A botnet is a group of computers or devices under the control of an attacker, used to perform malicious activity against a targeted victim. The term “botnet” combines the words “robot” and “network” to describe the nature of a cyber-attack carried out with one. Botnets have been responsible for some of the most widespread Internet outages, taking down large organizations and networking infrastructure with distributed denial-of-service (DDoS) attacks.
How Botnets Work
To control multiple devices, attackers first need to trick users into installing malware. Several authors distribute botnet malware freely to potential attackers, so attackers who aim to cause damage and outages don’t need to create their own software. For example, Mirai targets Linux IoT (Internet of Things) systems such as routers, IP cameras, and home automation products. The botnet malware gives remote attackers the ability to control IoT systems running Linux and use them to flood a target with traffic. This botnet caused widespread outages, generating up to 1 Tbit/second of attack traffic across the Internet and targeting several businesses including Krebs on Security, the French web host OVH, and (most notably) Dyn, a central Domain Name Service (DNS) provider critical for standard Internet communication. Mirai was considered a first of its kind, and the original authors were eventually caught. Although the Mirai authors were caught, the malware has many variants available to attackers, including Okiru, Satori, Masuta, and PureMasuta.
A user can be tricked into installing botnet malware on their local device, or it can be installed by exploiting vulnerabilities. With IoT malware, attackers scan thousands of devices to find outdated and unpatched targets. Devices that don't have automatic patching mechanisms are likely running vulnerable firmware services, which leaves devices open to exploits and makes them perfect targets for botnet malware.
After enough vulnerable devices are infected with botnet malware, an attacker can wait until a specific time to instruct them to flood a target with traffic. The network of infected machines is referred to as a “zombie network” or “zombienet” because they remain dormant until an attacker sends a central command to their hijacked devices. The malware is programmed to stay silent and undetected on the device until it receives commands.
Botnet malware often works with a command-and-control central dashboard where attackers can see the number of infected devices and give all devices the command to send denial-of-service (DoS) traffic to a targeted server simultaneously. When the device cannot communicate with the central command and control server, it can no longer be used in an attack.
What are Botnets Used For?
Because an attacker has control of a remote device, botnets are used for a variety of attacks. Some attacks are launched to add more devices to the zombie network, while others launch a DDoS against a target to disrupt online services. Botnets are especially dangerous to the Internet because they can bring down critical protocol services and popular web applications potentially used by millions of users.
A few common botnet attack options include:
- Reading and writing system data: For instance, an attacker can ask devices to send files to a central server to be reviewed for any sensitive data. Sensitive system files could contain hardcoded credentials to an infrastructure, giving attackers additional exploits to leverage against the organization.
- Monitor user activity: Botnet software often includes other malware that can be used in additional, unrelated attacks. For example, it’s not uncommon for botnet malware to include a keylogger. A keylogger records keystrokes from the user’s keyboard and sends the stolen information to an attacker-controlled server, giving the attacker access to online accounts such as a banking website.
- Scan the local network for additional vulnerabilities: An attacker who wants to launch a DDoS scans as many devices as possible for vulnerabilities. Some devices sit behind a firewall, so once the malware is installed on a single device, it scans local network resources from there. If any local devices have outdated firmware, the malware can exploit the vulnerability and add the vulnerable device to the zombie network.
- Launch a DDoS: DDoS is a common attack after an attacker establishes a botnet. The attacker needs several thousand machines to launch an effective DDoS. Vendors such as Cloudflare can be used to stop DDoS attacks, but an attacker with tens of thousands of zombie bots across the world can still cause extreme performance degradation.
- Send email spam: With access to email accounts on local devices, the attacker can command a botnet to send email to targeted recipients. The email could contain malware to spread it to additional machines, or the attacker could use it in a phishing campaign.
How Attackers Control Botnets
Malware on an infected device remains dormant until an attacker sends commands. The attacker in a DDoS is often referred to as the botmaster, and the central server from which an attacker controls all devices and sends them messages is called the command-and-control center or “C&C.” The malware communicates with the C&C using protocols that are usually allowed through firewalls so that its messages will not be blocked. For example, it’s not uncommon for botnet malware to communicate over HTTP, because HTTP traffic is normal on work and home networks and won’t be blocked by corporate firewalls.
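Because C&C traffic over HTTP blends in with ordinary browsing, one defender-side check is to look for the one thing a dormant bot still does: check in on a fixed timer. The following is an added example (not code from the article or from any product it mentions) that parses constructed proxy-log lines and flags source/destination pairs whose request intervals are nearly constant; the log format, host names and thresholds are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not real traffic): "timestamp src dst_host method bytes".
# The host "update.example-cdn.test" is contacted every ~60 s; the rest is irregular.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.12 update.example-cdn.test GET 512
2024-05-01T10:00:04 10.0.0.12 news.example.test GET 20480
2024-05-01T10:01:00 10.0.0.12 update.example-cdn.test GET 514
2024-05-01T10:01:31 10.0.0.12 mail.example.test POST 4096
2024-05-01T10:02:00 10.0.0.12 update.example-cdn.test GET 511
2024-05-01T10:03:01 10.0.0.12 update.example-cdn.test GET 513
2024-05-01T10:04:00 10.0.0.12 update.example-cdn.test GET 512
2024-05-01T10:04:45 10.0.0.12 news.example.test GET 18000
2024-05-01T10:05:00 10.0.0.12 update.example-cdn.test GET 515
2024-05-01T10:09:10 10.0.0.12 news.example.test GET 9000
"""

def parse_log(text):
    """Return a dict (src, dst_host) -> sorted list of request timestamps."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _method, _size = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    for key in flows:
        flows[key].sort()
    return flows

def find_beacons(flows, min_requests=5, max_jitter=0.1):
    """Flag (src, dst) pairs whose inter-request gaps are nearly constant.

    max_jitter is the coefficient of variation (stdev / mean) of the gaps.
    Human browsing produces large, irregular gaps; a bot polling its C&C on a
    timer produces gaps that barely vary. Returns (src, dst, period_seconds).
    """
    hits = []
    for (src, dst), times in flows.items():
        if len(times) < min_requests:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((src, dst, round(avg, 1)))
    return hits

if __name__ == "__main__":
    for src, dst, period in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible C&C beacon: {src} -> {dst} every ~{period}s")
```

Legitimate software (OS update checks, telemetry, NTP) also polls on a timer, so flagged pairs are triage candidates to compare against known-good hosts, not verdicts.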
Because botnets are so effective, malware writers monetize their efforts by offering DDoS-as-a-service (DDaaS). Several devices infected with botnet malware connect to the same central C&C, and malware writers offer subscription plans where other people can log into the C&C and send their own commands.
Malware authors often code failovers in C&C applications. Should a C&C be taken down, another C&C location is included as a valid failover option. By creating redundancy within the malware, an attacker can avoid losing all infected devices after the hosting service cancels their account.
In other strategies, an attacker uses a peer-to-peer (P2P) model where every infected device also acts as a C&C. If just one computer in the P2P network fails, every other device can still be used to send commands to the rest. P2P botnets are much harder to take down, so they are often a preferred method of communication among infected devices.
After commands are sent to infected devices, they launch the attack or perform actions based on the controller’s instructions. Unaware users with infected devices might experience immediate performance degradation on their network or device while browsing the Internet. A computer might run much slower while under command from a C&C, or other users on the network might notice sudden changes in network speed. Once the attack is complete, performance recovers and the malware returns to dormancy.
How to Protect Yourself from Botnets
Because botnet infection mainly involves outdated firmware, users must always patch their IoT devices, including hardware running on the network. Outdated software vulnerabilities are common in cyber-attacks because users often leave devices unpatched for months. Routers, home-automation IoT devices, cameras, and other hardware that is frequently overlooked and assumed to be safe are common targets for botnet malware.
Many newer IoT hardware manufacturers implement procedures to automatically update firmware, but older devices should be checked for firmware updates. You can check for updates by going to the IoT device manufacturer and looking for updates based on your model.
If you suspect that your local computer might be infected by botnet malware, the best way to detect it is to scan the computer using installed anti-malware software. Good anti-malware software detects the malware before it can be installed on your computer, but certain zero-day malware can be installed undetected because it hasn't yet been seen in the wild. If the anti-malware software is not updated, it cannot detect new malware. As botnet authors continue to modify their code and spin off variants of existing malware, new samples evade detection by computer defenses. To protect your machine, always keep your anti-malware software updated when your vendor deploys new patches.