A botnet is a collection of internet-connected devices that an attacker has compromised to carry out DDoS attacks and other tasks as a swarm. The idea is that each computer becomes a mindless robot in a larger network of identical robots, which gives the word botnet its meaning.
“Malware infects an unsuspecting, legitimate computer, which communicates back to the botnet operator that the infected computer is now ready to follow orders blindly,” explains Nasser Fattah, North America Steering Committee Chair at Shared Assessments. “All of this is happening unbeknownst to the owner of the computer. The goal is to grow the size of the botnet, which collectively can automate and expedite large attacks.”
We’ll get into the details of what types of attacks are possible in a moment, but first, let’s take a look at how botnets are created and what form they take.
A botnet is an example of a distributed computing system operating over the internet—a fairly early example of this idea’s widespread real-world use. The people or teams who run a botnet, called controllers or herders, need to recruit unwilling computers into their army and then coordinate their activity for profit. There are a number of components to the architecture that helps botnets form and perpetuate themselves.
Botnet malware. Hackers take control of target computers via malware. There are a variety of vectors by which malware can get onto machines, ranging from phishing and watering hole attacks to exploitation of unpatched vulnerabilities. This malicious code allows the attacker to force the compromised machine to take action without its owner being aware. “The malware itself often doesn’t try to steal anything or do any damage,” explains Jim Fulton, vice president at Forcepoint. “Instead, it tries to stay hidden so that the botnet software can quietly keep operating.”
Botnet drones. Once a device has been taken over by the attacker, it’s called a drone—it’s just another soldier in the botnet’s army, though it does have a certain amount of autonomy and, in some cases, artificial intelligence. “A botnet drone can recruit other computers and devices with some intelligence, making it more difficult to find and stop,” says Andy Rogers, senior assessor at Schellman. “It will find vulnerable hosts and invite them to the botnet unbeknownst to the user.”
All kinds of internet-connect devices can be turned into drones, from PCs to cell phones to IoT devices. In fact, the latter type of devices, like internet-enabled security cameras or cable modems, may be of particular interest to attackers, says Dave Marcus, senior director of threat intelligence at LookingGlass Cyber. “Devices like that, people tend to forget that they’re there because you turn them on once, and that’s all there is to it,” he explains. “Or, when it comes to devices like routers and switches, people don’t want to update for the fear of doing it incorrectly.” In both cases, that can leave devices unpatched and vulnerable.
But the key, from the perspective of the botnet controller, is that there are many of the drones and they look like the ordinary machines that they are, says Ido Safruti, co-founder and CTO at PerimeterX. “By infecting ‘legitimate’ people’s devices with malware, the operator of a botnet gains resources using residential IP addresses that appear to be legitimate users, and gains free computational resources that can perform tasks.”
Botnet command and control (C2). The final piece of the puzzle is the mechanism by which these bots are controlled. Early botnets were generally controlled from a central server, but that made it relatively easy to kill off the whole network by tracking down that central controller and cutting it off. Modern botnets operate on a peer-to-peer model, where commands are passed from drone to drone when they recognize their distinct malware signatures over the internet. Communication from the bot herders and between bots can use a variety of protocols. Internet relay chat (IRC), an old-school chat protocol, is still commonly used because it’s relatively lightweight and can easily be installed on bots without using up so many resources that users will notice a performance hit. But a number of other protocols are also used, including Telnet and ordinary HTTP, which makes the traffic difficult to detect. Some botnets use even more creative means of coordination, with commands posted on public sites like Twitter or GitHub.
Just as botnets themselves are distributed, so too is the job of creating the different components in a botnet’s architecture. “Hackers are specialists and most groups are working as affiliates in a loose conjunction with other sets of hackers,” says Garret Grajek, CEO of YouAttest. “In the malware world, there may be a group that exploits a new unpublished weakness, another group that then creates the botnet payload, and another group controls the command and control center.”
What does a botnet do?
Distributed denial of service, or DDoS attacks, are perhaps the most widely known and popular type of botnet attack. These attacks, in which hundreds or thousands of compromised machines all attempt to access a server or other online resource with legitimate-looking web traffic and knock it out of commission in the process, can’t really happen without a botnet. They’re also relatively easy to launch, as almost any device that can be infected will have internet capabilities and at least a rudimentary web browser.
But there are a host of other things that attackers can do with their botnets—and the ultimate goal can determine the sorts of devices the botnet creators will try to infect, explains LookingGlass Cyber’s Marcus. “If I want to use my botnet for bitcoin mining, I may go after IP addresses in a certain part of the world because those machines are a little bit beefier—they’ve got a GPU and a CPU and people are not necessarily going to notice the impact if it’s mining in the background,” he says. “So it comes down to: Am I going to also use that machine to harvest credentials? Do I maybe want to use it for spamming? For a phishing campaign? A watering hole site?”
But remember, while the victims of these types of attacks will feel the wrath of the botnet controller, the goal is for the owners of the bots themselves to never know their machines are anything but innocent. “It just depends on how much the operator thinks they can get away with,” says Marcus. “With a highly functional piece of malware that does a lot of different things, you’re upping your chance of getting discovered on that machine, because the owner will say, ‘There’s something wrong with this machine, it’s running slow.'”
