Danger from "zombie computers" - how to protect yourself from botnets
by Tina Siering
What is a bot and how does a botnet work?
A bot is a computer program that can perform largely repetitive tasks without the need for (human) control and interaction. Bots are ubiquitous on the Internet and do not necessarily have to be malicious. A well-known application for bots is, for example, the crawlers of search engines, which automatically search the web and analyze web content. Guided by hyperlinks, these bots reach further content and thus support the search engines in indexing web pages.
Unfortunately, bots can also be used for countless malicious activities. Among other things, the programs can read and collect e-mail addresses (which are subsequently used for spam or phishing), they can crack passwords, act as keyloggers to read private information, or abuse the computing power of an infected computer for mining cryptocurrencies. When bots communicate with each other, they are referred to as a botnet. A sufficiently large botnet controls a large number of bots and can attack existing networks or servers with so many requests that they become overloaded or even go offline (distributed DoS attack, DDoS for short).
How is a botnet set up?
In a botnet, individual bots are combined to form a complex, centrally controlled network. IT security experts estimate that several hundred experts are needed to set up a professional botnet - from exploit developers and vulnerability analysts to testers and project managers. The "professionals" are recruited on special platforms, mainly on the darknet, where they are offered and paid anonymously. Once the recruitment phase is over, the set-up phase begins. Depending on the scope, this can take up to two years.
The botnet controllers must be able to control the malware and issue commands. Most bots provide a means of communication with the botnet operator, typically via command-and-control (C&C) servers. This includes retrieving data from the bots as well as distributing new instructions. Without these servers, the bots are useless.
Various methods have evolved for bot computers to receive their commands:
1. Central server
This "basic" model is the oldest: bot machines periodically check in with a central server, for example an IRC chat room (now largely obsolete) or a server speaking another protocol. It was relatively easy for defenders to find the central C&C server by analyzing either the bot itself or its outgoing traffic. Other control options now exist, such as P2P or HTTP botnets.
2. Proxy server
Proxy servers are installed to disguise the location of the C&C server. The individual bot computers thus do not contact the C&C server directly, but via intermediate computers. These proxies can either be servers operated by the botnet controller or infected computers themselves.
3. Peer-to-peer communication
A further step in botnet architecture is peer-to-peer (P2P) communication. Here, bot machines exchange information and control commands with other bot machines rather than with a C&C server. Disrupting the entire botnet is very difficult in this case.
Regardless of the command and control structure, once the infrastructure of C&C server, malware and infection capabilities has been established, the bots must be successfully distributed. In this case, the infection can take place either via a virus or worm or via a visit to a malicious website that exploits security holes in the browser and thus installs the bot on the system without the user's knowledge.
Infection of victim systems primarily occurs via:
- Trojans: a seemingly harmless program installs a bot in the background; this is the most common case.
- Exploits: a security hole (e.g., in operating systems) is used by the attackers to install the bot.
- Email: the user is enticed via a link in an e-mail to install (infected) software. Alternatively, the malware loader is sent as an attachment, as in the case of the recently uncovered malware loader "Bumblebee".
- Automatic spreading via bots: Bots independently search for further, infectable systems and place new bots via exploits.
- IoT: Even smart devices are not safe from bots. Here, the infection occurs via apps or as a drive-by download.
After successful infection, the bot makes contact (e.g., with the C&C server) and reports that it is ready for operation. Commands are then used to tell the bot what steps it should take next. If one or more of the C&C servers are uncovered in the course of an attack, the bot controller can react promptly using special command sets and redirect "its" bots to other servers accordingly. This is what makes botnets so powerful and difficult to fight. If a server is exposed, the bot controller switches to another server and the attacks continue undisturbed.
Alarmingly persistent - well-known botnet Emotet is back again
Emotet was uncovered as a banking Trojan by security services back in 2014 and has since evolved into a frighteningly powerful and persistent platform. As of June 2022, it is the most widespread malware in the world. In the spirit of "crime-as-a-service," the Emotet platform sells compromised access to cybercriminals. Once Emotet is running on a victim machine, any malware can be reloaded and executed. The main modular Emotet program thus becomes a trafficker for malware such as Nymaim, Qbot, TrickBot, Ursnif or Dridex. "The infamous Emotet botnet is on the rise again after a hiatus of about a year," reports Andreas Klopsch, security researcher at SophosLabs. "Emotet was one of the most professional and long-lived ransomwares in recent IT history, causing numerous severe hacks and extortions." Emotet is just one example among many that powerfully demonstrates the persistence of botnets once they have been established. Can companies, organizations and private users protect themselves from the threat of botnets at all?
How organizations and businesses protect themselves from botnets
Botnets are efficient, threatening, and scary - but there is good news. For as powerful as current botnets are, there are definitely effective measures for businesses and organizations to take to protect themselves from bots! Among the most important measures:
- Be mindful: Every user should always be suspicious and cautious of links or attachments in general. Ideally, e-mails from unknown senders should not be opened at all, but sent to the trash without being read. Attachments to e-mails should always be downloaded only when you are sure that the attachment comes from a reliable source.
- Antivirus scans: A reputable antivirus program is still the best weapon against bots. Regular scans uncover installed malware or already prevent its installation.
- Update and patch operating systems and software: Cybercriminals are busy every day finding and exploiting existing vulnerabilities in operating systems and applications. Be faster - and plug security leaks regularly with the latest updates and patches from the manufacturers.
- Resist the lure of the Internet: A common way to get bots onto a computer is through malicious websites or fake downloads. Therefore, never click on pop-up ads, do not download software from unknown sources, and avoid visiting shady websites.
- Prevention and early attack detection: rely on a Managed Detection and Response (MDR) solution - this is also effective in fighting botnets! Allgeier secion's Active Cyber Defense (ACD) service provides a threat hunting solution that proactively and continuously analyzes your network for anomalies and detects attackers' communication with their command & control servers (by monitoring beacons and identifying malicious traffic patterns).
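The periodic check-in of bots with a central server described in the "basic" model above is exactly what beacon monitoring turns against the attacker: a timer-driven bot produces connection gaps far more regular than any human user. The Python script below is an added illustration, not code from Allgeier secion or the ACD service; it parses constructed connection records (host name and addresses are invented) and flags source/destination pairs whose gaps between connections are suspiciously regular.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound connection records ("ISO-time source destination"),
# modelled on firewall/proxy logs. Host name and addresses are invented: 203.0.113.5
# is contacted about every five minutes, 198.51.100.20 looks like ordinary browsing.
SAMPLE_LOG = """\
2022-06-01T08:00:00 ws-17 203.0.113.5:443
2022-06-01T08:00:12 ws-17 198.51.100.20:443
2022-06-01T08:05:01 ws-17 203.0.113.5:443
2022-06-01T08:07:40 ws-17 198.51.100.20:443
2022-06-01T08:09:59 ws-17 203.0.113.5:443
2022-06-01T08:15:00 ws-17 203.0.113.5:443
2022-06-01T08:16:33 ws-17 198.51.100.20:443
2022-06-01T08:20:01 ws-17 203.0.113.5:443
2022-06-01T08:24:58 ws-17 203.0.113.5:443
2022-06-01T08:41:07 ws-17 198.51.100.20:443
"""

def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, src, dst = line.split()
            flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows

def beacon_score(timestamps):
    """Return (mean_gap_seconds, coefficient_of_variation) of the gaps between
    connections, or None with fewer than three gaps. Human traffic is bursty
    (high CV); a bot polling its C&C server on a timer gives a CV near 0."""
    times = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 3:
        return None
    avg = mean(gaps)
    return (avg, pstdev(gaps) / avg) if avg > 0 else None

def find_beacons(text, min_connections=4, max_cv=0.05):
    """List (src, dst, mean_gap_seconds, cv) for suspiciously regular check-ins."""
    hits = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_connections:
            continue
        score = beacon_score(times)
        if score and score[1] <= max_cv:
            hits.append((src, dst, round(score[0], 1), round(score[1], 3)))
    return hits
```

Bots frequently add random jitter to their polling interval, so a production detector relaxes the `max_cv` threshold and combines the regularity score with further signals such as destination reputation and transferred data volume.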
One wrong click is enough to turn your own computer, completely unnoticed, into a will-less "zombie". Botnets are among the most persistent cyber threats of all - and unfortunately, they are not only persistent, but also extremely efficient. To stay safe and "bot-free" on the net, active antivirus software is mandatory - as is regular updating and patching of the operating system and installed applications. Additional protection is provided to organizations and companies by a "Managed Detection and Response solution (MDR)", such as the Active Cyber Defense Service (ACD) from Allgeier secion. The IT security experts of the Active Cyber Defense team provide information as soon as action is required: With the help of Active Cyber Defense, it is possible to minimize the critical time span between the failure of protection tools and the deployment of the response. This is because the warning is issued immediately as soon as anomalies are registered in the network - and not after the risky average period of 6 months. Please do not hesitate to contact us!