What is a botnet and how is it used?

Control over thousands or even millions of computers allows cybercriminals to deliver malware or carry out a DDoS attack.

Botnet definition

A botnet is a collection of Internet-connected and infected computers that a hacker has compromised to perform DDoS attacks and other tasks. A botnet is a peer-to-peer network consisting of many computers, sometimes millions.

Hackers use malware to infect legitimate computers, which communicate back to the botnet operator. This typically happens without the knowledge of the computer owners. The aim is to increase the number of remote computers in the botnet, which together can automate and accelerate large-scale attacks.

Botnet architecture - a peer-to-peer network

A botnet is an example of a distributed computer system operating over the Internet. The hackers or organised groups of hackers who run a botnet, called "controllers" or "shepherds", must recruit computers to their network and then coordinate their activity. There are a number of components to the architecture that help botnets form and maintain themselves:

• Botnet malware. Hackers take control of target computers via malware. There are a number of different vectors by which malware can enter computers, ranging from phishing and watering hole attacks to exploiting unpatched security vulnerabilities. This malware allows the hacker to force the compromised machine to act without its owner being aware of it. The aim of the malware is not to steal anything or do any damage. Instead, it tries to remain hidden so that the botnet software can continue to operate.

• Botnet drones. Once a device has been taken over by the hacker, it is called a drone â it is just another part of the botnet, although it has some degree of autonomy and in some cases artificial intelligence. A botnet drone can recruit many other computers and devices with some intelligence, making it harder to find and stop the drones.

All kinds of internet connectivity devices can be turned into drones, from PCs to mobile phones to IoT devices. In fact, the latter type of devices, like internet-enabled security cameras or cable modems, can be of particular interest to hackers, as people sometimes leave the devices unpatched and vulnerable.

By infecting 'legitimate' people's devices with malware, the operator of a botnet gains resources by using the IP addresses of homes that appear to be legitimate users and gets free computational resources to perform tasks.

• Botnet command and control (C2). The final piece of the puzzle is the mechanism by which these bots are controlled. Early botnets were generally controlled from a central server, but this made it relatively easy to kill the entire network by tracking the central server and disrupting it. Modern botnets operate on a peer-to-peer model, where commands are passed from drone to drone as they recognise their distinct malware signatures over the internet.

Communication from bot hosts and between bots can use a variety of protocols. Internet relay chat (IRC), an old-fashioned chat protocol, is still widely used because it can be installed on bots relatively easily without using too many resources. However, a number of other protocols are also used, including Telnet and plain HTTP, which make traffic difficult to detect. Some botnets use even more creative means of coordination, with commands posted on public websites like Twitter or GitHub.

What makes a botnet?

Distributed denial-of-service attacks or DDoS attacks are perhaps the most well-known and popular type of botnet attack. These attacks, where hundreds or thousands of compromised machines all try to access a server or other online resource with legitimate web traffic and knock it out in the process, cannot really happen without a botnet.

They are also relatively easy to start, as almost any device that can be infected will have internet capabilities and at least a rudimentary web browser. So almost any computer can be used for a DDoS attack.

But there is a world of other malicious purposes that hackers can have with their botnets - and the target of the botnet determines what kind of devices the botnet creators will try to infect. If a hacker wants to use their botnet for bitcoin mining, they can go after IP addresses in a certain part of the world because those machines are a bit better - they have a GPU and a CPU, and people won't necessarily notice the impact if it's mining in the background.

In addition, botnets can be used to steal sensitive information, to download additional malware, to carry out phishing and many other kinds of cyber attacks.

Examples of botnets of infected computers

Although DDoS attacks may get most of the attention today, the aim behind the veryfirst distributed network systems to send spam emails. Khan C. Smith built up a host of bots to help run his spam empire in 2001 and made millions of dollars in the process. He was eventually sued by Internet service provider EarthLink for $25 million.

One of the most prominent botnets of recent years was Mirai, which briefly took much of the internet offline in 2016. Created by a college student in New Jersey, Mirai grew out of a war between hosts of Minecraft servers, but the code for that type of botnet is still in circulation today.

Mirai specifically targeted Internet-connected closed-circuit television cameras to turn them into drones, showing exactly how important an attack surface IoT devices have become today.

But there are numerous other examples of botnets on the web. Larger botnets like TrickBot make heavy use of malware like Emotet, which relies more on social engineering for installation. These are typically more resilient and are used to deploy other types of malware, such as trojans and ransomware.

There have been several attempts by law enforcement agencies to disrupt these large botnets over the last few years with some success.

How to prevent or stop a botnet attack

The process of securing yourself against botnets can be done in two ways: you either prevent your own devices from becoming bots, or you fight attacks launched by botnets. In either case, as this blog post may have made clear, there is little you can do to defend yourself that will not already be part of good security practice.

Hackers are turning devices into bots with malware delivered via phishing emails, so make sure you and your employees don't open phishing emails. They hack into insecure IoT devices, so make sure to set those devices' passwords to something other than the default.

If hackers manage to plant malware on your computer, have updated antivirus to detect it quickly. If you are on the receiving end of a DDoS attack, you can filter out the malicious traffic or increase your capacity with a content delivery network.

There are also some botnet-specific techniques you can implement to keep yourself safe. For example, you can watch for suspicious traffic leaving your network. Statistical flow analysis sounds complex, but it can reveal the presence of botnet command and control traffic.