Ahh, the Internet. To a few, a head-scratching jumble of ones and zeroes, to others a Godsend, to most a necessary evil. Of course, the trade-off for convenience and the wealth of information is the ever-increasing reality of data theft, privacy leaks and money scamming. While phishing and social engineering are both the biggest threats and the most common practices for cyber criminal activity on the Internet nowadays, not far behind is the use of botnets. But what, exactly, are botnets? And more importantly, how can we fight them?
Why do botnets exist?
First of all, a sizeable network of interconnected devices which work to solve one big and complicated task is by no means strictly a bad thing. In fact, the concept can be quite helpful in many circumstances. A good example is SETI@home, a scientific experiment based out of UC Berkeley that uses Internet-connected computers in the Search for Extraterrestrial Intelligence (SETI). You can actually help search for aliens by running a free program that downloads and analyzes radio telescope data.
Of course that SETI program won’t invade your computer on its own. But a “botnet”, while similar in concept (and often acquired via malware), has more sinister intents that can result in a serious invasion of privacy, among other things.
One of the most common uses for botnets is to execute DDoS (Distributed Denial of Service) attacks, where many computers try to overload other computers, such as by accessing the same website over and over to simulate millions of users. This not only causes so much congestion that legitimate users can’t access websites or applications that require remote service communication, it can also be used to further expose the system’s vulnerabilities as its overall functionality significantly weakens.
Botnets are also used to send massive spam attacks, with little risk of pinpointing the sender. They also float around on the net looking for unencrypted data packets, hoping to acquire and accumulate usernames, passwords, and any other potentially valuable information.
Scarier still, some botnets have full access to the device they infiltrate, allowing them to intercept sensitive data such as banking details, even if the website is accessed through an encrypted connection.
Botnets can also be used to manipulate online systems to spread more malware and of course, to expand the existing botnet. They can even be used to generate fraudulent ad revenue for the malware creators.
Suffice it to say, you don’t want botnets infiltrating your personal or business devices. In addition to the breach of your privacy and possibly involving you in cyber criminal activity, botnets can seriously hinder your internet and overall computer performance. Like all malware, you need to get rid of it ASAP.
How did I get infected?
Botnet malware uses the same methods to infect your machine as all other malware. It’s usually an email attachment, a sketchy download or a similar scam meant to get you running malicious code on your computer and/or other devices such as tablets and mobile phones.
As mentioned, essentially the purpose of botnets is to gain access to your machine and add your computer to their ranks. Once the malware is downloaded onto your device, the botnet will contact its “mothership” (commonly referred to as Command & Control server, or C2) and let it know it’s in your system. This is not good, because now your device will be entirely under the control of the person(s) who has access to the botnet C2.
Not only that, some botnets even have self-propagation features, which makes them similar to distributed computer worms and allows them to spread to other machines using a variety of methods, such as automated exploitation. So your infected machine can spread to any other on your connected network, like your children’s mobile phones. Botnets are the virtual equivalent of herpes.
Top Current Known Botnets To Be Aware Of¹:
- Emotet is a modular infostealer that downloads or drops banking trojans. It can be delivered through either malicious download links or attachments, such as PDF or macro-enabled Word documents. Emotet also incorporates spreader modules in order to propagate throughout a network. In December 2018, Emotet was observed using a new module that exfiltrates email content.
- WannaCry is a ransomware cryptoworm that uses the EternalBlue exploit to spread via SMB protocol. Version 1.0 has a “killswitch” domain, which stops the encryption process.
- Kovter is a fileless click fraud malware and a downloader that evades detection by hiding in registry keys.
- ZeuS is a modular banking trojan which uses keystroke logging to compromise victim credentials when the user visits a banking website.
- Dridex is a banking malware variant that uses malicious macros in Microsoft Office with either malicious embedded links or attachments.
- IcedID is a modular banking Trojan targeting banks, payment card providers, and payroll websites.
