin mining alone is estimated to use as much energy as the entire nation of Switzerland, and when all expenses associated with mining cryptocurrency are counted, an adversary would spend roughly three times more mining cryptocurrency than mining actual gold. To a criminal mind, it makes far more sense to make someone else pay for the effort by commandeering their CPUs, GPUs and power bills.
4. Snooping
Botnets can be used to monitor network traffic, either passively to gather intelligence and steal credentials or actively to inject malicious code into unencrypted HTTP traffic. Domain Name System (DNS) cache snooping sends non-recursive queries to a resolver to learn which names it already has cached, which reveals what queries its users are making, which domains might be the best targets for a cache poisoning attack, and which mistyped domains might be worth registering.
5. Bricking
A bricking attack wipes the firmware or storage of a poorly secured IoT device, rendering it useless, or bricked. Attackers may use bricking as part of a multi-stage attack, destroying some devices to erase any clues they left behind when launching the primary attack. Bricking makes it difficult or impossible for forensic analysts to recover remnants of malware that would reveal who conducted the primary attack, how, or why.
6. Spambots
Spambots harvest email addresses from websites, forums, guestbooks, chat rooms and anywhere else users enter them. Once acquired, the addresses are used to create accounts and send spam messages. Over 80 percent of spam is thought to come from botnets.
Types of Botnets
Botnets can be categorized into two types:
- Centralized, Client-Server Model
- Decentralized, Peer-to-Peer (P2P) Model
The first generation of botnets operated on a client-server architecture, in which a command-and-control (C&C) server directs the entire botnet.
Because they are simple to build and run, centralized botnets are still used today. The disadvantage of the centralized model compared with P2P is that the C&C server is a single point of failure: take it down, or sinkhole its domain, and the herder loses control of every bot.
The two most common C&C communication channels are IRC and HTTP:
IRC (Internet Relay Chat) botnet
IRC botnets are among the earliest types of botnet and are controlled remotely with a pre-configured IRC server and channel. The bots connect to the IRC server and await the bot herder’s commands.
HTTP botnet
An HTTP botnet is a web-based botnet in which the bot herder uses the HTTP protocol to send commands. Bots periodically poll the server to fetch updates and new commands. Using HTTP lets the herder blend the C&C traffic in with normal web traffic, although the fixed polling interval itself is a detectable pattern.
Newer botnets are peer-to-peer: bots relay commands and information to each other, and most of them never contact a C&C server directly.
P2P botnets are harder to implement than IRC or HTTP botnets, but are also more resilient because they do not rely on one centralized server. Instead, each bot works independently as both a client and a server, updating and sharing information in a coordinated manner between devices in the botnet.
How a Botnet Works
Here’s a simplified version of how a botnet is created:
- The attacker starts with an initial malware infection to create zombie devices, using techniques such as drive-by web downloads, exploit kits, malicious popup ads and email attachments.
- If it is a centralized botnet, the malware directs the zombie device to a C&C server. If it is a P2P botnet, peer propagation begins and the zombie device seeks out other infected devices.
- The zombie device then downloads the latest update from the C&C channel to receive its orders.
- The bot proceeds with its orders and engages in malicious activity.
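The third step above, and the HTTP botnet description earlier on this page, describe bots that poll their C&C on a timer. That regularity is what a defender can hunt for in proxy or DNS logs: human browsing produces bursty, irregular gaps between requests to a host, while a bot checking in every N seconds (even with a little jitter) produces gaps with a very low coefficient of variation. The script below is an added example written for this article, not code from the original page. The log layout (`<epoch> <src_ip> <method> <url> <status> <bytes>`), the hostnames, the sample lines and the thresholds are all constructed for illustration.

```python
"""Spot periodic C&C check-ins ("beaconing") in web proxy logs.

Added example for this article, not code from the original page. The
squid-like log layout and the sample lines are constructed:
    <epoch> <src_ip> <method> <url> <status> <bytes>
Thresholds (min_hits, max_cv) are illustrative and need tuning per site.
"""
import statistics
from collections import defaultdict
from urllib.parse import urlparse


def parse_line(line):
    """Split one constructed proxy log line into its fields."""
    ts, src, method, url, status, size = line.split()
    return float(ts), src, method, urlparse(url).hostname, url, int(size)


def find_beacons(lines, min_hits=6, max_cv=0.15):
    """Return sorted (src, host, period_seconds, hits) tuples for
    source/destination pairs whose request timing is suspiciously regular.

    Regularity is measured as the coefficient of variation of the gaps between
    consecutive requests (population stdev / mean); a fixed timer with small
    jitter gives a value near 0, a person browsing gives a value near or above 1.
    """
    times = defaultdict(list)
    for line in lines:
        ts, src, _method, host, _url, _size = parse_line(line)
        times[(src, host)].append(ts)

    beacons = []
    for (src, host), ts_list in times.items():
        if len(ts_list) < min_hits:       # too few samples to judge periodicity
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:                      # all hits in the same second: not a beacon
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons.append((src, host, round(mean), len(ts_list)))
    return sorted(beacons)


def sample_log():
    """Constructed proxy log: one bot polling its C&C every ~300 s with a few
    seconds of jitter, one person browsing a news site irregularly, and one
    host with too few requests to judge."""
    base = 1700000000
    lines = []
    for i, jitter in enumerate([0, 2, -1, 3, 0, -2, 1, 2]):   # bot on 10.0.0.7
        lines.append(f"{base + 300 * i + jitter} 10.0.0.7 GET "
                     f"http://update-cdn.example/gate.php 200 412")
    t = base
    for gap in [0, 3, 120, 7, 900, 45, 2, 400]:               # person on 10.0.0.8
        t += gap
        lines.append(f"{t} 10.0.0.8 GET http://news.example/story/{gap} "
                     f"200 {15000 + gap}")
    lines.append(f"{base + 10} 10.0.0.9 GET http://update-cdn.example/gate.php 200 412")
    lines.append(f"{base + 900} 10.0.0.9 GET http://update-cdn.example/gate.php 200 412")
    return lines


if __name__ == "__main__":
    for src, host, period, hits in find_beacons(sample_log()):
        print(f"possible beacon: {src} -> {host} every ~{period}s ({hits} hits)")
```

Run against real logs this will also flag legitimate pollers (OS and browser update checks, monitoring agents, mail clients), so the output is a hunting lead to be triaged against an allow-list of known destinations, not an alert on its own. Pairing the timing score with other signals from the same pair, such as an identical URI and response size on every hit or a destination that was first seen only days ago, cuts the false positives considerably.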
Tips to Avoid Being Caught in a Net
To keep your devices from being zombified, we recommend your organization consider the following:
- Run a regular security awareness training program that teaches users and employees to recognize malicious links and attachments
- Run a well-managed patch program so that the latest vulnerabilities are closed before exploit kits reach them
- Keep a quality antivirus solution up to date and scanning regularly
- Deploy an intrusion detection system (IDS) across your network
- Use an endpoint protection solution that includes rootkit detection and can detect and block malicious network traffic
- Change default credentials on IoT devices and keep them on a segmented network, since weakly secured IoT devices are a favourite target for botnet recruitment
- Monitor outbound traffic and DNS for periodic check-ins to unfamiliar hosts, and block known C&C domains at the egress layer