What is a botnet?


We first learned about botnets in 2000, when a Canadian teenager introducing himself as Mafiaboy attacked several well-known websites using the distributed denial of service method. His victims included: Yahoo, ETrade, Dell, eBay, Amazon; the servers of these portals were flooded with enormous amounts of fake traffic, and as a result they stopped working. Although Mafiaboy, whose real name is Michael Calce, did not use a botnet for his attacks, security experts began to warn after the incident that botnets – large networks of computers infected with the malware – and the DDoS attacks they are used for pose a serious threat to stability and the integrity of the internet. It turned out that they were right.

Definition of a botnet

A botnet is a group of compromised computers that are controlled remotely. One or several people may be the author of the botnet; they infect victims' computers with a malicious program. The individual computers that make up a botnet are often referred to as „bots” or „zombie computers”. A botnet does not have to have a specific number of computers: smaller ones may be hundreds or thousands of infected machines, and larger ones – even millions. Known botnets include, for example: Mirai, Conficker, Zeus, Waledac, Mariposa and Kelihos. The botnet is often treated as a whole. Sometimes, however, malware authors sell their products – this was the case with the Zeus threat, for example. Therefore, it may happen that the same malicious program can be used by dozens of separate botnets simultaneously.

The method of infection

To join computers to a botnet, attackers usually use one of two methods: drive-by download or email attack. In order to carry out an infection using the drive-by download method, the attacker has to find a popular website with a exploitable vulnerability. Then he has to put his own code on the website which uses the given vulnerability in the browser, eg Google Chrome or Internet Explorer. Typically, the code is designed to redirect the browser user to a site controlled by the attacker, from which the bot code will be downloaded and installed. The e-mail infection vector is much simpler. The attacker sends a large batch of spam and the messages contain a specific file, e.g. a Word or PDF document with malicious code or a link to a page where the malicious code is located. In both cases, once the prepared code is on the victim’s computer, it becomes part of the botnet. From now on, the attacker can command the computer remotely, transfer data from it, download new components on it, and generally do whatever he wants with it.

What botnets are used for

Botnets are most often used in DDoS attacks. They use the computing power and bandwidth of hundreds or thousands of computers to send enormous amounts of traffic to a specific site in order to block it. Even though there are many varieties of DDoS attacks, their purpose remains the same: to block the site from functioning. In this way, for example, competition can be harmed, although there are also known cases of paralyzing Internet portals such as Yahoo or MSN, online stores or online banking sites, as well as government sites. Groups such as Anonymous and LulzSec use DDoS attacks against security companies, banks, and other organizations, while cybercriminals use them against banking websites, which is usually a cover for a larger attack. Botnets are also used for many other activities: they allow spammers to send millions of fake e-mails from infected computers, and cybercriminals use them in fraudulent credit card transactions.

How to protect yourself from them

There are many ways to protect yourself from DDoS attacks that botnets use. Almost all of them involve the internet provider or server. For users, preventing a device from integrating into a botnet is by regularly updating software, applying patches, and avoiding clicking on suspicious links. Attackers often take advantage of the naivety of users by opening suspicious attachments or clicking all links, thus infecting their computer with malware. When users treat unknown links and attachments more carefully, it will make it much more difficult for attackers to build and use botnets.