A botnet is a collection of internet-connected devices, which may include PCs, servers, mobile devices and internet of things (IoT) devices, that are infected with and controlled by a common type of malware. Users are often unaware that a botnet has infected their system.
Infected devices are controlled remotely by threat actors, often cybercriminals, and are used for specific functions, so the malicious operations stay hidden from the user. Botnets are commonly used to send email spam, engage in click fraud campaigns and generate malicious traffic for distributed denial-of-service attacks.
How botnets work
The term botnet is derived from the words robot and network. A bot in this case is a device infected by malware, which then becomes part of a network, or net, of infected devices controlled by a single attacker or attack group.
The botnet malware typically looks for vulnerable devices across the internet, rather than targeting specific individuals, companies or industries. The objective for creating a botnet is to infect as many connected devices as possible, and to use the computing power and resources of those devices for automated tasks that generally remain hidden to the users of the devices.
For example, an ad fraud botnet that infects a user's PC will take over the system's web browsers to divert fraudulent traffic to certain online advertisements. However, to stay concealed, the botnet won't take complete control of the web browsers, which would alert the user. Instead, the botnet may use a small portion of the browser's processes, often running in the background, to send a barely noticeable amount of traffic from the infected device to the targeted ads.
On its own, that fraction of bandwidth taken from an individual device won't offer much to the cybercriminals running the ad fraud campaign. However, a botnet that combines millions of devices will be able to generate a massive amount of fake traffic for ad fraud, while also avoiding detection by the individuals using the devices.
Botnet infections are usually spread through malware, such as a Trojan horse. Botnet malware is typically designed to automatically scan systems and devices for common vulnerabilities that haven't been patched, in hopes of infecting as many devices as possible. Botnet malware may also scan for ineffective or outdated security products, such as firewalls or antivirus software.
Once devices are infected, attackers can control the bots using one of two approaches. The traditional client/server approach involves setting up a command-and-control (C&C) server and sending commands to the infected clients over a communications protocol, such as internet relay chat (IRC) or HTTP. The bots are often programmed to remain dormant and await commands from the C&C server before initiating any malicious activities.
The other approach to controlling infected bots is a peer-to-peer network. Instead of a central C&C server, a peer-to-peer botnet distributes control across the bots themselves: each infected device keeps a list of other peers and contacts them to fetch updated commands or the latest version of the botnet malware, so there is no single server whose removal silences the botnet.
The peer-to-peer approach is more common today, as cybercriminals and hacker groups try to avoid detection by cybersecurity vendors and law enforcement agencies, which have often used C&C communications as a way to monitor for, locate and disrupt botnet operations.
Notable botnet attacks
The Zeus malware, first detected in 2007, is one of the best-known and widely used malware types in the history of information security.
Zeus uses a Trojan horse program to infect vulnerable devices and systems, and variants of this malware have been used for various purposes over the years, including to spread CryptoLocker ransomware.
Initially, Zeus, or Zbot, was used to harvest banking credentials and financial information from users of infected devices. Once the data was collected, attackers used the bots to send out spam and phishing emails that spread the Zeus Trojan to more prospective victims.
In 2009, cybersecurity vendor Damballa estimated Zeus had infected 3.6 million hosts. The following year, the FBI identified a group of Eastern European cybercriminals who were suspected to be behind the Zeus malware campaign; the FBI later made more than 100 arrests in the U.S. and Europe.
The Zeus botnet was repeatedly disrupted in 2010, when two internet service providers that were hosting the C&C servers for Zeus were shut down. However, new versions of the Zeus malware were later discovered.
The Srizbi botnet, which was first discovered in 2007, was, for a time, the largest botnet in the world. Srizbi, also known as the Ron Paul spam botnet, was responsible for a massive amount of email spam -- as much as 60 billion messages a day, accounting for roughly half of all email spam on the internet at the time. In 2007, the Srizbi botnet was used to send out political spam emails promoting then-U.S. presidential candidate Ron Paul.
The botnet used a Trojan to infect users' computers, which were then used to send out spam. Experts estimated that the Srizbi botnet included approximately 450,000 infected systems.
The cybercriminals behind Srizbi used San Jose, Calif.-based hosting provider McColo for the botnet's C&C infrastructure. The botnet's activity ceased when McColo, which was discovered to be hosting other botnet and spam operations, as well, was shut down in 2008.
Approximately a year after the original Zeus botnet was disrupted, a new version of the Zeus malware emerged, known as Gameover Zeus.
Instead of relying on a traditional, centralized C&C operation to control bots, Gameover Zeus used a peer-to-peer network approach, which initially made the botnet harder for law enforcement and security vendors to pinpoint and disrupt. As a fallback for when peers could not be reached, infected bots also used a domain generation algorithm (DGA) to find new rendezvous points.
The Gameover Zeus DGA produced a fresh set of domain names each day to serve as communication points for infected bots. Because the list is derived deterministically from the date and a seed built into the malware, every bot produces the same list; an infected device worked through the day's domains until it reached one that resolved and could issue new commands. Security firm Bitdefender reported two versions of Gameover Zeus, one of which generated 1,000 new domains and the other 10,000 new domains each day.
In 2014, international law enforcement agencies took part in Operation Tovar to temporarily disrupt Gameover Zeus by precomputing the domains the DGA would generate, registering them ahead of the cybercriminals, and redirecting bot traffic to government-controlled servers (sinkholes).
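The following is an added example, not part of the original article and not Gameover Zeus's real algorithm: a toy DGA whose seed, hash construction, TLD list and daily domain count are invented for illustration. It shows both halves of the rendezvous race described above: the bot walking the day's deterministic list until a domain resolves, and a defender who has extracted the seed precomputing the same list and taking the first unregistered slot so that bots reach the sinkhole before any attacker-controlled domain.

```python
"""Toy domain generation algorithm (DGA) plus the defender-side precomputation
that a sinkholing operation depends on.

Added illustration: the seed, hash construction, TLD list and daily domain
count are invented for this example and are NOT Gameover Zeus's algorithm.
"""
import hashlib

TLDS = ["com", "net", "org", "biz"]  # assumed TLD list for the toy DGA


def generate_domains(day, seed="toy-botnet", count=1000):
    """Return the `count` domains every bot tries on `day` (ISO string, e.g. "2014-05-30").

    The only inputs are the date and a seed hard-coded in the malware, so every
    bot, and any analyst who has extracted the seed, derives the same ordered list.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}:{day}:{i}".encode()).hexdigest()
        label = digest[:12]                       # hex chars are valid in a DNS label
        tld = TLDS[int(digest[12:14], 16) % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def bot_rendezvous(day, resolves):
    """Bot side: walk the day's list in order and stop at the first domain that
    resolves. `resolves` is a constructed dict standing in for DNS lookups."""
    for domain in generate_domains(day):
        if resolves.get(domain):
            return domain
    return None


def sinkhole_plan(day, attacker_registered):
    """Defender side: precompute the day's list and return the domains the
    attacker has not registered, earliest in bot order first. Registering the
    head of this list means bots reach the sinkhole before any attacker domain."""
    return [d for d in generate_domains(day) if d not in attacker_registered]


if __name__ == "__main__":
    day = "2014-05-30"
    todays = generate_domains(day)
    attacker = {todays[7]}                       # attacker managed to register one domain
    defender = sinkhole_plan(day, attacker)[0]   # defender takes the first free slot
    dns = {todays[7]: True, defender: True}      # constructed DNS state: both resolve
    print("bot contacts:", bot_rendezvous(day, dns))   # the defender's sinkhole wins
```

The race only works for the defender because the list is ordered and deterministic; this is also why a DGA that generates 10,000 domains a day is more expensive to sinkhole than one that generates 1,000, since the defender must register or block the whole list every day to be sure of winning.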
The FBI also offered a $3 million reward for Russian hacker Evgeniy Bogachev, who is accused of being the mastermind behind the Gameover Zeus botnet. Bogachev is still at large, and new variants of Gameover Zeus have since emerged.
An extensive cybercrime operation and ad fraud botnet known as Methbot was revealed in 2016 by cybersecurity services company White Ops. According to the company's researchers, Methbot was generating between $3 million and $5 million in fraudulent ad revenue daily at the time of the report by producing fraudulent clicks on online ads, as well as fake views of video advertisements.
Instead of infecting random consumer devices, the Methbot campaign ran on approximately 800 to 1,200 dedicated servers in data centers located in both the U.S. and the Netherlands. The campaign's operational infrastructure included 6,000 spoofed domains and more than 850,000 dedicated IP addresses, many of which were falsely registered as belonging to legitimate U.S.-based internet service providers.
Those servers could produce fake clicks and mouse movements, as well as forge social media account logins, to appear as legitimate users and fool conventional ad fraud detection techniques. In an effort to disrupt the monetization scheme for Methbot, White Ops published a list of the spoofed domains and fraudulent IP addresses to alert advertisers and enable them to block the addresses.
Several powerful, record-setting distributed denial-of-service (DDoS) attacks were observed in late 2016, and they were later traced to a new strain of malware known as Mirai. The DDoS traffic was produced by a variety of connected devices, such as wireless routers and CCTV cameras.
Mirai malware is designed to scan the internet for insecure connected devices, while also avoiding IP addresses belonging to major corporations, like Hewlett-Packard and government agencies, such as the U.S. Department of Defense.
Once it identifies a device with an exposed Telnet service, the malware tries to log in with a short list of factory-default usernames and passwords used by manufacturers (a few dozen pairs in the original code). This is a dictionary attack, not a true brute-force search of the password space, which is why it is fast and why changing a default password defeats it. Once a device is compromised, it reports to C&C infrastructure, and the operators can direct varying amounts of traffic from it toward a DDoS target.
Devices that have been infected are often still able to continue functioning normally, making it difficult to detect Mirai botnet activity from a specific device. For some internet of things (IoT) devices, such as digital video recorders, the factory password is hard coded in the device's firmware, and many devices cannot update their firmware over the internet.
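Because an infected device keeps working normally, the practical place to catch Mirai-style activity is the network: the one behavior every bot exhibits is the scanner itself, which fans out to many unrelated addresses on TCP 23 and 2323 in a short time. The following is an added example, not part of the original article, that runs that check over constructed flow records; the record layout, the 60-second window and the threshold of 20 distinct destinations are assumptions for illustration, not any vendor's log format or a published signature.

```python
"""Network-side detection of Mirai-style scanning: a host that opens Telnet
connections (TCP 23/2323) to many distinct destinations in a short window.

Added example over constructed flow records; the record layout, window and
threshold are assumptions, not any vendor's format or a published signature.
"""
from collections import defaultdict

TELNET_PORTS = {23, 2323}   # the two ports Mirai's scanner probed

# Constructed flow records: (timestamp_s, src_ip, dst_ip, dst_port, proto)
SAMPLE_FLOWS = (
    # a compromised DVR sweeping 25 addresses on 23/2323 within 25 seconds
    [(i, "10.0.0.5", f"198.51.100.{i}", 23 if i % 2 else 2323, "tcp") for i in range(25)]
    # an admin logging into two switches over Telnet, minutes apart
    + [(5, "10.0.0.9", "10.0.1.1", 23, "tcp"), (400, "10.0.0.9", "10.0.1.2", 23, "tcp")]
    # a crawler hitting 30 web servers: many destinations, but not Telnet
    + [(i, "10.0.0.7", f"192.0.2.{i}", 80, "tcp") for i in range(30)]
    # a slow Telnet sweep, one destination every 150 s, never 20 in one window
    + [(150 * i, "10.0.0.8", f"203.0.113.{i}", 23, "tcp") for i in range(25)]
)


def find_telnet_scanners(flows, window=60, min_distinct_dsts=20):
    """Return {src_ip: peak_distinct_destinations} for every source that reached
    at least `min_distinct_dsts` distinct hosts on Telnet ports within any
    `window`-second span. Distinct destinations, not connection count, is the
    signal: a scanner fans out, a legitimate client reconnects to the same box."""
    by_src = defaultdict(list)
    for ts, src, dst, port, proto in flows:
        if proto == "tcp" and port in TELNET_PORTS:
            by_src[src].append((ts, dst))

    suspects = {}
    for src, events in by_src.items():
        events.sort()
        live = defaultdict(int)   # dst -> hits inside the current window
        left = 0
        peak = 0
        for ts, dst in events:
            live[dst] += 1
            # slide the left edge forward until the window is at most `window` seconds wide
            while ts - events[left][0] > window:
                old_dst = events[left][1]
                live[old_dst] -= 1
                if live[old_dst] == 0:
                    del live[old_dst]
                left += 1
            peak = max(peak, len(live))
        if peak >= min_distinct_dsts:
            suspects[src] = peak
    return suspects


if __name__ == "__main__":
    for src, n in find_telnet_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: {n} distinct Telnet targets within 60 s, investigate")
```

Only the DVR is flagged: the admin touches two hosts, the crawler is not on a Telnet port, and the slow sweep never reaches the threshold inside one window (widening the window to an hour catches it too). Tune the window and threshold to your own baseline before alerting on this in production, and treat a hit as a reason to look for the device's outbound C&C connection, not as proof by itself.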
The Mirai source code was later released to the public, allowing anyone to use the malware to compose botnets leveraging poorly protected IoT devices.
Preventing botnet attacks
In the past, botnet attacks were disrupted by focusing on the command-and-control source. Law enforcement agencies and security vendors would trace the bots' communications to wherever the C&C servers were hosted, and then force the hosting or service provider to shut them down.
However, as botnet malware has become more sophisticated, and communications have become decentralized, takedown efforts have shifted away from targeting C&C infrastructures to other approaches. These approaches include identifying and removing botnet malware infections at the source devices, identifying and replicating the peer-to-peer communication methods and, in cases of ad fraud, disrupting the monetization schemes, rather than the technical infrastructures.
Preventing botnet attacks has been complicated by the emergence of malware like Mirai, which targets routers and internet of things devices that have weak or factory default passwords, and which can be easily compromised.
In addition, users may be unable to change the passwords for many IoT devices, which leaves them exposed to attacks. If the manufacturer cannot remotely update the devices' firmware to patch them or change their hardcoded passwords, then they may have to conduct a factory recall of the affected devices.