A botnet is a group of computers infected with malware to carry out cyber attacks. The term “botnet” is a portmanteau of “robot” and “network,” and describes the relationship of devices that become part of the botnet, also referred to individually as “bots.”
A botnet can consist of any number of different devices, such as computers, that have been infected with a particular malware. Once infected, a hacker can use these devices to orchestrate attacks. Some attacks make use of individual devices, while others coordinate attacks using several or all of the infected bots.
Attacks run in the background: the botnet malware does the work on the infected device without any visible application or interface. Because of this, a user is often unaware their device has been compromised and enrolled in a botnet. It also means a device can perform actions it was never meant to be capable of performing.
How does a botnet work?
Botnets predominantly make use of specific malware that allows a hacker, or bot herder, to command all the infected devices in the network. By using only a modest share of each device’s resources, such as memory, CPU time and disk I/O, these attacks can be made difficult for infected users to notice. However, many of these attacks require more computing resources than a hacker can gain from just one infected device, which is why attackers aim to infect many devices in order to accomplish the intended outcome of the attack.
Devices infected by a botnet attack are sometimes referred to as computer zombies since they are now under the control of a bot herder and will follow their commands. The bot herder often has access to low-level system functions, and can use devices to perform several botnet attacks. These can include spreading malware that increases a botnet’s reach, overloading a system’s resources to affect performance and availability, and stealing secure data.
What types of devices can be affected?
Any internet-connected device has the potential to become part of a botnet. Traditionally, botnets were associated with computers and cell phones, but the reach of bot herders continues to grow. Each year, more smart devices gain network functionality and essentially become part of the Internet of Things (IoT) network, which puts them at potential risk of malware infection.
According to Microsoft’s Digital Defense Report 2022, IoT devices may be more vulnerable to cyber attacks since their security is generally less likely to be up to date, or to offer protection as robust as that of more tightly scrutinized devices.
Still, any internet-connected device has the potential to become part of a botnet, so understanding how infections occur, how to recognize an attack, and what to do if one is discovered are important things to keep in mind.
How does an attacker control a botnet?
A hacker usually uses a command and control server to issue instructions to the bots in a botnet. This is how the infected computers learn which attack to perform. Commands are issued over a network protocol such as IRC or HTTP. These established methods of communication allow hackers to easily orchestrate multiple devices and issue commands.
- Centralized botnet attacks: In this model, the bot herder uses the command and control server to communicate with each computer zombie. However, this approach carries risk for the attacker, since a single point of control makes it easier to trace attacks back to the initial bot herder.
- Decentralized botnet attacks: In a decentralized, or peer-to-peer (P2P), approach, all of the computer zombies are in communication with each other. This means that the bot herder can issue instructions to any one of the bots, and the instructions will spread among the entire botnet. This approach then can make it harder to trace the device that initially issued the commands.
Both approaches still require an initial command from a bot herder, and they both can result in the same types of attacks. However, the approach can have an impact on the efficiency and scalability of a botnet.
The larger a botnet, the harder it is to connect to each bot to issue new instructions. A decentralized approach is also generally harder to shut down, since disrupting it takes more than reaching a single command and control server.
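Whichever model is used, a bot has to check in with its controller (or its peers) to receive commands, and those check-ins tend to be far more regular than human-driven traffic. The following script is an added example for defenders, not code from the original article: it reads connection records in a hypothetical "<timestamp> <src> -> <dst>:<port>" format, constructed here with documentation-range IP addresses, and flags destination pairs whose inter-connection intervals are suspiciously regular (low jitter), which is the classic beaconing signature of bot-to-controller traffic.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log (hypothetical format; addresses are documentation ranges).
# 10.0.0.5 talks to 203.0.113.10 almost exactly every 60 seconds (a beacon),
# and to 198.51.100.20 at irregular, human-looking intervals.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 -> 203.0.113.10:443
2024-05-01T10:00:07 10.0.0.5 -> 198.51.100.20:443
2024-05-01T10:01:00 10.0.0.5 -> 203.0.113.10:443
2024-05-01T10:01:31 10.0.0.5 -> 198.51.100.20:443
2024-05-01T10:02:01 10.0.0.5 -> 203.0.113.10:443
2024-05-01T10:02:05 10.0.0.5 -> 198.51.100.20:443
2024-05-01T10:02:59 10.0.0.5 -> 203.0.113.10:443
2024-05-01T10:03:45 10.0.0.5 -> 198.51.100.20:443
2024-05-01T10:04:00 10.0.0.5 -> 203.0.113.10:443
2024-05-01T10:05:00 10.0.0.5 -> 203.0.113.10:443
2024-05-01T10:07:12 10.0.0.5 -> 198.51.100.20:443
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)$")


def parse_connections(text):
    """Group connection timestamps by (source, destination, port)."""
    conns = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        ts = datetime.fromisoformat(m.group(1))
        conns[(m.group(2), m.group(3), int(m.group(4)))].append(ts)
    return conns


def find_beacons(text, min_conns=5, max_cv=0.2):
    """Flag (src, dst, port) tuples with at least min_conns connections whose
    inter-arrival intervals have a coefficient of variation (stdev / mean)
    at or below max_cv. Human traffic is bursty; bot check-ins are periodic."""
    findings = []
    for (src, dst, port), times in parse_connections(text).items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.stdev(gaps) / mean
        if cv <= max_cv:
            findings.append({
                "src": src, "dst": dst, "port": port,
                "mean_interval_s": round(mean, 1),
                "jitter_cv": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"beacon: {f['src']} -> {f['dst']}:{f['port']} "
              f"every ~{f['mean_interval_s']}s (cv={f['jitter_cv']})")
```

The jitter threshold is the tunable part: real bot herders add randomized sleep to their check-in interval, so a practitioner would also look at fan-out (a host that suddenly beacons to many peers is a hint of the peer-to-peer model described above) rather than relying on regularity alone.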
How are zombies in a botnet used?
How a zombie is used depends on the bot herder and their goals. However, each botnet attack usually begins with the hacker creating an army of zombies. The way each device becomes infected varies as well, but the initial infection typically stems from the use of malware.
Once infected and able to receive instructions, a zombie lies in wait. In many cases, users can still access these devices with little issue. However, once a bot herder issues a command, that device becomes an unwitting participant in a botnet attack, which can take on several forms.
What is a botnet attack?
A botnet attack is a cyberattack made through the use of a botnet. Because the actual attack is carried out remotely by bots rather than the hacker, these attacks generally afford the criminal relative anonymity. Depending on the sophistication and nature of the attack, it can be difficult to trace a botnet attack’s origins.
Botnet attacks can also expand the potential power of a hacker. Making use of the combined efforts of multiple devices, the bot herder can have increased access to resources that go beyond what could be done on a single machine. This includes coordinated attacks, mass emailing strategies, and the collection of information from a multitude of sources.
Botnet attacks can have a variety of ultimate goals and approaches. Some target the information contained on the bot device, and some use the bots to create further damage. However, each type of botnet attack is similar in its use of an innocent user’s device without that user’s consent.
Spamming and phishing
A botnet can be used as a source for a spamming or phishing campaign. Computers in a botnet could be forced by a hacker to send mass amounts of emails, making it difficult to trace the initial source of the operation. Hackers can pose as a figure of authority, such as a boss, or a member of the IT department, to seem legitimate when they ask recipients for private information. This use of social engineering to gain access can also make it harder to trace, since data is essentially volunteered, rather than stolen through an external malicious attack.
These emails are often sent in attempts to victimize more people, either to gain account access or install malware. A spam campaign from a botnet can even be used to propagate the malware that turns a device into a bot.
Sniffing and keylogging
A keylogger is a type of cyberattack that monitors a user’s keystrokes and records a log through the use of artificial intelligence (AI). Since AI can identify patterns in the logged information, it can help an attacker easily gain access to passwords and other personal information.
A packet sniffer similarly monitors and logs data. However, rather than recording a user’s local inputs, it monitors packets or pieces of data sent over a network. These packets contain the information sent and received by a computer, so illegally intercepting them can give hackers access to all kinds of information.
Performing these attacks through a botnet gives hackers a wide range of logged data from devices in their botnet. This can give them deeper access to things like email addresses, bank accounts and more.
Account takeover
Taking over an account is a common end goal for many types of botnet attacks. Once a hacker gains access to an account, they can usually use the information stored within it in several ways: to obtain further private information, steal funds or sell it to a third party.
They could even use the information to lock users out and hold accounts for ransom. Hackers make use of several techniques to achieve an account takeover, including social engineering, phishing, ransomware, sniffing and keylogging—all of which can be made easier through botnet attacks.
Distributed denial of service (DDoS) attacks
A distributed denial of service (DDoS) attack is when an attacker overwhelms a computer network, server or system with repeated traffic. Through the use of a botnet, a cybercriminal can use the combined efforts of many individual computers to inundate a service, server or network, using up available network and processing bandwidth, with the ultimate goal of “denying service.”
These attacks can have a range of effects from slowing down a site’s performance, to crashing a server indefinitely. DDoS attacks are often used to apply pressure on a specific target, such as a company, website, or organization.
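What makes the attack "distributed" matters to the defender: a flood from one address can be blocked at that address, while the same volume spread over hundreds of bots cannot. The script below is an added example, not code from the original article. It builds a constructed access log in a hypothetical "<timestamp> <client ip> <path>" format (30 seconds of light traffic followed by 40 bot sources sending two requests each in the same second), buckets requests into fixed windows and, for every window over the request budget, reports how many distinct sources produced it and how large a share the busiest single source had. That last figure is what tells you whether per-IP blocking would help at all.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def build_sample_access_log():
    """Constructed sample (hypothetical format "<ISO timestamp> <client ip> <path>"):
    ten normal requests three seconds apart from three internal hosts, then
    40 bot sources (documentation range) each sending two requests at +30s."""
    base = datetime(2024, 5, 1, 12, 0, 0)
    lines = [f"{(base + timedelta(seconds=3 * i)).isoformat()} 10.0.0.{i % 3 + 1} /index.html"
             for i in range(10)]
    burst = (base + timedelta(seconds=30)).isoformat()
    for i in range(40):
        lines += [f"{burst} 203.0.113.{i + 1} /search?q=x"] * 2
    return "\n".join(lines)


def find_floods(text, window_s=5, max_requests=20):
    """Bucket requests into window_s-second windows counted from the first
    request and return every window whose request count exceeds max_requests,
    with the number of distinct sources and the busiest source's share."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # ignore malformed lines
        events.append((datetime.fromisoformat(parts[0]), parts[1]))
    if not events:
        return []
    t0 = min(ts for ts, _ in events)
    buckets = defaultdict(list)  # window index -> list of source IPs
    for ts, ip in events:
        buckets[int((ts - t0).total_seconds()) // window_s].append(ip)

    alerts = []
    for idx in sorted(buckets):
        sources = buckets[idx]
        if len(sources) <= max_requests:
            continue
        _top_ip, top_n = Counter(sources).most_common(1)[0]
        alerts.append({
            "window_start": (t0 + timedelta(seconds=idx * window_s)).isoformat(),
            "requests": len(sources),
            "distinct_sources": len(set(sources)),
            # Near 1.0: one noisy client, block it. Near 0: distributed, needs
            # upstream filtering or rate limiting by behaviour, not by address.
            "top_source_share": round(top_n / len(sources), 2),
        })
    return alerts


if __name__ == "__main__":
    for a in find_floods(build_sample_access_log()):
        print(a)
```

On the constructed log the single flagged window holds 80 requests from 40 distinct sources, with no source above a few percent of the total, which is exactly the profile that makes botnet-driven DDoS hard to stop with address-based blocking alone.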
Brute force attacks
A brute force attack is a repeated attempt to submit passwords until the correct one is discovered. Using a botnet, a hacker can systematically try hundreds or thousands of different passwords until they guess the right one. Once inside, they usually are able to gain access to whatever was locked within the account.
Through brute force botnet attacks, a cybercriminal can access personal information, bank accounts, and other private data. The hacker can then use this information themselves, leverage the information to hold an account ransom or sell it to a third party.
Credential stuffing
Credential stuffing involves using stolen credentials, often obtained through a previous breach or purchased on the dark web, to gain access to users’ other online accounts. Because many people reuse the same credentials across many sites, cybercriminals hope that the usernames and passwords they obtained for one website or portal will work somewhere else. To that end, they automate botnets to try the stolen credentials against many websites across the internet.
Botnets can also make the attack difficult for the targeted website to detect and block, since the attempts arrive from many devices and the bots can be made to simulate human behavior, such as clicking links or filling out forms.
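The two login attacks above leave different traces. A single-source brute force trips any per-IP failure threshold; credential stuffing spread over a botnet stays under that threshold on every address and is only visible when you look across sources and accounts together. The script below is an added example, not code from the original article: it reads a constructed authentication log in a hypothetical "<timestamp> <username> <client ip> <FAIL|SUCCESS>" format and applies both checks, so you can see the brute force being caught by the per-IP rule and the distributed campaign being caught only by the cross-source rule.

```python
from collections import Counter, defaultdict

# Constructed sample (hypothetical format; addresses are documentation ranges).
# 198.51.100.7 hammers one account; 203.0.113.1-7 each try one different
# account once; 10.0.0.9 is a user who mistypes once and then succeeds.
SAMPLE_AUTH_LOG = """\
2024-05-01T09:00:01 alice 198.51.100.7 FAIL
2024-05-01T09:00:02 alice 198.51.100.7 FAIL
2024-05-01T09:00:03 alice 198.51.100.7 FAIL
2024-05-01T09:00:04 alice 198.51.100.7 FAIL
2024-05-01T09:00:05 alice 198.51.100.7 FAIL
2024-05-01T09:00:06 alice 198.51.100.7 FAIL
2024-05-01T09:00:10 bob 203.0.113.1 FAIL
2024-05-01T09:00:11 carol 203.0.113.2 FAIL
2024-05-01T09:00:12 dave 203.0.113.3 FAIL
2024-05-01T09:00:13 erin 203.0.113.4 FAIL
2024-05-01T09:00:14 frank 203.0.113.5 FAIL
2024-05-01T09:00:15 grace 203.0.113.6 SUCCESS
2024-05-01T09:00:16 heidi 203.0.113.7 FAIL
2024-05-01T09:00:20 ivan 10.0.0.9 FAIL
2024-05-01T09:00:25 ivan 10.0.0.9 SUCCESS
"""


def detect_login_abuse(text, per_ip_limit=5, distributed_threshold=6):
    """Return brute-force sources (per-IP failure count >= per_ip_limit) and a
    verdict on distributed credential stuffing: many sources that each stay
    below the per-IP limit while collectively hitting many distinct accounts."""
    failures_by_ip = Counter()
    accounts_tried = defaultdict(set)  # ip -> accounts it attempted
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # ignore malformed lines
        _ts, user, ip, result = parts
        accounts_tried[ip].add(user)
        if result == "FAIL":
            failures_by_ip[ip] += 1

    # Classic rule: one address, many failures.
    brute_force_ips = sorted(ip for ip, n in failures_by_ip.items() if n >= per_ip_limit)

    # Low-and-slow sources: failed at least once but never tripped the per-IP rule.
    quiet_ips = [ip for ip, n in failures_by_ip.items() if n < per_ip_limit]
    quiet_accounts = set().union(*(accounts_tried[ip] for ip in quiet_ips)) if quiet_ips else set()
    # Many distinct quiet sources spread over many distinct accounts is the
    # fingerprint of a stolen credential list being replayed through a botnet.
    stuffing = (len(quiet_ips) >= distributed_threshold
                and len(quiet_accounts) >= distributed_threshold)

    return {
        "brute_force_ips": brute_force_ips,
        "quiet_failing_ips": len(quiet_ips),
        "accounts_hit_by_quiet_ips": len(quiet_accounts),
        "credential_stuffing_suspected": stuffing,
    }


if __name__ == "__main__":
    print(detect_login_abuse(SAMPLE_AUTH_LOG))
```

The thresholds are deliberately simple; in production the cross-source rule is evaluated over a sliding time window and baselined against the site's normal failure rate, and successful logins inside the same burst (grace's, in the sample) are the ones to review first, since those are the credentials that actually matched.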
Cryptocurrency mining
Cryptocurrency is mined via the solution of complex math equations that require a significant amount of computing power. Attackers may use malware to take over others’ devices, so they can harness the power of those devices to mine cryptocurrency.
If an attacker can plant malicious code that runs in the background and uses your computing resources for crypto mining, they are essentially using your computer to make money for themselves. The obstacle for this scheme is the computing power mentioned above: one infected machine is far too inefficient at crypto mining on its own, and would likely drain so many system resources that the computer’s user notices the malware’s presence.
Instead, cybercriminals can use small amounts of computing power across a large botnet—so small, in fact, that a single individual may not notice their device is being used. Nevertheless, performance can still be affected negatively, and there’s no telling what else the malware could be programmed to seek out or destroy.
How to tell if your computer is part of a botnet
Determining whether your device is part of a botnet can be difficult. By design, botnet malware takes efforts to stay hidden, both from the user and from system processes that check for malicious software.
Sometimes, it is possible to monitor system usage and find your computer is under more stress than it should be. This could be an indication of botnet malware infection. By the time you realize you have been infected, some of your private data may have already been stolen. Because of this, it is best to try and take efforts to avoid infection in the first place.