What if your computer were being remotely operated by someone else without your knowledge? Worse, what if it were being used to commit a crime? Both are what happens when a device becomes part of a botnet, a network of malware-infected machines under a criminal's remote control, and botnets are a rapidly growing form of cybercrime.
In this article we will look at how a botnet works, how devices get infected, and what countermeasures can be taken to prevent the harm a botnet causes.
First, let's define the term and look at how the infection works and what its effects are.
The name "botnet" comes from combining the words robot and network. A bot is a type of malware designed to let a malicious third party control the infected device remotely; a botnet is the collection of devices infected with that bot. Computers compromised by a bot are used for criminal acts such as unauthorized access and fraudulent money transfers.
The attacker who controls the bot can coordinate attacks across every infected computer by issuing commands over the network. That is why the malicious network built out of bot-infected machines is called a botnet.
Zombie Machines and Zombie Army
A device or terminal infected by a bot is called a "zombie machine" or zombie computer. A zombie machine is in a state where its computing resources, network connections, and operations are fully controlled by the attacker, without the owner being aware of it.
Not only computers but most Internet-connected devices, such as smartphones, tablets, smart speakers, and other IoT equipment, can become zombie machines. Once infected, the device may be made to take part in criminal activity without your knowledge.
The attacker who manages the bot can send orders to all zombie machines at once. Together these machines are called a "zombie army" and are used to send thousands of spam emails, generate advertising revenue through click fraud, and perform DDoS attacks that take websites down.
Command and Control (C&C) Server
The C&C (command-and-control) server is the central machine from which the attacker sends instructions to the botnet. Historically this communication was often carried over IRC (Internet Relay Chat), which is where the name IRC botnet comes from; modern botnets more commonly use HTTP(S), DNS, or peer-to-peer protocols so that their traffic blends in with normal activity. Whatever the protocol, an infected machine has to check in with its controller regularly to pick up commands, and that periodic check-in (beaconing) is one of the few signals a defender can look for on the network.
Many botnet operations can be stopped by taking down the C&C server that issues the commands, which is why a takedown of the C&C infrastructure is a common response. Botnets that use peer-to-peer communication or that generate many candidate C&C domain names (domain generation algorithms) are designed to survive the loss of a single server, however.
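The check-in pattern described above can be spotted in ordinary firewall or proxy logs. The following is an added example, not code from the original article: it reads a constructed, simplified log of outbound connections ("<epoch_seconds> <src_ip> <dst_host>", an assumed format) and flags source/destination pairs whose connection intervals are almost constant. The hostnames and addresses are made up for the example.

```python
"""Flag hosts that contact the same external server at near-constant intervals.

Added example (not from the original article). A bot polling its C&C server
produces a regular "heartbeat" of connections, while a person browsing does
not. The log format used here is a constructed, simplified firewall/proxy
export: "<epoch_seconds> <src_ip> <dst_host>".
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data: 10.0.0.5 checks in with one host every ~60 s
# (with a little jitter), while 10.0.0.7 browses a few sites irregularly.
SAMPLE_LOG = """\
1700000000 10.0.0.5 update-cdn.example
1700000061 10.0.0.5 update-cdn.example
1700000119 10.0.0.5 update-cdn.example
1700000181 10.0.0.5 update-cdn.example
1700000240 10.0.0.5 update-cdn.example
1700000299 10.0.0.5 update-cdn.example
1700000000 10.0.0.7 news.example
1700000007 10.0.0.7 news.example
1700000310 10.0.0.7 shop.example
1700000312 10.0.0.7 shop.example
1700000900 10.0.0.7 news.example
1700001800 10.0.0.7 mail.example
"""


def parse_log(text):
    """Yield (timestamp, src, dst) tuples; skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield int(parts[0]), parts[1], parts[2]
        except ValueError:
            continue


def find_beacons(text, min_hits=5, max_cv=0.2):
    """Return {(src, dst): mean_interval_seconds} for pairs whose connection
    intervals are regular.

    Regularity is measured by the coefficient of variation (stdev / mean) of
    the gaps between consecutive connections: a beacon has a small CV, human
    traffic a large one. Pairs with fewer than min_hits connections are
    ignored because a handful of events cannot establish a rhythm.
    """
    times = defaultdict(list)
    for ts, src, dst in parse_log(text):
        times[(src, dst)].append(ts)

    beacons = {}
    for pair, ts_list in times.items():
        if len(ts_list) < min_hits:
            continue
        ts_list.sort()
        gaps = [later - earlier for earlier, later in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_cv:
            beacons[pair] = avg
    return beacons


if __name__ == "__main__":
    for (src, dst), interval in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {src} -> {dst} every ~{interval:.0f}s")
```

On the sample data only the 10.0.0.5 to update-cdn.example pair is reported (about every 60 seconds). The check is deliberately simple: a bot that sleeps for hours between check-ins, adds heavy random jitter, or rotates destinations will not stand out, so in practice the interval test is combined with destination reputation, newly-seen domains, and traffic volume.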
History of Botnet
The first widely recognized botnet was built in 2000 to send 1.25 million spam emails. This phishing campaign infected a large number of computers and sent their confidential information back to the attacker, who earned about $3 million from it before being sued by EarthLink at a cost of $25 million.
In 2007 a dark-web marketplace was discovered in which about 1 million bot-infected computers were being offered for sale. A buyer gained full remote control over the purchased machines for criminal use such as DDoS attacks and email spam.
Botnet Infection Methods
So how does a bot find its way onto our devices in the first place? As with most malware, there are three main infection routes.
Malicious website browsing - Some websites push the bot onto visitors through direct or indirect (drive-by) downloads. Attackers also frequently package the bot inside popular software as a Trojan, so that people download and install it themselves.
Email attachment - Email attachments work well for bots because they let an attacker spread the infection widely to arbitrary devices. They are usually combined with social engineering to raise the success rate.
Installation via other malware - Some malware, such as Emotet, acts as a loader: once it is on a machine it receives instructions from its own C&C server to download and install the bot.
Common Types of Botnet
Mirai - In 2016 the Mirai botnet conducted a historically large DDoS attack: about 100,000 devices were under its control and generated roughly 1 Tbps of traffic against several online infrastructure and security targets. Mirai spread by scanning the Internet for IoT devices and logging in over Telnet with a short list of factory-default usernames and passwords, which is why changing default credentials matters so much for these devices.
Bashlite - Bashlite is an IoT botnet that infects Linux-based systems to launch DDoS attacks. The original version was discovered in 2014, and multiple variants have appeared since, known as Gafgyt, Lizkebab, LizardStresser, and Qbot. According to a 2016 analysis, 96 percent of its infections were IoT devices such as cameras and DVRs.
What Harm can Botnet Cause?
Most bot activity is nearly invisible to the device's user, and there is usually little or no effect on the performance of the device itself. That does not make a botnet a low-risk threat. On the contrary, it is one of the most dangerous, because it forces victims to take part in criminal activity.
The attacker who owns the botnet can send commands to your computer so that it becomes the source of further attacks on other computers, websites, and networks. When a botnet attack is investigated, your machine may therefore appear as one of the attackers.
The following are common attacks performed using a botnet.
Massive Email Spam
A bot can be designed to send spam so that the infected computer becomes the sender. The email content and attachment are prepared by the bot to infect more devices and grow the botnet.
The recipients are harvested from the infected device's email contact list, so that each recipient believes the message comes from a trusted source. This vicious cycle lets the botnet grow until the attacker is ready for a larger attack.
Distributed Denial-of-Service (DDoS) Attacks
A Distributed Denial-of-Service attack overwhelms the resources of a website, network, or server to the point of failure or shutdown. The most effective way to increase the damage of a DDoS attack is simply to increase the number of machines taking part.
A botnet is the perfect tool for DDoS, since the attacker already has an army at hand. As an example, suppose a server can tolerate an attack from a single endpoint with only 1% of its resources consumed. To overload it, the attacker commands 100 devices spread around the world to attack at the same time, which a botnet makes trivial. Because each individual source stays below any per-client rate limit, the attack cannot be told apart from legitimate traffic by looking at one client at a time; only the aggregate per target reveals it.
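To make the "many small sources" point concrete, here is an added example (not from the original article) that classifies traffic per target and per time window. The traffic is constructed in code rather than read from a real log: five ordinary clients in every window, one aggressive scraper in the second window, and 100 bots sending just two requests each in the third. All addresses and the target name are made up for the example.

```python
"""Separate a distributed flood from a single noisy client by counting
distinct sources per target per time window.

Added example (not from the original article). A single client hammering a
server is caught by a per-IP rate limit; a botnet spreads the same load over
many addresses so that each one stays under the limit, and only the
per-target aggregate reveals the attack.
"""
from collections import Counter, defaultdict


def build_sample_traffic():
    """Constructed, deterministic sample traffic as (timestamp, src, target).

    Window 0 (t=0..59):    5 clients, 4 requests each (normal).
    Window 1 (t=60..119):  the same 5 clients plus one scraper sending 40
                           requests on its own (single-source flood).
    Window 2 (t=120..179): the same 5 clients plus 100 bots sending 2
                           requests each (distributed flood).
    """
    traffic = []
    for window in range(3):
        for i in range(5):
            for k in range(4):
                traffic.append((window * 60 + k * 15 + i, f"192.0.2.{i + 1}", "www.example"))
    for k in range(40):
        traffic.append((60 + k, "198.51.100.9", "www.example"))
    for i in range(100):
        for k in range(2):
            traffic.append((120 + (i % 60), f"203.0.113.{i + 1}", "www.example"))
    return traffic


def classify_windows(traffic, window=60, min_requests=50, min_sources=50):
    """Return {(window_start, target): (requests, distinct_sources, verdict)}.

    verdict is "normal" when the window holds fewer than min_requests
    requests, "distributed flood" when the load is spread over at least
    min_sources distinct addresses, and "single-source flood" otherwise.
    """
    per_window = defaultdict(Counter)
    for ts, src, target in traffic:
        per_window[(ts - ts % window, target)][src] += 1

    result = {}
    for key, per_src in sorted(per_window.items()):
        total = sum(per_src.values())
        sources = len(per_src)
        if total < min_requests:
            verdict = "normal"
        elif sources >= min_sources:
            verdict = "distributed flood"
        else:
            verdict = "single-source flood"
        result[key] = (total, sources, verdict)
    return result


if __name__ == "__main__":
    for (start, target), (total, sources, verdict) in classify_windows(build_sample_traffic()).items():
        print(f"t={start:>4}s {target}: {total:>3} requests from {sources:>3} sources -> {verdict}")
```

In the distributed window every bot sends two requests, far below anything a per-IP limit would block, yet the target sees 220 requests from 105 addresses. That is exactly the situation the 100-device example above describes, and it is why DDoS mitigation has to act on per-target aggregates (upstream filtering, scrubbing, anycast) rather than on individual clients.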
Cryptocurrency Mining
Lately botnets have also been used for cryptocurrency mining rather than for attacks. The idea is to install a mining program on each bot-controlled computer and have it mine anonymously for the attacker's wallet.
A computer infected with a mining bot may show higher CPU/GPU usage and increased electricity consumption. The bot can also throttle its resource usage and restrict mining to a schedule (for example, only at night), which makes the activity hard to detect with a simple "CPU above 90%" alert.
While businesses and individuals are common targets for mining botnets, many more victims are found among cloud servers. Most cloud server owners do not pay close attention to changes in resource consumption and cost, which lets the botnet mine at high intensity for a long time before anyone notices. Comparing usage against a per-host baseline and setting billing alerts are the practical countermeasures.
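The baseline comparison just mentioned is easy to implement. The following is an added example, not code from the original article: it learns what each hour of the day normally looks like for one host and then reports runs of hours that stay well above that baseline. The CPU samples are constructed in code (a server idling at around 10% with a legitimate backup job at 03:00, and from day 7 on a miner that runs only between 01:00 and 05:00 and throttles itself to about 70%); the numbers are made up for the example.

```python
"""Flag sustained CPU usage above a per-hour-of-day baseline.

Added example (not from the original article). Learning a baseline per hour
of day means a scheduled, throttled miner shows up as a repeated block of
elevated hours even though it never pegs the CPU, while a legitimate nightly
job that was present during the learning period is part of the baseline and
is not reported.
"""
from collections import defaultdict
from statistics import median


def build_samples(days_clean=7, days_total=10):
    """Constructed data as (day, hour, cpu_percent).

    The host idles at 8-12% with a backup job at 03:00 reaching 40%. From day
    days_clean on, a miner runs at 01:00-05:00 throttled to about 70%.
    """
    samples = []
    for day in range(days_total):
        for hour in range(24):
            cpu = 8 + (hour * 7 + day * 3) % 5          # deterministic 8..12 jitter
            if hour == 3:
                cpu = 40                                 # legitimate backup job
            if day >= days_clean and 1 <= hour <= 5:
                cpu = 70 + (hour + day) % 4              # throttled miner, 70..73
            samples.append((day, hour, cpu))
    return samples


def hourly_baseline(samples, learn_days):
    """Median CPU per hour of day over the first learn_days days."""
    by_hour = defaultdict(list)
    for day, hour, cpu in samples:
        if day < learn_days:
            by_hour[hour].append(cpu)
    return {hour: median(values) for hour, values in by_hour.items()}


def find_sustained_excess(samples, baseline, margin=20, min_run=3):
    """Return [(day, start_hour, end_hour, avg_cpu)] for every run of at least
    min_run consecutive hours in which usage exceeds the baseline for that
    hour by at least margin percentage points."""
    by_day = defaultdict(dict)
    for day, hour, cpu in samples:
        by_day[day][hour] = cpu

    runs = []
    for day in sorted(by_day):
        run = []
        for hour in range(24):
            cpu = by_day[day].get(hour)
            over = cpu is not None and cpu - baseline.get(hour, 0) >= margin
            if over:
                run.append((hour, cpu))
            if run and (not over or hour == 23):
                if len(run) >= min_run:
                    avg = sum(c for _, c in run) / len(run)
                    runs.append((day, run[0][0], run[-1][0], avg))
                run = []
    return runs


if __name__ == "__main__":
    data = build_samples()
    base = hourly_baseline(data, learn_days=7)
    for day, start, end, avg in find_sustained_excess(data, base):
        print(f"day {day}: {start:02d}:00-{end:02d}:59 averaged {avg:.1f}% CPU above baseline")
```

On the constructed data the detector reports days 7, 8 and 9, each with an elevated block from 01:00 to 05:59, and stays silent on the backup hour because 40% at 03:00 is what the baseline expects. Two caveats for real use: the learning period must itself be clean (a miner present while the baseline is learned becomes "normal"), and on a cloud account the same comparison should be run on the bill, since a miner that scales out new instances never shows up as high usage on any single host.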
How to Protect Yourself from Botnet Attacks
A device under a botnet's control can be drawn into criminal activity and used to attack other devices. Take the following steps to keep your device from being infected by a bot in the first place.
- Install antimalware software and keep both it and the system's security patches up to date.
- Check for and install the latest OS version regularly.
- Always keep your browser up to date.
- Change the factory-default password on routers, cameras, and other IoT devices, and do not expose their management interfaces to the Internet.
- Avoid visiting suspicious websites.
- Do not trust emails with unfamiliar content or attachments.
The best way to stay clear of botnet harm is not to get infected in the first place. Learn the basic protection practices and keep your security awareness up.
How to Remove Botnet After Infection
Because a bot is designed to leave little or no trace of its activity, you will usually need antimalware software even to detect it. If you discover that your device is part of a botnet, we recommend that you immediately take the following steps.
1. Disconnect the Device From the Network
Disconnecting from the Internet and any other network not only prevents the infection from spreading but also cuts the bot off from its C&C server, so it can no longer receive commands. If you can, note any unfamiliar outbound connections and running processes before you disconnect; they are useful evidence for the cleanup and for checking other machines.
2. Remove the Bot from the Device
Remove the bot using a reputable antivirus product. Other systems on the same network may also be infected, so scan and clean every neighbouring system as well; otherwise the infection may return as soon as you reconnect. If you cannot verify that the cleanup was complete, reinstall the operating system from known-good media.
3. Update Passwords
If the attacker used an existing password to log in to your device remotely, keeping that password lets the device be taken over again. Change every password that was stored on or used from the infected device, and do it from a clean machine after the malware has been removed, since a still-active bot can capture the new password.
4. Update All Application Versions
The bot may have been injected through an application vulnerability. Apply security patches to all applications by updating them to the latest versions, and include the firmware of routers and IoT devices in that update.