- Gh0st is a RAT used to control infected endpoints. Gh0st is dropped by other malware to create a backdoor into a device that allows an attacker to fully control the infected device.
- Mirai is a malware botnet known to compromise Internet of Things (IoT) devices in order to conduct large-scale DDoS attacks. Mirai is dropped after an exploit has allowed an attacker to gain access to a machine.
- NanoCore is a RAT spread via malspam as a malicious Excel XLS spreadsheet. As a RAT, NanoCore can accept commands to download and execute files, visit websites, and add registry keys for persistence.
- Pushdo is a botnet that has been active since 2007 and operates as a service for malware and spam distribution. The malware uses encrypted communication channels and domain generation algorithms to send instructions to its zombie hosts.
Other botnets to be wary of:
AldiBot, Alina, Andromeda, ArmageddoN (2 subtypes), Asprox, AZORUlt, BetaBot, Blackenergy (v1.x, v2.x), ColdDeath, Conficker, Corebot, DarkComet, DarkShell (3 subtypes), DDoSer (v3.4x, 3.6x, 4.x), DiamondFox, DirtJumper, DoFoil, Dridex, Drive, Dyreza, Elmer, Ezbro, Godzilla, Gumblar, Hancitor, Illusion, ISRStealer, JackPOS, Jedobot, Kasidet, Katrina, KeyBase, Kronos, Laziok, Locky, LokiBot, Madness, MinerPanel, MyLoader, Neverquest, NewPoS, Nitol (3 subtypes), Nivdort, Optima, Pandora, PonyLoader, Poseidon (2 subtypes), ProxyBack, Quant, Rarog, RedGirl, Shifu, Smokeloader (2 subtypes), Snap, Solar, Stealrat, Storm, TDSS (3 subtypes), Teslacrypt v4.x, Torpig, TreasureHunt, Trickbot, Umbra, Vertexnet, Waledac, YZF, Zeus, Zezin.
And the list grows every day, every hour, every minute, every eyeblink. Egads! Gadzooks!
So how can one detect if his or her system is part of a botnet?
Undoubtedly the best way to hedge your bets is by speaking to an expert and utilizing professional services that specialize in these matters. When it comes to health, it is pretty hard to argue that it’s better to spend some money now versus a lot later.
If you’re the DIY type, here are some quick tips: Watch for unusual activity when online. Be wary of high bandwidth usage and network traffic (an indication of this is if your tower fans turn on and off a lot) when your device is idle. Another red flag is unusually slow internet or wi-fi across your home network.
Additionally, keep an eye on your host resource utilization. Sudden spikes in CPU utilization when idle, unknown processes eating up too much RAM and degraded GPU performance are all potential indicators of compromise.
NOTE: While these symptoms are not definitively linked to botnets, if the symptoms go away when you disconnect from the network you may indeed be infected. Keeping a minimal resource & process monitor open at all times might also help immensely.
Getting rid of those pesky things...
The most important thing to do immediately is physically isolate the suspected infected device from the internet and the rest of your home or business network. Check all other devices on your LAN and use a reputable anti-virus program to scan all network-attached storage and USB drives you’ve connected to the infected machine to prevent recurrence and the spreading of the botnet to other devices.
Of course, while antivirus is a valid approach for preventing the spread of malware, most consumer-grade solutions offer insufficient protection. They simply can’t keep up with the ever-evolving botnet world. Again, companies that specialize in cyber security are your safest course of action, and are generally worth the cost; although do your research when searching for a reputable company as well.
And remember this:
Prevention is better than a cure. Always keep all of your software and operating systems up to date. Don’t download and run executables you can’t verify as trustworthy. Do a quick copy and paste of the name and/or URL in question and look them up on Google. Also, upload any associated or attached files to known malware databases if you want to find out what they are, what they do and how safe they actually are.
Finally, and this is surprisingly often ignored despite being obvious: don’t click on weird adverts or hang around in the shadier, darker parts of the Net, unless you know exactly what you’re doing and are prepared for the potential consequences.
Non-linked References: