What is a botnet?

The world of cybersecurity is often clouded by complex terminology and jargon — at best, that can leave you feeling lost and out-of-the-loop, but at worst it can negatively impact your ability to guard yourself against attacks.

In this post, we're going to be demystifying one example of this jargon, botnets; a class of threat actors that’s been around for a while now but that you may not have heard of.

What is a botnet?

A botnet is a collection of internet-connected devices that are controlled by a threat actor. Devices such as laptops, phones etc… are unknowingly infected by malware which then use that device to send spam emails, be part of DDoS attacks, perform click fraud and more. Each device acts as a "bot" (from the word robot) in the bad actor's scheme, enacting some type or piece of a larger cyber attack.

For instance, a botnet can be used to send spam emails. The bad actor slowly infects more and more devices, then uses each of these devices to send spam emails en masse. By using a network of connected devices, more damage is able to be done. Using lots of devices also increases the odds that spam emails will bypass mail filters.

In general, a botnet consists of devices that the threat actor doesn't own. Instead, they infect the personal and professional devices of others. This is usually done discreetly so that the device owner doesn't even realize that their device is participating in a botnet attack.

The other part of a botnet, which we should mention is C&C or Command and Control. A botnet will have at least one, but usually several C&C servers which are used to control and manage the activity of the botnet.

An important part of “knocking out” a botnet is to take down its C&C servers. One way of detecting botnet activity is to look for communication with the C&C servers. At Samurai, the fact that we have a Tier 1 IP backbone allows us to detect communication between C&C servers and bots, allowing us to more readily detect botnet activity.

What is the danger of a botnet?

Botnets can be used in a variety of malicious ways. As covered, this could be sending spam or malware en masse, or being used to help orchestrate DDoS attacks through the connected devices.

Espionage is another common use of botnets. Here, the devices are being used by or near parties that the bad actor is interested in collecting information on. By using a broad network of devices, the hacker can collect more information from a variety of sources.

Hackers can also use botnets to steal data. Data can be collected directly from the connected devices or from devices/networks that the device is connected to.

As for why botnets are particularly dangerous, there are three key reasons. First, botnets can be difficult to shut down, as the number and variety of devices in play make them difficult to target.

Second, botnets are tricky due to their lateral movement. They gradually breach more and more devices, so they can continue to spread even as they're being taken down.

Third, botnets are also difficult to dismantle because the bots are designed to remain inobtrusive until they are needed. They stay below the radar until they are called upon by the C&C servers to perform their task.

Examples of botnet attacks

Unfortunately, the threat of botnet attacks is not theoretical. Several large-scale botnet attacks have taken place in the last ten or so years. Here are just three examples of major botnet attacks — all of which just happen to be DDoS attacks, too.

The Mirai attack

Let’s start with perhaps the most frightening botnet attack in recent history.

The Mirai DDoS attack occurred in 2016, targeting the domain hosting system Dyn and bringing down high-profile digital sites and platforms like Netflix, Spotify, PayPal, Twitter, Fox News, and more. Amazon’s web services division was also hit at a very similar time in a very similar way, but experts haven’t been able to confirm if the attacks are related.

It shows that even the most prepared, defensive parties can fall victim to a botnet attack.

The GitHub attack

Another of the largest botnet attacks in history was carried out against GitHub, one of the more secure and tech-savvy victims to have been hit by this style of attack.

During the attack, the botnet performed a DDoS, driving more traffic to GitHub than GitHub’s servers or security systems were capable of handling. This effectively shut down the GitHub website and service, making it unavailable for a few minutes.

While the ramifications of the attack were relatively small, it proved that no business or platform is too large to be targeted by this style of attack.

The Hong Kong attack

In 2014’s "Hong Kong" botnet attack, it was less so the city that was under attack and more so specific occupants and resources.

At the time, there were pro-democracy protests happening throughout Hong Kong. Websites and services arose during this period in support of these protests. These were the websites that eventually fell victim to the botnet attack, though it's still unclear who perpetrated the attacks.

Like the GitHub attack, these botnet attacks employed a DDoS strategy. And at the time, it was the largest DDoS attack recorded in history.

The Trickbot botnet

One botnet that is also worth noting is Trickbot, which was one of the world’s biggest botnets. Trickbot is a banking trojan, which emerged in 2016. What made Trickbot incredibly difficult for affected organizations to remove was the fact that infected workstations continued to re-infect other PCs after they were cleaned by using the EternalBlue vulnerability. NTT’s Global Threat Intelligence Center was actively involved in the take-down of the Trickbot C&C infrastructure, together with Microsoft and others.

How to protect against botnets

Have a solid defense system in place

Businesses and organizations aren't defenseless against botnet attacks. There are several steps you can take to protect your business against such an attack, and the first of these steps is having a solid defense system in place.

Botnets rely on C&C (Command and Control) servers. These servers act as the "brains" behind the attack. Having a defense system in place that can detect the activity of C&C servers and determine when endpoints have been infected is crucial. This gives you visibility over the botnet attack, including how widespread it is.

Implement strong user authentication methods

Another important way to prevent a botnet attack is to implement strong user authentication methods. Strong authentication helps prevent lateral movement and makes it more difficult to hack into devices, accounts, services, and more.

The more challenging it is to hack into these endpoints, the slower the spread of a botnet attack will be, and with strong authentication spread throughout your organization, it'll be that much harder for a botnet attack to take hold.

Use secure remote firmware updates

One of the ways that a botnet attack can slip past your defenses is by disguising itself as a firmware update. Devices are "updated", which installs the malware required to power a botnet attack.

The solution? Secure your remote firmware updates so that they can't become infected and so that it's harder (or impossible) for malicious updates to be installed.

Take advantage of secure boot

Lastly, it can help to take advantage of secure booting. Secure boot is when code can only be executed on a device whenever it's produced by a trusted partner/developer.

In other words, even if malicious software tries to install itself on your devices, it won't have high enough permissions to do so.

Keep reading the rest of the Samurai blog for more expert advice on safeguarding your business.