What Is a Botnet?

The widespread adoption of broadband technologies has dramatically increased the ability of botnets to launch denial-of-service attacks and to infect millions of computers with spyware and other malicious code.

What Should You Know About Botnets?

Over the past several decades, the world has seen tremendous growth in the Internet and applications based on it. The use of the Internet is becoming an integral part of our lives. It certainly provides a high level of convenience, but the growing dependence on the Internet poses a number of major security challenges. Thus, Internet security is becoming increasingly relevant for those who use the Internet for work, business, education, or entertainment.

Most attacks and fraudulent activities on the Internet are carried out using malicious software, which includes viruses, Trojans, worms, spyware, and botnets. Malicious software has become the main source of most malicious activity on the Internet. Traditionally, botnet detection has been done through passive monitoring and analysis of network traffic.

Botnet detection approaches are distinguished by whether they search for signatures or for anomalies in traffic. Less popular are approaches that use DNS traffic analysis or trap hosts. The main disadvantage of existing botnet detection solutions is that they do not take into account the relationship between the multi-agent nature of botnets and the stages of their life cycle. As a result, the detection is partial, and it is not possible to block the botnet’s activity.

Botnets are the main threat to Internet security today. A botnet attack is easy to order, and hackers find and exploit new vulnerabilities at an unprecedented rate. Typically, one botnet consists of tens of thousands of computers. Botnets are difficult to detect because their topology is dynamic in nature, which lets them bypass the most common defenses.

Information security teams need to take measures to prevent infection of corporate computers and protect corporate resources from attacks using botnets. So how does a botnet come about? This white paper discusses the typical life cycle of a botnet, the types of botnet attacks, and the most effective methods for detecting and fighting botnets.

How Are Botnet Networks Created?

The creation of a botnet proceeds as follows:

  1. A special program, a bot (for example, IRCBot, SGBot, or AgoBot), with embedded malicious code is downloaded onto the computer of an unsuspecting user who opened an infected email attachment or downloaded malicious files or free software from a file-sharing network or from a malicious website.
  2. Once the program and its malicious code are installed, the infected computer connects to the server that the attacker has configured as a control system for transmitting commands to the botnet.
  3. A public IRC server is often used as the control system, but compromised servers can also transmit commands using HTTPS, SMTP, TCP, and UDP protocols. Control systems are not tied to a single node and are often moved between nodes to prevent detection; they run on computers (and connections to them are made through proxy servers) that do not belong to the attacker controlling the network.

Using the control system, an attacker can periodically inject new malicious code into the program installed on the botnet computers. The control system can also be used to modify the code of the malware itself, either to prevent it from being detected by signatures or to implement new commands and attack vectors. However, the top priority for an attacker running a botnet is to expand the botnet itself. Each botnet node searches for and infects vulnerable computers.
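The anomaly-based detection mentioned earlier can account for the multi-agent nature of a botnet by correlating check-ins to a control system across hosts. The sketch below is an added example, not part of the original paper: the flow records are constructed, and the function names and thresholds (`min_events`, `max_cv`, `min_hosts`) are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (epoch_seconds, internal_src, dst_ip, dst_port).
# Addresses come from documentation ranges (RFC 5737); nothing here is real traffic.
def sample_flows():
    flows = []
    # Three hosts check in with the same destination roughly every 300 s (small jitter).
    for host, offset in (("10.0.0.11", 0), ("10.0.0.12", 40), ("10.0.0.13", 95)):
        for i, jitter in enumerate((0, 4, -3, 2, -1, 3)):
            flows.append((1000 + offset + i * 300 + jitter, host, "203.0.113.7", 6667))
    # One user browsing irregularly to a different destination.
    for t in (1010, 1025, 1900, 1950, 2600, 4100):
        flows.append((t, "10.0.0.11", "198.51.100.20", 443))
    # A single host polling a service on a timer: periodic, but only one client.
    for i in range(6):
        flows.append((1000 + i * 600, "10.0.0.14", "198.51.100.30", 443))
    return flows

def is_periodic(timestamps, min_events=5, max_cv=0.1):
    """True when inter-arrival times are regular (low coefficient of variation)."""
    if len(timestamps) < min_events:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_cv

def find_shared_beacons(flows, min_hosts=3):
    """Return {(dst_ip, dst_port): sorted hosts} where several hosts check in periodically."""
    per_pair = defaultdict(list)            # (src, dst, port) -> timestamps
    for ts, src, dst, port in flows:
        per_pair[(src, dst, port)].append(ts)
    beaconing = defaultdict(set)            # (dst, port) -> hosts with periodic check-ins
    for (src, dst, port), stamps in per_pair.items():
        if is_periodic(stamps):
            beaconing[(dst, port)].add(src)
    # Multi-agent correlation: one periodic client is weak evidence, several are stronger.
    return {d: sorted(h) for d, h in beaconing.items() if len(h) >= min_hosts}

if __name__ == "__main__":
    for (dst, port), hosts in find_shared_beacons(sample_flows()).items():
        print(f"{dst}:{port} contacted periodically by {len(hosts)} hosts: {hosts}")
```

Because control systems are moved between nodes, a flagged destination is best treated as a pointer to the internal hosts that need investigation rather than as a durable blocklist entry.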