What is a botnet?
A botnet is a collection of web connected devices including servers, PCs, mobile devices, and IoT devices, that are infected and controlled by shared malware. A system commonly becomes part of a botnet without the user even realizing it. These hijacked devices can be used to carry out distributed denial-of-service attacks, steal data, send spam — or even remotely access the local network of a device.
The architecture of bot networks has evolved over time, adapting to newer security systems in order to avoid detection or disruption. Traditionally, bot programs are constructed as clients that communicate via existing servers. But many recent botnets rely on existing peer-to-peer networks to communicate. These P2P bot programs have the same capabilities as botnets operated within the client-server model, but they communicate directly with each other, avoiding the need for a central server.
How botnets work
Botnets are used to distribute spam through email, undertake click fraud attacks, and initiate DDoS attacks. Botnet malware will repeatedly scan the internet looking for exposed systems or IoT devices, rather than targeting individuals or companies, in order to infect as many devices as possible. The computing power and resources of a large botnet are leveraged to automate tasks while remaining hidden from the device owner. The botnet stays concealed through a number of tactics. A major method is to piggyback onto a devices browser. By using a small portion of the device’s resources, the increase in traffic is too small for the user to notice.
Because such a small amount of computing power is used from each hijacked device, botnets require numerous devices (sometimes numbering in the millions) to produce a desired effect on an intended target.
Botnet infections are regularly spread by malware of some kind. This malware will scan systems or devices for common points of vulnerability, like an out of date OS, or an open firewall, with the goal of breaching as many systems as possible.
Once the botnet network reaches a desired size, attackers control the bots using one of two approaches:
- Standard client/server approach: A command-and-control server sends automated directions to all of the infected systems in the botnet. There are a number of ways this communication can be routed: through an IRC channel, through basic HTML, or by using a VPN. Detection can be difficult because bots can be programmed to remain dormant in order to avoid suspicion. They will listen for commands and then ‘wake up’ to launch any malicious activities.
- Peer-to-peer approach: A more modern approach — used to avoid suspicion by law enforcement or network security systems — peer-to-peer bots fix the problem of C&C domains and servers being targeted by communicating through a decentralized network. All of the bots connect directly with each other, avoiding the need for a central communication system.
Notable botnet attacks
- Zeus: One of the major forms of malware that exists today. Zeus is built around a Trojan horse program that infects vulnerable systems by pretending to be an innocuous piece of software.
- Srizbi: At one point the largest spam botnet in the world. Srizbi is commonly referred to as the “Ron Paul spam botnet”, and was at one point responsible for almost 60 billion messages a day. During its peak, It accounted for just under half of all email spam at any given point.
- Gameover Zeus: This botnet used a peer-to-peer network approach, making it harder for law enforcement and security vendors to locate and terminate. Infected bots used a domain generation algorithm to communicate with each other.
- Methbot: Run on approximately 800-1,200 dedicated servers in data centers located in both the U.S. and the Netherlands. The infected servers produce fake clicks and mouse movements, and forge social media account logins to appear as legitimate users.
- Mirai: Built to scan the internet for unsecured devices. Once it identifies an open device, the malware attempts to log in with a series of common passwords. If the logins don't work, Mirai uses brute force techniques to guess the password.
Why botnets are important
The ability of users to avoid botnet attacks has recently been hindered by the increasing growth of malware built to target routers and IoT devices. These systems frequently have weak passwords, if any — leading to easy access. Many IoT devices don’t even let users directly change their security settings, making any attempts to deter attackers extremely difficult. When manufacturers can’t remotely update the firmware of a device to patch known security holes, the only choice they have is to issue a factory recall.
In the past, botnet attacks were disrupted by focusing on the command-and-control source. Law enforcement agencies and security vendors would track bots' communications back to wherever the C&C servers were hosted, and then force the service provider to shut them down. As botnet networks have advanced, so have the methods used to find them. This includes identifying and removing botnet malware infections at the source devices, identifying and replicating the peer-to-peer communication methods, and in cases of ad fraud, disrupting the individual monetization schemes rather than the underlying criminal infrastructure.