A botnet is a collection of internet-connected devices, which may include personal computers (PCs), servers, mobile devices and internet of things (IoT) devices, that are infected and controlled by a common type of malware, often unbeknownst to their owner.
Infected devices are controlled remotely by threat actors, often cybercriminals, and are used for specific functions, yet the malicious operations stay hidden from the user.
Botnets are commonly used to send spam emails, engage in click fraud campaigns and generate malicious traffic for distributed denial-of-service (DDoS) attacks.
How do botnets work?
The term botnet is derived from the words robot and network. A bot, in this case, is a device infected by malicious code, which then becomes part of a network, or net, of infected machines all controlled by a single attacker or attack group.
A bot is sometimes called a zombie, and a botnet is sometimes referred to as a zombie army. Conversely, those controlling the botnet are sometimes referred to as bot herders.
The botnet malware typically looks for devices with vulnerable endpoints across the internet, rather than targeting specific individuals, companies or industries.
The objective for creating a botnet is to infect as many connected devices as possible and to use the large-scale computing power and functionality of those devices for automated tasks that generally remain hidden to the users of the devices.
For example, an ad fraud botnet infects a user's PC with malicious software that uses the system's web browsers to divert fraudulent traffic to certain online advertisements. However, to stay concealed, the botnet won't take complete control of the operating system (OS) or the web browser, which would alert the user.
Instead, the botnet may use a small portion of the browser's processes, often running in the background, to send a barely noticeable amount of traffic from the infected device to the targeted ads.
On its own, that fraction of bandwidth taken from an individual device won't offer much to the cybercriminals running the ad fraud campaign. However, a botnet that combines millions of botnet devices will be able to generate a massive amount of fake traffic for ad fraud.
The architecture of a botnet
Botnet infections are usually spread through malware or spyware. Botnet malware is typically designed to automatically scan systems and devices for common vulnerabilities that haven't been patched in hopes of infecting as many devices as possible.
Once the desired number of devices is infected, attackers can control the bots using two different approaches.
The client-server botnet
The traditional client-server model involves setting up a command and control (C&C) server and sending automated commands to infected botnet clients through a communications protocol, such as Internet Relay Chat (IRC).
The bots are then often programmed to remain dormant and await commands from the C&C server before initiating any malicious activities or cyber attacks.
The P2P botnet
The other approach to controlling infected bots involves a peer-to-peer (P2P) network. Instead of using C&C servers, a P2P botnet relies on a decentralized approach.
Infected devices may be programmed to scan for malicious websites or even for other devices that are part of a botnet. The bots can then share updated commands or the latest versions of the malware.
The P2P approach is more common today, as cybercriminals and hacker groups try to avoid detection by cybersecurity vendors and law enforcement agencies, which have often used C&C communications to locate and disrupt botnet operations.
Examples of botnet attacks
The Zeus malware, first detected in 2007, is one of the best-known and widely used malware types in the history of information security. Zeus uses a Trojan horse program to infect vulnerable devices. Variants of this malware have been used for various purposes over the years, including to spread CryptoLocker ransomware.
Initially, Zeus, or Zbot, was used to harvest banking credentials and financial information from users of infected devices. Once the data was collected, attackers used the bots to send out spam and phishing emails that spread the Zeus Trojan to more prospective victims.
In 2009, cybersecurity vendor Damballa estimated Zeus had infected 3.6 million hosts. The following year, the Federal Bureau of Investigation (FBI) identified a group of Eastern European cybercriminals who were suspected to be behind the Zeus malware campaign.
The Zeus botnet was repeatedly disrupted in 2010 when two internet service providers (ISPs) that were hosting the C&C servers for Zeus were shut down. However, new versions of the Zeus malware were later discovered.
Approximately a year after the original Zeus botnet was disrupted, a new version of the Zeus malware, known as GameOver Zeus, emerged.
Instead of relying on traditional, centralized C&C servers to control bots, GameOver Zeus used a P2P network approach, which initially made the botnet harder for law enforcement and security vendors to pinpoint and disrupt.
Infected bots used a domain generation algorithm (DGA) to communicate. The GameOver Zeus botnet would generate domain names to serve as communication points for infected bots. An infected device randomly selected domains until it reached an active domain that was able to issue new commands. Security firm Bitdefender found it could issue as many as 10,000 new domains each day.
