One computer program that automatically performs a repetitive malicious task is called a bot. Multiply that program by two or more and you’ve got a botnet—and a big problem. Botnets pose a formidable threat to Internet users everywhere and, as we’ll explore below, are only growing in terms of sophistication and reach.
What Are Botnets?
Botnets are groups of malware-infected, Internet-connected devices that perform mundane tasks with precision and speed. They are led by bot masters, aka bot herders, who communicate with a C&C server (a computer that instructs infected devices to carry out attacks and perform other functions) via covert channels, such as Internet Relay Chats (IRCs) and websites.
Each individual connected computer in a botnet is called a zombie because the computer or device owner is generally unaware that their machine is mindlessly performing malicious actions. Botnets can wreak all kinds of havoc—from DDoS attacks to cryptocoin mining, from sending spam to spreading fake news.
Over the last few years, botnets have become a popular tool for attackers because they can easily and stealthily infiltrate almost any type of Internet-connected device. Due to their scale, botnet malware allows attackers to perform actions that cannot be performed by a single compromised machine. Also, because they are under one central control, they can instantly receive updates and changes.
How Do Botnets Work?
There are two types of botnet structures: client-server and peer-to-peer (P2P). In their own ways, both attempt to provide the bot master with a high level of control over the “zombie” army. In the client-server model, the older of the two, the central server directly issues commands and instructions to the zombie devices. This makes it simple to control the botnet, but also makes it easy for law enforcement agencies to track down the server. And once the server is shut down, the jig is over. In the last few years, law enforcement agencies have detected and shut down many of these operations.
In the more advanced P2P architecture, attackers deploy their infections on decentralized P2P networks, which makes it harder to detect their presence. Additionally, they often use digital key signatures to ensure that only parties with access to the key send instructions to the botnet. According to researchers at security firm, Kaspersky, “Many P2P botnets are far more resilient to takedown attempts than centralized botnets, because they have no single points of failure.”
Types of Botnets
Botnets are versatile and have many potential applications in cybercrime. Here are a few ways attackers utilize botnets for malicious gain:
Distributed Denial-of-Service (DDoS) Attacks
DDoS attacks are one of the most common ways botnets are used. Specifically, in a volumetric DDoS attack, botnets are employed to send huge amounts of traffic to target websites—with the goal of making them unavailable. This is a choice tool for hacktivists, as the goal is to cause damage, not steal information or money. Many times though, botnet DDoS attacks are merely smokescreens for other, more damaging attacks.
Botnets often deliver trojans and other malware via spam campaigns. They are capable of sending a massive amount of spam emails at one time, which means they can reach huge numbers of people on a daily basis. This increases the chances that potential victims will open infected email attachments, allowing the botnet to enlist their machines or download another piece of damaging malware.
Attackers have started repurposing botnets that were once used in other types of attacks to mine for cryptocurrency. This is because the aggregate power of a botnet army makes mining for cryptocurrency far faster and more efficient than when using a slew of infected, yet unconnected, devices.
There are many different types of fraud botnets, including:
- Click-fraud/ad-fraud botnets: These botnets can create millions of artificial clicks and impressions each day, earning commission off of those clicks.
- Video-fraud botnets: 2017’s Hyphbot is made of half a million compromised PCs generating artificial views of online videos.
- Social botnets: Rampant on social-media platforms, these botnets create fake profiles to spread malicious or false content.
Botnets are powerful and can cause significant damage, but some have left more of a lasting impact than others. Here’s a look at some of the most high-profile, wide-ranging botnets that security experts have had to tackle:
Discovered by the Microsoft Malware Protection Center in 2008, Conficker was one of the first botnets and, at its peak, enlisted over 15 million computers into its massive botnet. Oddly, Conficker has yet to be caught destroying or stealing information. Rather, its goal is to spread to as many machines as possible. It has been found on Windows operating systems belonging to military and law enforcement agencies, health care providers, and other institutions, in over 190 countries.
Continuously evolving, Necurs is a spam botnet that distributes other types of malware. According to Mike Benjamin of Black Lotus Labs, “Necurs is the multitool of botnets, evolving from operating as a spam botnet delivering banking trojans and ransomware to developing a proxy service, as well as cryptomining and DDoS capabilities.” Notably, Necurs often shuts down operations to evade detection and then reappears suddenly, allowing it to infect more than half a million computers across the globe so far. It distributes Locky, Scarab ransomware, and Dridex, among other threats.
