Botnets are the source of powerful attacks that are hard to shut down, and they threaten both the users whose machines they infect and Internet users whose machines are untouched.
Although the reported figures are unreliable, the botnets dismantled over the past ten years were counted in the tens or even hundreds of thousands of infected devices, and some, like Gameover ZeuS and Necurs, passed the million mark. But what exactly are they? And how are they dangerous?
What is a botnet?
A contraction of “robot network”, a botnet is a network of computer robots. More specifically, it is a set of machines compromised by attackers and controllable remotely. These infected devices are all connected to one another within the same network, which lets the attackers mount large-scale attacks by pooling their resources (DDoS attacks, spam campaigns, brute force, etc.). Today, a botnet can consist of PCs, smartphones, or any other connected object such as a smart TV, a watch, a weather station or a fridge.
However, botnets have not always had a bad reputation. Initially, the term referred to networks of IRC bots that were assigned tasks such as the automated management of chat channels.
Although useful and legitimate botnets still exist (web indexing, for example), the term is today associated with malicious networks that are difficult to neutralize and that it is better to guard against.
How does a botnet work?
It all starts with the infection. It could be malware hidden in an email attachment, a Trojan horse, a security vulnerability exploited in software or a browser, or a file downloaded via peer-to-peer. In any case, the infection phase usually goes unnoticed by the user.
Once installed on the machine, the malicious code proceeds to the activation phase and creates a backdoor. The device joins the network and can now be controlled remotely. There are two possible architectures: either the infected device responds only to commands from the botnet’s operator (a central control server), or it can take its orders from other infected machines in the botnet (a decentralized, peer-to-peer network).
In the first case, taking down the easily identified control center is enough to bring down the whole botnet. Because it is so easy to stop, this pattern hardly exists today.
In the second, the orders originate from the attacker’s system but are relayed by infected devices in the network. Identifying the master source within a fleet of thousands of machines is then much more complicated, which gives the botnet a longer lifespan.
Finally, a botnet is only viable while it has enough machines, and the bigger it gets, the more powerful, efficient and difficult to neutralize it becomes. It most often spreads through already infected machines, which in turn distribute the malware or scan their own network for a vulnerability or an existing backdoor.
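A defender’s counterpart to the centralized architecture described above: a bot that only takes orders from a central control server usually polls it on a fixed timer, so its connections to that one destination are spaced almost evenly, unlike human browsing. The following script is an added example (not part of the original article); it assumes a constructed proxy log in the form “epoch source destination”, and the host names c2.example and news.example are hypothetical.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log, one connection per line:
# "<epoch> <src_ip> <dst_host>". Host 10.0.0.5 polls the
# hypothetical control server c2.example about every 60 s;
# host 10.0.0.7 browses a news site at irregular intervals.
SAMPLE_LOG = """\
1700000000 10.0.0.5 c2.example
1700000060 10.0.0.5 c2.example
1700000121 10.0.0.5 c2.example
1700000180 10.0.0.5 c2.example
1700000240 10.0.0.5 c2.example
1700000301 10.0.0.5 c2.example
1700000000 10.0.0.7 news.example
1700000015 10.0.0.7 news.example
1700000200 10.0.0.7 news.example
1700000230 10.0.0.7 news.example
1700000600 10.0.0.7 news.example
1700000605 10.0.0.7 news.example
"""

def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    conns = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        conns[(src, dst)].append(int(ts))
    return conns

def find_beacons(text, min_hits=5, max_cv=0.1):
    """Return (src, dst, mean_gap) for pairs whose gaps between
    consecutive connections are nearly constant, i.e. whose
    coefficient of variation (stdev / mean) is below max_cv."""
    hits = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_cv:
            hits.append((src, dst, round(avg, 1)))
    return hits

if __name__ == "__main__":
    for src, dst, gap in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst} every ~{gap}s")
```

The thresholds (five connections, 10 % variation) are arbitrary starting points; real bots add jitter, so a looser max_cv and a longer observation window are needed in practice.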
What are the risks of botnets?
Botnets are dangerous on two levels: for those whose machines have been infected, and for everyone else.
When a device is part of a botnet, its computing power is constantly put to the service of actions ordered by the botnet’s owner (cryptojacking, for example). As a result, the device slows down. These slowdowns, however, are rarely severe enough to arouse the user’s suspicion: one of the strengths of a botnet is that, despite its continual demand on resources, it stays discreet.
However, the real targets of a botnet are not so much the zombie machines as the rest of the connected users. By concentrating the resources of many devices, botmasters generally seek to carry out DDoS attacks (most often by flooding the network and servers), to run brute-force operations (finding a password by trying all possible combinations) and to organize large spam campaigns.
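The brute-force operations mentioned above look different when a botnet runs them: instead of one address hammering a login service, thousands of bots each try a few guesses, so a per-IP lockout never fires. The script below is an added example (not from the original article) that checks both patterns over a constructed auth log; the log format, the account names and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed auth log, one event per line:
# "<epoch> <OK|FAIL> user=<name> ip=<addr>".
# alice: one failure each from six different addresses (distributed).
# bob:   five failures from a single address (classic brute force).
# carol: one typo, then a successful login (benign).
SAMPLE_AUTH = """\
1700000000 FAIL user=alice ip=203.0.113.10
1700000003 FAIL user=alice ip=203.0.113.11
1700000007 FAIL user=alice ip=203.0.113.12
1700000010 FAIL user=alice ip=203.0.113.13
1700000014 FAIL user=alice ip=203.0.113.14
1700000019 FAIL user=alice ip=203.0.113.15
1700000002 FAIL user=bob ip=198.51.100.7
1700000004 FAIL user=bob ip=198.51.100.7
1700000006 FAIL user=bob ip=198.51.100.7
1700000008 FAIL user=bob ip=198.51.100.7
1700000010 FAIL user=bob ip=198.51.100.7
1700000020 FAIL user=carol ip=192.0.2.9
1700000025 OK user=carol ip=192.0.2.9
"""

def failed_logins(text):
    """Yield (user, ip) for every FAIL event in the log."""
    for line in text.splitlines():
        _ts, result, user, ip = line.split()
        if result == "FAIL":
            yield user.split("=", 1)[1], ip.split("=", 1)[1]

def detect_bruteforce(text, per_ip=5, per_user_sources=5):
    """Return addresses with >= per_ip failures ("single_source") and
    accounts hit from >= per_user_sources distinct addresses ("distributed"),
    the latter catching guesses spread so thin that no per-IP lockout fires."""
    fails_by_ip = defaultdict(int)
    sources_by_user = defaultdict(set)
    for user, ip in failed_logins(text):
        fails_by_ip[ip] += 1
        sources_by_user[user].add(ip)
    return {
        "single_source": sorted(ip for ip, n in fails_by_ip.items() if n >= per_ip),
        "distributed": sorted(u for u, s in sources_by_user.items()
                              if len(s) >= per_user_sources),
    }

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_AUTH))
```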
How to protect yourself from this?
You cannot prevent attacks orchestrated by a botnet from being launched, but you can limit their consequences, for example by changing your passwords regularly. Businesses exposed to DDoS attacks can also review their architecture, spread the entry points to their services across multiple servers, and set up a buffer server in front of them.
It is, however, perfectly possible to protect yourself against the infection that turns a connected device into a botnet’s zombie soldier. The first thing to do is to always install the latest software and system updates available from the publisher’s official website. Second, never download and open an attachment or click on a link from a suspicious email. In general, we strongly recommend scanning every file you download for malware (via VirusTotal, for example), whether it comes from an unknown or a known source.
Well-known antivirus products such as Avast or Kaspersky are generally effective at detecting malicious software and scripts. However, the malicious code distributed as a botnet spreads can change its signature and slip under the radar of even the most capable anti-malware. It is therefore necessary to apply antivirus updates as quickly as possible, so that the updated antivirus has a chance to detect the malware before the malware itself updates.
Finally, using a VPN guarantees the security of those who would otherwise be collateral victims of a brute-force attack or any other attack aimed at siphoning off personal data. By encrypting connection and request data locally and passing it through an encrypted tunnel to its servers, the VPN prevents the source from being identified and the transmitted data from being read in the clear. It is a simple and often inexpensive measure compared with the consequences that the resale of banking data and login credentials on the dark web could have.