The Ultimate Guide to Botnets: Attack Flow, Examples, Detection and Prevention
This is a guest article by Gilad David Maayan from AgileSEO
The word “botnet” is an amalgamation of two terms: robot (bot) and network. A botnet is a network of computers, called “bots”, which are controlled by a single attacker, called “bot herder” or “bot master”.
To control the machines in the network, the bots are infected with malware that places them under the control of the bot herder. The bot herder can then command all bots to do its bidding, which is typically to carry out attacks. Infected bots are often referred to as “zombies”.
The bot herder acts remotely, sending updates to infected machines, manipulating their actions as needed. When created on a large scale, botnets containing millions (or even billions!) of bots can cause massive damage. This enables the owners to rent access to parts of their botnets on the black market.
How Does a Botnet Attack Work?
How Are Botnets Created?
There are numerous ways to create a botnet. For example, bot herders often create simple Command and Control (C2) botnets. In this case, they first set up the backend, which is a server that provides the C2 structure.
For the structure, the herder can use a web application stacked on top of a Linux, Apache, MySQL and PHP (LAMP) environment using PHP and MySQL. Next, they create a bot builder, which packs a malware payload and then embeds it with the address of the C2 and relevant configuration information.
Not all bot herders design their botnets from scratch. In fact, there are many botnet kits, like Neutrino and Ice IX (ICE9), available on the dark web, offered for sale or as Software as a Service (SaaS).
Are Botnets Illegal?
Since a botnet is merely a network of computers, creating one is not considered an illegal activity. Like many other technologies, though, what matters is how you use your botnets.
A researcher, for example, may create and use botnet labs. Their actions are considered legal unless they break the law.
Installing malware on other people’s computers, on the other hand, and commanding the computers to perform unauthorized and illegal activities—these are criminal offences that can earn bot herders more than one charge.
Creating Big Botnets
To build their botnet on a large scale, bot herders need to infect many bots. A bot herder often tries to expand the size of the botnet, because more infected bots means more power under their control.
Once the botnet is created, bot herders often use it for various nefarious reasons, like malware propagation, Internet disruptions, and financial gain. For example, botnets are often used for distributed denial of service (DDoS) attacks, which overload a website until it can no longer work or the access to the site is denied.
Carrying Out Botnet Infections
Botnets are typically created to infect millions of devices. A bot herder often uses a trojan horse virus to deploy botnets. To achieve this, bot herders need users to help activate and spread the virus.
When users open email attachments, click on malicious pop-up ads, or download dangerous software, they essentially infect their own machines. After devices are infected, botnets can access and make changes to personal information, launch attacks, and commit more crimes.
Sophisticated botnets can self-propagate to continuously extend the net. These autonomous bots can perform seek-and-infect missions, constantly searching for vulnerable devices that are connected to the Internet. Typically, these devices’ operating systems are not updated or don’t use antivirus.
It takes time to expand the reach of a botnet. Often, botnets remain dormant in devices, until the bot herders commands them into action.
A botnet can infect most devices that are directly or wirelessly connected to the Internet, and pooling their power into the botnet. Including laptops, PCs, DVR’s, mobile devices, security cameras, smart kitchen appliances, and smartwatches.
Yes, a smart coffee maker or your refrigerator can turn into a zombie and fall under the control of a bot herder. In fact, Internet of Things (IoT) devices have been proven to be highly vulnerable to attacks, due to the lack of standardized security in this field.
Other causes that might make a device vulnerable to infection are insecure passwords, sometimes left at the default configuration from the moment the device left the factory. Autonomous bots can easily hack into these devices and turn them into a zombie.
Indicators for Botnet Activity
There are various signs that may indicate whether your resources are under a botnet attack. Organizations operating Security Operations Centers (SOC) are typically alerted by their security tooling. An Endpoint Detection and Response (EDR) system, for example, monitors endpoints and can compare normal traffic with abnormal traffic, sending alerts and responding to attacks as needed.
Organizations and individuals without a robust security solution in place can still detect a botnet attack, using certain indicators. There are usually four signs that, if identified, might indicate a botnet attack.
Indicator #1: abnormally high web-server CPU load
If your web-server CPU load is abnormally high, there might be a process using too many server resources. In this case, you need to quickly investigate the matter to check if it is a legitimate service or some malware injected into your systems by threat actors.
Indicator #2: excessive network traffic that cause either full or partial network blockage
Typically, during a network blockage, users are not able to access web-based resources. In this case, users will receive error codes like 504, 503, 502, 408, or 404.
To investigate the issue, you need to check incoming and outgoing traffic, and you might discover any of the following:
- Too much incoming traffic—may indicate a DDoS attack. This typically means the bot herder commanded the botnet to overwhelm your systems until they drop.
- Too much outbound traffic—on the other hand, might indicate your system was hijacked. During these attacks, attackers reroute traffic elsewhere, which is why users experience downtime.
Indicator #3: excessive memory usage
A single botnet process typically needs to consume massive amounts of system resources, and may even consume all available system memory.
Indicator #4: non-native traffic profiles
Abnormal network traffic may also indicate a botnet attack, especially if the traffic occurs over interfaces, ports, or protocols without being implemented by your known services.
