Botnets – What are botnets, what can they do & how to protect against them

Botnets are automated computer programs that install themselves on many unsuspecting victim machines and launch coordinated attacks against target systems. A spam bot is one type of botnet, but there are other (more vicious) botnets that are deployed for various purposes. In this article, let us look at what botnets are, how botnets spread, what botnets can do and how to protect against botnets.

What are botnets?

Botnets refer to a group of computer systems that are infected with malicious software so that the host systems can be taken control of (when required) to send out spam messages, conduct DDoS (Distributed Denial of Service) attacks, etc. Usually, there is some sort of centralized command and control server/ system from which all the bots receive instructions and updates. The victim, on whose system the bot resides, is usually not aware of botnet activity happening from their computer.

Botnets are technically similar to worms. They can be a combination of computer systems running various operating systems including Windows (largely), Linux, Mac, Unix etc. A single (large) botnet might comprise a million systems or more (but not all of them are active at all times). The main reason for their deployment is to make money through nefarious means. For example, they can conduct DDoS attacks on a web server and demand a ransom to stop. There are people who control a huge group of bots and rent them out to clients for a short period, charging money for it.

How do botnets spread?

Botnets spread mainly through ‘drive-by downloads’ and email attachments/ links. Malicious software can be bundled with illegal software/ media downloads. Once a user clicks on the links in the sites that host them, the botnet software downloads and gets installed on the host system. Bots are also sent as attachments (mostly executable files) in email messages. Botnet programs can become a gateway for installing other malicious software.

Botnets may be disguised as fake anti-virus programs (Conficker, for example). When users click on the fake anti-virus download link, the bot can get installed on their systems. Some bots are intelligent enough to scan for vulnerabilities in computer applications and spread by taking advantage of them. They can access a desktop email client (for example) and send spam messages to all the email addresses saved in it.

Some botnets can even carry out dictionary attacks to guess passwords on a computer system (in order to execute malicious programs). Botnets are generally controlled from a centralized C&C (command and control) server, but more recent ones spread using P2P programs/ protocols. While the IRC protocol was used in centralized C&C based botnets, P2P botnets use the more commonly used HTTP protocol.

P2P (Peer to Peer) botnets are difficult to identify and control because each bot has some level of C&C functionality embedded in it (and hence doesn’t require a centralized control server), can use SSL (encryption) to mask inter-bot communications and can pass through corporate firewalls (because HTTP traffic is allowed, especially in encrypted form). Botnets can even replicate themselves, if they are programmed to.

What can botnets do?

  • Botnets can send millions of spam messages within a short period of time. These messages might contain an executable attachment which installs the bot software on victim systems when users open it. Or they can just send (spam) marketing emails.
  • Botnets can initiate a DDoS (Distributed Denial of Service) attack where a whole group of bot systems keeps bombarding certain target systems with numerous messages/ requests with the intention of crippling their services and making them unavailable for normal activities. A web server can be subjected to a DDoS attack to take a website down, for example.
  • Botnets can install malicious software on the host systems that monitors for critical information (for example, they can install key-loggers/ spyware which can find out user names, passwords, credit card information, financial information and anything else that is typed on the keyboard of the unsuspecting hosts).
  • Botnets can initiate web-based attacks like phishing/ pharming which extract financial information like online banking ID and password, etc. by misdirecting users to a fraudulent site, mostly using malicious links sent out through an email spam campaign.
  • Botnets can even start web servers on infected machines to aid in phishing attacks.
  • Online games and polls can be manipulated to obtain favorable results using botnets.
  • Bots can steal a software license from the host and transfer it to another computer.
  • The Command and Control centers of certain botnets may use Dynamic DNS to hide themselves, as it allows changing the IP addresses of host names at will.
  • Botnets can even carry out a DDoS attack to hide themselves from machines scanning for them.
  • Some botnets may be updated at a regular frequency to avoid being detected by anti-virus vendors.
  • Botnets can even destroy a large amount of data on their host system and can self-destruct if they are identified.
  • Botnets can temporarily go offline. They can stop/ reduce their activity for a temporary period and come back when the time is ripe/ targets are unsuspecting.

How to protect against botnets?

At the host level (individual computers) –

  • Install anti-virus/ anti-malware/ anti-spam software on the computer and keep it updated regularly
  • Install personal firewalls
  • Update the OS/ software applications to the latest version and install patches regularly
  • Do not download illegal stuff (like pirated music files, games, videos, etc.) from the Internet
  • Do not click on links/ open attachments from unsolicited email messages
  • Try to reformat your system and re-load the OS/ applications at least once a year

At the network level –

  • Have appropriate network protection technologies in place – gateway level anti-virus/ anti-spam/ UTM/ firewalls, IDS/ IPS systems, content filtering, etc.
  • Monitor firewall/ UTM logs (for both allowed and denied connections) to identify botnet Command & Control centers
  • An unusual increase in traffic/ unusual traffic patterns could be an indicator of a DDoS attack. Have DDoS protection for your network in place
  • It is important to remove malware/ bot software from individual hosts quickly. Otherwise, other systems in the network might get affected as well
  • If you can identify the executable file/ code used by the botnet, submit it to anti-virus vendors
  • Honeypots can be set up to lure botnets into infecting a system in order to study their activities/ goals. This can make it easier to prevent them from affecting real systems in actual networks
  • It’s important to identify and disable botnet Command & Control infrastructure. Often, this is not possible for individual organizations, and hence you might want to take help from federal/ government IT security authorities/ experts on the same
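The log-monitoring advice above is easiest to act on with a concrete check. The following is an added example (not code from the original article): it parses constructed firewall log lines in an assumed `timestamp ACTION src= dst= dport=` format and flags internal hosts that contact the same external address at near-regular intervals, the check-in pattern a centrally controlled bot produces. The log format, thresholds and addresses are assumptions, not taken from the article.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log (not real traffic): 10.0.0.5 checks in with the
# same external address every 60 s; 10.0.0.8 is ordinary, irregular browsing.
SAMPLE_LOG = """\
2024-03-01T10:00:00 ALLOW src=10.0.0.5 dst=203.0.113.9 dport=443
2024-03-01T10:00:07 ALLOW src=10.0.0.8 dst=198.51.100.20 dport=443
2024-03-01T10:01:00 ALLOW src=10.0.0.5 dst=203.0.113.9 dport=443
2024-03-01T10:01:31 ALLOW src=10.0.0.8 dst=198.51.100.44 dport=80
2024-03-01T10:02:00 ALLOW src=10.0.0.5 dst=203.0.113.9 dport=443
2024-03-01T10:02:30 DENY src=10.0.0.9 dst=203.0.113.9 dport=6667
2024-03-01T10:02:45 ALLOW src=10.0.0.8 dst=198.51.100.20 dport=443
2024-03-01T10:03:00 ALLOW src=10.0.0.5 dst=203.0.113.9 dport=443
2024-03-01T10:03:02 ALLOW src=10.0.0.8 dst=198.51.100.20 dport=443
2024-03-01T10:04:00 ALLOW src=10.0.0.5 dst=203.0.113.9 dport=443
2024-03-01T10:04:41 ALLOW src=10.0.0.8 dst=198.51.100.20 dport=443
"""

LINE_RE = re.compile(r"^(\S+) (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+)$")

def parse_log(text):
    """Parse lines into (timestamp, action, src, dst, dport); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, action, src, dst, dport = m.groups()
            events.append((datetime.fromisoformat(ts), action, src, dst, int(dport)))
    return events

def find_beacons(events, min_hits=4, max_jitter=0.2):
    """Return {(src, dst): mean gap in seconds} for pairs connecting at near-regular
    intervals (stdev/mean of the gaps <= max_jitter): scheduled C&C check-ins score low."""
    by_pair = defaultdict(list)
    for ts, action, src, dst, _ in events:
        if action == "ALLOW":          # only connections that actually went out matter here
            by_pair[(src, dst)].append(ts)
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:     # too few samples to judge regularity
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            beacons[pair] = mean
    return beacons
```

Calling `find_beacons(parse_log(SAMPLE_LOG))` flags only the 10.0.0.5 to 203.0.113.9 pair (every 60 s); the browsing host is skipped because its gaps vary too much. Denied connections are still worth reviewing separately, as the article says, since a blocked attempt to reach a known C&C address identifies an infected host.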

excITingIP.com


One thought on “Botnets – What are botnets, what can they do & how to protect against them”

  1. Ciro

    Rajesh,

    You appear to be very knowledgeable about botnets, and may be a starting point for me to get better informed, although I did not understand or could not correlate that information to twenty years of programming from machine languages to COBOL batch and interactive operating systems.

    This is not said to be critical of you, but an expression of my frustration and inability to utilize my past experience in understanding the specific source code, assembling to object code and then initiating execution.

    Even after entry, the intruder must know where files are located, AND file structures and formats. How is that all accomplished?

    I am acquainted with embedded executable code in text files employed in the processing of computer-to-typesetting which I performed myself, but it requires software to recognize text from executable code and act upon it.

    It would be very useful to identify the software that has that capability, to be forewarned.

    Thank you for a start. Ciro
