What is a botnet?
A botnet is a network of compromised computers under the control of a malicious actor. Each individual device in a botnet is referred to as a bot. A bot is formed when a computer gets infected with malware that enables third-party control. Bots are also known as “zombie computers” due to their ability to operate under remote direction without their owners’ knowledge. The attackers that control botnets are referred to as “bot herders” or “bot masters.”
Attackers use botnets for a variety of purposes, many of them criminal. The most common applications for botnets include email spam campaigns, denial-of-service attacks, spreading adware/spyware, and data theft (particularly of financial information, online identities, and user logins). A botnet attack starts with bot recruitment. Bot herders often recruit bots by spreading botnet viruses, worms, or other malware; it is also possible to use web browser hacking to infect computers with bot malware. Once a computer has been infected with a botnet virus, it connects back to the bot herder’s command and control (C&C) server. From there the attacker can communicate with and control the bot. When the botnet grows to its desired size, the herder can exploit it to carry out attacks (stealing information, overloading servers, click fraud, sending spam, etc.).
Example: Zeus Botnets
Zeus is a Trojan horse for Windows that was created to steal bank information using botnets. First discovered in 2007, Zeus spread through email, downloads, and online messaging to users across the globe. Zeus botnets used millions of zombie computers to execute keystroke logging and form grabbing attacks that targeted bank data, account logins, and private user data. The information gathered by Zeus botnets has been used in thousands of cases of online identity theft, credit card theft, and more.
In October 2010, the FBI disclosed that it had detected an international cyber crime ring that had used Zeus botnets to steal over $70 million from bank accounts in the United States. This spurred an FBI crackdown on the Zeus Trojan and Zeus botnets that led to the arrest of over 100 cyber-criminals.
In March 2012, Microsoft announced that it had taken over and shut down most of the command-and-control servers that were being used by Zeus botnets. According to Microsoft, all but three C&C domains had been taken down in the effort (formally referred to as Operation b71). While Microsoft wasn’t able to eliminate every C&C server, its efforts are expected to slow or stop many of the cyber-criminals that were using Zeus botnets.
Botnet Detection and Prevention
Botnet detection can be difficult, as bots are designed to operate without users’ knowledge. However, there are some common signs that a computer may be infected with a botnet virus (listed below). While these symptoms are often indicative of bot infections, some can also be symptoms of other malware infections or of ordinary network issues, so none of them should be taken as a sure sign that a computer is infected with a bot.
- IRC traffic (botnets and bot masters use IRC for communications)
- Connection attempts with known C&C servers
- Multiple machines on a network making identical DNS requests
- High outgoing SMTP traffic (as a result of sending spam)
- Unexpected popups (as a result of click fraud activity)
- Slow computing/high CPU usage
- Spikes in traffic, especially Port 6667 (used for IRC), Port 25 (used in email spamming), and Port 1080 (used by proxy servers)
- Outbound messages (email, social media, instant messages, etc.) that weren’t sent by the user
- Problems with Internet access
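As an added illustration (not part of the original article), the following script applies three of the network-side indicators above to a constructed connection log: connection attempts to a known C&C host, repeated connections from one host on port 6667 (IRC), 25 (SMTP) or 1080 (proxy), and identical DNS queries issued by several machines. The blocklist, thresholds and log records are all assumed sample values.

```python
from collections import Counter, defaultdict

# Constructed sample connection log, one record per line:
# src_ip,dst_ip,dst_port,proto[,dns_query_name]
SAMPLE_LOG = """\
10.0.0.5,203.0.113.9,6667,tcp
10.0.0.5,203.0.113.9,6667,tcp
10.0.0.5,203.0.113.9,6667,tcp
10.0.0.5,198.51.100.7,25,tcp
10.0.0.5,198.51.100.8,25,tcp
10.0.0.5,198.51.100.9,25,tcp
10.0.0.6,10.0.0.1,53,udp,updates.example.net
10.0.0.7,10.0.0.1,53,udp,updates.example.net
10.0.0.8,10.0.0.1,53,udp,updates.example.net
10.0.0.9,192.0.2.44,443,tcp
10.0.0.6,10.0.0.1,53,udp,cdn.example.org
"""

# Hypothetical blocklist standing in for a threat-intel feed of known C&C hosts.
KNOWN_CC = {"192.0.2.44"}
# Ports named in the article; PORT_THRESHOLD hits from one host counts as a spike.
WATCHED_PORTS = {6667: "IRC", 25: "SMTP", 1080: "SOCKS proxy"}
PORT_THRESHOLD = 3
# Distinct hosts that must ask for the same name before it looks coordinated.
DNS_HOST_THRESHOLD = 3

def analyze(log_text: str) -> list[str]:
    """Return human-readable alerts for the indicators found in the log."""
    port_hits = Counter()          # (src_ip, port) -> connection count
    dns_hosts = defaultdict(set)   # query name -> set of src_ips that asked
    alerts = []
    for line in log_text.splitlines():
        fields = line.split(",")
        if len(fields) < 4:
            continue   # skip malformed records instead of crashing
        src, dst, port = fields[0], fields[1], int(fields[2])
        if dst in KNOWN_CC:
            alerts.append(f"{src}: connection attempt to known C&C host {dst}")
        if port in WATCHED_PORTS:
            port_hits[(src, port)] += 1
        if port == 53 and len(fields) > 4:
            dns_hosts[fields[4]].add(src)
    for (src, port), n in port_hits.items():
        if n >= PORT_THRESHOLD:
            alerts.append(f"{src}: {n} connections on port {port} ({WATCHED_PORTS[port]})")
    for name, hosts in dns_hosts.items():
        if len(hosts) >= DNS_HOST_THRESHOLD:
            alerts.append(f"{len(hosts)} hosts issued identical DNS query for {name}")
    return alerts
```

Running `analyze(SAMPLE_LOG)` yields four alerts (one C&C contact, IRC and SMTP spikes from 10.0.0.5, and the shared DNS query), while the single lookup of cdn.example.org stays below the threshold; in practice each alert is only a triage lead, as the article notes.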
There are several measures that users can take to prevent botnet virus infection. Since bot infections usually spread via malware, many of these measures actually focus on preventing malware infections. Recommended practices for botnet prevention include:
- Network baselining: Network performance and activity should be monitored so that irregular network behavior is apparent.
- Software patches: All software should be kept up-to-date with security patches.
- Vigilance: Users should be trained to refrain from activity that puts them at risk of bot infections or other malware. This includes opening emails or messages, downloading attachments, or clicking links from untrusted or unfamiliar sources.
- Anti-Botnet tools: Anti-botnet tools provide botnet detection to augment preventative efforts by finding and blocking bot viruses before infection occurs. Most programs also offer features such as scanning for bot infections and botnet removal as well. Firewalls and antivirus software typically include basic tools for botnet detection, prevention, and removal. Tools like Network Intrusion Detection Systems (NIDS), rootkit detection packages, network sniffers, and specialized anti-bot programs can be used to provide more sophisticated botnet detection/prevention/removal.
Botnet detection is useless without botnet removal capabilities. Once a bot has been detected on a computer, it should be removed as quickly as possible using security software with botnet removal functionality. Once botnet removal is complete, it is important to remain proactive in botnet detection and prevention efforts.
Botnet removal can go beyond simply removing a bot virus from an infected machine. On a larger scale, botnet removal often requires shutting down the C&C server that is used to control the botnet. This is typically done when an organization is looking to shut down an entire botnet rather than treat bot infections. Microsoft’s campaign against the Zeus botnet is a good example of large-scale botnet removal.