What actually is a botnet?

G DATA Guidebook

They permeate the Internet like a gigantic spider’s web. Botnets link computers to huge networks – without the majority of us knowing anything about it. Criminals manipulate computers, connect them and use them for their own purposes. The result is a network of infected PCs, remotely controlled by “botmasters”. Botnets are among the largest sources of illegal money for cyber criminals. According to estimates, hundreds of millions of computers worldwide are affected. One of the biggest networks discovered comprised over 30 million computers. There is a fair chance that your own PC was part of a botnet at one point in time, too.

How does a botnet work?

The operators of a botnet smuggle malware called a bot (short for “robot”) onto other people’s computers. These bots operate in the background without the owner of the PC noticing anything maintain a low profile. The computer is then exploited for the purposes of the botmasters, none of which the user would voluntarily agree to. As the computers are being controlled remotely and so are acting “involuntarily”, parts of the botnet are also known as “zombie PCs”.

Botnets encompass computers from all over the world.

The bots operate via the Internet. This means that they only work when the computer is switched on and is connected to the Internet. The more bots there are in a network, the greater the number of active computers at any one time. The German Federal Office for Information Security (BSI) recorded up to 60,000 new infections per day in the first quarter of 2015.* In purely technical terms, a botnet is a distributed computing network – a collection of computers working independently of one another. They do indeed communicate with each other occasionally, but they carry out their tasks independent from one another.

Example: Dridex

One of the most recent botnets is Dridex. Dridex is used for stealing bank and credit card data from infected computers. There are numerous charges against the botnet operators: criminal conspiracy, unauthorised access to third-party computers with the intent to defraud, harming computers and credit card fraud. In autumn 2015, FBI agents seized a number of servers belonging to the operators of the botnet. Even so, Dridex still appears to be active. An FBI publication quoted United States Attorney David J. Hickton, who called the Dridex botnet “one of the most pernicious malware threats in the world”. Security experts believe that hackers had seized and co-opted the botnet in spring 2016. As a result, Dridex distributed antivirus software for some time. However, security researchers have not recorded any new activity since June 2016, and it appears that the botnet and its infrastructure have disappeared from our screens.

How do I detect a botnet?

If so many computers form part of a botnet, how can I tell if I am part of one?

  • In some cases, the fact that the Internet connection has become slower or continually threatens to collapse under the strain can give away the presence of a botnet client. If the user has not significantly changed his data usage, this should be treated as a warning signal. However, other malware may also be responsible for a slow connection.
  • One clear indication is if the virus scanner sounds the alarm.
  • A look at the Task Manager can also offer some clues: Can you see new, peculiar or unfamiliar  processes there which never have been present before? The same applies to autostart entries.
  • As botnets are hard for lay people to detect, the emphasis should be on prevention instead of instinct.

What are botnets used for?

Botnets are used for all sorts of different things – and not all of them are illegal. The University of Berkeley in America provides the code for a good kind of botnet client. The voluntary connection of as many private computers as possible is designed to reduce IT costs for various research projects. For example, researchers use such a botnet to look for intelligent life in space.

However, the overwhelming majority of botnets are created against the will of the PC owners and are generally used for criminal purposes. Zombie PCs are used for things such as distributing spam. For example, phishing emails are sent out to the digital world by PC owners without them realising. Other botnets serve criminal organization as storage space or help provide the perpetrators obtain sensitive user data. Either this data is used by the perpetrators themselves or the information is monetized on the Darknet. Furthermore, a botnet enables the perpetrators to establish a connection to a third-party computer via the zombie PC and thus hide its original address. Another type of use for a zombie PC is as an intermediate host that infects other computers and so triggers a chain reaction."

Example: Bredolab

The Bredolab botnet came to the attention of the public in May 2009. Over 30 million computers were part of this network, until it was taken down in autumn 2010. This botnet primarily sent out spam emails with malware in an attachment. At its peak, Bredolab was estimated to be sending out 3.6 billion emails with malicious attachments on a daily basis. The operators earned money by renting out parts of the botnet to third parties. As such they are thought to have earned up to 139,000 dollars a month. The renters used Bredolab for entirely different purposes, ranging from the distribution of dangerous malware to use of the bots as spam distributors and attacks in which third-party computers were deliberately overwhelmed (DDoS attacks).

