Robot Networks (Botnets) are almost exclusively created with the purpose of financial gain, though some botnet attacks are politically motivated. It is more common for attackers to rent botnets or commission attacks than develop their own. This has to do with the high amount of specialization and workload required for creating and maintaining a botnet.
What Is a Botnet?
A botnet is a large group of computers, routers, or even CCTV cameras that are remotely controlled by a single botmaster. The botmaster is often a criminal organization that uses a botnet for illegal purposes, or rents it out to others, often by the hour.
Botnets can be utilized for distributed denial of service attacks, spamming, click fraud, serving illegal material, search engine optimization, and even Bitcoin mining.
The owners of botnet-compromised computers are usually not aware that their system has been breached. This is often because botnets target ‘zombie computers’. A zombie is a machine that the owner is no longer using or maintaining, but it remains powered on and connected to the internet.
It’s important to note that though the term botnet is commonly used with a strong negative connotation, legal botnets do exist in the form of distributed computing. SETI@Home, for example, allows users to contribute their idling home computers to the search for extraterrestrials. Folding@Home simulates protein folding, hoping for results with important implications in the search for cures for diseases such as Alzheimer’s and many forms of cancer.
This article will focus on illegal uses of botnets.
How a Device Becomes Part of a Botnet
Any device connected to the internet can involuntarily become part of a botnet. Computers are infected through the same channels as other malware like spyware, crypto locker, or viruses. A compromised machine can be infected with multiple pieces of malware at once, and even be part of multiple different botnets.
Some botnets constantly scan all public IP addresses and test well-known vulnerabilities against the computers they find to identify new targets. They might spread themselves via email attachments or come bundled with pirated software.
Servers are especially attractive for botnets, as they are always online and have one or even multiple unrestricted connections to the internet. Many residential Internet Service Providers, by contrast, block certain services or ports, often in an attempt to limit the harm done when customers’ computers become part of a botnet.
Routers can also be attractive targets, as they are also always online and rarely receive updates.
A regularly updated laptop or smartphone rarely becomes part of a botnet. The less a device is maintained, the more likely it is to be infected with malware. As more and more of our devices become networked, the risk of a rogue element inside our network increases, especially since many non-computer devices are difficult to maintain.
If your Internet-connected fridge, alarm clock, or CCTV camera does not receive regular automated updates from its manufacturer, it becomes a security risk. Additionally, manufacturers might go out of business shortly after releasing a product.
The Evolution of Botnets
Botnets first appeared in the early 2000s and grew together with the early internet.
Early botnets were run as centralized networks in which one computer would act as a controller while other computers acted as clients, awaiting instructions from the controller. However, this meant that if the controller were detected, it would reveal the existence and locations of the entire botnet.
It also made the botnet vulnerable, as the network would stop functioning after the controller was shut down. Those controlling the botnet often tried to mitigate this by using multiple controllers, but without great success.
Today botnets are organized as peer-to-peer networks, in which commands are passed around between participants. Instead of having a limited number of “authorized” servers controlling the botnet, the operators now identify themselves through cryptographic signatures, allowing them to pass commands to any single participant of the botnet. This makes it impossible to take out a botnet “with a single hit” and greatly increases the difficulty of identifying the operators of a botnet.
Some of the most powerful botnets include one created by the Conficker worm in 2008 and 2009, and the Grum botnet. Conficker infected over 10 million computers and had the capacity to send over 10 billion spam messages every day.
The Grum botnet was created in 2008 and mostly used to send out spam for online pharmacies. It existed for four years, by which time it had become the world’s third-largest botnet with 560,000-840,000 computers sending out almost 20% of global spam.
Though huge botnets are often cited, it might not always be in the best interest of a botnet to become so big. An effective botnet might be just a few hundred servers large, which is far harder to detect and thwart than a large botnet with hundreds of thousands of computers.
What Are Botnets Used For?
Distributed Denial-of-Service Attacks
In a Distributed Denial-of-Service (DDoS) attack the bot master instructs computers to flood a service or website with requests to make it unavailable to other users, or even crash their servers entirely.
This can generate income for the botnet operator if they blackmail the services that are unable to defend themselves against such an attack. Every hour of downtime can cost a large e-commerce website huge revenue, especially during peak times when the servers are already approaching full capacity. A poorly prepared operator might be inclined to pay the ransom.
DDoS attacks are often politically motivated too. In this case, a criminal group controlling a botnet might be willing to rent out their botnet to groups wishing to attack their opposition.
Spam
Sending out millions of spam messages every day quickly gets you blocked by major email providers, taking away your distribution channels. If you have an ever-growing botnet, you can send your spam from ever-changing IP addresses and domains, without the cost of acquiring them or the risk of giving up your identity.
You can also use spam botnets for your own criminal business, like selling counterfeit watches or illegal pharmaceuticals online. You might also rent out this capability to other organizations such as, for example, an advertisement network.
Click Fraud
Traffic can be monetized online through advertisement networks. If you have a popular website, advertisers will pay you money each time one of your visitors sees their advertisement on your site. A click on the advertisement means they will pay even more money.
A bot master can exploit this system by creating a website and then driving artificial traffic to it through their botnet. Especially if this traffic comes from residential IPs (for example because their botnet targets home routers), this can be difficult to detect and highly lucrative. The money gained from this scam comes from a legitimate source and looks legitimate on paper, removing the need to launder it. Advertisers, however, will be working hard to uncover you.
Search Engine Optimization
Similar to click fraud, but different in its monetization strategy, is the use of botnets for search engine optimization. By artificially driving traffic to a client’s website via search engines, the bot master simulates a real demand, giving the search engines the impression that a particular site is useful for a certain topic. As a result, the search engine will drive real users to the site.
Store and Serve Illegal Material
Selling illicit digital goods online becomes a lot more profitable if you do not need to pay for the server and bandwidth cost. This was true especially in the early days of the internet when these costs were still relatively high. The botnet, on the other hand, can use the electricity, bandwidth, and hard drive storage of the computers it infects for free.
The added benefit of relative anonymity makes this even more attractive, although interacting with an infected server might make the customers of the illicit material vulnerable themselves if they do not take extra precautions.
Bitcoin Mining
Previously, botnets have also been used to mine Bitcoins. Using essentially stolen computing power and electricity, the botnets would create profit for the bot masters by harvesting Bitcoins, which could then be sold for cash. As the Bitcoin network grew and specialized hardware became necessary to generate significant amounts of Bitcoins, this use of a botnet has become rare, as the small payouts do not justify the risk of detection by the user due to high electricity bills or continuously running fans.
How To Find Out If You Are Part of a Botnet
As there are a large number of botnets operating in the wild with different characteristics, there is no easy way of telling. You should become suspicious if unknown programs take up a large amount of processing power, or you are consuming bandwidth even though all programs that are connected to the internet are closed.
If you are frequently presented with captchas when visiting sites or are blocked from some sites entirely, this might be a sign your IP is on a blocklist for carrying out DDoS or spam attacks. If installing updates to your operating system or antivirus fails, this might also be a sign your computer is infected with some kind of malware.
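One way to automate the blocklist check mentioned above is a DNS blocklist (DNSBL) lookup in the style of RFC 5782. This is an added example, not part of the original article. The zone name `dnsbl.example` and all function names are assumptions; substitute the zones of a blocklist you trust.

```python
import ipaddress
import socket

# Assumed placeholder zone; replace with the zones of a blocklist you trust.
DEFAULT_ZONES = ("dnsbl.example",)
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Build the lookup name: reversed IPv4 octets (or IPv6 nibbles) + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))  # one label per hex nibble
    return ".".join(reversed(labels)) + "." + zone


def system_resolver(name):
    """Return the A records for name; an empty list means no record exists."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:  # NXDOMAIN and lookup failures both end up here
        return []


def check_blocklists(ip, zones=DEFAULT_ZONES, resolve=system_resolver):
    """Return {zone: [return codes]} for each zone that lists the address."""
    if not ipaddress.ip_address(ip).is_global:
        raise ValueError(f"{ip} is not a public address; use your router's WAN IP")
    hits = {}
    for zone in zones:
        answers = resolve(dnsbl_query_name(ip, zone))
        # A listing answers inside 127.0.0.0/8. Any other answer (for example
        # from a resolver that rewrites NXDOMAIN) is not a listing.
        codes = [a for a in answers if ipaddress.ip_address(a) in LISTED_RANGE]
        if codes:
            hits[zone] = codes
    return hits


if __name__ == "__main__":
    # Constructed stub resolver so the demo runs offline.
    stub = lambda name: ["127.0.0.2"] if name == "4.3.2.1.dnsbl.example" else []
    print(check_blocklists("1.2.3.4", resolve=stub))
```

An empty result only means the queried zones do not list the address; it does not prove the machine is clean.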
In any case, keep your computer’s operating system and browser up to date, and don’t forget your server, router, TV, or any other device that you have connected to the internet.