
Botnet basics: Defending yourself from 'robot networks'
Botnets are among the most powerful attack tools in the modern threat landscape. The 2016 attacks against Dyn DNS and OVH, both driven by the Mirai botnet of compromised IoT devices, were massive in both volume of traffic and scope of disruption. The Down Detector map below illustrates the widespread effects of the Dyn DNS attack.
What is a botnet?
The term 'botnet' is a portmanteau of 'robot' and 'network,' and describes a network of computers and other devices that have been hijacked for use by cybercriminals. Each bot, sometimes called a 'zombie,' follows the commands of a 'botmaster' or 'bot herder.' The botmaster, who can be an individual or an organized group, is usually the threat actor who built the botnet.
Hijacking a device is a multi-step process that starts with distributing malware across the internet or a private network such as a company or university network. Threat actors install the botnet malware by exploiting software vulnerabilities or using compromised credentials. Much of this process is automated, because building a botnet is a numbers game: if you are building a malicious botnet, you want as many bots as you can get.
Once infected, a bot establishes communication with the botnet to identify itself and get instructions. What happens here depends on the architecture of the botnet. A centralized architecture uses one or more command-and-control (C&C) servers to communicate with all bots, so a newly infected device looks up the C&C server and connects to it. This makes the C&C servers the botnet's single point of failure: seize or sinkhole them and the bots have no one left to take orders from.
In a decentralized (peer-to-peer) botnet, there is no C&C server. Each bot holds a list of other bots, so a newly infected device looks for botnet peers to get its instructions, and every bot can both receive commands and relay them to its peers. Decentralized botnets are more likely to survive takedown attempts by defenders and law enforcement because there is no single point of failure: even if a large chunk of the botnet is disrupted, the rest can continue to function by finding alternative routes among the remaining peers.
There are also hybrid botnets that combine both architectures, such as the GameOver Zeus (GOZ) botnet. GOZ had a three-layer structure: a peer-to-peer layer of infected hosts, a proxy layer, and the command servers behind it. This now-defunct botnet, disrupted by law enforcement in 2014, was supposed to be "impossible" to take down.
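The single-point-of-failure argument above is easy to check with a small graph simulation. The Python below is an added illustration, not Barracuda's code or any real botnet's: it builds a star-shaped centralized botnet and a random peer-to-peer one of the same size, seizes the C&C server of the first and a random 30% of the bots of the second, and measures how many surviving bots a single injected command can still reach. The bot count, peer-list size and seizure rate are assumptions chosen for the demo.

```python
"""Toy resilience comparison: seize the C&C server of a centralized botnet
versus seizing a chunk of a peer-to-peer one.  Added illustration, not
Barracuda's code; bot counts, peer-list size and the 30% seizure rate are
assumptions chosen for the demo."""
import random
from collections import deque


def centralized_botnet(n_bots):
    """Star topology: node 0 is the C&C server, every bot talks only to it."""
    adj = {0: set(range(1, n_bots + 1))}
    for bot in range(1, n_bots + 1):
        adj[bot] = {0}
    return adj


def p2p_botnet(n_bots, peers_per_bot, seed=1):
    """Each bot bootstraps with a random peer list.  Links are bidirectional
    because either side can transmit and receive instructions."""
    rng = random.Random(seed)
    adj = {bot: set() for bot in range(n_bots)}
    for bot in range(n_bots):
        others = [b for b in range(n_bots) if b != bot]
        for peer in rng.sample(others, peers_per_bot):
            adj[bot].add(peer)
            adj[peer].add(bot)
    return adj


def disrupt(adj, seized):
    """Delete seized/sinkholed nodes and every edge that touched them."""
    seized = set(seized)
    return {n: nbrs - seized for n, nbrs in adj.items() if n not in seized}


def reachable_from(adj, start):
    """BFS: bots that can still receive a command injected at `start`."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def controllable_fraction(adj):
    """Largest share of surviving bots a single injected command can reach."""
    if not adj:
        return 0.0
    return max(len(reachable_from(adj, n)) for n in adj) / len(adj)


def takedown_comparison(n_bots=200, peers_per_bot=8, fraction_seized=0.3, seed=1):
    """Return (centralized, p2p) controllable fractions after a takedown.
    Centralized: the single C&C server is seized.  P2P: a random
    `fraction_seized` of the bots is seized instead."""
    star_after = controllable_fraction(disrupt(centralized_botnet(n_bots), [0]))
    mesh = p2p_botnet(n_bots, peers_per_bot, seed)
    rng = random.Random(seed)
    seized = rng.sample(range(n_bots), int(n_bots * fraction_seized))
    mesh_after = controllable_fraction(disrupt(mesh, seized))
    return star_after, mesh_after


if __name__ == "__main__":
    star, mesh = takedown_comparison()
    print(f"centralized after C&C seizure: {star:.3f} of bots still reachable")
    print(f"p2p after seizing 30% of bots: {mesh:.3f} of survivors still reachable")
```

With the C&C server gone, each bot in the star is an island and a command reaches 1 bot in 200. In the mesh, seizing 60 of 200 bots leaves the survivors almost fully connected, which is exactly why takedowns of peer-to-peer botnets need sinkholing or poisoning of the peer lists rather than a single seizure.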
The most frequently compromised devices are variants of wireless routers and networked cameras, but mobile devices are also an attractive target for botmasters. High-bandwidth mobile connectivity such as 5G lets a botnet of ordinary phones generate attack traffic comparable to that of compromised servers.
What can botnets do?
Botnets can be used in a wide range of attacks on individuals, businesses, and critical infrastructure. Here are some of the most common types of attacks:
Distributed Denial of Service (DDoS) – This attack uses thousands or even millions of compromised devices to simultaneously flood the target website or server with traffic. The traffic overwhelms the capacity of the target and renders it inaccessible to legitimate users. Even large organizations with robust infrastructure can struggle to withstand a large enough attack.
Phishing and spam campaigns - Botnets can distribute billions of spam messages daily. These have malicious links or attachments designed to steal credentials, install malware, or both. The automation and scalability of these operations increase the likelihood of success.
Financial breaches and other data theft – This is a lucrative application of botnet capabilities. Botnets spread malware that steals banking credentials, credit card information, and other financial or sensitive data. SpyEye is an early example:
“… cyber criminals used [SpyEye] for their own nefarious purposes—infecting victim computers and creating botnets (armies of hijacked computers) that collected large amounts of financial and personal information and sent it back to servers under the control of the criminals. They were then able to hack into bank accounts, withdraw stolen funds, create bogus credit cards, etc.”
Account Takeover (ATO) Attacks – Botnets automate brute force and credential stuffing attacks against one or more targets, enabling thousands of login attempts per hour. A botnet significantly increases the chances of successfully breaching accounts.
Cryptomining – This malware uses the processing power of the device to mine cryptocurrency. Threat actors usually target enterprise networks or include the cryptomining function with other malware.
Click fraud – Botmasters will use their networks to fraudulently earn revenue from advertising services. There are different types of click fraud, but a typical scheme involves the threat actor configuring multiple fraudulent sites to offer ad space to legitimate networks like Google Ads. When the ads are placed, the bots visit the websites and click on the ads. The botmaster earns a commission and the advertiser never gets a legitimate lead. A report released by the Internet Advertising Revenue predicts that $172 billion will be lost to click fraud each year.
Botnet-as-a-Service (BaaS) – Like any cybercrime-as-a-service, BaaS is a business model where botmasters rent access to their network to other threat actors. This lets other criminals use a botnet without having to build and maintain their own. DDoS-as-a-Service is an offshoot of this model.
Are your devices part of a botnet?
There are several key indicators of botnet activity. These are the most visible to end users:
System performance - Unexplained high CPU or fan activity when the device is idle. Computers may experience slow performance, long shutdown times, or the inability to shut down properly.
Network performance – Excessive network traffic, unexplained data transfers, slow internet connections, or a sudden unexplained increase in cellular data usage.
Unusual browser activity – Unexplained changes to browser settings and unexpected pop-ups and advertisements. Inability to update antivirus programs.
Other system activity - Unusual system behavior like unexpected shutdowns or error messages, inability to update the operating system, suspicious entries in device system logs, and computer or network activity at unusual times.
These activities could indicate a malware infection that may or may not have hijacked your device.
Protect your company
You can defend your company from botnets and improve the company’s cybersecurity with these practices:
Network security - Deploy enterprise-grade firewalls and intrusion detection systems (IDS), implement a zero-trust architecture for internal and external access, and apply network segmentation to limit lateral movement within your systems. Botnet malware will attempt to move laterally and infect as many networked devices as possible. Conduct regular vulnerability testing to identify potential entry points for attackers.
Patch management - Keep all software, operating systems, and firmware up to date. Implement a documented patch management strategy that prioritizes critical updates, and remove outdated applications and end-of-life devices from the network.
Authentication and Access Control – Enforce multi-factor authentication (MFA) and complex, unique passwords for all accounts. Use the principle of least privilege to control access to devices and other network assets.
Network traffic - Implement continuous monitoring systems to detect anomalies and use analytics and machine learning (ML) tools to identify suspicious patterns. Set up alerts for unusual activities, such as spikes in failed login attempts.
Secure devices - Install and maintain endpoint solutions on all devices, and isolate IoT devices from critical network infrastructure when possible. Ensure all devices, including IoT, have unique credentials and proper security settings.
These measures will harden your network and help defend against botnet attacks and botnet infections.
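The account takeover point above and the advice to alert on spikes in failed logins come down to the same detection problem: a botnet spreads its login attempts across many source addresses, so a per-IP lockout counter sees nothing while the total failure rate spikes. The Python below is an added example, not Barracuda's code. The log format and the log lines are constructed for illustration, and the thresholds are assumptions a team would tune against its own baseline.

```python
"""Spot a botnet-driven credential-stuffing burst in authentication logs.
Added example, not Barracuda's code.  The log format, sample lines and
thresholds below are constructed for illustration."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Assumed log format: "<ISO timestamp>Z auth <event> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<event>login_failed|login_ok) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def constructed_log():
    """Constructed sample: a few office typos, then a one-minute burst in
    which 60 addresses (RFC 5737 documentation range) each try 2 accounts."""
    lines = []
    for i in range(4):
        lines.append(f"2024-05-01T09:5{i}:10Z auth login_failed user=alice src=198.51.100.7")
        lines.append(f"2024-05-01T09:5{i}:40Z auth login_ok user=alice src=198.51.100.7")
    for i in range(120):
        lines.append(
            f"2024-05-01T10:00:{i % 60:02d}Z auth login_failed "
            f"user=user{i:03d} src=203.0.113.{i // 2 + 1}"
        )
    return lines


def parse(lines):
    """Return (timestamp, event, user, src) tuples; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["event"], m["user"], m["src"]))
    return events


def failures_per_minute(events):
    """Bucket failed logins by minute, keeping (user, src) for each failure."""
    buckets = defaultdict(list)
    for ts, event, user, src in events:
        if event == "login_failed":
            buckets[ts.replace(second=0, microsecond=0)].append((user, src))
    return buckets


def per_ip_lockout_hits(events, threshold=5):
    """Classic per-source lockout: which addresses cross the threshold?"""
    counts = Counter(src for _, event, _, src in events if event == "login_failed")
    return {ip for ip, n in counts.items() if n >= threshold}


def stuffing_alerts(events, min_failures=50, min_sources=20, min_users=20):
    """Distributed signature: a minute with many failures spread over many
    sources and many accounts, which a per-IP counter never trips."""
    alerts = []
    for minute, fails in sorted(failures_per_minute(events).items()):
        sources = {src for _, src in fails}
        users = {user for user, _ in fails}
        if len(fails) >= min_failures and len(sources) >= min_sources and len(users) >= min_users:
            alerts.append({
                "minute": minute.isoformat(),
                "failures": len(fails),
                "sources": len(sources),
                "users": len(users),
                "max_per_source": max(Counter(src for _, src in fails).values()),
            })
    return alerts


if __name__ == "__main__":
    evs = parse(constructed_log())
    print("per-IP lockout would flag:", per_ip_lockout_hits(evs) or "nothing")
    for alert in stuffing_alerts(evs):
        print("credential stuffing suspected:", alert)
```

On the sample, the per-IP lockout (5 failures per source) flags nothing, since no bot address tries more than twice, while the per-minute view shows 120 failures across 60 sources and 120 accounts. In production the same three counters (failures, distinct sources, distinct accounts per window) are what to feed the alerting rule, with the thresholds set from a few weeks of the organization's own baseline.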
Barracuda can help
Barracuda Advanced Bot Protection is the ultimate tool for combating generative AI bots. By providing proactive defense mechanisms, enhanced visibility, and customizable controls, it empowers businesses to protect their content, optimize their resources, and maintain their competitive edge in an increasingly automated world.