A quick guide to botnets - what they are, how they work and the harm they can cause.
What is a botnet?
A 'bot' is a type of malware that an attacker can use to remotely control an infected computer or mobile device. A group or network of machines that have been co-opted this way and are under the control of the same attacker is known as a 'botnet'.
How a botnet is created
Bot programs can be planted on a machine or device in many ways. Machines or devices that have been infected by a bot are sometimes called 'bots' themselves, or 'zombies'.
One common method for a bot program to get onto a machine is a 'drive-by download': a harmful website the user is visiting silently probes for and exploits a vulnerability in the user's browser or system to install the bot. Other popular ways include sending the bot as a file attached to spam emails, or dropping it as a secondary payload of other malware already on the machine.
Once the bot program is installed on the device, it will try to contact the website or server from which it can retrieve instructions from the attacker. This site or server is known as the command-and-control (C&C) server.
An attacker with access to the C&C servers uses a client program to silently send instructions over the Internet (or another network) to the bot to perform various tasks, such as collecting data, monitoring the user's actions and so on.
Commands can be issued to a single bot, or to all the bots in the botnet. The attacker controlling the botnet is sometimes referred to as the 'botherder', 'operator' or 'controller'.
What attackers can do
Botnets can cause significant damage to the security of both individuals and businesses. Most directly, the data and connected resources of any systems forced into a botnet are no longer under the legitimate user's control. Most people today store highly sensitive content on their personal machines, such as financial accounts, login credentials, etc.; on an infected system, this data can be easily harvested by the attackers.
If the enslaved machines belong to a major corporation or government organization, this puts critical business functions or social services at risk. For example, back when the Conficker botnet was active, there were reports that among all the personal home computers roped in, military resources in the United States, the United Kingdom and France were also infected and were forced to take significant remedial actions because of security concerns.
Conficker also had a disproportionately large effect on the Internet infrastructure of entire developing countries, in many cases severely disrupting businesses and home users in the affected nations.
Attackers can also use the collective resources of all the machines in a botnet for their own activities. These include: launching Denial of Service (DoS) attacks on websites or services; sending out spam emails or malware; or mining digital currency, such as Bitcoin.
Botherders can also sell the use of 'their' botnets to others who want to perform these activities, or sell the botnets outright. In recent years, botnets have become more 'commercialized' and are increasingly used by crime syndicates to perform data theft, fraud and other harmful activities.
Increasing in size
A botnet's potential for causing mayhem increases with size, as having more machines in the botnet gives the attackers more resources for their activities.
Botnets have grown from containing hundreds, to hundreds of thousands of infected machines, with the largest botnets containing millions of bots (Conficker was thought to have between 9 and 15 million).
This trend looks set to continue, especially as more and more users from rapidly developing countries start accessing the Internet.
Unsurprisingly, given the harm they can cause, law enforcement authorities and national Computer Emergency Response Teams (CERTs) in many countries take the threat seriously and actively work to take down botnets, as well as hunting down and prosecuting their operators.
One of the most effective ways to take down a botnet is to find and take down (or 'sinkhole', i.e. take over) the C&C server, to deny botherders control of the enslaved machines. This gives users or network administrators the time and opportunity needed to identify and clean bot-infected machines or devices, and so finally remove them entirely from the clutches of the botnet.
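The regular C&C check-ins described under 'How a botnet is created' are also what lets a network administrator spot infected machines, before or after a takedown. The following Python is an added example, not code from this guide or from any real botnet or product: it parses constructed web proxy log lines (the log format, host names, thresholds and IP addresses are all assumptions) and flags internal hosts that contact the same destination at suspiciously even intervals, then lists the hosts still checking in to a destination that has been sinkholed.

```python
"""Spot bot check-in ('beaconing') traffic in web proxy logs.

Added example: the log format, the hosts, the thresholds and the sample
lines below are all constructed for illustration.  Bots poll their C&C
server for instructions on a timer, so the gaps between their requests to
that host are nearly constant; a person browsing the web does not produce
evenly spaced requests to one host for hours on end.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log in an assumed format: "<ISO-8601 time> <src-ip> <dst-host>".
# 10.0.0.5 and 10.0.0.7 poll the hypothetical C&C host every ~5 minutes
# (with a little jitter); 10.0.0.9 is a person browsing normally.
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.0.5 cc.example.invalid
2024-03-01T09:00:03 10.0.0.5 www.example.com
2024-03-01T09:05:04 10.0.0.5 cc.example.invalid
2024-03-01T09:09:58 10.0.0.5 cc.example.invalid
2024-03-01T09:11:40 10.0.0.5 cdn.example.net
2024-03-01T09:15:02 10.0.0.5 cc.example.invalid
2024-03-01T09:19:57 10.0.0.5 cc.example.invalid
2024-03-01T09:25:01 10.0.0.5 cc.example.invalid
2024-03-01T09:02:00 10.0.0.7 cc.example.invalid
2024-03-01T09:07:01 10.0.0.7 cc.example.invalid
2024-03-01T09:11:59 10.0.0.7 cc.example.invalid
2024-03-01T09:17:00 10.0.0.7 cc.example.invalid
2024-03-01T09:22:02 10.0.0.7 cc.example.invalid
2024-03-01T09:00:10 10.0.0.9 www.example.com
2024-03-01T09:02:45 10.0.0.9 www.example.com
2024-03-01T09:17:02 10.0.0.9 www.example.com
2024-03-01T09:17:09 10.0.0.9 cdn.example.net
2024-03-01T09:40:31 10.0.0.9 www.example.com
2024-03-01T09:41:00 10.0.0.9 news.example.com
2024-03-01T09:41:00 10.0.0.9 www.example.com
"""


def parse_log(text):
    """Yield (timestamp, src_ip, dst_host) tuples from the assumed format."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst = line.split()
        yield datetime.fromisoformat(ts), src, dst


def find_beacons(text, min_hits=5, max_cv=0.2):
    """Return {(src_ip, dst_host): mean_gap_seconds} for regular check-ins.

    A (src, dst) pair is reported when it has at least min_hits requests
    and the coefficient of variation (std dev / mean) of the gaps between
    them is at most max_cv; 0 means perfectly periodic.  Both thresholds
    are assumptions to tune per network.
    """
    seen = defaultdict(list)
    for ts, src, dst in parse_log(text):
        seen[(src, dst)].append(ts)

    beacons = {}
    for pair, stamps in seen.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all hits at the same instant: not a timer
        if pstdev(gaps) / avg <= max_cv:
            beacons[pair] = avg
    return beacons


def infected_hosts(text, sinkholed):
    """Internal hosts that contacted a C&C host that has since been sinkholed.

    Once defenders control the C&C name or address, every machine still
    checking in to it is a bot to clean; the proxy log already has that list.
    """
    return sorted({src for _, src, dst in parse_log(text) if dst in sinkholed})


if __name__ == "__main__":
    for (src, dst), gap in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: every {gap:.0f}s")
    print("still checking in to sinkhole:",
          infected_hosts(SAMPLE_LOG, {"cc.example.invalid"}))
```

Legitimate software updaters and monitoring agents also poll on a timer, so in practice the beacon list is triaged against an allow-list of known update and telemetry hosts; the sinkhole list needs no such triage, since nothing benign has a reason to keep contacting a C&C host after it has been taken over.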
For the latest news on botnet takedowns, check our Labs Weblog.