The term botnet refers to a collection of computers linked together to automate tasks. In general, botnets themselves are not a threat to your network; they are often built to perform useful work, such as managing chatrooms or keeping track of points during a game. When botnets are used maliciously, however, they become dangerous, because a botnet can be used to control computers and to carry out simultaneous security attacks.
Originally built to make time-consuming tasks more efficient, botnets are popular with those who want to multitask: many tasks traditionally managed by people can be automated and run in parallel. Given that ability to speed up work, it was only a matter of time before criminals began using botnets for malicious purposes. Botnets came to be used for password theft and for recording keystrokes on a keyboard (known as keylogging), all of which could be done virtually unnoticed.
Botnets take two structural forms, chosen to fit the use case: the client/server model and the peer-to-peer model. A client/server botnet can be arranged in a few different ways, using a star, a multi-server, or a hierarchical network topology.
In a star topology, each host is connected to a hub at the center of the network. The hub acts as the router that forwards messages to the computers in the star network, so all data on the network passes through the central hub before it reaches its destination. A multi-server topology is structured similarly to a star network; the difference is that more than one server communicates with the nodes, which makes it somewhat more efficient, but also more expensive.
In a hierarchical topology, a server sits at the top of a hierarchy of machines. That server sends and receives data through bots that relay it to machines lower in the hierarchy, so there is at least one degree of separation between the server and the lowest tier of bots.
The second form of botnet is peer-to-peer (P2P). In a peer-to-peer botnet, each device operates independently as both a client and a server. The devices coordinate with one another to transmit and update information across the system instead of relying on a hierarchy. Because there is no centralized control, a P2P botnet is harder to detect.
There are several ways in which botnets can be used maliciously. Common roles and forms of attack include botmasters, zombies, spamming, and dialbots.
Botmaster: A botmaster can launch distributed denial-of-service (DDoS) and other types of attacks remotely. The bots a botmaster uses are usually installed on computers through various remote code installation techniques. The botmaster's identity is concealed using proxies, an intermediary Internet Protocol (IP) address, or The Onion Router (Tor) Project, which is used in conjunction with the dark and deep web.
Zombies: A zombie botnet is named after how a computer behaves once it is infected. In a zombie attack, a computer connected to the internet is controlled by a hacker or by malware; the bot may be installed on the target computer using a Trojan horse. The computer becomes “mindless,” like a zombie.
Spamming: A spamming botnet, otherwise known as a spambot, is a machine that distributes spam email to other computers. These emails tend to carry fake advertisements for products such as fake antivirus software or counterfeit goods, and they may also have computer viruses hidden within them.
Dialbots: Dial-up bots work by connecting to dial-up modems and using them to make outbound calls. By doing this they can tie up a phone line (similarly to a DDoS attack), which may force the user to switch numbers. Sometimes the botnet calls a premium phone number, leaving the target user with a high phone bill. These attacks are shrinking in popularity, however, because dial-up modems are becoming less and less common.
Botnets that use a centralized command-and-control (C&C) structure are fairly easy to counter, as long as you can identify the control center: the entire botnet goes offline when the control center is taken offline. Using this knowledge, administrators and law enforcement can shut down botnets quickly and possibly prevent future attacks. One's ability to interfere with a botnet depends on the country where the control center is located; in some jurisdictions it is more difficult to interfere with control center activity than in others, depending on local laws and enforcement.
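The takedown argument above, and the difference between the client/server topologies and the peer-to-peer model described earlier, can be made concrete by modelling each topology as a small graph and counting how many bots the operator can still reach after control nodes are removed. The following is an added example written for this article, not code from Firestorm Cyber or from any real botnet; the graphs (a 10-bot star, a 3-server multi-server network, a 3-relay hierarchy, a 12-peer ring with chords) are constructed toy inputs, and the node names are arbitrary.

```python
"""Model the botnet topologies described above as undirected graphs and measure
how many bots the operator can still reach after a takedown of control nodes.
All graphs here are constructed toy examples, not data from a real botnet."""
from collections import deque


def build_star(n_bots):
    # One hub; every bot is attached only to the hub.
    return [("hub", f"bot{i}") for i in range(n_bots)], ["hub"]


def build_multi_server(n_servers, n_bots):
    # Servers are fully meshed; each bot is registered with two servers.
    servers = [f"srv{i}" for i in range(n_servers)]
    edges = [(servers[i], servers[j])
             for i in range(n_servers) for j in range(i + 1, n_servers)]
    for b in range(n_bots):
        edges.append((servers[b % n_servers], f"bot{b}"))
        edges.append((servers[(b + 1) % n_servers], f"bot{b}"))
    return edges, servers


def build_hierarchical(n_relays, bots_per_relay):
    # Top server -> relay bots -> leaf bots (at least one degree of separation).
    edges = []
    for r in range(n_relays):
        edges.append(("top", f"relay{r}"))
        edges.extend((f"relay{r}", f"bot{r}_{b}") for b in range(bots_per_relay))
    return edges, ["top"]


def build_p2p(n_peers, degree=3):
    # Ring plus chords: every peer is both client and server; no special node.
    edges = set()
    for i in range(n_peers):
        for k in range(1, degree + 1):
            edges.add(tuple(sorted((f"peer{i}", f"peer{(i + k) % n_peers}"))))
    return sorted(edges), []


def adjacency(edges, removed=()):
    """Adjacency map with every edge touching a removed node discarded."""
    removed, adj = set(removed), {}
    for a, b in edges:
        if a in removed or b in removed:
            continue
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def reachable_from(edges, start, removed=()):
    """Breadth-first search over the surviving graph."""
    adj = adjacency(edges, removed)
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in adj.get(cur, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def bots_reachable_after_takedown(edges, control, removed, entry=None):
    """Count bots the operator can still reach once `removed` nodes are offline.
    The operator enters through a surviving control node; in a P2P network
    (no control nodes) any surviving peer, given as `entry`, will do."""
    removed = set(removed)
    entries = [c for c in control if c not in removed]
    if not entries and entry is not None and entry not in removed:
        entries = [entry]
    reached = set()
    for e in entries:
        reached |= reachable_from(edges, e, removed)
    return sum(1 for n in reached if n.startswith(("bot", "peer")))


def takedown_report():
    star, star_ctl = build_star(10)
    multi, multi_ctl = build_multi_server(3, 12)
    hier, hier_ctl = build_hierarchical(3, 4)
    p2p, p2p_ctl = build_p2p(12)
    return {
        "star, hub removed": bots_reachable_after_takedown(star, star_ctl, ["hub"]),
        "multi-server, 1 of 3 servers removed":
            bots_reachable_after_takedown(multi, multi_ctl, ["srv0"]),
        "multi-server, 2 of 3 servers removed":
            bots_reachable_after_takedown(multi, multi_ctl, ["srv0", "srv1"]),
        "hierarchical, top removed": bots_reachable_after_takedown(hier, hier_ctl, ["top"]),
        "hierarchical, one relay removed":
            bots_reachable_after_takedown(hier, hier_ctl, ["relay0"]),
        "p2p, none removed": bots_reachable_after_takedown(p2p, p2p_ctl, [], entry="peer5"),
        "p2p, 3 of 12 peers removed":
            bots_reachable_after_takedown(p2p, p2p_ctl, ["peer0", "peer1", "peer2"], entry="peer5"),
    }


if __name__ == "__main__":
    for scenario, count in takedown_report().items():
        print(f"{scenario}: {count} bots still reachable")
```

Removing the single hub or top server leaves zero reachable bots, which is the whole basis of the control-center takedown strategy; the multi-server variant only degrades (12, then 8 bots) as servers are removed, and the peer-to-peer ring keeps 9 of 12 peers reachable from any surviving peer, which is why a P2P botnet has no single node whose removal ends it.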
What if your device has been taken over by a botnet for malicious purposes? With individual devices, there are several ways to regain control: reinstalling the operating system from a backup, running antivirus software, or reformatting the system and doing a clean install. As with traditional devices, you can regain control of an IoT (Internet of Things) device by reformatting it or doing a factory reset, and you may also be able to re-flash its firmware.
Allow only trusted third-party code to execute on your devices. To do this, you first need secure, trusted supervisor software, also referred to as a kernel. Once that is in place, software that is not trusted is prevented from running on the device. With this method, you do not need a catalogue of every botnet floating around the internet.
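The trusted-execution model described above is a default-deny allowlist: the system keeps a list of vetted programs and refuses everything else, so it needs no catalogue of bad software. The following added example (written for this article, not Firestorm Cyber's product code) shows the core of such a check in user space: a SHA-256 allowlist built from vetted binaries and a decision function that denies anything whose hash is unknown. The three sample "binaries" are constructed in a temporary directory; in a real deployment the decision is enforced by the kernel or a policy engine rather than by a script.

```python
"""Hash-based application allowlisting (default deny), as an added example.
Only a file whose SHA-256 digest is on the allowlist may run; filename and
location are irrelevant, so a tampered or renamed copy is still refused."""
import hashlib
import os
import tempfile


def sha256_of_file(path):
    """Hash the file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_allowlist(trusted_paths):
    """The only 'database' this model needs: hashes of the programs you vetted."""
    return {sha256_of_file(p): os.path.basename(p) for p in trusted_paths}


def execution_decision(path, allowlist):
    """Return ('ALLOW', name) for a known-good file, ('DENY', reason) otherwise."""
    digest = sha256_of_file(path)
    if digest in allowlist:
        return "ALLOW", allowlist[digest]
    return "DENY", f"sha256 {digest[:12]}... not on allowlist"


def demo():
    """Constructed sample: a vetted updater, an unknown tool, and a tampered
    copy of the updater that keeps a familiar name but has different bytes."""
    with tempfile.TemporaryDirectory() as workdir:
        trusted = os.path.join(workdir, "updater")
        unknown = os.path.join(workdir, "unknown_tool")
        tampered = os.path.join(workdir, "updater_copy")
        with open(trusted, "wb") as fh:
            fh.write(b"#!/bin/sh\necho legitimate updater\n")
        with open(unknown, "wb") as fh:
            fh.write(b"#!/bin/sh\necho something nobody vetted\n")
        with open(tampered, "wb") as fh:
            fh.write(b"#!/bin/sh\necho legitimate updater\n# one extra line\n")

        allowlist = build_allowlist([trusted])
        return {
            "updater": execution_decision(trusted, allowlist)[0],
            "unknown_tool": execution_decision(unknown, allowlist)[0],
            "tampered updater": execution_decision(tampered, allowlist)[0],
        }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Only the exact vetted file is allowed; the unknown tool and the modified copy are both denied without the checker knowing anything about malware. Production equivalents of this idea (for example Windows AppLocker/WDAC policies or Linux `fapolicyd`) enforce the same rule at execution time, and the operational cost is keeping the allowlist current when legitimate software updates.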
You only need a list of trusted applications that are allowed to run on your computer; everything else is stopped from running, even in the background. A user may also implement network traffic monitoring. Ingress refers to traffic sent into your network, while egress is traffic sent out of your network. With good ingress and egress filters, you can catch botnets before they capture your computers.
Even if a botnet has already infected one device, filtering stops it from spreading from one computer to another. Ingress filtering inspects data as it enters your network, eliminating or stopping malicious data from getting inside, while egress filtering is applied to data as it leaves a computer or network. If malicious software is found, the data stream can be stopped and the problem addressed accordingly.
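To show what ingress and egress filtering actually decide, here is an added example (written for this article, not Firestorm Cyber's firewall) that applies a simple perimeter policy to a handful of constructed connection records: inbound connections may only reach published services, outbound DNS may only go to the approved internal resolver, and other outbound traffic is limited to web ports. The addresses, ports and the internal range 10.0.0.0/8 are all assumed sample values. It also tallies which internal hosts keep hitting the egress rules, since a machine repeatedly trying to reach unapproved destinations is a candidate for the infected-device cleanup described earlier.

```python
"""Toy ingress/egress filter over constructed connection records (added example).
Policy: inbound only to published services; outbound DNS only to the approved
resolver; other outbound traffic only on the approved web ports."""
import ipaddress
from collections import Counter

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")          # assumed internal range
PUBLISHED_SERVICES = {("10.0.0.5", 443)}                   # the only inbound-reachable service
EGRESS_PORTS = {80, 443}                                    # outbound allowed only on these
APPROVED_RESOLVER = "10.0.0.2"                              # all DNS must go here

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port)
SAMPLE_FLOWS = [
    ("198.51.100.7", 51000, "10.0.0.5", 443),   # inbound to the web server
    ("198.51.100.7", 51001, "10.0.0.9", 22),    # inbound SSH to a workstation
    ("10.0.0.9", 40001, "203.0.113.10", 443),   # outbound HTTPS
    ("10.0.0.9", 40002, "203.0.113.20", 9001),  # outbound on an unapproved port
    ("10.0.0.9", 40003, "10.0.0.2", 53),        # DNS to the approved resolver
    ("10.0.0.9", 40004, "203.0.113.30", 53),    # DNS that bypasses the resolver
]


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL_NET


def classify(flow):
    """Return ALLOW, DROP, or INTERNAL (not a perimeter decision) for one flow."""
    src, _sport, dst, dport = flow
    src_in, dst_in = is_internal(src), is_internal(dst)
    if not src_in and dst_in:                       # ingress
        return "ALLOW" if (dst, dport) in PUBLISHED_SERVICES else "DROP"
    if src_in and dport == 53:                      # DNS from inside: resolver only
        return "ALLOW" if dst == APPROVED_RESOLVER else "DROP"
    if src_in and not dst_in:                       # egress
        return "ALLOW" if dport in EGRESS_PORTS else "DROP"
    if src_in and dst_in:
        return "INTERNAL"
    return "DROP"                                   # external to external: not ours


def apply_policy(flows):
    """Verdict for every flow, in input order."""
    return [classify(f) for f in flows]


def egress_offenders(flows):
    """Internal hosts whose outbound connections were dropped, with counts.
    Repeated hits from one host are a detection signal worth investigating."""
    hits = Counter()
    for flow in flows:
        src, _sport, dst, _dport = flow
        if is_internal(src) and not is_internal(dst) and classify(flow) == "DROP":
            hits[src] += 1
    return dict(hits)


if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, apply_policy(SAMPLE_FLOWS)):
        print(f"{verdict:8} {flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}")
    print("egress offenders:", egress_offenders(SAMPLE_FLOWS))
```

The inbound SSH attempt never reaches the workstation (ingress), and the two dropped outbound flows, one to an unapproved port and one to an outside DNS server, both come from the same internal host, which is exactly the kind of pattern an egress log should surface even when the host itself shows no obvious symptoms.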
Devices with weak security are common targets. Often, devices ship with default passwords that are easy to guess. Furthermore, if a hacker has access to a list of the default passwords a device manufacturer tends to use, they may not even have to decipher or brute-force anything. It is best to use devices with more advanced security features.
By using higher-quality products and making sure to use strong passwords and two-factor authentication, your device is less likely to be compromised. Be cautious with email attachments: malware distributed by botnets is just a click away from infecting your device. Any time you receive an email with an attachment, be careful and test the attachment if possible, especially if it comes from an unknown sender.
Contact Firestorm Cyber to learn more about how we can provide solutions for any of your cyber needs. With our 24/7 support and the tools of our partners, like Sophos, we are able to detect anomalies that could compromise your data. Our firewall, for example, monitors all data coming in and going out, preventing you from becoming a botnet victim. At Firestorm we take care to provide our customers with the best quality products and security so that you don't have to worry about the safety of your data.