What is a Botnet and How Does it Work?
In simple terms, a botnet (sometimes called a zombie army) is a group of computers that all run the same piece of malicious software, which lets an attacker control some or all of the infected machines at the same time. The following are some of the botnet-related terms you should get familiar with:
- The malicious software that a botnet runs on each victim is called the Bot Payload.
- The infected computer is called a Bot, Slave or Zombie.
- The machine the Bot connects to for instructions is called the Command and Control server, CnC for short (also written C2 or C&C).
- The Botmaster is the person who operates the CnC. They issue commands to the bots by sending them through the CnC.
- The botnet is the network of infected/compromised computers taking commands from the CnC.
How Bot Payloads Are Installed Into A Victim’s Computer
There are a few ways a hacker can install the malicious software and start building a botnet. The following are the most common ways a bot payload gets onto a victim's computer:
- Exploit Kits: An exploit kit is a toolkit that runs on a web server (often a compromised legitimate site or a malicious ad). It fingerprints the visiting browser and its plugins, picks an exploit for a vulnerability it finds, and uses it to download and execute the bot payload without the user noticing. The most widely used kits are browser based.
- Trojans: These are malicious programs disguised as something routine, interesting or useful in order to convince the victim to install them. The payload is hidden inside what looks like legitimate software, for example a cracked copy of Microsoft Office downloaded as a torrent.
- Virus: A virus is a piece of code that copies itself into other executables on the system, often corrupting files or destroying data in the process. Once an infected executable is shared with another computer, that computer becomes part of the botnet too.
- Worm: Unlike a virus, a worm does not need to attach itself to an existing program. It is self-replicating code that spreads to other computers over the network without human intervention, typically by exploiting a vulnerable network service. Worms were the dominant infection method in the early 2000s. Up-to-date antivirus and default-on host firewalls make them much harder to spread between desktops, but any unpatched service that is reachable over the network (servers, routers and other IoT devices included) can still be wormed.
Usage of Botnets
Botnets, in general, aren't built for no reason. They are built for financial or personal gain. The largest and most infamous botnets were built for financial gain, such as GameOver Zeus, whose operators also used it to distribute the CryptoLocker ransomware. Botnets generate revenue in the following ways:
- Click fraud and spam: bots load ads or click links so the botmaster gets paid for fake traffic, and they send spam email to large numbers of recipients. Links in that spam commonly lead to phishing sites or to sites hosting malware, often the next bot payload.
- Data theft: login credentials, credit card and banking details, and in some cases enough personal data for identity theft.
- Ransomware: a payload that encrypts the victim's important files (and sometimes locks them out of the system entirely) and demands payment, usually in bitcoin or another online payment method, for the key needed to get the data back. Paying does not guarantee the data is returned.
- DDoS: botnets are also used for large scale and complex DDoS attacks. These are hard to mitigate when the botnet is using advanced DDoS tactics, because the traffic comes from thousands of ordinary-looking machines rather than one source.
Botnets can be divided into three types by how commands reach the bots: Centralized, Peer to Peer (P2P) and Hybrid.
- A Centralized botnet is one where every bot connects directly to the CnC, traditionally over IRC or HTTP. It is simple to run, but the CnC is a single point of failure: take down its domain or server and the bots are headless.
- A Peer to Peer botnet is one whose bots talk only to each other and relay commands across the network; there is no fixed CnC to take down. Because any peer could try to inject a command, the botmaster signs each command with a private key and every bot verifies it against a public key embedded in the payload, so only the key holder can issue orders.
- A Hybrid botnet combines the two, for example using BitTorrent-like tracking to discover peer bots and contact them, while still falling back to a central server for some functions.
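The P2P authentication described above, as an added example that is not part of the original article: the botmaster signs each command, and a peer bot accepts only what verifies against the public key baked into it, rejecting tampered, forged and replayed commands. Real families use a standard signature scheme (RSA, ECDSA, Ed25519); this example uses a Lamport one-time signature only because it needs nothing beyond `hashlib`, which also means a key must never sign more than one message. The `PeerBot`, `make_envelope` and `demo` names and the command contents are hypothetical.

```python
"""Signed-command authentication for a peer-to-peer bot (illustrative, one-time key)."""
import hashlib
import json
import os


def _sha(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _bits(msg: bytes):
    """The 256 bits of SHA-256(msg), most significant bit first."""
    h = _sha(msg)
    return [(h[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def keygen():
    """Lamport key pair. Private key: 256 pairs of random secrets.
    Public key: the SHA-256 hash of each secret, in the same layout."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(_sha(a), _sha(b)) for a, b in sk]
    return sk, pk


def sign(sk, msg: bytes):
    """Reveal one secret per message bit. ONE-TIME: signing twice leaks both secrets."""
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    """Each revealed secret must hash to the public-key entry chosen by that bit."""
    if len(sig) != 256:
        return False
    return all(_sha(s) == pk[i][bit] for i, (bit, s) in enumerate(zip(_bits(msg), sig)))


def make_envelope(sk, cmd: dict) -> dict:
    """Botmaster side: canonical JSON of the command plus its signature (hex)."""
    body = json.dumps(cmd, sort_keys=True).encode()
    return {"cmd": cmd, "sig": [s.hex() for s in sign(sk, body)]}


class PeerBot:
    """A peer that trusts only commands signed by the key compiled into it."""

    def __init__(self, master_pk):
        self.master_pk = master_pk   # hypothetical: shipped inside the payload
        self.last_seq = 0            # monotonically increasing, blocks replays
        self.executed = []

    def receive(self, envelope: dict) -> str:
        body = json.dumps(envelope["cmd"], sort_keys=True).encode()
        sig = [bytes.fromhex(s) for s in envelope["sig"]]
        if not verify(self.master_pk, body, sig):
            return "rejected: bad signature"     # tampered or forged by a rogue peer
        if envelope["cmd"]["seq"] <= self.last_seq:
            return "rejected: replay"            # valid signature, but already seen
        self.last_seq = envelope["cmd"]["seq"]
        self.executed.append(envelope["cmd"]["action"])
        return "executed"


def demo():
    """Run the four cases: genuine, replayed, tampered, forged with another key."""
    master_sk, master_pk = keygen()
    bot = PeerBot(master_pk)
    env = make_envelope(master_sk, {"seq": 1, "action": "report-status"})
    ok = bot.receive(env)
    replay = bot.receive(env)
    tampered = dict(env, cmd={"seq": 2, "action": "update-config"})  # body changed, old sig
    tamper = bot.receive(tampered)
    rogue_sk, _rogue_pk = keygen()                                    # a peer's own key
    forged = bot.receive(make_envelope(rogue_sk, {"seq": 3, "action": "update-config"}))
    return ok, replay, tamper, forged


if __name__ == "__main__":
    for label, result in zip(("genuine", "replay", "tampered", "forged"), demo()):
        print(f"{label:9s} -> {result}")
```

The sequence number matters as much as the signature: without it, a peer could keep re-broadcasting an old, correctly signed command (such as an earlier attack order) indefinitely. From the defender's side, this design is also why takedowns of P2P botnets target the signing key or poison the peer list rather than a server.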
Prevent Botnet Attacks
There are a few things you can do to lessen the probability of your computer becoming part of a botnet. Please read my article on Beginner's Guide To Computer Security for detailed instructions on how to prevent your computer from becoming part of a botnet attack.
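Prevention is only half of the picture; a bot that does get installed still has to call home, and a centralized bot does so at a fairly regular interval. The following is an added example, not part of this article or the linked guide, that flags client/destination pairs in a proxy log whose request gaps are almost constant. The log format, the `update-check.example` host, the IP addresses and the sample lines are all constructed for the example.

```python
"""Flag client/destination pairs that talk at near-constant intervals (beaconing)."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed sample proxy log, one request per line:
# "<ISO timestamp> <client ip> <method> <url> <status>"
# 10.0.0.5 contacts a made-up CnC host roughly every 60 s; 10.0.0.7 browses normally.
_T0 = datetime(2024, 3, 1, 10, 0, 0)


def _line(offset_s, client, url):
    return f"{(_T0 + timedelta(seconds=offset_s)).isoformat()} {client} GET {url} 200"


SAMPLE_LOG = (
    [_line(t, "10.0.0.5", "http://update-check.example/gate.php")
     for t in (0, 60, 121, 180, 241, 300, 361, 420)]
    + [_line(t, "10.0.0.7", f"http://news.example/story/{i}")
       for i, t in enumerate((5, 12, 140, 141, 143, 300, 600, 605))]
    + [_line(33, "10.0.0.5", "http://news.example/story/9")]  # the bot host also browses
)


def group_requests(lines):
    """Map (client, destination host) -> sorted request times in seconds."""
    seen = defaultdict(list)
    for line in lines:
        ts, client, _method, url, _status = line.split()
        seen[(client, urlsplit(url).hostname)].append(datetime.fromisoformat(ts).timestamp())
    for times in seen.values():
        times.sort()
    return seen


def find_beacons(lines, min_hits=6, max_cv=0.10):
    """Return pairs with at least min_hits requests whose gaps have a low
    coefficient of variation (std / mean). Bots that add jitter raise the cv,
    so treat max_cv as a tuning knob rather than a constant."""
    suspects = []
    for (client, host), times in group_requests(lines).items():
        if len(times) < min_hits:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = mean(gaps)
        cv = pstdev(gaps) / period if period > 0 else float("inf")
        if cv <= max_cv:
            suspects.append({"client": client, "host": host, "hits": len(times),
                             "period_s": round(period), "cv": round(cv, 3)})
    return suspects


if __name__ == "__main__":
    for s in find_beacons(SAMPLE_LOG):
        print(f"{s['client']} -> {s['host']}: {s['hits']} hits every ~{s['period_s']}s (cv={s['cv']})")
```

Treat a hit as a triage signal, not a verdict: update checkers, mail clients and monitoring agents beacon too, so pair this with an allow-list of known destinations and look at what the flagged host is actually fetching.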