While DDoS attacks may get most of the attention today, spam was the purpose behind the very first botnet. Khan C. Smith built up an army of bots to help power his spam empire in 2001, making millions of dollars in the process. He eventually was successfully sued by the ISP EarthLink for $25 million.
One of the most important botnets of recent years was Mirai, which briefly knocked a big chunk of the internet offline in 2016. Mirai was written by a New Jersey college student and emerged out of a war between hosts of Minecraft servers, but the code is in the wild today and still used in attacks. Mirai specifically targeted internet-connected closed circuit TV cameras to turn them into drones, showing just what an important attack surface IoT devices have become.
But there are numerous other examples of botnet strains out there on the web, says Kevin Breen, director of cyber threat research at Immersive Labs. “Larger botnets like TrickBot make heavy use of malware like Emotet, which relies more on social engineering for installation,” he explains. “These are typically more resilient and they are used to deploy additional malicious software, such as banking trojans and ransomware. We have seen several attempts by law enforcement to disrupt these big financial crime botnets over the last few years with some success. However, over time, the botnets always seem to recover.”
Botnets for sale
We’ve already noted the many specialized players that go into the botnet “supply chain,” so to speak. In fact, most of these hackers aren’t building their botnets for their own personal use, but rather create them like any other software developers would: to sell them to people who want to use them. These sales take place at various levels of secrecy. For instance, you can fairly easily Google services that refer to themselves euphemistically as stressers or booters. “The ‘stress testing’ SaaS solutions on the market offer services can be purchased, for example, via PayPal, to evaluate the resiliency of one’s network or system,” says Shared Assessments’ Fattah. “Some of these services can be bot herders selling their capabilities out in the open, where there is no verification of the payer or target.”
Immersive Labs’ Breen notes that those looking to download botnet software can also find it without too much difficulty. “A quick Google search of the right terms can find you forums that sell the same services and also offer source code and leaked versions of botnets,” he says. “This is typically used by script kiddies interested in doing things such as spreading crypto miners.”
But the real professionals operate on the dark web, and can be tricky to find. “These marketplaces are typically vetted and are invitation-only,” says Josh Smith, cyber threat analyst at Nuspire. But once you’re there, he says, the process is remarkably customer friendly. “Sellers will have reputation scores similar to what you’d find on many common digital marketplaces.”
“Many of these services have an easy-to-use interface where you point the botnet at an IP or URL and click the ‘attack’ button,” says Schellman’s Rogers. “Right from your browser, you could cripple a website or server, and with cryptocurrency for the transaction you can remain quite anonymous.”
And if you prefer a more high-touch service from your bot herder, well, you can get that too. “More sophisticated threat actors like ransomware gangs may work directly with the operators of a large botnet like TrickBot, Emotet, or Qakbot to send spear phishing campaigns at scale,” says Laurie Iacono, associate managing director of Cyber Risk at Kroll. “Once machines are infected, the initial malware collects information to help the ransomware distributors infiltrate the network and escalate privileges prior to ransomware deployment.”
How much does it cost? “The value of access to a botnet can be as low as $10 an hour,” says Anurag Gurtu, CPO of StrikeReady. But you get what you pay for. “If you want to have a bot of a certain type in a certain part of the world, it gets a little bit more expensive,” says LookingGlass Cyber’s Marcus. “Certain parts of the world have better quality machines. So a botnet that’s based on machines and IP addresses in the United States costs a lot more to rent than the EU ones because they’re beefier boxes.”
How to prevent or stop a botnet attack
The process of securing yourself against botnets can take two different forms: you’re either preventing your own devices from becoming bots, or fighting off attacks launched by botnets. In either case, as this article hopefully has made clear, there isn’t much you can do to defend yourself that won’t already be part of a good security posture. Hackers turn devices into bots with malware delivered via phishing emails, so make sure your staff knows not to open phishing emails. They hack into insecure IoT devices, so make sure you set those devices’ passwords to something other than the default. If hackers do manage to plant malware on your computers, you’ll need up-to-date antivirus to sniff it out. If you’re on the receiving end of a DDoS attack, you can filter out the attacking traffic, or beef up your capacity with a content delivery network.
There are also some botnet-specific techniques you can deploy to keep safe. For instance, Immersive Labs’ Breen suggests that you “look for suspicious traffic leaving your network. Statistical flow analysis sounds complex, but it can reveal the presence of botnet command and control traffic.”
And some people are taking the fight to the bot herders themselves. “We use several tools to stop botnets at their core,” says Mark Dehus, director of threat intelligence at Lumen Black Lotus Labs. “For example, once a new malware sample is detected, we can reverse-engineer the methods it uses to report to a C2. This allows us to develop an emulated bot that can connect to suspected C2s, validate them, and monitor the instructions they are communicating to the bots.” The war against bot herders is a long one, but here’s hoping we can turn the tide.
More on botnets