If you notice these signs, you should immediately start investigating or contact a security professional for help.
Botnet Attacks Examples
The Storm botnet was first discovered in 2007, when it spread across email accounts. The title of this email—“”230 dead as storm batters Europe,”—gave the botnet its name. The Storm botnet is considered amongst the first peer-to-peer botnets—a type of botnet under the control of multiple different servers, connected by a Trojan horse.
The storm botnet was massive. Criminals with access to the dark web could rent out portions of the botnet. The result was that Storm was involved in many criminal activities, including DDoS attacks, identity theft.
Some say Storm had enough power to deny Internet access from entire countries. In 2008, a number of Storm servers were shut down. Today, the Storm botnet appears to be inactive.
This botnet was also designed as a peer-to-peer net. GAmeover ZeuS was designed based on a previous version of malware, called the ZeuS Trojan.
The trojan horse itself has become the stuff of legends, because it managed to infect more than 3.6 million devices. When the FBI investigated the ZeuS trojan, they arrested more than one hundred people located across the world.
GAmeover ZeuS took its trojan predecessor another step, adding an encrypted network that prevented tracing the Windows-based botnet. GAmeover ZeuS was used to distribute the Cryptolocker ransomware, as well as a few bank fraud scams.
In 2014, an international collaboration of law enforcement officials, called Operation Tovar, managed to disrupt the malware. The hackers got cut off access to the bot herder and could not communicate with it for two weeks.
Operation Tovar intercepted the hackers’ transmission when they tried to create a replica of their database, where the decryption code of the Cryptolocker ransomware was found along with the name of the alleged leader—Evgeniy Mikhailovich Bogachev.
In the end, even though the decryption code was discovered, GAmeover ZeuS made three million dollars of ransom for its controllers.
In 2016, white hat hackers discovered the Mirai botnet. Associated with a group called MalwareMustDie, the white hackers managed to unearth a botnet so aggressive it orchestrated what is now considered one of the biggest DDoS attacks of the decade.
Here’s a brief breakdown of how the Mirai botnet worked:
- The Mirai botnet targeted Linux systems.
- Once installed on a device, the malware continuously scanned for other Internet of Things (IoT) devices connected to the same network.
- The malware then used internal databases containing factory-default usernames and passwords to hack into other devices.
- Once the malware hacked into a new device, it infected it.
- The newly infected device then started scanning for more connected devices to infect.
This process was highly effective because Mirai was, perhaps, not an excessively malicious botnet. Here’s why:
- The Mirai botnet actively avoided infecting certain devices, like those owned by the post office and the military.
- The Mirai malware banished any malware already installed on the device and prevented it from infecting further.
- Mirai used infected devices mainly for DDoS attacks, and (presumably) did not try to harm controlled its zombified devices.
These behaviors are possibly why Mirai has managed to remain undetected for almost two years, despite its highly aggressive ability to spread over so many devices. Before it was discovered, the Mirai botnet orchestrated DDoS attacks targeting Twitter, Airbnb, Rutgers University, Github, as well as the entire Internet infrastructure of Liberia.
After the white hat hackers from MalwareMustDie discovered Mirai, infected devices were patched and updated. When caught and charged, the three alleged creators—Josiah White, Dalton Norman, and Paras Jha—pled guilty.
Botnets Detection and Prevention
Filter Data Leaving the Network
Botnets often remote communicate with one or more servers, from which hackers retrieve private information. It is possible to stop these communications by prohibiting unwanted traffic from leaving the network. This technique is called egress filtering. Other options include forcing Internet traffic through content filters or proxies, or deploying a data loss prevention (DLP) solution.
Use Zero Trust Principles
It is difficult for malware to propagate using drive-by download when attempting to infect a user without admin access. The same principle applies to AutoRun methods. To prevent malware from spreading from an infected computer to others connected to the system, you can apply Zero Trust principles within your network.
Zero Trust is an innovative security model that ensures users and devices connecting to the network receive only the minimal privileges they actually require. Connections are constantly monitored, and investigated on any sign of suspicious activity. Zero Trust techniques can make botnet infections on a corporate network very difficult.
Devices that are connected to the Internet or the corporate network are considered endpoints. Unfortunately, endpoints like employee laptops or mobile devices are susceptible to infection by malware and can easily fall into the control of a botnet.
By deploying endpoint solutions you can prevent attackers from compromising endpoints and also more easily identify a compromise after it happens. In this way, you can prevent botnet infections in your local network. EDR and XDR solutions can quickly detect the communication between botnets and devices and alert you before devices are infected.
Install Host-Based Intrusion Prevention
To prevent botnets from taking over machines, you can add extended protections on specific network layers, placed where vulnerabilities typically hide. For example, add a layer of protection at points of contact between certain hardware and software. While this technique does not fix technical issues or patch holes in OS and app software, it can reduce the chances of successful exploitations.
Monitoring can help gain insight into normal typical end user and network behavior, and then identify anomalies that might indicate a botnet infection. When monitoring is implemented continuously, botnet infection attacks can be detected and blocked in real-time.
Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Samsung NEXT, NetApp and Imperva, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership.
Want to write an article for our blog? Read our requirements and guidelines to become a contributor.