Botnets have become one of the major threats to today’s security systems.
Cybercriminals increasingly use them because they allow them to infiltrate almost any device connected to the Internet, from a DVR player to corporate mainframes.
For this reason, botnets have been a hot topic in the cybersecurity world lately.
What is a botnet?
A botnet is a computer network, usually PCs, made up of devices infected with specialized malware, called bots or zombies.
The cybercriminals who control them are called botmasters or bot herders (underlining how the effectiveness of a botnet depends on its extension).
To create a botnet, botmasters need to control thousands of infected devices (bots) and connect to the Internet.
The size of a botnet directly depends on the number of bots connected: the larger the botnet, the more damage it does.
Devices connected to the Internet with vulnerabilities in their security infrastructure can sometimes become part of the botnet. If the infecting agent is a Trojan, the botmaster can control the system via remote access.
The infected computers can launch attacks, called Distributed Denial of Service (DDoS), against other systems and/or carry out other illegal operations, in some cases even on commission of criminal organizations.
In general, the term “botnet” refers to those networks capable of acting with synchrony and autonomy for illegal purposes, but some legal botnets are used for distributed computing and to study the spread of malware.
However, the most common use of botnets involves compromising computers, whose security defenses can be breached, such as weak or short login credentials, poorly configured firewalls, or vulnerable server software.
Such specialized malware / Trojans, as soon as they have taken control of the system, must be able to provide their author with the fundamental data relating to the infected system.
To do this, they often use IRC channels to provide exclusive access to the author by connecting to a password-protected private channel.
The author can simultaneously check all infected systems listening on the channel through the chat – which can even be tens of thousands.
They can then give you orders, requesting screen images, IP addresses, or, for example, providing a victim’s hostname / IP to attack via DDoS.
Botnet “services” are often sold to customers intent on illegal actions. The services offered include Denial of Service (DoS), Distributed Denial of Service (DDoS), Spam, Phishing, or Spyware.
Structure of Botnets
Botnets can be designed in two ways, intended to maximize botmaster control over bots.
The first model is the “client-server.” In this type of botnet, servers control the data transmissions of each client, as in the classic network structure.
The botmaster uses dedicated software to create Command and Control (C&C) servers, issuing instructions to each client device.
Once the server is destroyed, the botnet no longer exists.
The second model is the “peer-to-peer”. Instead of relying on a central C&C server, newer botnets rely on a peer-to-peer (P2P) structure.
In a P2P botnet, each infected device functions as both a client and a server.
Each bot has a list of other infected devices and contacts them to update or transmit information.
P2P botnets are more difficult for law enforcement to dismantle because they lack a central source.
Prevention Against Botnet
It is necessary to adopt a multi-pronged strategy, based mainly on rules for safe browsing and an antivirus protection system to prevent botnet infection.
Among the most effective practices are: updating the OS, not opening email attachments from unknown or suspicious senders, not downloading files from P2P and file-sharing networks, not clicking on suspicious links, using good antivirus software.