What is a botnet and how to prevent it?

“Botnet” is one of the most widely used cybersecurity terms. It conjures up all kinds of imagery of interconnected robots, legions of networked workers simultaneously aiming at a single goal. That image is not far from what a botnet actually is, at least in broad terms.

Botnets account for a large amount of computing power around the world, and that power is a regular (maybe even constant) source of malware, ransomware, spam, and more. But how do botnets come to exist? Who controls them? And how can we stop them? The following is an explanation of what a botnet is.

What Are Botnets?

According to SearchSecurity, “a botnet is a collection of internet-connected devices, which can include PCs, servers, mobile devices, and internet of things devices that are infected and controlled by common types of malware. Users are often unaware of botnets infecting their systems.”

The last sentence of the definition is key. Devices in a botnet are usually not there voluntarily. Devices infected with certain types of malware are controlled by remote threat actors, also known as cybercriminals.

Malware hides the botnet's activity on the device, leaving the owner unaware of its role in the network. Your PC or tablet could be sending thousands of spam emails to additional victims without you having a clue. Because of this, infected botnet devices are often referred to as “zombies.”

What Do Botnets Do?

Botnets have several common functions depending on the wishes of the botnet operator:

1. Spam: Sending large amounts of spam around the world. For example, the average share of spam in global email traffic between January and September was 56.69 percent. When security research firm FireEye temporarily halted the transition of the infamous Srizbi botnet after its hosting provider, the infamous McColo, went offline, global spam fell by a massive amount (in fact, when McColo went offline, global spam temporarily fell by about 50 percent).

2. Malware: Delivering malware and spyware to vulnerable machines. Botnet resources are bought and sold by malefactors to advance their criminal enterprises.

3. Data: Capturing passwords and other private information.

4. Click fraud: Infected devices visit websites to generate fake web traffic and ad impressions.

5. Bitcoin: Botnet controllers direct infected devices to mine Bitcoin and other cryptocurrencies to generate profits silently.

6. DDoS: Botnet operators direct the power of infected devices at specific targets, taking them offline in a distributed denial-of-service attack.

Botnet operators usually put their networks to a number of these uses to make a profit. For example, a botnet operator that sends medical spam to US citizens may also maintain a dummy pharmacy that delivers the goods.

The main botnet business has changed direction a bit in recent years. While medical and similar spam was very profitable for a long time, government crackdowns in some countries have eroded those profits. As a result, the number of emails carrying malicious attachments rose to one in every 359 emails, according to Symantec's July 2017 Intelligence Report.

What Do Botnets Look Like?

We know that a botnet is a network of infected computers. However, the core components and actual architecture of a botnet are interesting to consider.

There are two main botnet architectures:

* Client-server model: Client-server botnets typically use a chat client (formerly IRC, but modern botnets have used Telegram and other encrypted messaging services), domains, or websites to communicate with the network. The operator sends a message to the server, which passes it on to the clients, and the clients execute the command. Although botnet infrastructure varies from basic to very complex, a concentrated effort on the central server can disable a client-server botnet.

* Peer-to-peer: Peer-to-peer (P2P) botnets try to stop security products and researchers from identifying specific C2 servers by creating a decentralized network. P2P networks are more advanced, in several ways, than the client-server model. Furthermore, their architecture is different from the way most people imagine it. Rather than a single network of infected, interconnected devices communicating via IP addresses, operators prefer to use zombie devices connected to nodes that are, in turn, connected to each other and to the main communication server. The idea is that there are too many interconnected but separate nodes to take down simultaneously.
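A practical consequence of the client-server model is that each bot has to poll its server at a regular interval to pick up commands, and that regularity is visible in network flow logs regardless of which domain or port the bot uses. The following is an added example written for this article, not code from the original post or from any botnet: it scores the timing regularity of connections in a constructed flow log and flags the host whose connections are near-perfectly periodic. The flow records, IP addresses, and thresholds are all made up for the demonstration.

```python
"""Detecting client-server C2 polling ("beaconing") in flow records.

Constructed example: the flow records below are made up for this demo and
do not come from any real capture. A bot that polls its C2 server opens a
connection at a near-constant interval; it is the timing regularity that
we score, not the destination, so the check also catches polling to
unknown domains or on non-standard ports.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow log: (epoch_seconds, src_ip, dst_ip, dst_port).
FLOWS = [
    # 10.0.0.5 polls 203.0.113.7:443 every ~60 s with a little jitter -> bot-like
    *[(1000 + 60 * i + (i % 3), "10.0.0.5", "203.0.113.7", 443) for i in range(12)],
    # 10.0.0.9 browses a web server at irregular, human-paced intervals
    *[(t, "10.0.0.9", "198.51.100.20", 443)
      for t in (1000, 1007, 1180, 1183, 1650, 1652, 1653, 2400, 3100, 3105, 3107, 3900)],
    # 10.0.0.5 also does a few unrelated DNS lookups (too few to score)
    *[(t, "10.0.0.5", "10.0.0.1", 53) for t in (1002, 1340, 1341, 1600)],
]


def beacon_score(flows, min_connections=8, max_cv=0.1):
    """Group flows by (src, dst, port) and score the regularity of their intervals.

    Returns {(src, dst, port): coefficient_of_variation} for groups with at
    least `min_connections` connections whose interval CV is <= `max_cv`.
    CV = stdev / mean: 0.0 is perfectly periodic, larger values are irregular.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)

    suspects = {}
    for key, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            suspects[key] = round(cv, 3)
    return suspects


if __name__ == "__main__":
    for (src, dst, port), cv in beacon_score(FLOWS).items():
        print(f"{src} -> {dst}:{port} looks like beaconing (interval CV {cv})")
```

In practice the threshold on the coefficient of variation has to be tuned per network, because legitimate software (update checkers, monitoring agents) also polls on a schedule; the flagged pairs are a starting point for investigation, not a verdict.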

Command & Control

Command and control (sometimes written C&C or C2) comes in various guises:

* Telnet: Telnet botnets are relatively simple, using scripts to scan IP ranges for Telnet and SSH logins that still use default credentials, and adding any vulnerable devices they find as bots.

* IRC: IRC networks offer a very low-bandwidth communication method for the C2 protocol. The ability to quickly switch channels provides some added security for botnet operators, but it also means infected clients are easily cut off from the botnet if they don't receive the updated channel information. IRC traffic is relatively easy to inspect and isolate, which is why many operators have moved away from this method.

* Domain: Some large botnets use domains rather than messaging clients for control. The infected device accesses a specific domain that serves a list of control commands, which easily allows changes and updates on the fly. The downsides are the large bandwidth requirements for large botnets, as well as the relative ease with which a suspected control domain can be shut down. Some operators use what is called bulletproof hosting to operate outside the jurisdiction of countries with strict internet crime laws.

* P2P: P2P protocols usually digitally sign commands using asymmetric cryptography (one public key and one private key). Since only the operator holds the private key, it is very difficult (basically impossible) for someone else to issue different commands to the botnet. Likewise, the lack of a single defined C2 server makes attacking and destroying a P2P botnet more difficult than its counterparts.

* Others: Over the years, we've seen botnet operators employ some interesting command and control channels. Examples that immediately come to mind are social media channels, such as the Android botnet Twitoor, which is controlled via Twitter, or Mac.Backdoor.iWorm, which uses the Minecraft server list subreddit to retrieve IP addresses for its network. Instagram isn't safe either. In 2017, Turla, a cyber espionage group with close ties to Russian intelligence, used comments on Britney Spears' Instagram photos to store the location of the malware's C2 server.

The last piece of the botnet puzzle is the infected devices (i.e. the zombies). Botnet operators intentionally scan for and infect vulnerable devices to expand their operating power. We listed the main botnet functions above; all of them require computing power. In addition, botnet operators are not always friendly with each other, and sometimes turn the power of their infected machines against one another. Most zombie device owners are unaware of their role in the botnet. Sometimes, however, botnet malware acts as a conduit for other variants of malware.

Device Type

Networked devices are coming online at a staggering rate, and botnets aren't just looking for PCs or Macs. Internet of Things devices are also vulnerable to various kinds of botnet malware, and are especially sought after because of their terrible security.

Smartphones and tablets are not safe either. Android has seen several botnets over the last few years. Android is an easy target because it is open source, has many versions of the operating system in use at the same time, and has many vulnerabilities at any one time. Don't rejoice too soon, iOS users: there are a number of different types of malware that target Apple mobile devices, although they are usually limited to jailbroken iPhones with security vulnerabilities.

Another main target of botnet malware is vulnerable routers. Routers running outdated, insecure firmware are easy targets for botnets, and many owners won't even realize that their internet gateway carries an infection. Likewise, a large number of internet users fail to change the default settings on their routers after installation. As with IoT devices, this allows malware to spread at a staggering rate, meeting little resistance as it infects thousands of devices.

Taking Down Botnets

Taking down a botnet is no easy task, for a number of reasons. Sometimes the botnet architecture allows the operators to rebuild quickly. Sometimes the botnet is simply too big to defeat in one fell swoop. The majority of botnet takedowns require coordination between security researchers, government agencies, and other hackers, sometimes relying on unexpected tips or backdoors. The main problem facing security researchers is the relative ease with which copycat operators start new operations using the same malware.

GameOver Zeus

GameOver Zeus (GOZ) is one of the largest recent botnets, estimated to have had over a million infected devices at its peak. The botnet's main uses were monetary theft (including distributing the CryptoLocker ransomware) and spam, and its sophisticated peer-to-peer architecture and domain generation algorithm made it seem unstoppable.

The domain generation algorithm (DGA) allows the botnet to pre-generate a long list of domains to use as “meeting points” (rendezvous points) for the botnet malware. Multiple rendezvous points make stopping the botnet nearly impossible, because only the operator knows the domain list in advance.

In 2014, a team of security researchers, working closely with the FBI and other international agencies, finally forced GameOver Zeus offline in Operation Tovar. It was not easy. After working out the order in which the domains would be generated, the team registered about 150,000 domains in the six months leading up to the start of the operation, to block any future domain registrations by the botnet operators.
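The reason pre-registering domains works is that a DGA is deterministic: the bot derives today's rendezvous domains from the date and a fixed seed, so anyone who has reverse-engineered the algorithm can compute the same list ahead of time. The following is an added example written for this article, not code from the original post and not the GameOver Zeus algorithm: a toy DGA of my own construction, the defender's precomputation of every domain the bots will try over a window (the list one would register or sinkhole), and a check of constructed DNS query records against that list. The seed, TLD set, and domain count are made-up values.

```python
"""A toy domain generation algorithm (DGA) and the defensive precomputation
that a takedown like Operation Tovar relies on.

Added, constructed example: the algorithm below is NOT the GameOver Zeus
DGA. It only illustrates the principle: the bot derives today's rendezvous
domains from the date plus a fixed seed, so a defender who has reversed the
algorithm can compute the same list in advance and register or sinkhole
every domain before the operator does.
"""
import hashlib
from datetime import date, timedelta

SEED = b"toy-dga-seed"        # constructed; a real seed is recovered by reverse engineering a sample
TLDS = ("com", "net", "org")  # constructed TLD set
DOMAINS_PER_DAY = 5           # constructed; real DGAs often generate hundreds or thousands per day


def domains_for(day, count=DOMAINS_PER_DAY, seed=SEED):
    """Return the deterministic list of rendezvous domains for `day` (a datetime.date)."""
    out = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).hexdigest()
        # Map 12 hex digits onto letters a..p to get a DNS-safe, random-looking label.
        label = "".join(chr(ord("a") + int(c, 16) % 26) for c in digest[:12])
        tld = TLDS[int(digest[12:14], 16) % len(TLDS)]
        out.append(f"{label}.{tld}")
    return out


def precompute_blocklist(start, days, **kw):
    """Defender's view: every domain the bots will try from `start` for `days` days."""
    block = set()
    for offset in range(days):
        block.update(domains_for(start + timedelta(days=offset), **kw))
    return block


def flag_dns_queries(queries, blocklist):
    """Return the (client, qname) pairs whose query is a precomputed rendezvous domain.

    `queries` is an iterable of (client_ip, queried_name); names are normalised
    to lower case with any trailing dot removed before the lookup.
    """
    return [(client, q) for client, q in queries if q.lower().rstrip(".") in blocklist]


if __name__ == "__main__":
    start = date(2014, 5, 30)
    block = precompute_blocklist(start, 180)
    print(len(block), "domains to register or sinkhole for the next 180 days")
    # Constructed DNS log: (client_ip, queried_name).
    sample = [("10.0.0.5", domains_for(start)[0]), ("10.0.0.9", "example.com")]
    print(flag_dns_queries(sample, block))
```

The same precomputed list serves two purposes in a takedown: registering the domains denies them to the operator, and pointing them at a sinkhole turns every bot's rendezvous attempt into a record of which hosts are infected.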

Next, some ISPs gave the operation control of GOZ proxy nodes, which the botnet operators used to communicate between the command and control servers and the botnet itself. Elliot Peterson, the FBI's chief investigator on Operation Tovar, said: "We were able to convince the bots that we were good to talk to, but all the peers and proxies and supernodes controlled by the bad guys were bad to talk to and should be ignored."

Botnet owner Evgeniy Bogachev (aka Slavik) noticed the takedown about an hour after it began, and fought back for four or five hours before "conceding" defeat. Afterward, researchers were able to crack the encryption of the notorious CryptoLocker ransomware, creating a free decryption tool for victims.

Different IoT Bots

The steps taken to combat GameOver Zeus were extensive but necessary. They show that the sheer power of an intelligently built botnet demands a global approach to mitigation, requiring “innovative legal and technical tactics with traditional law enforcement tools” as well as “robust working relationships with private industry experts and law enforcement partners” from 10 countries around the world.

But not all botnets are the same. As one botnet meets its end, other operators learn from its downfall. In 2016, the biggest and worst botnet was Mirai. Prior to its partial takedown, the Internet of Things-based Mirai botnet hit several key targets with surprisingly large DDoS attacks.

One such attack hit security researcher Brian Krebs' blog with 620 Gbps, eventually forcing Krebs' DDoS protection provider to drop him as a client. Another attack in the following days hit French cloud-hosting provider OVH with 1.2 Tbps, the biggest attack ever seen at the time.

Even though Mirai doesn't come close to being the largest botnet ever seen, it produced the biggest hits. Mirai mostly uses insecure IoT devices, trying a list of 62 insecure default passwords to collect devices (admin/admin is at the top of the list).

Security researcher Marcus Hutchins (aka MalwareTech) explains that part of the reason for Mirai's great strength is that most IoT devices sit there, doing nothing until prompted. That means they are almost always online, and almost always have network resources to share.

Traditional botnet operators analyze peak power periods and time their attacks accordingly. IoT bots, not so much. So, as more poorly configured IoT devices come online, the opportunities for exploitation increase.
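Both the Telnet-style botnets described under command and control and Mirai grow the same way: a scanner works through a short list of factory-default usernames and passwords against every device it can reach, and a device's own login log records exactly that pattern. The following is an added example written for this article, not code from the original post: it parses a constructed log excerpt in OpenSSH's real "Failed password"/"Accepted password" format and flags sources that fail many logins across several default usernames in a short window, noting whether a success followed (i.e. whether the device fell). The log lines, IP addresses, hostnames, thresholds, and the small set of default usernames are all constructed for the demonstration; a Telnet daemon logs in a different format, so the regular expression would need adapting for it.

```python
"""Spotting Mirai-style default-credential brute forcing in a device's login log.

Added, constructed example (not code from the original post). The log lines
below are made up, but use OpenSSH's real "Failed/Accepted password" format.
The detection looks for what a credential-list scanner produces: many
failures from one source, cycling through factory-default usernames, in a
short window, optionally followed by an "Accepted" line for that source.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log excerpt (cam01 is a fictional IP camera; 203.0.113.45 is a TEST-NET address).
LOG = """\
Oct 12 03:14:01 cam01 sshd[812]: Failed password for root from 203.0.113.45 port 53120 ssh2
Oct 12 03:14:02 cam01 sshd[813]: Failed password for invalid user admin from 203.0.113.45 port 53121 ssh2
Oct 12 03:14:02 cam01 sshd[814]: Failed password for root from 203.0.113.45 port 53122 ssh2
Oct 12 03:14:03 cam01 sshd[815]: Failed password for invalid user support from 203.0.113.45 port 53123 ssh2
Oct 12 03:14:04 cam01 sshd[816]: Failed password for invalid user guest from 203.0.113.45 port 53124 ssh2
Oct 12 03:14:05 cam01 sshd[817]: Failed password for invalid user admin from 203.0.113.45 port 53125 ssh2
Oct 12 03:14:07 cam01 sshd[818]: Accepted password for root from 203.0.113.45 port 53126 ssh2
Oct 12 03:20:11 cam01 sshd[901]: Failed password for alice from 192.0.2.10 port 41000 ssh2
Oct 12 03:20:15 cam01 sshd[902]: Accepted password for alice from 192.0.2.10 port 41001 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)
# A small, constructed set of usernames that ship as factory defaults on many devices.
DEFAULT_USERS = {"root", "admin", "support", "guest", "user"}


def parse(log):
    """Yield (timestamp, src_ip, username, result) for each recognised login line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog timestamp
            yield ts, m["src"], m["user"], m["result"]


def detect_credential_scans(log, min_failures=5, window_seconds=60):
    """Return {src_ip: summary} for sources that behave like credential-list scanners.

    A source is flagged when it produces at least `min_failures` failures
    within `window_seconds` using at least two distinct usernames;
    `compromised` is True if a success from that source follows the burst.
    """
    events = defaultdict(list)
    for ts, src, user, result in parse(log):
        events[src].append((ts, user, result))

    findings = {}
    for src, evs in events.items():
        evs.sort()
        fails = [(ts, u) for ts, u, r in evs if r == "Failed"]
        for i in range(len(fails)):
            window_start = fails[i][0]
            span = [f for f in fails[i:] if (f[0] - window_start).total_seconds() <= window_seconds]
            users = {u for _, u in span}
            if len(span) >= min_failures and len(users) >= 2:
                last_fail = span[-1][0]
                success = any(r == "Accepted" and ts >= last_fail for ts, _, r in evs)
                findings[src] = {
                    "failures": len(span),
                    "usernames": sorted(users),
                    "default_usernames": sorted(users & DEFAULT_USERS),
                    "compromised": success,
                }
                break
    return findings


if __name__ == "__main__":
    for src, summary in detect_credential_scans(LOG).items():
        print(src, summary)
```

On a real device the same signal is far cheaper to prevent than to detect: changing the factory password and disabling remote Telnet/SSH where it is not needed removes the condition the scanner depends on, which is the point of the advice in the next section.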

How to Keep Devices Safe?

You may be wondering how to stop your devices from becoming part of a botnet. The first answer is simple: update your system. Regular updates patch the vulnerable holes in your operating system, which in turn cuts off the path for exploits.

The second is to download and keep updated an antivirus program, as well as an antimalware program. There are many free antivirus suites out there that offer excellent low-impact protection. Invest in an antimalware program such as Malwarebytes. Finally, add some extra browser security. Drive-by exploit kits are a nuisance, but they're easy to avoid when you use a script-blocking extension like uBlock Origin.

So what are botnets? “Botnet” is a word formed from the words 'robot' and 'network'. Cybercriminals use specialized Trojan viruses to breach the security of multiple users' computers, taking control of each computer and organizing all the infected machines into a network of 'bots' that the criminals can manage remotely.


That's all the information for this time. Look forward to other interesting information, and don't forget to share this with your friends. Thank you.

Resa Risyan

Just an ordinary person who wants to share a little knowledge, hopefully the knowledge I provide can be useful for all of us. Keep in mind! Useful knowledge is an investment in the afterlife.

Also, read the article about What is Cache? How it works and what it does. See you in another article. Bye