This blog post is meant to be an introductory level to understanding botnets. Thousands of resources are out there explaining what botnets are, but this one is different because i wrote it. And with the aim of keeping it as simple as possible.
What are botnets and why should we care?
Botnets (zombie computers) are a collection of infected machines over the internet which are coordinated by a centralized server, referred to as a command and control (CnC) server. Botnets are fully automated, hence the term BOTnet. They have been in existence for years and have been successfully used by black hat hackers for as long as i can remember. A good example of a worthy malware that was used to raise armies of botnets across the globe was the Zeus malware. With ‘was’ being because most antivirus software detect it and its variants. However, hackers have become more creative and intelligent. They reverse engineer and include polymorphic code that enable antivirus evasion, passing off as ‘clean’.
Some well known bot communication mechanisms
Older bots use the conventional client-server model, where the herds (clients) send a ping to the CnC (server) to make sure it is up and running. Once it affirms server is up, it waits for incoming commands. The clients execute the issued commands/ instructions and report back to the server. The newer models however, use peer-to-peer networks to operate rather than a central server to reduce the risks of having a single point of failure.
Some common botnets include Gameover ZeuS and ZeroAccess .
How are users infected?
Usually, all users are innocent over the web. With little or no knowledge about online safety. This is joy to the heart of every attacker as it increases chances of a successful breach to almost 100%. Bots released by hackers spread across the internet looking to infect victim machines and make them part of the zombie army. An imminent part of an army can be infected in any of two ways:
- Actively – This involves no user intervention. If a machine infected by a bot, then the bot’s binaries may contain pre-coded mechanisms to find other potential victims on the internet by scanning for machines with known vulnerabilities to exploit. Unpatched machines usually fall under this category. If smart coding is done, users will have no idea what just happened. This is basically the beginning of the end of your computer’s freedom.
- Passively – This involves some degree of user intervention. A good example may be drive-by-download mechanisms. A user visiting a site is sees some popups saying his antivirus is outdated or a new malware removal tool is available for download. The user downloads the file and installs it. That’s it. All done. Infected, you are! These kind of attacks are made possible by sites running JavaScript or Active X controls. Email attachments, USB sticks may also be viable vectors of malware delivery to spread bots.
Once the machine is infected, it is not part of the botnet yet. It needs to locate the CnC server and establish a connection first. This may be an IP address or a domain name hard coded into the bot binary. It may also do this by obtaining a seed list of other IP addresses of infected machines that know how to communicate with the CnC server. Once this is established, the machine is now part of the zombie army ready to be commanded.
Why raise an army of botnets?
For an attacker, there lies a level of joy in making sure all tasks are automated. Attackers have to minimize individual work load and reduce the number of clicks from their end, while still increasing efficiency and their chances of success. This is done by infecting hundreds of thousands if not millions of computers over the internet. The major strengths of botnets lies in the fact that there is more than efficient distributed computational power and storage, and the delegation of responsibilities available to a CnC server. Like having more than one computer in different parts of the world. Botnets can be used to perform CPU intensive tasks like bitcoin mining or brute-forcing passwords that would take an attacker months on their own private machines. They can also be used as pivot points while attacking open networks, camouflaging the actual perpetrator.
This however does not come easy. For attackers to keep an increasing number of successful infections, they must showcase exceptional skills in the art of persistence. This means that the access to the victims should remain intact and not be detected. Exhibiting the perfect stealth. If a user becomes aware that their machine has been infected, they might reinstall the operating system or take effective measures to clean it up, and this will not play out well for the attacker. To counter this, attackers author malware that evades antivirus software to avoid detection and stay that way for the longest period of time. Once infected, a machine is completely under the attacker’s control and the extent of damage is limitless.
Attackers can be able to perform the following actions on victim machines:
- Steal personal information from victims. These includes, but not limited to: credentials to social media websites, credit card information fed to online banking portals
- Steal data and documents
- DDoS attacks to servers
- Send spam emails
- Distributed computing for password cracking or solving captures etc.
Are other devices affected as well?
Yes. Other devices as well. Phones are no exceptions. Users are tricked into installing malware into there phones. These malware pose as legitimate software (Trojans) often found in third party application stores. The infected devices are even more promising for the bot master when they are rooted(android) or jail-broken (iOS) which means more and better control. From here, attackers control actions of the devices from their CnC servers. Some of these mobile phone bots include GM bot, DroidJack, and Dendroid that are all available for purchase on the net.
Infected devices can allow attackers to: make calls, send text messages, record video and audio, steal user data, open unwanted web pages etc. Again, this is completely under the control of the web master.
IoT devices are also not safe from attacks. A malware known as Mirai has been the subject of discussion among the infosec community ever since September last year when infected devices launched a massive DDoS against a respected security researcher’s blog, Krebsonsecurity. The anatomy of the malware is quite amazing. The source code was made publicly available. Mirai works by exploiting weak security implementations in IoT devices. They scan for these devices that have default configurations or hardcoded credentials in the firmware, for example. These IoT devices later connect back to the CnC server and await command, like the bots they have become.
How do i know i am infected?
For mobile devices, there may be newly installed or removed applications,calls and text messages being sent without you consent, device becoming slow and extreme data usage beyond normal may be signs that you are infected. If this is the case, the best solution may be to wipe the phone and restore factory settings. Flashing the phone with the stock ROM may be another better option.
For Computers, anti-malware tools are a good start. But they only detect known threats. Bots are custom coded and may be harder to detect. But one thing remains clear, they communicate to an external server and receive commands on a regular basis. This makes it possibly for expert analysis to detect by analyzing traffic. Bot-hunters can also be used and passively listen to internet traffic through an infected machine and store logs. The logs can be analyzed to determine breach. The remediation would be shutting down detected CnC servers or preventing communication to them by blacklisting their IPs. A combination of malware removal tools can then be used to clean the PC.
I hope this gives a general overview of understanding botnets.