Botnets - Everything Explained about Botnets and What all you can do!
4 min read
What are Botnets❓
A botnet (short for “robot network”) is a network of computers infected by malware that are under the control of a single attacking party, known as the “bot-herder.” Each individual machine under the control of the bot-herder is known as a bot.Botnets can be used to perform Distributed Denial-of-Service attacks, steal data, send spam, and allow the attacker to access the device and its connection.
The owner can control the botnet using command and control software. From one central point, the attacking party can command every computer on its botnet to simultaneously carry out a coordinated criminal action.
The scale of a botnet (many comprised of millions of bots) enable the attacker to perform large-scale actions that were previously impossible with malware.
Since botnets remain under control of a remote attacker, infected machines can receive updates and change their behavior on the fly.
As a result, bot-herders are often able to rent access to segments of their botnet on the black market for significant financial gain.
What Are Different Types of Attacks❓
1. Distributed Denial-of-Service Attacks
Often botnets are used for Distributed Denial-of-Service (DDoS) attacks. A DDoS attack is an attack on a computer system or network that causes a loss of service to users, typically the loss of network connectivity and services by consuming the bandwidth of the victim network or overloading the computational resources of the victim system.
In addition, the resources on the path are exhausted if the DDoS-attack causes many packets per second (pps). Most commonly implemented and also very often used are TCP SYN and UDP flood attacks.
Some bots offer the possibility to open a SOCKS v4/v5 proxy - a generic proxy protocol for TCP/IP-based networking applications (RFC 1928) - on a compromised machine.
After having enabled the SOCKS proxy, this machine can then be used for nefarious tasks such as spamming. With the help of a botnet and thousands of bots, an attacker is able to send massive amounts of bulk email (spam).
Some bots also implement a special function to harvest email-addresses. Often that spam you are receiving was sent from, or proxied through, old Windows computers sitting at home. In addition, this can, of course, also be used to send phishing-mails since phishing is a special case of spam
3. Sniffing Traffic
Bots can also use a packet sniffer to watch for interesting clear-text data passing by a compromised machine.
The sniffers are mostly used to retrieve sensitive information like usernames and passwords.
But the sniffed data can also contain other interesting information. If a machine is compromised more than once and also a member of more than one botnet, the packet sniffing allows to gather the key information of the other botnet.
Thus it is possible to “steal” another botnet.
If the compromised machine uses encrypted communication channels (e.g. HTTPS or POP3S), then just sniffing the network packets on the victim’s computer is useless since the appropriate key to decrypt the packets is missing. But most bots also offer features to help in this situation.
With the help of a keylogger it is very easy for an attacker to retrieve sensitive information. An implemented filtering mechanism (e.g. “I am only interested in key sequences near the keyword ‘paypal.com’”) further helps in stealing secret data.
And if you imagine that this keylogger runs on thousands of compromised machines in parallel you can imagine how quickly PayPal accounts are harvested.
5. Spreading new malware
In most cases, botnets are used to spread new bots. This is very easy since all bots implement mechanisms to download and execute a file via HTTP or FTP.
But spreading an email virus using a botnet is a very nice idea too. A botnet with 10.000 hosts which acts as the start base for the mail virus allows very fast spreading and thus causes more harm.
The Witty worm, which attacked the ICQ protocol parsing implementation in Internet Security Systems (ISS) products is suspected to have been initially launched by a botnet due to the fact that the attacking hosts were not running any ISS services.
Thank you for reading.
Did you find this article valuable?
Support Yash Bhuva by becoming a sponsor. Any amount is appreciated!