Botnets

Short bio

Botnets are networks of computers infected by a botnet agent that are under hidden control of a third party. They are used to execute various commands ordered by the attacker. Most common uses of botnets are criminal operations that require distributed resources, such as DDoS attacks on selected targets, spam campaigns, and performing click fraud. Often, the botnet agent is ordered to download and install additional payloads or to steal data from the local computer.

From the moment of infection, botnet agents keep in touch with their remote Command-and-Control server (C&C). The communication can be carried by various means, and cybercriminals keep inventing new methods to hide their data transmission channels. Commands have even been relayed through unusual channels such as social media (Twitter or Reddit). However, the most common implementation of the C&C is a web application that the client contacts via simple HTTP requests.
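Because the HTTP check-ins described above are typically issued on a timer, they leave a recognisable trace in proxy logs: one client contacting one host at near-constant intervals. The following is an added example (not from the original article) that flags such "beaconing" over a handful of constructed log lines; the log format, host names and addresses are assumptions made for illustration.

```python
"""Added example: detect periodic HTTP check-ins ("beaconing") in proxy logs.

The log format (ISO timestamp, client IP, method, URL, status) and every
host/IP below are constructed for this example; they are not real indicators.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: one host is polled every ~5 minutes amid normal browsing.
SAMPLE_LOG = """\
2024-01-05T10:00:00 10.0.0.5 GET http://cdn-update.example.test/api/status 200
2024-01-05T10:00:03 10.0.0.5 GET http://news.example.test/index.html 200
2024-01-05T10:05:00 10.0.0.5 GET http://cdn-update.example.test/api/status 200
2024-01-05T10:07:41 10.0.0.5 GET http://news.example.test/sports.html 200
2024-01-05T10:10:01 10.0.0.5 GET http://cdn-update.example.test/api/status 200
2024-01-05T10:15:00 10.0.0.5 GET http://cdn-update.example.test/api/status 200
2024-01-05T10:19:12 10.0.0.5 GET http://news.example.test/about.html 200
2024-01-05T10:20:00 10.0.0.5 GET http://cdn-update.example.test/api/status 200
2024-01-05T10:25:00 10.0.0.5 GET http://cdn-update.example.test/api/status 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse(log_text):
    """Yield (timestamp, client_ip, host) for each well-formed log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        ts = datetime.fromisoformat(m.group(1))
        host = m.group(4).split("/")[2]  # scheme://host/path -> host
        yield ts, m.group(2), host


def find_beacons(log_text, min_hits=4, max_jitter=0.2):
    """Return {(client, host): interval_seconds} for client/host pairs whose
    requests are spaced at a near-constant interval.

    A pair qualifies when it has at least `min_hits` requests and the
    relative standard deviation of the gaps between them is <= `max_jitter`.
    Ordinary browsing produces irregular gaps and so is not reported.
    """
    times = defaultdict(list)
    for ts, client, host in parse(log_text):
        times[(client, host)].append(ts)

    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = round(avg)
    return beacons


if __name__ == "__main__":
    for (client, host), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: regular request every ~{interval}s")
```

The jitter threshold is the knob to tune: a real agent often randomises its sleep a little, so a value of 0.2 tolerates small variation while still rejecting human browsing. A regular beacon is a lead for investigation, not proof of infection; legitimate software (update checkers, telemetry) also polls on a schedule.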

History

Botnets started appearing around 1999. The first malicious programs to introduce the concept of a master-slave relationship between an infected computer and a command server were Sub7 and PettyPark, both derived from Remote Administration Tools such as the popular NetBus.

At that time, IRC channels were the popular way of sending commands to botnet agents.

In 2000, an mIRC-based bot called GTbot (Global Threat bot) appeared; it was used to perform DDoS attacks.

The evolution of botnets was boosted in 2002 by the release of the SDBot source code (written in C++). In the same year Agobot appeared. Its modular structure was innovative for the time: it backdoored infected systems, blocked popular antivirus software, and downloaded payloads for the next stages of an attack.

The next step was made in 2003 by SpyBot. It specialized in data stealing, but also performed spam attacks on popular instant messengers. The spamming capabilities of botnets caught the interest of cybercriminals, and soon new dedicated malware such as Beagle or Bobax started to appear. Around that time, IRC-based communication with bots lost popularity to HTTP-based channels.

In 2006 the infamous ZeuS came on the scene; its derivatives are still active today. From then on, botnets turned into serious criminal tools.

Nowadays, botnet builders are commonly sold on the black market. Bootstrapping one's own C&C and becoming a botnet owner does not require any advanced technical skills, which explains the significant increase in this threat all around the world.

Common infection method

The most common way to become part of a botnet is to be secretly infected by a botnet agent. This can happen in the ways common to most malware distributed today, for example by opening a malicious attachment or by visiting a site that serves a malicious payload via an exploit kit. If the user browses without protection with a vulnerable browser, the payload is downloaded and deployed without any interaction or notice.

However, in some rare cases, software that a user installed intentionally may carry hidden functionality that makes his/her computer part of a botnet (as happened in the case of Hola VPN).

Associated families

  • Zeus: data stealer, mostly focused on credentials for mobile banking
  • Andromeda: backdoors a system and allows for installation of various malicious payloads
  • Koobface: targets social media users, like Facebook, Twitter, MySpace
  • Conficker: steals data and installs additional payloads
  • Bunitu: uses infected computer as endpoint of proxy service
  • Neutrino (botnet): focuses on performing various types of DDoS attacks and stealing data from infected computers

Remediation

Client side:

Removing a botnet agent may or may not be difficult, depending on the persistence methods chosen by its author. Persistence is commonly achieved by copying a malicious sample into selected locations and creating appropriate registry keys for running it on system startup. In such simple cases, it is enough to remove the samples and associated keys to be free of the malware.
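The Run keys mentioned above are the first place to look when checking a machine for this kind of persistence. The following is an added example (not part of the original article) that reviews autostart entries and flags programs launched from user-writable folders or masquerading under a Windows system process name. The registry entries are constructed for illustration; on a live Windows host they would be read with the `winreg` module instead of being hard-coded.

```python
"""Added example: triage Windows Run-key autostart entries.

The entries in SAMPLE_RUN_ENTRIES are constructed for this example. The
heuristics (user-writable folder, Temp folder, borrowed system process name)
are the author's assumptions about what merits a closer look, not a
definitive malware test.
"""
import os
import re

# Autostart locations the remediation text refers to.
RUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
)

# Constructed sample entries: (registry key, value name, command line).
SAMPLE_RUN_ENTRIES = [
    (RUN_KEYS[0], "SecurityHealth",
     r'"C:\Program Files\Windows Defender\MSASCuiL.exe"'),
    (RUN_KEYS[1], "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (RUN_KEYS[1], "svchost",
     r"C:\Users\alice\AppData\Roaming\svchost.exe"),
    (RUN_KEYS[1], "update",
     r'"C:\Users\alice\AppData\Local\Temp\3f2a\update.exe" -s'),
]

# Folders any local user can write to; legitimate software sometimes lives
# here too (see the OneDrive entry), so this alone only warrants review.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
TEMP_FOLDER = re.compile(r"\\Temp\\", re.I)
# Core Windows process names that malware commonly borrows.
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}


def executable_path(command):
    """Extract the program path from a Run-key command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ")[0]


def audit_entry(command):
    """Return (verdict, reasons) for one command line.

    verdict is "clean", "review" (only a weak signal) or "suspicious"
    (a strong signal, or two weak ones together).
    """
    path = executable_path(command)
    name = os.path.basename(path.replace("\\", "/")).lower()
    in_user_dir = bool(USER_WRITABLE.search(path))
    in_temp = bool(TEMP_FOLDER.search(path))
    masquerade = name in SYSTEM_NAMES and not path.lower().startswith("c:\\windows\\")

    reasons = []
    if in_user_dir:
        reasons.append("runs from a user-writable folder")
    if in_temp:
        reasons.append("runs from a Temp folder")
    if masquerade:
        reasons.append(f"uses system process name {name} outside C:\\Windows")

    if not reasons:
        return "clean", reasons
    strong = in_temp or masquerade or len(reasons) >= 2
    return ("suspicious" if strong else "review"), reasons


def audit_run_entries(entries):
    """Map each value name to its (verdict, reasons)."""
    return {name: audit_entry(cmd) for _key, name, cmd in entries}


if __name__ == "__main__":
    for name, (verdict, reasons) in audit_run_entries(SAMPLE_RUN_ENTRIES).items():
        print(f"{name:15} {verdict:10} {'; '.join(reasons)}")
```

A "suspicious" verdict is where the remediation step in the text begins: confirm the file is malicious, then remove both the sample and the registry value so it does not return at the next boot. The "review" verdict exists precisely because user-writable folders are not malicious by themselves.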

Server side:

Botnets are fought on a large scale by taking over their C&Cs, an operation performed by authorized parties such as national computer emergency response teams.

Aftermath

A machine infected by a botnet agent is exposed to many dangers. Because the command set varies between botnets and is limited only by the creativity of the author, it is hard to predict all types of threats. The most common are data theft and the use of the computer for illegal activities, such as performing DDoS attacks or acting as a proxy for attackers (which may lead to innocent people being framed for a crime).

Avoidance

Because botnet agents are distributed in many different ways, avoiding infection requires several complementary approaches.

Keeping systems up-to-date and having multi-layered protection is crucial. It is also important to develop good browsing habits, to be cautious when opening attachments, and to pay attention to the software being installed on the computer.