How are Botnets Created?
For a computer to become a bot in a bot network, it needs to have the bot software installed. Obviously, no one would knowingly install this software on their computer, so attackers resort to social engineering, phishing schemes, and other techniques to trick people into installing the software.
A common technique is a phishing scheme. This involves sending someone an email with a malicious attachment; when the user opens it, the bot software installs itself and the system is infected.
Sometimes, bot software masquerades as legitimate software and may even function, but in the background, it is just another bot in a botnet.
Types of Botnets
The bots on a botnet need to receive commands to execute malicious actions. The source of these commands is the command-and-control server or C&C server. From this server, the bot wrangler sends commands out to the bots on the network. There are two main types of architectures for a botnet.
Centralized botnets use one server to send commands to all the bots on the botnet. This is an older model for botnets and is not used as often anymore because it has a single point of failure.
IRC botnets are one of the earliest types of centralized botnets. The bot herder sends commands via an IRC channel and the bots on the network connect to the channel and wait for commands.
HTTP botnets use an HTTP server to send commands. Bots on these botnets periodically connect to the server to check for commands. Because this polling looks like ordinary web requests, these bots can blend in with regular Internet traffic.
Decentralized botnets use a peer-to-peer model. There is still a single command-and-control server in this type of botnet, but it only needs to reach one bot to get a command to all of them. Each bot acts as both a client and a server and relays any command it receives to the other devices in the botnet, which removes the single point of failure that centralized botnets have.
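The periodic "check for commands" behaviour of an HTTP botnet leaves a trace that a defender can look for: a host that polls on a timer produces request gaps that cluster tightly around one value, while human browsing is irregular. The following Python detector is an added example written for this article, not code from the article or from Illumio. It runs over a constructed proxy log (the log format, addresses, host names, and the thresholds are assumptions) and flags client/host pairs whose inter-request intervals have a low coefficient of variation.

```python
"""Beacon detection over constructed proxy log lines (added example).

A bot polling its C&C server on a timer produces near-constant gaps
between requests to the same host. We group requests per (client, host),
compute the gaps, and flag pairs whose gaps vary little relative to
their mean. All data, names and thresholds below are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log lines: "<ISO timestamp> <client_ip> <dest_host> <path>"
# 10.0.0.5 polls updates.example-cdn.test every ~300 s (timer-driven);
# 10.0.0.7 browses news.example.test at irregular intervals (human-like);
# 10.0.0.9 makes too few requests to judge.
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.0.5 updates.example-cdn.test /check
2024-03-01T09:00:01 10.0.0.7 news.example.test /
2024-03-01T09:02:30 10.0.0.9 mail.example.test /inbox
2024-03-01T09:05:00 10.0.0.5 updates.example-cdn.test /check
2024-03-01T09:05:19 10.0.0.7 news.example.test /sports
2024-03-01T09:10:01 10.0.0.5 updates.example-cdn.test /check
2024-03-01T09:12:44 10.0.0.7 news.example.test /weather
2024-03-01T09:14:59 10.0.0.5 updates.example-cdn.test /check
2024-03-01T09:20:00 10.0.0.5 updates.example-cdn.test /check
2024-03-01T09:25:00 10.0.0.5 updates.example-cdn.test /check
2024-03-01T09:31:05 10.0.0.7 news.example.test /
2024-03-01T09:33:00 10.0.0.7 news.example.test /local
2024-03-01T09:40:00 10.0.0.9 mail.example.test /inbox
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, client, host, path) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, path = line.split()
        records.append((datetime.fromisoformat(ts), client, host, path))
    return records


def find_beacons(records, min_requests=5, max_cv=0.1):
    """Return {(client, host): stats} for pairs whose request gaps are
    near-constant, i.e. whose coefficient of variation (stdev / mean)
    is at or below max_cv. Pairs with fewer than min_requests requests
    are skipped because a handful of gaps proves nothing."""
    by_pair = defaultdict(list)
    for ts, client, host, _path in records:
        by_pair[(client, host)].append(ts)

    flagged = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            flagged[pair] = {"requests": len(stamps), "mean_interval": avg, "cv": cv}
    return flagged


if __name__ == "__main__":
    for (client, host), s in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{client} -> {host}: {s['requests']} requests every "
              f"~{s['mean_interval']:.0f}s (cv={s['cv']:.3f})")
```

With the default thresholds only the 10.0.0.5 pair is reported (about 300 s between requests, cv near 0.004); the browsing client is evaluated but rejected because its gaps vary by more than 70% of their mean. Two caveats apply in practice: real bots often add random jitter to their polling interval, so `max_cv` has to be tuned against your own traffic, and legitimate software such as update checkers also beacons, so a hit is a triage lead to enrich with the destination's reputation, not proof of infection on its own.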
What are Botnets Used For?
It takes time to build a botnet, but it can pack a lot of processing power. Bot herders use the processing power and anonymity that a bot network gives them for malicious acts that couldn't be accomplished from a single device. Sometimes they sell or rent their network out to other people on the black market who don't have the technical skillset to build their own.
Distributed denial of service, or DDoS, attacks are one of the most common uses of a botnet. DDoS attacks leverage the large scale of a botnet to overload a network or server with a flood of requests. This can crash servers and block legitimate traffic. DDoS attacks are usually motivated by personal or political grudges, or by money when the attack is accompanied by a ransom demand.
It is hard to be an email spammer these days, but it is much easier with the hundreds or thousands of IP addresses a botnet provides to send from. Spread across that many addresses, the spam is far less likely to get any one of them blacklisted.
Botnets have also stolen funds and credit card details. By infecting a network of computers with software to steal information, a bot herder can harvest the financial details of thousands of unsuspecting people in minutes.
The "mining" process that generates cryptocurrency like Bitcoin takes a lot of processing power. Sometimes it costs more in electricity to mine than the value of the resulting cryptocurrency. A bot herder can use a botnet to mine cryptocurrency for free.
How to Protect Networks and Devices from Botnets
There are two sides to protecting a system or network from botnets. On one hand, you want to prevent devices on your network from becoming bots in a botnet. On the other, you also don't want to be a target of a botnet. Here are a few ways to protect your systems:
- Anti-virus and anti-malware software should be a requirement for devices that connect to your network. Chances are that up-to-date anti-virus software can detect and remove a threat from an infected device before it can infect other devices on the network.
- Servers and operating systems should be kept up to date. A common way an attacker can take control of a device is by exploiting known flaws in operating systems. Patching systems regularly will remove these security holes.
- Educate users so they know not to download files from untrustworthy sites or click on links in emails they aren't expecting. Phishing schemes are one of the most common attack vectors for botnets.
- Use a firewall. A firewall can help prevent both botnet infections and DDoS attacks if it is set up correctly. It can block connections to known-malicious sites, and it can detect when a traffic spike fits a botnet attack pattern and throttle the connections.
- Micro-segmentation can be a highly effective way to prevent botnet infections and botnet attacks. Micro-segmentation can segregate each part of your network down to the workload level, preventing the lateral movement of malware and the movement of unauthorized traffic.
- Cloud-based DDoS protection applied at the network edge can prevent attacks before they even have a chance to affect your network.
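The firewall and DDoS points above hide a detail worth seeing in code: a per-IP rate limit catches one noisy client but is blind to a botnet flood, where thousands of bots each stay under the limit and only the aggregate rate gives the attack away. The Python below is an added example written for this article, not Illumio's code or a product feature; it runs a fixed-window analysis over constructed request records (the addresses, window size, per-IP limit and spike factor are all assumptions) and reports, per window, which sources a per-IP limit would throttle and whether the window's total volume is a spike against the baseline of earlier windows.

```python
"""Per-IP throttling versus aggregate spike detection (added example).

Events are (unix_second, source_ip) pairs. Each fixed window gets two
verdicts: sources exceeding a per-IP limit (what a simple firewall rule
throttles) and whether total volume exceeds spike_factor times the
average of earlier clean windows (the distributed-flood signal).
All traffic below is constructed.
"""
from collections import Counter, defaultdict

# Constructed baseline: 3 clients, one request per second for 30 s.
BASELINE = [(t, f"203.0.113.{1 + (t % 3)}") for t in range(0, 30)]
# Constructed botnet flood in seconds 30..39: 60 sources, 2 requests each.
FLOOD = [(30 + (i % 10), f"198.51.100.{i % 60}") for i in range(120)]
# Constructed single noisy client in second 40: 15 requests from one address.
SINGLE = [(40, "192.0.2.9")] * 15


def windows(events, size=10):
    """Group (t, src) events into fixed windows of `size` seconds, keyed by start second."""
    buckets = defaultdict(list)
    for t, src in events:
        buckets[(t // size) * size].append(src)
    return dict(sorted(buckets.items()))


def analyse(events, size=10, per_ip_limit=10, spike_factor=5):
    """Return one verdict dict per window, in time order.

    throttled: sources whose request count exceeds per_ip_limit.
    flood:     True when the window total exceeds spike_factor times the
               mean of earlier windows that were not themselves floods.
    """
    results = []
    history = []  # totals of earlier non-flood windows, used as the baseline
    for start, srcs in windows(events, size).items():
        counts = Counter(srcs)
        throttled = sorted(ip for ip, n in counts.items() if n > per_ip_limit)
        total = len(srcs)
        baseline = sum(history) / len(history) if history else None
        flood = baseline is not None and total > spike_factor * baseline
        results.append({
            "start": start,
            "requests": total,
            "sources": len(counts),
            "throttled": throttled,
            "flood": flood,
        })
        if not flood:
            history.append(total)  # flood windows must not inflate the baseline
    return results


if __name__ == "__main__":
    for w in analyse(BASELINE + FLOOD + SINGLE):
        print(f"t={w['start']:>3}s  requests={w['requests']:>3}  sources={w['sources']:>2}  "
              f"throttled={w['throttled']}  flood={w['flood']}")
```

On the constructed traffic the flood window has 120 requests from 60 sources, none of which exceeds the per-IP limit of 10, so a per-IP rule throttles nothing while the aggregate check flags it; the single noisy client in the next window is the opposite case, throttled by the per-IP rule without tripping the spike check. This is why the list above pairs a firewall with edge DDoS protection: the aggregate signal is easiest to act on upstream of the link that is being saturated, and an on-premises device that only counts per source sees a flood as many well-behaved clients.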
Botnets are one of the most serious threats facing enterprises today. A botnet is a network of malware-infected computers that can be controlled from a central location by a bot herder and directed at a specific target for malicious reasons. The processing power and anonymity of botnets make them dangerous.
You can protect your networks and devices from botnets with anti-virus software, regular updates, security education, firewalls, micro-segmentation, and cloud-based DDoS protection.