In 2014, international law enforcement agencies took part in Operation Tovar to temporarily disrupt GameOver Zeus by identifying the domains used by the cybercriminals and then redirecting bot traffic to government-controlled servers.
The FBI also offered a $3 million reward for Russian hacker Evgeniy Bogachev, who was accused of being the mastermind behind the GameOver Zeus botnet. Bogachev is still at large, and new variants of GameOver Zeus have since emerged.
An extensive cybercrime operation and ad fraud botnet known as Methbot was revealed in 2016 by cybersecurity services company White Ops.
According to security researchers, Methbot was generating between $3 million and $5 million in fraudulent ad revenue daily by producing fraudulent clicks for online ads, as well as fake views of video advertisements.
Instead of infecting random devices, the Methbot campaign was run on approximately 800 to 1,200 dedicated servers in data centers located in both the U.S. and the Netherlands. The campaign's operational infrastructure included 6,000 spoofed domains and more than 850,000 dedicated Internet Protocol (IP) addresses, many of which were falsely registered as belonging to legitimate ISPs.
The infected servers produced fake clicks and mouse movements and were able to forge Facebook and LinkedIn social media accounts to appear as legitimate users to fool conventional ad fraud detection techniques.
In an effort to disrupt the monetization scheme for Methbot, White Ops published a list of the spoofed domains and fraudulent IP addresses to alert advertisers and enable them to block the addresses.
Several powerful, record-setting DDoS attacks were observed in late 2016 and later traced to a brand of malware known as Mirai.
The traffic produced by the DDoS attack came from a variety of connected devices, including wireless routers and closed-circuit television (CCTV) cameras.
Mirai malware was designed to scan the internet for unsecured devices, while also avoiding IP addresses belonging to major corporations and government agencies. After it identified an unsecured device, the malware attempted to log in using common default passwords. If necessary, the malware resorted to brute-force attacks to guess passwords.
Once a device was compromised, it connected to C&C infrastructure and could divert varying amounts of traffic toward a DDoS target. Devices that were infected often still continued functioning normally, making it difficult to detect Mirai botnet activity.
The Mirai source code was later released to the public, enabling anyone to use the malware to create botnets by targeting poorly protected IoT devices.
Addressing vulnerabilities of IoT devices
The increase of connected devices used across modern industries provides an ideal landscape for botnet propagation. Botnets rely on a large network of devices to complete their objective, making IoT -- with its large attack surface -- a prime target. Today's cheap, internet-capable devices are vulnerable to botnet attacks, not only because of their proliferation, but because they often have limited security features. In addition, IoT devices are often easier to hack because they cannot be managed, accessed or monitored in the same way that conventional information technology (IT) devices can. Businesses can work to improve IoT security by putting stricter authentication methods in place.
Disrupting botnet attacks
In the past, botnet attacks were disrupted by focusing on the C&C source. Law enforcement agencies and security vendors traced the bots' communications to wherever the control server was hosted and then forced the hosting or service provider to shut the server down.
However, as botnet malware becomes more sophisticated and communications are decentralized, takedown efforts have shifted away from targeting C&C infrastructures to other approaches. These include identifying and removing botnet malware infections at the source device, identifying and replicating P2P communication methods, and, in cases of ad fraud, cracking down on monetary transactions rather than technical infrastructure.
Preventing botnets with cybersecurity controls
There is no one-size-fits-all solution to botnet detection and prevention, but manufacturers and enterprises can start by incorporating the following security controls:
- strong user authentication methods;
- secure remote firmware updates, permitting only firmware from the original manufacturer;
- secure boot to ensure devices only execute code produced by trusted parties;
- advanced behavioral analysis to detect unusual IoT traffic behavior; and
- methods using automation, machine learning and artificial intelligence (AI) to automate protective measures in IoT networks before botnets can cause serious harm.
These measures occur at the manufacturing and enterprise levels, requiring security to be baked into IoT devices from conception and businesses to acknowledge the risks.
From a user perspective, botnet attacks are difficult to detect because devices continue to act normally even when infected. It may be possible for a user to remove the malware itself, but it is unlikely for the user to have any effect on the botnet as a whole. As botnet and IoT attack vectors increase in sophistication, IoT security will need to be addressed at an industry level.