How is a botnet created?

The majority begin with an infected website. Users with no active web protection who end up on such a site usually have malware foisted upon them without noticing. However, an attack can also take place via an email in which, for example, the bot’s installation program is hidden in an attachment, or there is a link to a manipulated website. Sometimes users also unintentionally install Trojans along with harmless programs, which open the door, as it were, to the installation of the bot.

In this way, PCs are turned into remote-controlled bots, where a cyber criminal is pulling the strings. These strings are networked in such a way that we should actually think of a botnet as a highly ramified spider’s web. This is how ordinary PCs become part of a botnet. According to the Anti-Botnet Advisory Centre operated by Internet association Eco, one in three PCs in Germany is thought to have been infected and be part of a botnet.

The malware in the attachment to this email was detected by G DATA and deleted.
G DATA has deleted the malware in this e-mail attachment. By addressing the recipient personally, criminals attempt to establish trust.

Example: Mariposa

Between May 2009 to December 2009, 13 million computers in 190 countries – including 500 large enterprises in the USA – were part of the Spanish “Butterfly” network. Mariposa is one of the biggest botnets discovered to date. The infection, which lured users to manipulated websites, usually took place via Instant Messenger. In addition, the bot smuggled its way into Internet Explorer via holes or was distributed via primed USB sticks. Unlike Bredolab, Mariposa was not used for distributing spam but essentially for data theft. Over 800,000 users are thought to have been victims of data theft, according to estimates. The prize was access data to online bank accounts, email accounts and access to corporate networks. It took numerous agencies and highly specialised analysts to find and arrest the head of the network.

How can I protect myself against botnets?

  • A good way to protect yourself against malware and the installation of bots is reliable virus protection and a properly configured firewall.
  • Keep your browser up to date. According to the Anti-Botnet Advisory Centre operated by Internet association Eco, 80 percent of browsers on PCs in Germany are out of date. An update closes security holes that otherwise can be exploited by criminals. G DATA security solutions offer an additional layer of protection against the exploitation of security holes, even when there is no patch available for closing the hole – G DATA Exploit Protection.
  • Set up your security software and programs in such a way that they update automatically. This will close security holes as quickly as possible.
  • Install browser protection as well – this will protect you against unintentionally downloading malware without noticing, and against phishing sites.
  • Many security solutions include email protection. This prevents you from being taken in by manipulated websites and potentially downloading a bot without realising.
  • Do not click on attachments that make you sceptical. This especially applies to invoices that you cannot place. Have you actually ordered anything from the sender?
  • You should also be suspicious of emails containing dubious spelling or messages that contain a link to your bank or a shopping platform. Your bank will never ask you to click directly on a link.
  • During everyday use of your computer, use an account that does not have administrator rights, and only work with the administrator account in exceptional circumstances. This will reduce the risk of malware penetrating into deeper layers of your system and being able to carry out changes and execute files without restriction.

What happens when a botnet was taken down? Example: Avalanche

At the end of 2016 it was over: authorities took down a globally operating botnet. Just like an actual avalanche, the mesh consisting of 39 servers and several hundred thousands of domains rolled across the internet.

More than 20 botnets are estimated to have been part of the Avalanche infrastructure. Together, they unleased a torrent of ransomware, viruses and phishing emails. The damage caused by this is estimated to be at least six million Euros.

But after authorities seized servers and domains, a network like Avalanche does not simply vanish without a trace: the servers that were contacted by each individual bot may have become unreachable, but the software that turns a regular PC into a bot remained on the infected PCs. If you do not have a malware scanner on your computer, then this is a good time to get one. The scanner can tell you if your computer has been infected and remove the malware if need be. This also works with a free trial version. This prevents botnet operators from adding your computer to a new botnet.

More information and sources

The State of IT Security in Germany 2018, Federal Office for Information Security (BSI) (PDF 5,06MB)