Breaking into people’s accounts, spreading fake websites, sending out annoying or dangerous spam, tricking people into handing out personal information, infecting millions with malware, denying access to entire portions of the internet... all some of the most dangerous things a hacker can do.
And all of them, as well as other attacks, would be almost impossible were it not for one of the most dangerous and common tools in the hacker’s toolkit: the botnet.
What’s a Botnet?
Basically, a botnet is a network of infected computers which, under the command of a single master computer, work together to accomplish a goal. It might seem simple, almost harmless, but as the paragraph above attests, it’s the powerhouse behind some of the worst attacks hackers can attempt.
A botnet relies on two things: for one, it needs a large network of infected devices, known as “zombies”, to do the grunt work and heavy lifting for whatever scheme the hacker has planned. Secondly, you need someone to actually command them to do something, frequently called the Command and Control center, or “bot herder” (but not “the necromancer” for some insane reason). Once those things are in place, a botnet should be ready to go cause some mayhem.
At their most basic, botnets are made up of large networks of "zombie" computers all obeying one master computer
The term “botnet”, a combination of “bot” and “network”, was first coined in 2001 by EarthLink Inc. during a lawsuit against Khan C. Smith, a Tennessee man who racked up 3 million dollars running what, at the time, was the biggest spam network ever discovered. The scheme didn’t end well for Mr. Smith, who lost the lawsuit and had to pay 25 million bucks to EarthLink, meaning he had a net loss of 22 million dollars: not exactly a genius business operation, but it showed the world just how dangerous this strange technology could be.
Because botnets are so comprehensive, there are two ways you can fall victim to one: you can either find yourself being attacked by a botnet-powered scheme, or your devices could join one of these worldwide hacker networks. We’ll look at that a bit later, but for now...
How do botnets work? Two models, one goal
The nitty-gritty nuts-and-bolts of how botnets function is a bit too much even for an article of this scope, but fortunately it’s not that important. Even understanding the broad strokes of this particular threat should be enough to get an idea of their magnitude and the risk they pose to everyone who enjoys the internet.
There’s a reason you can make a career out of getting computers to interact with each other — figuring out how to efficiently set up a network is every bit as important as actually running it. To that end, there are two primary ways that botnets are set up: the Client Server model and the Peer-to-Peer model.
The Client Server model
The Client Server model is the old-fashioned way, where “zombies” received their instructions from a single location, typically a website or some shared server. While it was sufficient in the early days, it also meant shutting down a botnet was really easy: just take down the website or server and the whole system would crumble.
The Peer-to-Peer model
The Peer-to-Peer model fixes the Achilles heel of the Client Server model. In this system, each infected machine communicates directly to a few others on the network, and those few others are connected to a few more, who are connected to even more, until the whole system is strung together. That way, removing one or two devices isn’t a problem, because others will be able to pick up the slack.
In both cases, making sure only the Command and Control owner can… well, command and control the network is of key importance. Which is why they use digital signatures (sort of like a special code) to ensure that only commands issued by the hacker — or whoever the hacker sold the botnet to — are spread through the entire network.
Spreading the infection: how botnets get created
It’s all well and good to have a network set up, but now you need to actually get devices to “join” it. This is done with a lil’ something you might recognize: a Trojan!
A Trojan is any piece of malicious software that tries to slip into a computer by pretending to be something more benign... you know, like the namesake. Trojans are pretty popular to slap onto phishing emails, but they’re also found on pirated software and are sometimes the payload of malvertising attacks. But for our purposes right now, what matters isn’t how hackers get it onto your PC, but rather, what they do when it’s there.
Botnets are mainly built on top of Trojan attacks
When the Trojan is on the computer, it’ll open up a “backdoor” that will allow the hacker to access and control certain aspects of the PC, or some other connected device. Typically Trojans only allow hackers to do a little bit, but it’s enough to cause some serious problems, such as effectively running a botnet. The good news is that Trojans don’t typically self-propagate or try to spread (although there are botnets that are exceptions to that rule), but the downside is that a Trojan can stay ‘dormant’, and thus unnoticeable, until the hacker chooses to use it.
When enough computers have these built-in backdoors, the hacker combines them into one network to successfully create a botnet.
What can you do with a Botnet?
For all their complexity, a botnet only really allows hackers to do two things: send things out quickly or make every computer do the same thing at the same time. But even a simple tool can be dangerous with enough creativity, and hackers have found ways to use botnets to do some pretty amazing, if awful, things.
Let them eat spam
As we mentioned above, the first botnets were designed to help facilitate phishing and spam attacks. It’s easy enough to hand-craft some spam and send it to everyone on your contacts list, but you probably won’t be very successful and the only thing you’ll really accomplish is peeving grandma a bit. It’s far better to have millions of computers sending out as much spam as possible to as many inboxes as they can, so the spam can spread fast and hard, hitting as many people as possible. And as luck would have it, that’s exactly what a botnet can do. The same basic principle applies to phishing, unless you happen to be Spear Phishing. In that case, a botnet isn’t terribly useful.
Millions of malware
If you’ve spent years of sweat and tears crafting the perfect virus, will you be content just sending it to one or two people? No! You’ve got to share your masterwork with the world! Much in the same way as spam wants to reach as many people as possible, malware is at its “best” when it’s hitting people fast and hard.
Malware doesn’t have a long shelf life: typically an individual strain only exists in the wild for about an hour before antiviruses update their virus definitions and make it obsolete. So to succeed, it has to try to infect as many computers, phones, or other connected devices as fast as possible and either bunker down to avoid antivirus scans, or do whatever mischief it was designed to do before it’s caught and sent to the virus chest.
Botnets allow viruses to reach as many people as possible in that short time frame, particularly if it’s trying to infect devices through email or an open network.
Denied: DDoS attacks
Ever try to access a website only to find you can’t make a connection? Or when you get there, it’s so slow it’s basically unusable? Oftentimes the culprit is a DDoS attack, which is a subject that deserves its own article. But the long story short is that DDoS is the malicious practice of having so many “zombies” crowding up a website that it slows down to a crawl, and anyone else will have a terribly hard time trying to access it.
Hackers can DDoS a site for any number of reasons, although since there’s no financial gain to it (outside perhaps extortion, but that almost never pays), it’s most commonly deployed either as a form of protest or a way to troll. But obviously, no matter why you do it, you need to have lots of computers trying to reach the same site at the same time to pull it off, and that’s where the botnet comes in.
Hacking into someone else's account is very rarely an elegant affair, and assuming you aren’t repeating a known password or using one of the top 100 most common passwords, hackers trying to break into your account will use something called a Brute Force attack.
Without going into too much detail, a Brute Force attack is trying every combination of words, phrases, letters, and special symbols that they can until they manage to get it correct by sheer chance. When using specific words and word variants, it’s more specifically called a Dictionary Attack. These attacks are, without question, the most common form of password hacking.
The problem for hackers is that most websites only allow individual computers or IP addresses to try to log onto an account so many times before locking them out: and it can be hard to brute force something if you’ve only got five chances to do it. That’s where a botnet can come in handy: just have every computer on the system try as often as it can until it’s locked out. With enough computers, and enough time, just about any password can be cracked.
If your password has been stolen and is on the darknet, it only gets easier for hackers. While almost every password stolen from websites and organizations will be stored in hashed (scrambled) form rather than as plain text, hackers can still use Brute Force methods to figure out what they are, without having to worry about getting locked out.
Using special software called a Password Cracker, they try every combination of characters and letters that they can, run each guess through the same hashing process that the hacked database used, and compare the results to figure out what each stored entry actually was. And if they break up the task so that each computer is trying different words and combinations, they could break even a decent password in a matter of minutes.
The good news is that if you have a really, really good password (which isn’t as hard or scary as you think) it could take millions of years to brute force, even with a botnet. We've got a whole article on how to create strong passwords.
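As an added illustration of the per-IP lockout problem described above (example code written for this article, not AVG's or any real website's login code), here is a small tracker that counts failed logins per source IP and per target account. A per-account limit catches a botnet that spreads its guesses over many addresses, which a per-IP limit alone cannot. The thresholds, the time window and the 198.51.100.x / 203.0.113.x addresses are constructed for the demonstration.

```python
from collections import defaultdict, deque

# Constructed thresholds for this example, not any product's real settings.
MAX_PER_IP = 5          # the classic per-IP lockout the article describes
MAX_PER_ACCOUNT = 20    # added per-account limit a distributed botnet cannot dodge
WINDOW_SECONDS = 600    # sliding window for both counters


class LoginGuard:
    """Track failed logins per source IP and per target account in a sliding window."""

    def __init__(self, max_per_ip=MAX_PER_IP, max_per_account=MAX_PER_ACCOUNT,
                 window=WINDOW_SECONDS):
        self.max_per_ip = max_per_ip
        self.max_per_account = max_per_account
        self.window = window
        self.by_ip = defaultdict(deque)        # ip -> timestamps of failures
        self.by_account = defaultdict(deque)   # account -> timestamps of failures

    def _prune(self, queue, now):
        # Drop failures older than the window so old mistakes do not lock people out forever.
        while queue and now - queue[0] > self.window:
            queue.popleft()

    def is_blocked(self, ip, account, now):
        self._prune(self.by_ip[ip], now)
        self._prune(self.by_account[account], now)
        return (len(self.by_ip[ip]) >= self.max_per_ip
                or len(self.by_account[account]) >= self.max_per_account)

    def record_failure(self, ip, account, now):
        self.by_ip[ip].append(now)
        self.by_account[account].append(now)


def simulate(attempts, guard=None):
    """Replay (timestamp, ip, account) failed-login events; return how many got through."""
    guard = guard or LoginGuard()
    allowed = 0
    for t, ip, account in attempts:
        if guard.is_blocked(ip, account, t):
            continue          # attempt rejected before the password is even checked
        allowed += 1
        guard.record_failure(ip, account, t)
    return allowed


def single_source(n):
    """Constructed: one IP hammering one account n times, one second apart."""
    return [(i, "198.51.100.7", "victim") for i in range(n)]


def distributed(n_ips, per_ip):
    """Constructed: a botnet spreading attempts over many zombies against one account."""
    events = []
    t = 0
    for i in range(n_ips):
        for _ in range(per_ip):
            events.append((t, f"203.0.113.{i}", "victim"))
            t += 1
    return events


if __name__ == "__main__":
    ip_only = LoginGuard(max_per_account=10**9)   # per-IP lockout only
    print("single IP, per-IP lockout:", simulate(single_source(50), ip_only))
    print("100 zombies x 5, per-IP lockout only:", simulate(distributed(100, 5), LoginGuard(max_per_account=10**9)))
    print("100 zombies x 5, per-IP + per-account:", simulate(distributed(100, 5)))
```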
Cryptocurrency mining 24/7
Botnets don’t have to be used to attack people. A growing trend among hackers is to build botnets for the sole purpose of having their “zombies” mine for bitcoins or other online currencies on their behalf. The malware in question is called a cryptocurrency miner, and while no one is really targeted, there are still victims: namely, the people who own the PCs doing the mining, which will slow down their computer immensely. It also leads to higher electricity bills, and contributes to general wear-and-tear of a computer.
And when I say “growing”, I mean it. Last year alone 1.65 million computers were hijacked to mine cryptocurrencies for hackers, and it’s getting bigger: in fact, “crypto-jacking” is up a jaw-dropping 8500% compared to 2017. Its popularity can be attributed to the low barrier of entry, and how relatively harmless it is: most people are willing to ignore an occasional bout of slowness, and thus, these viruses can remain undetected for months.
The effects of being in a botnet: 5 reasons you don’t want to be a zombie
In case it wasn’t obvious from the colloquial name, it’s not really an ideal situation to have your computer shackled to the will of a malicious stranger.
Welcome to the slow lane
Computers aren’t magic. There’s a headline for ya. And if your computer is busy doing one thing, it’s not going to have the processing power to do other things. So normally, if you’re trying to stream a movie and you realize it’s running slowly, you can improve the speed and quality by quitting out of some other program that’s also running at the same time. Simple and easy.
A botnet will steal your computer's resources for its own ends, and could slow you down
The problem is, when your computer is a zombie, you aren’t its master anymore: and if the person running the show decides they want your computer sending out as much spam as possible, you won’t be able to stop them. Heck, it’s entirely possible you won’t even notice, save the fact your computer is much, much slower now. Which is the #1 problem (and the most obvious sign) of a botnet infection: it drains computer resources when you’re trying to do something else that’s hopefully less illegal.
This is called, by the way, scrumping. Originally that word meant picking leftover apples from someone else’s trees after harvest, but… now it means this. For some reason.
A case of a stolen identity
When it’s time to send out spam, hackers will always target as many people as they can: and on top of reaching out to strangers, they’ll also take the opportunity to use your email account to send all your contacts their damaging and annoying spam, usually taking advantage of the fact that a personal account will circumvent anti-spam filters. This can be a pretty big tell if you’re part of a network, but sometimes it’s misread (not unfairly) as your account being hacked rather than your PC itself. Fortunately, there are other clues you can look for to see what the real problem is.
Sky-high electric bills
We’ve all got bills to pay, and if you’re the breadwinner in your household, you’ve got another reason to keep your PC out of a botnet: your electric bill. When the Bot Herder needs their zombie horde for anything, it doesn’t matter if the machine is turned off: they’ll turn it back on in order to use it in their campaign. That’s annoying, but at least it’s a very telling sign when you’ve got a compromised PC. There’s only one problem…
More disarming than the Treaty of Versailles
When your computer is part of a botnet, the hacker doesn’t really want you to leave the botnet. So typically the same malware that got you into it will also prevent you from either downloading or running an antivirus. Not only does this keep you from getting rid of that malware, it makes you vulnerable to other, equally bad malware on the internet.
I think you can get why that might be undesirable.
Becoming an easy target
Hackers are all about efficiency, so don’t go thinking that just because you’re technically working for them you’re immune to their schemes. They’ll send you the same spam, adware, and pop-ups they send everyone else, not only because you’re a good source of revenue, but also because they know that you’re not nearly as protected as everyone else. You can fault hackers for many things, but not for being wasteful.
The greatest hits
There have been quite a few famous examples of these bothersome bots through the internet’s short history. Let’s take a look:
GAmeover ZeuS — Worse than its own grammar
Something about hackers and proper English just doesn’t mesh.
Anyway. GAmeover ZeuS was a peer-to-peer botnet designed after an earlier piece of malware called the ZeuS Trojan. Quite the legacy, as its progenitor was able to infect well over 3.6 million devices and was the subject of an international investigation by the FBI which led to the arrest of over 100 people around the world. Unfortunately, it lived up to it, as it used a special encrypted network that made it almost impossible for law enforcement to trace the Windows-based botnet, and wreaked havoc as the main distribution channel for the Cryptolocker ransomware and a series of bank fraud scams.
In 2014 Operation Tovar, an international collaboration of law enforcement officials from around the world, was able to disrupt the malware, cutting the hackers’ ability to communicate with the Bot Herder for two weeks. When the hackers tried to create a copy of their database, it was intercepted by the same operation, and discovered within the database was the decryption code for the Cryptolocker ransomware, effectively defanging it. They also discovered the ringleader of the operation: alleged Russian cybercriminal Evgeniy Mikhailovich Bogachev.
The next year, the FBI was offering a three million dollar prize to anyone who could help them find and arrest that man, but otherwise, it was game over for GAmeover. Still, the criminals had gotten what they wanted: about 1.3% of those infected with Cryptolocker paid the ransom, which meant the criminals walked away with a cool three million dollars themselves.
And because of that success, variants of the original GAmeover ZeuS malware still exist in the wild… waiting to strike…
Mirai — the future of botnets
You know you’re in for something special when your malware is named after a 2011 anime about children using time-traveling diaries to try to murder each other and become God.
Discovered in 2016 by white hat hackers from MalwareMustDie, Mirai is a botnet designed to target Linux systems specifically, and was used to orchestrate some of the biggest DDoS attacks of the decade. What made Mirai so special was how aggressively it spread: once it was on a device, it would constantly scan for other IoT devices to connect to the same network. Once it found one, it used an internal database of factory-default usernames and passwords to try to break into each device — and if it did, it would infect it, and start scanning for even more victims.
Mirai attacked GitHub, Twitter, Reddit, Netflix, Airbnb and Liberia's internet infrastructure
At its peak, it was used in a lot of DDoS attacks, too many to go into detail here. But its list of victims includes GitHub, Twitter, Reddit, Netflix, Airbnb, Rutgers University, and Liberia's entire internet infrastructure. However, once it was discovered and dissected by the folks at MalwareMustDie, it was a short while before devices were updated and the malware became obsolete. Still, it was in operation for nearly two years before being shut down, making it one of the most wildly successful botnets in the world.
Despite its scope and aggression, one could argue that Mirai was one of the less malicious botnets we’ve seen. Not only did it specifically avoid infecting certain devices (such as any owned by the military or the post office), it would also kick out any malware already on the system and lock it down from future infection. It also only used the devices it controlled for the occasional DDoS attack: as far as we can tell it never tried to cause any more harm to devices it controlled, which is likely why it was able to go undetected for so long.
It’s worth noting that all three alleged creators, Paras Jha, Josiah White, and Dalton Norman, pled guilty when charged with creating the malware. So the bad guys were caught in the end.
...but fun fact: they worked under the pseudonym Anna-senpai, named after Anna Nishikinomiya, a character in a 2015 anime about a teenage girl who wears panties on her head and distributes pornographic pamphlets as acts of terrorism in a world where sexual thoughts are illegal.
Anime is weird.
ZeroAccess — A bad name for a bad malware
Despite its name, the ZeroAccess botnet didn’t participate in any DDoS attacks, once again proving that hackers really need a copywriter or something when coming up with their names.
But while the validity of the name could be debated, the effectiveness — and threat — of the botnet was indisputable. The ZeroAccess rootkit, which was the primary method used to force Windows machines to join the botnet, aggressively spread using social engineering and adware attacks, managing to infect around 9 million devices. The botnet itself, however, was sitting on somewhere between one and two million machines: a manageable number with about 8 million computers in the wings if one should ever leave.
The makers of the ZeroAccess botnet could have earned up to an estimated $38 million
Once part of the botnet, the infected machines joined a massive money-generating scheme: each device would start mining bitcoins, and every online ad was “replaced” with one from the malware that would generate money for the hackers instead of the website hosting it. These two activities proved enormously profitable for the hackers, and while an exact number is hard to know, it’s estimated they could have earned up to 38 million dollars every year, although the real number is likely considerably smaller.
In December 2013 a coalition led by Microsoft tried to destroy the network, and succeeded for a time. But failing to seize all the Command and Control centers meant that the network could be rebuilt, and it was… but its discovery meant that antiviruses could start offering protection from the rootkit, and while it still exists, its scope and threat are significantly reduced.
So I guess, in some respects, the name actually does work… now that it has zero access to protected computers! Oho! Sick burn on the inanimate software! Woo!
Backdoor.Flashback — Nobody is safe
If you were feeling mighty smug on your MacBook laughing at all the malware infecting Windows and Linux devices, go ahead and dismount your high horse: the Backdoor.Flashback Trojan affected well over 600,000 Macs back in 2011 and 2012, and caused a whole lot of trouble for people who were unprepared to cope with the reality that their device wasn’t, in fact, completely immune from attack. (Don't be unprepared: check out our ultimate guide to Mac security).
The Trojan, using a Java vulnerability, infected the machine and then redirected it to a bogus site, which then downloaded a bunch of malware that would turn the Mac into an obedient zombie, on top of other problematic malware that would steal personal data and slow the machine down.
...that said, to the best of our knowledge the Botnet didn’t actually do anything. The other malware it would download certainly did, but while Backdoor.Flashback created a Peer-to-Peer network, the creators never once ordered it to do anything beyond try to spread itself, as best we understand. And it was able to run with impunity for about a year before it was caught by Dr. Web and patched out of existence in early 2012.
It’s likely that 600,000 computers wasn’t enough to effectively utilize a botnet, and the hackers were waiting until the number got higher before using it and revealing their existence. But that’s all speculation: unlike most malware on this list, Backdoor.Flashback is well and truly dead, and we won’t be seeing it ever again… most likely.
Giving the boot to Botnets
Like every good video game boss, the bigger something is, the more weak spots it has, and the same is true for botnets. But while the personal steps you need to take to keep yourself safe from a botnet — either joining one or falling victim to one — are fairly simple, the larger steps organizations and governments have to take to shut down the whole Goliath are a much bigger issue.
Botnets and you — How to keep from joining a botnet
Although botnets are far more complex and larger in scope than most threats, you protect yourself from them the same way you protect yourself from any other malware:
- Don’t download things you don’t trust,
- Don’t click online ads,
- Don’t fall for phishing emails,
- Keep a powerful antivirus on your computer, like AVG Free.
Following these common-sense tactics will ensure you never join a botnet, or fall for an attack orchestrated by one.
So your PC is in a botnet
Things get a bit more complicated, though, if you make the mistake of joining a botnet, because the typical Trojan or rootkit is extremely good at staying hidden from antivirus software. If your PC starts displaying all the symptoms of being part of a botnet, yet an antivirus isn’t seeing anything (or simply isn’t running at all), you have two choices:
- Do a factory reset: this wipes your machine, which gets rid of the problem along with everything else on your computer.
- Run a boot-time scan: boot-time scans catch deeply rooted malware by scanning the system before the OS starts up, leaving malware with nowhere to hide and no way to stop it.
Obviously the latter is preferred to the former, and with AVG’s boot-time scan you shouldn’t have to be resetting anything.
That said, don’t worry too much about it. The average botnet infection has a lifespan that a housefly would pity, with 58% of infections lasting less than a day, and only 0.9% of them lasting longer than a week. So don’t rip your hair out over it.
So your (anything else) is in a botnet
There’s another problem, though, if one of your IoT devices is infected, as there aren’t many antiviruses out for your refrigerator just yet. That said, once you’ve determined that one is infected — and sluggishness is often your only clue — there’s a fairly easy solution. Simply reboot the machine, then quickly change the password. Every time the machine is turned off, the malware has to “re-infect” it, so if you change the access credentials quickly enough it will effectively be locked out of the system.
Sadly, this won’t help with the latest malware threat, Hide n’ Seek. We’ll have to get back to you on that one.
So your small business is being DDoS’d by a botnet
If you’re a small to medium business owner, then you have good reason to be anxious about DDoS attacks. While it’s not likely you’ll personally be targeted by one (although that might happen if you raise the ire of internet folk), the server your website is hosted on might, and in that case, you could find yourself effectively offline for however long that takes. If you don’t run your own server, that’s… kind of impossible to stop.
But if you do run a server, then it’s possible to notice a sudden and unusual uptick in activity and, if you act quickly, you can start blocking the infected machines to prevent them from taking over your bandwidth. If that fails, you can always rent more bandwidth temporarily, or host your site somewhere else, although those are both fairly expensive.
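To make the “notice an uptick, then block the infected machines” advice concrete, here is an added example (written for this article, not AVG's code or any product's) that reads web-server access-log lines in the Common Log Format, compares each minute's request volume against the median minute, and lists the addresses that dominate a spike so they can be fed to a firewall. The log lines, thresholds and 192.0.2.x / 203.0.113.x addresses are constructed; ordinary visitors make one request each, while each zombie makes dozens.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# One Common Log Format line (the Apache/nginx default): ip ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (timestamp, ip, request) for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], TS_FMT), m["ip"], m["req"]


def analyze(lines, bucket_seconds=60, spike_factor=5, per_ip_threshold=30):
    """Bucket requests per minute; flag buckets >= spike_factor x the median bucket,
    and within each flagged bucket list the IPs sending >= per_ip_threshold requests."""
    per_bucket = Counter()
    per_bucket_ip = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                       # skip malformed lines rather than crash
        ts, ip, _ = parsed
        bucket = int(ts.timestamp()) // bucket_seconds * bucket_seconds
        per_bucket[bucket] += 1
        per_bucket_ip[bucket][ip] += 1
    if not per_bucket:
        return {"baseline": 0, "spikes": {}}
    counts = sorted(per_bucket.values())
    baseline = counts[len(counts) // 2]    # median minute = what "normal" looks like
    spikes = {}
    for bucket, total in per_bucket.items():
        if total >= spike_factor * baseline:
            offenders = sorted(ip for ip, n in per_bucket_ip[bucket].items()
                               if n >= per_ip_threshold)
            spikes[bucket] = {"total": total, "block": offenders}
    return {"baseline": baseline, "spikes": spikes}


def constructed_log():
    """Constructed sample: three quiet minutes, then one minute flooded by 40 zombies."""
    def line(minute, second, ip, path):
        ts = f"10/Mar/2024:12:{minute:02d}:{second:02d} +0000"
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'

    lines = []
    for minute in range(4):
        for sec in range(0, 60, 6):          # 10 ordinary visitors per minute
            lines.append(line(minute, sec, f"192.0.2.{sec}", "/index.html"))
    for bot in range(40):                    # 40 zombies, 35 hits each, all in minute 3
        for n in range(35):
            lines.append(line(3, n % 60, f"203.0.113.{bot}", "/"))
    lines.append("garbage line that is not a log entry")
    return lines


if __name__ == "__main__":
    report = analyze(constructed_log())
    print("baseline requests/minute:", report["baseline"])
    for bucket, info in report["spikes"].items():
        print(f"spike at epoch {bucket}: {info['total']} requests, block {len(info['block'])} IPs")
```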
And if you happen to be a Google executive and you happen to be reading this for whatever reason, don’t worry: big companies don’t have to fear DDoS attacks: after all, if you couldn’t handle millions of computers pinging you at the same time you wouldn’t be the giants you are today.
Slaying the Botnet
Fortunately, if you’re the average consumer, breaking up a botnet operation isn’t really your business. But for the law enforcement individuals who have to take that task on themselves, there’s only one reasonable way to slay this dragon: cut off its head. Or, disregarding metaphors, get rid of the Command and Control Center, either by finding the machine that acts as it and shutting it down, or keeping hackers from being able to access it themselves.
For the Client-Server model, that’s really easy: there can only be one source that links back to every infected device, so it’s simple to find and ‘cut off’. That’s why hackers adopted the Peer-to-Peer model, where any device on the system could, in theory, act as the Bot Herder. So you can’t just cut one and be done: you have to find every single Bot Herder and remove it from the system, otherwise the network can be repaired.
Zombies might make good fodder in video games and horror movies, but a slow and shambling computer beyond your control is the opposite of a fun time. But with everything hackers can do with a botnet, it’s refreshing to know that their greatest tool is so easily thwarted: with a strong antivirus like AVG Free and some good ol’ common sense, the whole world could de-fang black-hat hackers around the globe.
And that brings us to our final bit of good news: we’re actually doing it. At time of writing, the number of active botnets and infected devices has been on a worldwide decline. So if we stay the course with excellent online habits and a strong antivirus, we can possibly eliminate botnets once and for all.
Stay safe out there!