What is a Botnet

June 1, 2024

In cybersecurity, the pace of change in attack techniques moves at a blistering speed, but there has been one constant that not only continues to be utilized but has evolved through the years: botnets.

With the ability to use a vast collection of devices in an attack, botnets have emerged as one of the most pervasive and impactful tools used by malicious actors. To give you an edge in the battle against botnets, we’ve provided a deep dive into the subject, including what a botnet is, how it works, and how you can defend against it.

What is a botnet?

A botnet, which is short for robot network, refers to a collection of internet-connected devices that are infected with malicious software and are controlled as a group without the owner’s knowledge. Although the true origins of botnets are unknown, they first emerged in the late 1990s, marking a significant milestone in the evolution of cyber threats.

One of the first known botnet networks was the “phatbot” which was first discovered around 2002. This malware strain primarily targeted and infected Windows-based computers and established a network of compromised devices under the control of a single botmaster. The “phatbot” botnet was primarily used to conduct Distributed Denial-of-Service (DDoS) attacks and spam campaigns and facilitate data theft.

The use of botnets exploded after the proliferation of broadband internet access and the increasing interconnectedness of devices. The rise of botnets was also fueled by advancements in malware propagation techniques and the exploitation of software vulnerabilities. There have been many advances in the central management of botnets, enabling much larger botnets to form with increased ability for individual bot members to act independently of others.

Over the years, botnets have evolved into an ever-present cyber threat, morphing in size, complexity, and functionality. The commodification of Botnet-as-a-Service (BaaS) platforms on underground and dark web forums has further democratized access to botnet capabilities, enabling cybercriminals of varying skill levels to conduct sophisticated attacks for a range of nefarious purposes (e.g., financial gain, geopolitical or social causes, political hacktivism, or a grievance against an organization).

How are botnets spread?

There are several attack vectors that malicious actors take advantage of to spread malware, infect endpoints, and enlist them in their botnets, including:

  • Phishing emails: Phishing emails appear to be from legitimate sources like banks or social media companies. They often contain links or attachments that, when clicked, download the botnet malware onto the user’s device.
  • Malicious websites: Clicking a malicious link can lead to a website rigged to infect a user’s device with botnet malware. These websites may appear genuine but can be booby-trapped with exploit kits that take advantage of vulnerabilities in a user’s software.
  • Infected downloads: Downloading software, especially freeware or cracked versions of paid programs, from untrusted sources can deliver botnet malware disguised as the intended program.
  • Exploitation of vulnerabilities: Software vulnerabilities in un-patched internet facing applications allow malicious actors to gain direct access to that device and install botnet malware.
  • Internet of Things (IoT) devices: Malicious actors target poorly secured IoT devices with weak default passwords to install malware and make the devices part of their botnet.

Botnet architecture

There are two main architectures that malicious actors use when building their botnets: Client-Server and Peer-to-Peer (P2P).

Client-server (Centralized) architecture: The Client-Server architecture is the traditional model. In this architecture the malicious actor establishes a set of command and control (C&C) servers, which in turn send commands to infected botnet clients, often referred to as zombies. These zombies remain dormant until they receive commands from a C&C server, normally over the HTTP/HTTPS protocol, which masks the malicious traffic as normal web traffic and makes detection harder. Once a command is received, the zombie executes it. Another communication method that malicious actors utilize is the Internet Relay Chat (IRC) protocol; however, it isn’t used as much as it was in the past.

P2P (Decentralized) architecture: Over the past couple of years, malicious actors have adopted a decentralized architecture to elude law enforcement and avoid detection from cybersecurity defenders. In the P2P architecture, there are no centralized C&C servers. Instead, the zombies communicate with other zombies to receive and share updated commands as well as the latest versions of the malware. Also, the zombies can be configured to scan for malicious websites to receive updated commands. The P2P architecture also provides a level of resiliency because it is not dependent on a single C&C framework, which could be seized and taken offline.
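Because a dormant zombie has to poll its C&C server at a fixed interval, that regularity is visible in proxy or firewall logs even when the traffic is HTTPS. The script below is an added example (not code from the original post) that runs a simple beaconing check over constructed proxy log lines; the log format, host names and IP addresses are all invented for the example.

```python
"""Beaconing detector: flags source/destination pairs that connect at
near-constant intervals, the check-in pattern of a zombie polling its
C&C server over HTTP/HTTPS. Added example, not code from the original page."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines: "<ISO timestamp> <src_ip> <dst_host>".
# 10.0.0.5 polls one host every ~5 minutes; 10.0.0.9 browses irregularly.
SAMPLE_LOG = """\
2024-06-01T10:00:00 10.0.0.5 updates.example-cdn.test
2024-06-01T10:00:03 10.0.0.5 www.example-news.test
2024-06-01T10:05:00 10.0.0.5 updates.example-cdn.test
2024-06-01T10:07:41 10.0.0.5 mail.example-corp.test
2024-06-01T10:10:01 10.0.0.5 updates.example-cdn.test
2024-06-01T10:15:00 10.0.0.5 updates.example-cdn.test
2024-06-01T10:19:58 10.0.0.5 www.example-news.test
2024-06-01T10:20:00 10.0.0.5 updates.example-cdn.test
2024-06-01T10:25:00 10.0.0.5 updates.example-cdn.test
2024-06-01T10:02:10 10.0.0.9 www.example-news.test
2024-06-01T10:03:05 10.0.0.9 www.example-news.test
2024-06-01T10:31:55 10.0.0.9 www.example-news.test
2024-06-01T10:44:02 10.0.0.9 www.example-news.test
2024-06-01T10:44:30 10.0.0.9 www.example-news.test
"""

def parse_log(text):
    """Group connection timestamps by (source IP, destination host)."""
    series = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        series[(src, dst)].append(datetime.fromisoformat(ts))
    return series

def find_beacons(series, min_connections=5, max_jitter=0.1):
    """Return [(src, dst, mean_interval_seconds)] for pairs whose gaps between
    connections are nearly uniform (coefficient of variation <= max_jitter).
    Ordinary browsing has large, irregular gaps and is filtered out."""
    beacons = []
    for (src, dst), stamps in series.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((src, dst, round(avg)))
    return beacons

if __name__ == "__main__":
    for src, dst, interval in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {src} -> {dst} every {interval}s")
```

Real deployments would add a sliding time window and allowlist known polling services (update checks, mail clients), which also beacon at fixed intervals.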

What are the most famous botnets?

Since the creation of the first botnet, there have been many iterations that have changed our understanding of how botnets work and how they can impact their intended targets. Some notable examples include:

  • Zeus (also known as Zbot): The Zeus botnet was a sophisticated banking trojan that was first identified in 2007 and targeted online banking credentials and other sensitive data through social engineering and web injection attacks. Different variants of Zeus contributed to the establishment of targeted botnets which enabled cybercriminals to orchestrate large-scale financial fraud operations.
  • Mirai: The Mirai botnet gained notoriety in 2016 for conducting massive Distributed Denial-of-Service (DDoS) attacks from infected IoT devices. The source code for the Mirai malware was made public which led to the proliferation of variants and copycat botnets. Even though law enforcement organizations were able to disrupt some Mirai-based operations, variants continue to pose a threat.
  • Emotet: The Emotet botnet was one of the most prolific and versatile botnets. It was first identified in 2014 and operated as a Malware-as-a-Service platform. The Emotet botnet utilized sophisticated techniques to evade detection, which included polymorphic code and frequent updates. International law enforcement conducted an operation in 2021 to disrupt the Emotet infrastructure, which led to the botnet being taken down. However, it was resurrected later the same year and remains active today.
  • Gameover Zeus: The Gameover Zeus botnet is a variant of the Zeus banking trojan and is primarily focused on financial fraud and credential harvesting. This botnet uses advanced techniques, including peer-to-peer communication and encryption, to evade detection. It has been known to facilitate widespread banking fraud and has distributed ransomware, which has contributed to substantial financial losses worldwide.
  • Sality: Sality is a polymorphic file infector and botnet that has been active since at least 2003. It primarily targets Windows executable files, compromising systems and facilitating various malicious activities, including DDoS attacks, spam distribution, and data theft. Sality’s resilience and complexity have made it a persistent threat in the cybersecurity landscape.
  • Satori (also known as Okiru): Satori is a Mirai botnet variant that first emerged in late 2017 and targets IoT devices using the CVE-2014-8361 vulnerability in Huawei routers. It was notable for its rapid propagation and the ability to launch powerful DDoS attacks. Since its initial discovery, several variants of this botnet have been identified.

How to protect against botnets

Although the botnet threat is constantly evolving, there are several solutions and techniques you can use to protect your organization.

  • Protective DNS: Implementing a Protective DNS solution, such as Vercara’s UltraDDR service, adds a layer of security for when end users fall victim to social engineering attacks. Protective DNS blocks the user from visiting malicious sites when they click on embedded links. Additionally, if malware is installed by downloading a malicious file, Protective DNS blocks it from resolving and communicating with its Command-and-Control (C2) server.
  • Antivirus software: Implementing a robust endpoint security solution, such as antivirus software, is critical for detecting and removing malware. It is recommended the antivirus software have signature and heuristic-based detection capabilities. Antivirus software should also be updated regularly from a known and trusted source.
  • Cybersecurity awareness programs: Social engineering is one of the most utilized attack vectors to gain initial access into a network to install malware. A training program that details what a social engineering attack is, the many different forms they could take, and how to identify them is the first step in preventing social engineering attacks. Additionally, organizations should have a process where individuals can alert their IT security department of the attack and enable the IT security personnel to see if other users are under the same attack.
  • Regular software updates/patching: Since malicious actors look to exploit vulnerabilities to install their botnet malware, keeping software up to date is crucial. Organizations should have a policy that outlines how software updates will be conducted once patches are released and how the update will be tested prior to being put onto production systems.
  • Change default configurations: Since most IT devices ship with default settings from the manufacturer, and most default usernames and passwords are published on the open internet, unchanged devices are easy targets for malicious actors. Once new IT devices are received, they should go through a security hardening process that includes changing all default account information (usernames/passwords), installing recent software/firmware updates, and disabling any unnecessary ports and protocols.

Addressing the evolving threat of botnets

Botnets represent one of the persistent and evolving threats that security teams must deal with. From their early origins in the late 1990s to their proliferation and sophistication in recent years, botnets have remained a formidable tool for malicious actors seeking financial gain, data theft, and disruption of online services.

Protecting against botnets requires a multi-faceted, defense-in-depth approach to detect, block, and eradicate. By adopting proactive defense measures and staying vigilant against emerging threats, individuals and organizations can mitigate the risk posed by botnets and safeguard against potential harm in the digital realm.

To learn more about how Vercara can help your organization adopt a proactive security stance and stop botnet attacks in their tracks, visit our UltraDDR page.

Published On: June 1, 2024
Last Updated: June 11, 2024