A botnet may have started in a science fiction narrative, but it now exists in reality and poses a real and substantial threat. Imagine a computer that isn’t quite dead, going about its normal daily work—computing, networking, connecting to the Internet—in a way that seems harmless. Yet, inside this computer, which its owner believes is just busily working away, is a malicious program (“Trojan”) that has taken over the machine and is using it as a soldier in an army of bots.
What Is a Botnet?
In cyber security, botnets are, to put it simply, a big problem. When I talk about compromised devices, I mean the class of devices that can be taken over rather easily and used to do things without their owners' knowledge. They are used in the commission of crimes, yet they look and act normal to anyone who does not know they are infected. This zombie class of devices can include computers, smartphones, and “smart” devices in the home. They keep doing what they are supposed to do, and they do it so well that nobody can tell, without advance warning or a long period of observation, that they are not functioning normally.
A botnet is a major danger we face in the field of cyber security. The compromised devices it uses are commandeered without the knowledge or consent of their owners. The “zombies” can be anything from personal computers and smartphones to Internet of Things devices, like smart home assistants and security cameras. We call them “zombies” for their mindless obedience. And infected devices—unlike the sick, visibly malfunctioning ones you would never want to use—look and behave normally to everyone around them. That is how a botnet can sustain a compromised device count in the tens of millions without anyone noticing. Under the right circumstances, a botnet is a powerful and profitable tool for the bad guys.
Botnets are effective and dangerous, and cybercriminals are behind their deployment. Their motives are profit-driven: they infect as many devices as possible and leverage their botnets for money. In effect, they turn a botnet into a cash register, generating profits in several ways: they use it to launch attacks such as DDoS, they employ the devices under their control in pay-per-click schemes that manipulate the ads displayed in your browser, and they use it to mine cryptocurrency.
Botnets do not just present a direct damage threat to individual systems; they are a broader risk to the internet’s integrity and the security of personal data. As the number of interlinked devices grows (many of us now own multiple smart gadgets), so too does the botnet danger. The most damaging contemporary botnets—those that enable massive distributed denial of service (DDoS) attacks—tend to recruit infected IoT devices, many of which are poorly secured and thus easily commandeered by bad actors. All of this highlights the necessity of cyber security. Device owners need to take proactive measures and implement basic security measures on their devices: strong, unique passwords (for devices that accept them), software that is kept up to date, and antivirus solutions that I hope don’t include the words “just in case” as part of their marketing tagline. Cyber security must be taken seriously at the individual level.
The Recruitment of Bots and the Botnets’ Cybercrime
The cyber security threat landscape is constantly changing, and botnets pose a major problem. Bad guys use these networks of enslaved devices, often referred to as “zombie” machines, to perpetrate various cybercrimes. In this piece, we will explore the methods hackers use to recruit devices into a botnet and the different ways they use these networks to commit crimes.
Typically, the formation of a botnet begins with infecting a set of devices with the hacker’s chosen malware, which is designed to spread. Social engineering, a classic way of spreading malware, involves tricking users into doing things they should always avoid, such as opening an infected e-mail attachment. The Internet is the primary medium for spreading botnet malware and other current strains of virus and worm malware; e-mail remains the primary vector, but worms also exploit various Internet services. Once the user makes a mistake and lets the malware in, the hacker “owns” the device: the malware grants the hacker access to an interactive shell on it. After recruitment, the hacker can either use the device directly (until their activities are discovered) or keep it quietly enrolled while it appears to its owner to be operating normally.
Once a botnet is up and running, cybercriminals can use it to carry out all sorts of tasks that would normally require a great deal of computing power. Among the many infamous tasks botnets have been given over the years, distributed denial-of-service (DDoS) attacks are one of the most common. In a DDoS incident, the bots are commanded to flood a server the hacker has a beef with, sending so many requests that it and the services it provides go offline. The mix of disruption and pure chaos that a botnet-driven DDoS attack can unleash makes this cyber weapon a truly dangerous tool. A DDoS incident doesn’t have to be a big “event” that people can see happening right now; it is a “denial of service” whether the target is knocked offline momentarily or for an extended period. And botnets have done that millions of times over.
Criminals can also use botnets to carry out more complex cybercrimes, such as credential stuffing, which involves trying stolen login information on numerous sites to see whether it grants access. The size of the botnet and the number of devices in it can be crucial for these more complex tasks. Using a botnet for these operations also raises the question of whether the criminals exploiting old and new vulnerabilities in the targeted sites are acting independently or in collaboration with those who originally built the botnets. We know that the individuals responsible for botnets use stolen login information to construct their own networks. Do they use the same or different stolen information to act as hackers for hire (or hack for fun, as some hackers claim) and find the site vulnerabilities that allow them to use botnets to get in?
Botnet Architecture Evolution
How botnet architecture has changed over the years affects cyber security and law enforcement in very important ways. To grasp how cyber crooks operate—and how the good guys try to stop them—it helps to understand the difference between a centralized and a decentralized botnet. One controlling server forms the foundation of a centralized botnet; a decentralized one does not depend on any main server to send orders. The bad guys have used both models, and the good guys have had to figure out how to counter them.
A centralized botnet has a simple architecture. The botmaster establishes one or more command servers, which serve as the principal line of communication for all the devices under the botnet’s control, sometimes called “zombies.” The botmaster hands orders to the command servers, and from there the orders are transmitted to the connected devices, which carry them out promptly and directly. This model is very straightforward, and it is among the simplest botnet types to understand and to manage. Tools like Internet Relay Chat (IRC) or platforms like Discord facilitate real-time back and forth between a cybercriminal and the members of their botnet. A prime example is the DISGOMOJI malware, which sends commands to the bots using emojis in a Discord channel.
In contrast, the decentralized model is more complex and sturdier. In this arrangement, the bots in the service of the criminal mastermind connect directly with one another, forming a mesh network. Commands move through the network from one device to another, with no single point of failure, which enhances the botnet’s survivability. More than that, command propagation through a mesh of devices creates significant problems for law enforcement agencies that want to take down the botnet. With no central command to go after and no single point of failure, the traditional methods of tracking and disruption that police use with such gusto and frequency lose their effectiveness, and the botnet, much like an old, tired comic book villain, just can’t seem to stay down for the count.
The choice between a centralized and a decentralized botnet model is ultimately the cybercriminal’s own. Operational exigencies—the need for command and control, a rapidly deployable system, and, above all, a system that can fly under the radar long enough to avoid detection by law enforcement—appear to drive this choice more than any other factor. Control, robustness, and stealth: these three critical factors decide which model cybercriminals will use for a given operation, and they are also very enlightening about why certain models of cybercrime are effective for certain kinds of attacks and why some models ultimately fail.
How to Determine Whether Your Computer Has Joined a Botnet
1. Comprehending Botnets
Networks of compromised computers are controlled by one entity, usually referred to as the “botmaster.” These networks engage in various malicious activities such as spamming, initiating Distributed Denial of Service (DDoS) attacks, and occasionally, pilfering personal information. However, the functions and characteristics of botnets are not widely understood. Understanding botnets means realizing how easily your computer (or mine) could join one.
2. Unusual Behaviour of Your Computer
Strange activity is one of the first signs that your personal computer may be part of a botnet. This could manifest as degraded performance, an unexpected freeze, or a sequence of actions (such as windows opening and closing) that your PC executes on its own. If you suspect that your personal computer is part of a zombie army, you might just have a (Trojan) horse in the stable.
3. Escalating Network Activity
A strong indicator of a botnet infection is increased network activity. If your internet connection is unexpectedly sluggish or if your data usage has surged recently, it is possible that your PC is conversing with other infected machines or taking orders from a botmaster. You can monitor your network traffic to glean more information about any strange behaviors.
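Two of the patterns worth looking for in that traffic are a machine that contacts the same remote endpoint on a fixed schedule (the check-in rhythm a bot polling a command server produces) and a machine whose outbound volume suddenly dwarfs its normal baseline. The following is an added example, not code from the article; it works over constructed connection records and a constructed per-host baseline (addresses are from the documentation ranges), and the thresholds (five connections, a coefficient of variation of 0.1, a 10x volume factor) are assumptions to tune for your own network:

```python
"""Check outbound connection records for botnet-style network activity.

Added example, not code from the article: it flags (a) a host that contacts
the same remote endpoint at nearly constant intervals, the check-in pattern a
bot polling a command server produces, and (b) a host whose outbound volume
far exceeds its usual baseline. All records, addresses (documentation ranges)
and baselines below are constructed sample data.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed records: (epoch_seconds, src_ip, dst_ip, dst_port, bytes_out)
SAMPLE_FLOWS = [
    # 192.0.2.5: ordinary browsing, irregular timing, mixed destinations
    (1000, "192.0.2.5", "198.51.100.10", 443, 4200),
    (1037, "192.0.2.5", "198.51.100.11", 443, 18000),
    (1190, "192.0.2.5", "198.51.100.10", 443, 2200),
    (1402, "192.0.2.5", "198.51.100.12", 443, 9100),
    (1811, "192.0.2.5", "198.51.100.11", 443, 1300),
    # 192.0.2.7: contacts 203.0.113.9:6667 roughly every 60 s with tiny payloads
    (1000, "192.0.2.7", "203.0.113.9", 6667, 120),
    (1060, "192.0.2.7", "203.0.113.9", 6667, 118),
    (1121, "192.0.2.7", "203.0.113.9", 6667, 122),
    (1180, "192.0.2.7", "203.0.113.9", 6667, 119),
    (1240, "192.0.2.7", "203.0.113.9", 6667, 121),
    (1301, "192.0.2.7", "203.0.113.9", 6667, 120),
    # 192.0.2.9: one transfer far larger than anything this host normally sends
    (1000, "192.0.2.9", "198.51.100.20", 443, 80_000_000),
]

# Constructed baseline: typical outbound bytes per host over the same window
BASELINE_BYTES = {"192.0.2.5": 60_000_000, "192.0.2.7": 5_000_000, "192.0.2.9": 2_000_000}


def find_beacons(flows, min_connections=5, max_cv=0.1):
    """Return endpoints contacted at nearly constant intervals.

    Groups flows by (src, dst, port), computes the gaps between successive
    connections and reports groups whose coefficient of variation
    (stddev / mean of the gaps) is at or below max_cv: human traffic is
    bursty, a scheduled check-in is not.
    """
    stamps_by_endpoint = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        stamps_by_endpoint[(src, dst, port)].append(ts)

    findings = []
    for (src, dst, port), stamps in stamps_by_endpoint.items():
        if len(stamps) < min_connections:
            continue
        ordered = sorted(stamps)
        gaps = [later - earlier for earlier, later in zip(ordered, ordered[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "port": port,
                             "connections": len(stamps),
                             "interval_s": round(avg, 1), "cv": round(cv, 3)})
    return findings


def find_volume_spikes(flows, baseline, factor=10):
    """Return hosts whose summed outbound bytes exceed factor x their baseline."""
    totals = defaultdict(int)
    for _, src, _, _, nbytes in flows:
        totals[src] += nbytes
    return [{"src": src, "bytes": total, "baseline": baseline[src]}
            for src, total in sorted(totals.items())
            if src in baseline and total > factor * baseline[src]]


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_FLOWS):
        print("possible check-in beacon:", hit)
    for hit in find_volume_spikes(SAMPLE_FLOWS, BASELINE_BYTES):
        print("outbound volume spike:", hit)
```

On a real network the records would come from a flow export, firewall log or router counters rather than the constructed list above, and the baseline from a quiet period you trust. A hit is a lead, not a verdict: software updaters and monitoring agents also check in on a schedule, so the next step is to look at what the flagged host is talking to and why.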
4. Programs and Processes You Don’t Recognize
An average compromised computer harbors a bot that operates in secret, carrying out unknown and dubious tasks in the background. Some of these bots are brazen enough to show up in plain sight. One way to stop them before they do too much damage—which they are programmed to do upon receiving the signal from the malicious hacker who controls them—is to regularly check your installed programs and running processes for anything that looks off.
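“Anything that looks off” is easier to judge against a snapshot of what the machine ran when it was known to be clean. The following is an added example, not code from the article: it compares a process listing against a baseline inventory and reports processes that are absent from the baseline, run from a temporary or user-writable directory, borrow the name of a system binary while living outside the system path, or were started by an unexpected parent. The baseline, directory lists and process rows are all constructed sample data standing in for the output of a process listing on a Linux host.

```python
"""Triage a process snapshot against a known-good baseline.

Added example, not code from the article: given a list of running processes
(constructed sample rows standing in for the output of a process listing),
it flags anything absent from the baseline inventory, anything running from
a temporary or user-writable directory, a process that borrows the name of
a system binary while living outside the system path, and a known binary
started by an unexpected parent. Baseline, directories and rows are all
constructed sample data.
"""
import posixpath

# Constructed baseline: executable path -> parent process expected to start it
BASELINE = {
    "/usr/sbin/sshd": "systemd",
    "/usr/bin/bash": "sshd",
    "/usr/lib/firefox/firefox": "bash",
    "/usr/bin/python3": "bash",
}
SYSTEM_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/lib/")
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")

# Constructed snapshot rows: (pid, executable path, parent process name, user)
SAMPLE_PROCESSES = [
    (612, "/usr/sbin/sshd", "systemd", "root"),
    (1140, "/usr/bin/bash", "sshd", "alice"),
    (1402, "/usr/lib/firefox/firefox", "bash", "alice"),
    (2010, "/tmp/.x/update", "bash", "alice"),              # unknown binary in /tmp
    (2044, "/home/alice/.cache/sshd", "firefox", "alice"),  # "sshd" outside system dirs
    (2100, "/usr/bin/python3", "bash", "alice"),
]


def triage(processes, baseline=BASELINE):
    """Return one finding per suspicious process, with the reasons it tripped."""
    system_names = {posixpath.basename(path) for path in baseline}
    findings = []
    for pid, path, parent, user in processes:
        reasons = []
        name = posixpath.basename(path)
        if path not in baseline:
            reasons.append("not in baseline inventory")
        elif baseline[path] != parent:
            reasons.append(f"unexpected parent {parent!r}")
        if path.startswith(WRITABLE_DIRS):
            reasons.append("executable in user-writable directory")
        if name in system_names and not path.startswith(SYSTEM_DIRS):
            reasons.append(f"system binary name {name!r} outside system path")
        if reasons:
            findings.append({"pid": pid, "path": path, "user": user, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_PROCESSES):
        print(f"pid {finding['pid']} ({finding['path']}, {finding['user']}): "
              + "; ".join(finding["reasons"]))
```

In practice the rows come from `ps` or the operating system’s process API and the baseline from a snapshot taken while the machine was known to be clean; the parent-process check is what catches a legitimate binary being launched from somewhere it should not be, which a plain name lookup misses.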
5. Alerts from Your Security Software
Consistent alerts from your antivirus or other security software indicating that threats are present may suggest that your PC has been compromised and is participating in a botnet. Security programs typically address botnet threats by eliminating malware and implementing countermeasures. If you’re receiving consistent alerts about the same or similar threats, take them seriously and handle them proactively.
6. Email Activity That Is Out of the Ordinary
If you discover messages leaving your email account that you did not write, it could indicate an early-stage infection on your computer, before the obvious signs of infection manifest. Cybercriminals often use compromised email accounts to send out spam and phishing messages. Monitoring the activity of your email account can give you an early warning of infection.
7. What to Do When You Think You’re in a Botnet
If you suspect that your computer is infected and part of a botnet, there are a few straightforward and rapid steps you can take to minimize the danger. Most importantly, disconnect from the internet. This is not quite “put it in a bag and throw it in the river,” but it is a step that keeps your computer from doing any further dirty work and keeps the botmaster from issuing more commands. Next, scan the system. Doing so with a high-quality antivirus program will, I am confident, reveal the true nature of the threat to your computer. After that, get a new set of keys: change your passwords.
8. How to Stop Botnets from Infecting Your Computer
It’s much easier to prevent a botnet infection than to clean up the mess afterward. To protect against botnets, keep your operating system, software, and security measures up to date. That means using a two-way (incoming and outgoing) firewall and regularly checking for updates. Another effective protective measure is to use strong, unique passwords for all of your system and software accounts.
Botnets in Our Lives
You don’t have to be a botnet expert to protect yourself from this pernicious form of malware. Being able to recognize the signs of a botnet infection (slow PC performance, increased Internet traffic, odd outgoing messages and/or phone calls), understanding how botnets work, and following some basic, time-tested rules of cyber security can keep you and your computer out of the botnet business.