Breaking into someone else’s account, spreading fake websites, sending nuisance or dangerous spam, stealing personal data, infecting millions of devices with malware, taking entire parts of the Internet offline… hackers can cause a lot of trouble. All of this (and much more) would be nearly impossible without one of the most dangerous yet most widely used tools in the hacker’s arsenal: the botnet.
In This Article
- 1 What is a botnet?
- 2 How do botnets work? Two models, one goal
- 3 Spreading the Infection: How Botnets Are Created
- 4 What can a botnet be used for?
- 5 What Happens When Your PC Is Part Of A Botnet: 5 Reasons You Don’t Want To Become A Zombie
- 6 The greatest hits
- 7 Say goodbye to botnets
- 8 Beat the botnet
- 9 Finally
What is a botnet?
Simply put, a botnet is a network of infected computers that work together under the direction of one main computer to achieve a specific goal. That may sound harmless and straightforward, but it is the driving force behind some of the worst attacks hackers can carry out.
A botnet requires two things: first, an extensive network of infected devices called “zombies” that do the heavy lifting of carrying out the hacker’s plan. Second, someone has to direct the network to do something: the person who runs the command center, called the administrator or “bot herder” (but strangely not the “wizard”). Once these conditions are met, the botnet is ready to do its malicious work.
The simplest botnets consist of large-scale networks of “zombie computers” that obey one main computer.
The term “botnet,” composed of “robot” and “network,” was coined in 2001 by EarthLink Inc. in a lawsuit against Khan C. Smith, a Tennessee man who raked in $3 million with the largest spam network discovered to date. The plan didn’t work out well for Mr. Smith, who lost the lawsuit and had to pay $25 million to EarthLink, leaving him with a net loss of $22 million. Not a great business genius, but it did show how dangerous this technology could be.
Botnets are often massive and victimize people in two ways: by attacking your computer directly or by taking over your devices so that they become part of a global hacker network. We will come back to that later.
How do botnets work? Two models, one goal
A detailed description of how botnets work is beyond the scope of this article and, fortunately, not that important. A general understanding of the threat they pose is enough to give you an idea of their scale and the danger they present to anyone using the Internet.
Anyone who can make computers work together can earn a decent living with it. That is not surprising. Setting up an efficient network structure is just as important as managing it. A botnet can be set up in two ways: via the client-server model and via the peer-to-peer model.
The client-server model
The client-server model works the old-fashioned way: “zombies” receive their instructions from one location, usually a website or a shared server. That was enough in the early days, but it had one drawback: the botnet was easy to disable. You just had to shut down the website or server, and the whole system collapsed.
The peer-to-peer model
The peer-to-peer model bypasses the Achilles heel of the client-server model. In this system, each infected machine communicates directly with a few others in the network. Those are connected to other devices in the network, and those to even more machines, creating a massive system of connected computers. This means it is not a problem if a few devices fail: other devices take over their task.
In both cases, it is essential that only the administrator can control the network. To ensure that only commands from the hacker (or the person to whom he or she sold the botnet) are distributed through the network, a digital “signature” (a unique code) is used.
Spreading the Infection: How Botnets Are Created
Setting up a network is one thing, but how do you get a device to “join” the network? A Trojan horse is used for this, something that may sound familiar to you.
A Trojan horse is a piece of malware that tries to get onto a computer by pretending to be something much more innocent (like the original Trojan Horse). Trojans often arrive with a phishing email, come bundled with pirated software, or are even delivered through malvertising attacks. How they end up on your PC doesn’t matter right now. It’s what they do once they get there.
Botnets are usually established via Trojans.
Once a Trojan arrives on the computer, it opens a “back door” that allows hackers to access and control certain aspects of the PC or other network-connected device. Typically, Trojans give hackers minor powers, but that’s enough to cause serious problems, such as managing an effective botnet. Fortunately, Trojans usually cannot reproduce or try to spread (although there are exceptions). Unfortunately, a Trojan can go dormant on the computer and go unnoticed until the hacker decides to use it.
When enough computers with such built-in back doors are available, hackers combine them into a network: the botnet.
What can a botnet be used for?
Botnets may be complex, but you can only do two things with them: send something quickly or have all computers do the same thing simultaneously. But those who are creative enough can also cause an astonishing amount of damage with a simple tool.
Let them eat spam
As mentioned above, the first botnets were designed to carry out phishing and spam attacks. It is relatively easy to compose a spam message and send it to everyone on your contact list. However, this will achieve little beyond a lot of annoyance. What works better: use millions of computers to send as much spam as possible to as many recipients as possible. That way, spam spreads quickly, and you make as many victims as possible. And that is precisely what botnets are good at. Phishing works similarly, but “spear-phishing” does not. In that case, a botnet is of little use.
Millions of targets
Suppose you labored for years to create the perfect virus. Would you settle for one or two recipients? Of course not! You want to share your masterpiece with the whole world! Just as spam aims to reach as many people as possible, malware is “at its best” when it hits its victims quickly and hard.
Malware is not sustainable: one piece of malware usually only lasts an hour or so. After that, the virus definitions of the antivirus software are updated, and the fun is over. Malware is only successful if it infects as many computers, phones, or other network-connected devices as possible as quickly as possible. It must then either hide to evade virus scans or do the intended damage before the antivirus software detects the culprit and quarantines it.
Botnets allow viruses to reach as many people as possible in that short time, especially when devices are infected via email or an open network.
Denied Access: DDoS attacks
Have you ever tried in vain to access a website? Or if you did get access, was the website so slow that it was practically unusable? Often the culprit is a DDoS attack. This topic deserves its own article. In short, in a DDoS attack, so many “zombies” are let loose on a website that it can no longer cope, and other visitors barely manage to reach it.
Hackers can target websites with a DDoS attack for a variety of reasons. There is no financial gain (except perhaps through extortion, but that rarely works), so usually, it is a form of protest, or they do it “for fun.” Whatever the motive, it will only work if the attacker has lots of computers trying to contact the site simultaneously. A botnet is highly suitable for this.
Elegant ways to hack a computer are rare. Assuming you have not reused a known password and have not been foolish enough to choose one of the 100 most used passwords, hackers trying to break into your account usually use brute computing power (a “brute force attack”).
In short, in such an attack, the attacker tries all possible combinations of words, phrases, letters, and special symbols until the correct password happens to turn up. When specific terms or variants of words are used, we speak of a “dictionary attack.” This type of attack is most commonly used to crack passwords.
The tricky thing for hackers is that most websites only allow a limited number of login attempts per computer or IP address. It’s hard to force access with brute force if you only get to try five times. In that case, a botnet offers a solution: you let every computer in the network try until its attempts are blocked. If you have enough computers and enough time, you can crack almost any password.
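The following is an added illustration, not code from the original article: it shows why a limit of five attempts per IP address does nothing against guesses spread over many zombies, and how a limit that counts failures against the account itself, from any source, closes that gap. The attempt log and the IP addresses are constructed.

```python
"""Per-IP versus per-account login throttling under a distributed guess attack.
Added illustration; the attempt log below is constructed, not captured."""
from collections import defaultdict, deque

WINDOW_SECONDS = 300      # sliding window over which failures are counted
MAX_PER_IP = 5            # the "five tries per IP" rule the article mentions
MAX_PER_ACCOUNT = 20      # counts failures against the account, whatever the source IP


class LoginThrottle:
    """Tracks failed login attempts and decides whether a new one may proceed.

    In this illustration every attempt is a wrong guess, so every allowed
    attempt is recorded as a failure. Timestamps are plain seconds.
    """

    def __init__(self, account_limit):
        self.account_limit = account_limit        # enable the per-account rule
        self.by_ip = defaultdict(deque)           # ip -> timestamps of failures
        self.by_account = defaultdict(deque)      # account -> timestamps of failures

    @staticmethod
    def _recent(history, now):
        # Drop timestamps that fell out of the sliding window; return the count left.
        while history and now - history[0] >= WINDOW_SECONDS:
            history.popleft()
        return len(history)

    def attempt(self, now, ip, account):
        """Return True if the guess reaches the password check, False if throttled."""
        if self._recent(self.by_ip[ip], now) >= MAX_PER_IP:
            return False
        if self.account_limit and self._recent(self.by_account[account], now) >= MAX_PER_ACCOUNT:
            return False
        self.by_ip[ip].append(now)
        self.by_account[account].append(now)
        return True


def botnet_attempts(bots=50, guesses_per_bot=5):
    """Constructed attempt log: each of `bots` zombie IPs makes exactly
    `guesses_per_bot` guesses against the same account, one second apart."""
    log = []
    t = 0
    for b in range(bots):
        ip = f"10.0.{b // 256}.{b % 256}"          # constructed private addresses
        for _ in range(guesses_per_bot):
            log.append((t, ip, "alice"))
            t += 1
    return log


def guesses_that_got_through(log, account_limit):
    """Count how many guesses the throttle let reach the password check."""
    throttle = LoginThrottle(account_limit)
    return sum(1 for now, ip, acct in log if throttle.attempt(now, ip, acct))


if __name__ == "__main__":
    log = botnet_attempts()
    print("per-IP limit only:  ", guesses_that_got_through(log, False))   # 250
    print("plus account limit: ", guesses_that_got_through(log, True))    # 20
```

A hard per-account lock can itself be abused to lock a legitimate user out, which is why real systems usually escalate to a CAPTCHA or a second factor rather than refusing outright.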
If your password has been stolen and is on the dark web, it will only be easier for hackers. While virtually any password stolen from websites or organizations is encrypted, hackers can still use brute force to figure out what it is. Only now do they not have to worry about being locked out.
Using a special program called a password cracker, they try out as many combinations of characters and letters as possible and apply the same encryption process that was used on the stolen database. In this way, they figure out precisely which password each encrypted entry corresponds to. If they divide the task so that each computer tries different words and combinations, even a reasonably good password can be cracked in minutes.
Fortunately, cracking a perfect password (which isn’t as hard to generate as you think) can take millions of years, even for a botnet. Learn how to set up strong passwords in this article.
Mining cryptocurrencies 24/7
Botnets are not only used to attack people. More and more hackers use botnets to get the associated “zombies” mining bitcoin or other online currencies. This type of malware is called a cryptocurrency miner, and while nobody is targeted here, there are still victims: the owners of the computers that do the work. Those computers become slow because of that. It also leads to high electricity bills and makes the computer wear out faster.
And it is a growing trend. Last year alone, 1.65 million computers were hijacked to mine cryptocurrencies for hackers. That number is steadily increasing: compared to 2017, the number of “crypto-jacking” cases has grown by a whopping 8,500%! This form of cybercrime owes its popularity to its low barrier to entry and to the fact that PC owners are relatively unaffected by it. Most people don’t care if their computer is a little slower now and then. As a result, the virus can go unnoticed for months.
What Happens When Your PC Is Part Of A Botnet: 5 Reasons You Don’t Want To Become A Zombie
In voodoo lore, a zombie is a human being who has returned from the dead but no longer has a will or voice of its own. A computer zombie obeys the will of a malicious stranger, and that’s no fun.
Welcome to the slow lane
Computers cannot do magic. (Frame that sentence!) When your computer is busy with one task, it doesn’t have enough processing power left for other things. For example, if you are streaming a movie, the computer may become slow. You can then improve speed and quality by closing other programs that are running at the same time. Easy enough.
Botnets misuse your computer’s system resources for their gain and can slow the computer down.
Once your computer becomes a zombie, it will stop listening to you. And that’s a problem because if the person running the botnet decides that your computer should send out as much spam as possible, there’s nothing you can do about it. You probably won’t even notice it, but your computer suddenly becomes a lot slower than usual. That’s problem number one with a botnet infection (and the most glaring symptom): the botnet is eating up all the system resources you need to do something that is hopefully less illegal.
By the way, this is called “scrumping.” This English word was once used for picking leftover apples in someone else’s orchard, but for some reason it now also means this.
A case of stolen identity
Hackers always send their spam messages to as many people as possible, not just strangers, but all your contacts as well. In doing so, they abuse your email account, because a message from a personal account can bypass anti-spam filters. So if you are part of a botnet, this is an important clue. Sometimes, though, the incorrect (but not illogical) conclusion is drawn that your account has been hacked rather than your PC. Fortunately, there are more signs to look out for if you want to find out what the problem is.
Sky-high electricity bills
Everyone has to pay bills, and if you’re a breadwinner, you have at least one good reason to keep your PC from ending up in a botnet: your electricity bill. When the administrator needs his horde of zombies for something, it doesn’t matter if your computer is turned off. As soon as it is required for a campaign, the computer is switched on again. That’s annoying, but at least it’s a strong indication that your PC has been compromised. There is one problem, though …
More disarming than the Treaty of Versailles
If your computer is part of a botnet, the hacker would, of course, not want you to leave the botnet. So most of the time, the software that recruited your computer also prevents you from downloading or running an antivirus program. Not only can this stop you from removing the malware, but it also makes you vulnerable to other equally destructive malware on the Internet.
You will understand why that is undesirable.
Becoming an easy target
Hackers like to work as efficiently as possible, so don’t think you’re immune to their plans because you’re technically working for them. You will get the same spam, adware, and pop-up messages they send to everyone else, not only because you are a good source of income but also because they know you are nowhere near as well protected as everyone else. You can accuse hackers of a lot, but they are not wasteful.
The greatest hits
The short history of the Internet has quite a few notorious botnets. Here are some of them:
GAmeover ZeuS – Worse than its grammar
Hackers and correct language don’t go together.
But to the point. GAmeover ZeuS was a peer-to-peer botnet modeled on older malware called the ZeuS Trojan. Not a bad pedigree, as the ZeuS Trojan infected more than 3.6 million devices and was the subject of an international investigation by the FBI that led to the arrest of some 100 people around the world. Unfortunately, GAmeover ZeuS lived up to its predecessor. It used a special encrypted network that made it virtually impossible for law enforcement officers to trace. The Windows-based botnet held firm as the primary distribution channel for the Cryptolocker ransomware and a series of banking frauds.
In 2014, Operation Tovar, an international alliance of investigative services worldwide, managed to disrupt the malware and block the hackers’ communication for two weeks. When the hackers wanted to make a copy of their database, Operation Tovar managed to intercept it. In the database, they discovered the decryption code for Cryptolocker. With that, the botnet was effectively rendered harmless. In addition, they found the identity of the gang’s leader, the suspected Russian cybercriminal Yevgeniy Mikhailovich Bogachev.
The following year, the FBI offered a $3 million reward to anyone who could help them find and arrest the man. But that aside, it was “game over” for GAmeover. Still, the criminals had gotten their way. About 1.3% of the victims of Cryptolocker paid the ransom, so the criminals ran off with a sum of three million dollars.
And thanks to that success, variants of the original GAmeover ZeuS malware are still lurking on the Internet, patiently waiting for the right time to strike …
Mirai – the future of the botnet
The malware is named after an anime (Japanese animation) about children who use time-travel diaries to kill each other and become God. That must be something special.
Discovered in 2016 by MalwareMustDie computer security specialists, Mirai is a botnet designed to attack Linux systems and used in one of the most significant DDoS attacks of the decade. What made Mirai special was the aggressiveness with which it spread. Once it settled on a device, it continuously scanned for other IoT devices to join the network. As soon as it found one, Mirai attempted to hack into the machine using an internal database of default usernames and passwords, and once it did, it started looking for new victims again.
Mirai attacked GitHub, Twitter, Reddit, Netflix, Airbnb, and Liberia’s internet infrastructure.
At its peak, the botnet was used in many DDoS attacks, too many to name. The list of victims includes GitHub, Twitter, Reddit, Netflix, Airbnb, Rutgers University, and the entire internet infrastructure of the African country of Liberia. Once discovered and analyzed by the folks at MalwareMustDie, it didn’t take long for the devices to update and the malware to become useless. Nevertheless, Mirai was active for nearly two years before it was brought to an end. This made it one of the most successful botnets in the world.
Incidentally, Mirai was one of the least harmful botnets ever, no matter how big and aggressive it was. Not only were specific devices spared (such as military and postal equipment), it also removed other malware already on the system and made the device immune to future infections. It only used the acquired devices for the occasional DDoS attack. As far as is known, it did not attempt to cause further damage to the devices it controlled, which is probably why the botnet was able to run undisturbed for so long.
It’s worth noting that the suspected creators, Paras Jha, Josiah White, and Dalton Norman, pleaded guilty when they were charged with manufacturing malware. So, in the end, the bad guys got caught.
Another fun fact: they worked under the pseudonym Anna-senpai, after Anna Nishikinomiya, a character in a 2015 anime about a teenage girl who wears tights on her head and distributes pornographic pamphlets as an act of terrorism in a world where sex is illegal.
Anime is weird …
ZeroAccess – a lousy name for lousy malware
Despite the name, ZeroAccess did not take part in DDoS attacks, yet more proof that hackers should hire a copywriter when coming up with a name for their malware.
But while the name is debatable, there is no question about the effectiveness, and the threat, of this botnet. The ZeroAccess rootkit, the primary method the malware used to force Windows machines to join the botnet, spread aggressively through social engineering and adware attacks. In the end, about 9 million systems were infected. The botnet ran on one to two million machines, a manageable number, with nearly 8 million computers on the sidelines to replace any system that left the network.
The creators of the ZeroAccess botnet looted an estimated $38 million.
The botnet that the infected machines were part of was one colossal money machine. Bitcoin mining began on every device, and every online ad was replaced with an advertisement of the malware’s choosing, generating revenue for the hackers rather than for the website hosting the ad. These two activities proved hugely profitable for the hackers. No exact figures are available, but the hackers may have earned up to $38 million that way, although the actual amount is likely to have been significantly lower.
In December 2013, a coalition led by Microsoft attempted to dismantle the network. For a while, it worked. But because they failed to take control of all the command centers, the network could be rebuilt. Still, the discovery was important, as it turned out that antivirus software could protect against the rootkit, and while the network still exists, it is now much smaller and less dangerous.
In some ways, the name is still valid … after all, the botnet now has “zero” access to protected computers! Take that! Serves that piece of dead software right! Ha!
Backdoor.Flashback – No one is safe
If you think you’re safe with your MacBook and laugh at those malware-ridden Windows and Linux devices, we’ve got an unpleasant surprise for you: the Trojan horse Backdoor.Flashback infected more than 600,000 Macs in 2011 and 2012. All those Mac owners who were caught unprepared because they believed their device was immune to attack were suddenly in deep trouble. (If you’re using a Mac, check out our Ultimate Mac Security Guide.)
This Trojan infected computers via a vulnerability in Java and then redirected them to a fake website. A batch of malware was then downloaded that turned the Mac into an obedient zombie, along with other nasty malware that stole personal data and slowed down the computer.
Fortunately, the botnet itself never actually did anything, as far as we know. While the other downloaded malware did cause damage, the peer-to-peer network Backdoor.Flashback established was never ordered to do anything other than spread itself. That continued until early 2012, when it was discovered by Dr. Web and “patched out.”
Probably 600,000 computers were not enough to use the botnet effectively, and the hackers were waiting for the number to grow large enough before using it and exposing themselves. But that’s guesswork: unlike most of the malware on this list, Backdoor.Flashback is dead as a doornail, and we’ll most likely never see it again …
Say goodbye to botnets
The bigger something is, the more flaws it has. This applies not only to the “boss” in a video game but also to botnets. And while it is a hugely time-consuming and challenging job for organizations or governments to defuse and eliminate an entire botnet, the steps you need to take to protect yourself from a botnet (so that you neither become part of one nor fall victim to one) are quite simple.
Botnets and You – How to Avoid Becoming a Zombie
No matter how large and complex botnets are, you protect yourself against them in the same way you protect yourself against other malware.
- Do not download anything you do not fully trust
- Do not click on online advertisements
- Don’t fall for a phishing email
- And equip your computer with powerful antivirus software.
By taking all these obvious measures, you will never become part of a botnet or fall victim to a botnet-organized attack.
Your PC is part of a botnet. What now?
It gets trickier when your PC is part of a botnet, because the typical Trojan horse or rootkit is damn good at hiding from antivirus software. If your PC is showing all the symptoms of a “zombie,” but your antivirus doesn’t see anything out of the ordinary (or doesn’t work at all), you have two choices:
- Factory reset your computer (which not only gets you rid of the botnet but also everything else on your computer).
- Run a boot scan. Boot-time scans catch deep-rooted malware by scanning the system before the operating system starts. That way, the malware has nowhere to hide and cannot stop the scan operation.
The latter is preferable, of course, and with the AVG Startup Scan, you shouldn’t need to restore anything.
Anyway, I wouldn’t dwell on it too long. The average botnet infection has a lifespan that even a housefly would pity: 58% of infections last less than one day and only 0.9% longer than a week. So don’t make it a drama …
Another device is part of a botnet. What now?
It is different if one of your IoT devices is infected: after all, there is not much antivirus software available for refrigerators yet. But there is a simple solution in that case, too: once you determine that the device is infected (slowness is often the only clue), restart it and quickly change the password. Whenever a device is turned off, the malware has to reinfect it. So if you change the access credentials quickly enough, the malware has no chance.
Unfortunately, this doesn’t help with the latest malware threat, Hide ’n Seek. We will come back to this later.
Your small business is being DDoSed by a botnet. What now?
If you own a small or medium-sized business, you are rightly concerned about DDoS attacks. While you are not very likely to be targeted personally (although that could happen if you anger the mob on the Internet), the server on which your website is running could be attacked. In that case, you may be offline for as long as the attack lasts. If you don’t run your own server, there is … nothing you can do about it.
If you do run your own server, you should watch for a sudden, unusual increase in activity. If you are quick, you can block the infected computers to prevent them from eating up your bandwidth. Should that fail, you can always temporarily rent bandwidth elsewhere or host your site elsewhere, although these are pretty costly options.
If you work at one of the major international IT companies and came across this by chance, don’t worry. Large companies have nothing to fear from DDoS attacks: if you are that big, you can handle the millions of computers that “ping” your servers simultaneously.
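As an added illustration of the “sudden, unusual increase in activity” to watch for (not code from the original article), the snippet below parses web server access log lines in the common “combined” format, counts requests per minute, and flags minutes whose volume is far above a baseline and that come from many distinct client addresses, the signature of a botnet rather than one noisy visitor. The log lines are constructed; the baseline and thresholds are assumptions you would tune to your own traffic.

```python
"""Flagging a request flood from many sources in web server access logs.
Added illustration; the log lines and thresholds below are constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/nginx "combined" log format: client IP, identity, user, [timestamp], "request"
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (epoch_seconds, client_ip) for a log line, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None                          # skip garbage lines rather than crash
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return int(ts.timestamp()), m.group("ip")


def requests_per_minute(lines):
    """Map each minute bucket (epoch // 60) to a Counter of client IPs."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            epoch, ip = parsed
            buckets[epoch // 60][ip] += 1
    return buckets


def flag_flood(buckets, baseline_rpm, factor=10, min_sources=20):
    """Return the minutes whose request count is at least factor * baseline AND
    that came from at least min_sources distinct IPs: many zombies sending a few
    requests each, as opposed to one misbehaving client. The top offenders are
    listed so an operator can decide what to block."""
    flagged = []
    for minute, ips in sorted(buckets.items()):
        total = sum(ips.values())
        if total >= factor * baseline_rpm and len(ips) >= min_sources:
            flagged.append({"minute": minute, "requests": total,
                            "sources": len(ips), "top": ips.most_common(3)})
    return flagged


def make_line(ip, hh_mm_ss):
    """Build one constructed combined-format log line (fixed date, one request)."""
    return f'{ip} - - [01/Jan/2024:{hh_mm_ss} +0000] "GET / HTTP/1.1" 200 512'


# Constructed sample: a quiet minute (8 requests from 3 visitors), then a minute
# in which 30 zombie addresses each send 4 requests (120 in total).
SAMPLE_LOG = [make_line(["192.0.2.1", "192.0.2.2", "192.0.2.3"][s % 3], f"10:00:{s:02d}")
              for s in range(8)]
for i in range(30):
    for k in range(4):
        SAMPLE_LOG.append(make_line(f"203.0.113.{i + 1}", f"10:05:{(i * 4 + k) % 60:02d}"))


if __name__ == "__main__":
    for hit in flag_flood(requests_per_minute(SAMPLE_LOG), baseline_rpm=8):
        print(hit)   # one flagged minute: 120 requests from 30 sources
```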
Beat the botnet
The average consumer usually has nothing to do with taking down botnets. But for the law enforcement officers charged with that task, there is only one reasonable way to defeat the dragon: chop off its head. Or, without the imagery, shut down the command center, either by finding the computer that performs that function and rendering it harmless or by preventing the hackers from accessing it.
With the client-server model, this is quite simple: there is only one computer connected to every infected device, so it is easy to detect and cut off from the other devices. Hence, hackers have moved to the peer-to-peer model, where each device in the network can theoretically act as an administrator. So it is not enough to chop off one head: you have to find and remove every administrator from the system. Otherwise, the network can repair itself.
Zombies are fun in video games and horror movies, but a slow, struggling computer that no longer listens to you is anything but. Yet whatever hackers can do with a botnet, it’s a great comfort to know that their most important tool can be thwarted so easily. With a good antivirus program and a little common sense, anyone can help render black-hat hackers the world over harmless.
And that brings us to the last piece of good news in this article: that is exactly what is happening! At the time of writing, the number of active botnets and infected devices worldwide is declining. So if we keep it up, with good online habits and powerful antivirus software, we may be able to eliminate botnets once and for all.