How to protect yourself from a botnet attack

Hari Vignesh Jayapalan

October 23rd, 2017

The word 'botnet' is formed from the words ‘robot’ and ‘network’. Cybercriminals use special Trojan viruses to breach the security of several users’ computers, taking control of each computer and organizing all of the infected machines into a network of ‘bots’ that the criminal can remotely manage.

It’s basically a collection of Internet-connected devices, which may include PCs, servers, mobile devices, and Internet of Things devices that are infected and controlled by a common type of malware. Users are often unaware of a botnet infecting their system.

How can it affect you?

Often, the cybercriminal will seek to infect and control thousands, tens of thousands, or even millions of computers, so that the cybercriminal can act as the master of a large ‘zombie network’ or ‘bot-network’ which is capable of delivering a Distributed Denial of Service (DDoS) attack, a large-scale spam campaign, or other types of cyberattack.

In some cases, cybercriminals will establish a large network of zombie machines and then sell access to the zombie network to other criminals — either on a rental basis or as an outright sale. Spammers may rent or buy a network in order to operate a large-scale spam campaign.

How do botnets work?

The botnet malware typically looks for vulnerable devices across the Internet, rather than targeting specific individuals, companies, or industries. The objective for creating a botnet is to infect as many connected devices as possible, and to use the computing power and resources of those devices for automated tasks that generally remain hidden to the users of the devices.

For example, an ad fraud botnet that infects a user’s PC will take over the system’s web browsers to divert fraudulent traffic to certain online advertisements. However, to stay concealed, the botnet won’t take complete control of the web browsers, which would alert the user. Instead, the botnet may use a small portion of the browser’s processes, often running in the background, to send a barely noticeable amount of traffic from the infected device to the targeted ads.

On its own, that fraction of bandwidth taken from an individual device won’t offer much to the cybercriminals running the ad fraud campaign. However, a botnet that combines millions of devices will be able to generate a massive amount of fake traffic for ad fraud, while also avoiding detection by the individuals using the devices.

Notable botnet attacks

The Zeus malware, first detected in 2007, is one of the best-known and widely used malware types in the history of information security. Zeus uses a Trojan horse program to infect vulnerable devices and systems, and variants of this malware have been used for various purposes over the years, including to spread CryptoLocker ransomware.

The Srizbi botnet, which was first discovered in 2007, was, for a time, the largest botnet in the world. Srizbi, also known as the Ron Paul spam botnet, was responsible for a massive amount of email spam — as much as 60 billion messages a day, accounting for roughly half of all email spam on the Internet at the time. In 2007, the Srizbi botnet was used to send out political spam emails promoting then-U.S. Presidential candidate Ron Paul.

An extensive cybercrime operation and ad fraud botnet known as Methbot was revealed in 2016 by cybersecurity services company White Ops. According to security researchers, Methbot was generating between $3 million and $5 million in fraudulent ad revenue daily last year by producing fraudulent clicks for online ads, as well as fake views of video advertisements.

Several powerful, record-setting distributed denial-of-service (DDoS) attacks were observed in late 2016, and they later traced to a new brand of malware known as Mirai. The DDoS traffic was produced by a variety of connected devices, such as wireless routers and CCTV cameras.

Preventing botnet attacks

In the past, botnet attacks were disrupted by focusing on the command-and-control source. Law enforcement agencies and security vendors would trace the bots’ communications to wherever the C&C servers were hosted, and then force the hosting or service provider to shut them down.

There are several measures that users can take to prevent botnet virus infection. Because bot infections usually spread via malware, many of these measures actually focus on preventing malware infections. Recommended practices for botnet prevention include:

  • Network baselining: Network performance and activity should be monitored so that irregular network behavior is apparent.
  • Software patches: All software should be kept up-to-date with security patches.
  • Vigilance: Users should be trained to refrain from activity that puts them at risk of bot infections or other malware. This includes opening emails or messages, downloading attachments, or clicking links from untrusted or unfamiliar sources.
  • Anti-botnet tools: Anti-botnet tools provide botnet detection to augment preventative efforts by finding and blocking bot viruses before infection occurs. Most programs also offer features such as scanning for bot infections and botnet removal as well. Firewalls and antivirus software typically include basic tools for botnet detection, prevention, and removal. Tools like Network Intrusion Detection Systems (NIDS), rootkit detection packages, network sniffers, and specialized anti-bot programs can be used to provide more sophisticated botnet detection/prevention/removal.

However, as botnet malware has become more sophisticated, and communications have become decentralized, takedown efforts have shifted away from targeting C&C infrastructures to other approaches. These approaches include identifying and removing botnet malware infections at the source devices, identifying and replicating the peer-to-peer communication methods and, in cases of ad fraud, disrupting the monetization schemes, rather than the technical infrastructures.

Preventing botnet attacks has been complicated by the emergence of malware like Mirai, which targets routers and IoT devices that have weak or factory default passwords, and which can be easily compromised. In addition, users may be unable to change the passwords for many IoT devices, which leaves them exposed to attacks. If the manufacturer cannot remotely update the devices’ firmware to patch them or change their hardcoded passwords, then they may have to conduct a factory recall of the affected devices.

About the Author

Hari Vignesh Jayapalan is a Google Certified Android app developer, IDF Certified UI & UX Professional, street magician, fitness freak, technology enthusiast, and wannabe entrepreneur. He can be found on Twitter @HariofSpades.