Mirai is an IoT-based botnet (more about these later.) In 2016, it took over CCTVs and DVRs to launch a DDoS attack of epic proportions. The attack took down much of the Internet on the U.S. East Coast, and it’s been mutating ever since, due to the fact that the creators released the source code.
Zeus is one of the most prolific and damaging banking trojan botnets. First discovered in 2006, it enables attackers to build their own custom trojans and add all infected machines into its immensely powerful botnet. With its keylogging and monitoring capabilities, it can capture sensitive banking information. Zeus has hundreds of variants based on the source code and still infects computers today.
A relative newcomer to the botnet scene, Smominru typically affects Windows 7 and 8 users. It uses the EternalBlue exploit to spread to computers and then adds them to its ever-growing botnet. It silently mines for cryptocurrency and has a data-exfiltration module. Notably, when it finds a rival infection on a targeted device, Smominru removes the competition and replaces it with itself.
Botnets constantly change their tactics to evade detection. Here’s a look at some emerging botnet trends to watch out for:
TheMoon, a newly discovered IoT botnet, boasts a relatively unique module—it can be rented out on the dark web. This illustrates a trend towards botnets-as-a-service. Today, on a typical dark-web malware marketplace, enterprising (and, perhaps, slightly lazy) attackers can rent out prefab botnets, botnet builder kits, and pre-made tools. These packages are chock full of everything an attacker needs to set up a potent botnet, including various payloads to choose from.
Low-and-Slow Botnet Attacks
Attackers are turning to low-and-slow attacks, which send seemingly legitimate traffic at very slow rates, in place of more traditional volumetric DDoS attacks, which send large amounts at very fast rates. The attacks appear as legitimate traffic, so they fly under the radar, helping attackers much more than more noticeable DDoS attack methods.
More Mirai Botnets
It’s been over three years since Mirai first emerged, and it’s still causing damage. There are over 20,000 known variants of the source code in the wild—and with the growing amount of hackable IoT devices, finding a vulnerable target has never been easier. This leads directly to the next trend (see below):
Expanding IoT Botnets
IoT devices are always on, usually use hardcoded passwords and usernames, grant too many permissions, and have weak security measures in place. This makes them prime targets for attackers looking to enlist additional zombies into their botnets. From wearables to cameras, lighting systems to cars, medical devices, and any other Internet-connected device, these single-purpose computers allow attackers to create botnets of epic proportions—and they’re far simpler to exploit than traditional computers.
Spotlight on the Emotet Botnet
Emotet, the infamous trojan-turned-botnet, has been plaguing Internet users for years, in varying forms. First discovered in 2014, it began as a banking trojan, targeting banks in Germany and Austria. It gradually added on modules for spam and ransomware, as well as the ability to access emails, passwords, financial information, and Bitcoin wallets.
In recent years, Emotet added on a powerful botnet module. Now, machines infected with Emotet get added to the botnet itself, carrying out DDoS attacks and sending out spam campaigns. This further spreads Emotet, continuing the cycle. The repercussions of this are huge: A single Emotet bot in the larger botnet can send millions of spam emails every day, and Emotet has approximately 300,000–400,000 bots like this.
Also, since Emotet can access emails, it uses subject lines containing real content taken straight from victims’ inboxes. Then it sends emails to the victims’ contacts, making it very likely that at least some of the recipients will open infected attachments. And Emotet doesn’t discriminate: It targets computers run by both home users and giant corporations, which means that everyone is at risk.
IoT devices aren’t going to get more secure overnight; people will continue to open emails they shouldn’t; and attackers are going to keep renting out wares on the darknet. This means that the threat of botnets isn’t going away any time soon.
Using a tool like Cynet 360 can help keep your networks secure against this silent and sophisticated threat—and save them from becoming zombies too. Cynet 360 detects and exposes botnets, ensuring that your endpoints stay under your control, not under a bot herder’s. It’s a multi-layered, holistic approach to endpoint security that also covers IoT devices to ensure complete protection.