
A botnet is a collection of compromised IoT devices, workstations, servers, and other computer equipment capable of having malware installed. The installed malware is remote-control software through which the attacker sends commands to the compromised devices and tells them to perform actions. Botnet actions send traffic to a targeted victim, usually an organization’s online services. The result is overwhelming traffic that overloads the services and the organization’s bandwidth, rendering them inoperable and taking them offline.

Attackers use botnets to perform distributed denial-of-service (DDoS) attacks. Some botnets are small and can’t shut down large services, but sophisticated DDoS attacks work with thousands of compromised devices. With enough compromised devices—also called zombie machines—attackers can flood an online service with enough requests to take it offline.

Phishing is a common way to build a botnet. Attackers send phishing messages to targeted victims and install malware through malicious attachments or websites hosting downloadable executables. The malware runs silently on the infected device but continually contacts the command-and-control (C2) server to tell the attacker that the device is ready. Users are unaware of this communication and of the traffic later sent to the targeted victim. Often the only sign of compromise is slow performance caused by bandwidth consumption during the DDoS activity.
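One way a defender can surface the silent check-in traffic described above is to look for outbound connections that recur at a fixed interval. The following is an added example, not code from the original page or from TitanHQ; it runs over constructed connection-log lines (the format and addresses are assumptions) and flags (source, destination) pairs whose connection intervals show almost no jitter:

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound connection log lines (not real traffic):
# "<ISO timestamp> <src_ip> -> <dst_ip>:<port> <bytes>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.12 -> 203.0.113.5:443 312
2024-05-01T10:00:02 10.0.0.12 -> 198.51.100.20:443 4820
2024-05-01T10:01:00 10.0.0.12 -> 203.0.113.5:443 310
2024-05-01T10:02:00 10.0.0.12 -> 203.0.113.5:443 315
2024-05-01T10:02:41 10.0.0.12 -> 198.51.100.20:443 9120
2024-05-01T10:03:00 10.0.0.12 -> 203.0.113.5:443 311
2024-05-01T10:04:00 10.0.0.12 -> 203.0.113.5:443 309
2024-05-01T10:05:00 10.0.0.12 -> 203.0.113.5:443 314
2024-05-01T10:17:13 10.0.0.12 -> 198.51.100.20:443 2210
"""

def parse_log(text):
    """Return {(src, dst): [timestamps]} from the constructed log format."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst_port, _bytes = line.split()
        dst = dst_port.rsplit(":", 1)[0]
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows

def find_beacons(flows, min_connections=5, max_jitter=0.1):
    """Flag (src, dst) pairs whose connection intervals are nearly constant.

    Human-driven traffic has irregular gaps; a bot checking in on a timer
    produces gaps whose standard deviation is a small fraction of the mean.
    Returns a list of ((src, dst), average_period_seconds).
    """
    beacons = []
    for pair, stamps in flows.items():
        if len(stamps) < min_connections:
            continue
        stamps = sorted(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((pair, round(avg, 1)))
    return beacons

if __name__ == "__main__":
    for (src, dst), period in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{src} -> {dst}: regular check-in every {period}s")
```

Real bots often add random delay to their timer, so in practice the jitter threshold and minimum connection count are tuned against baseline traffic rather than fixed as here.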

Routers and IoT (Internet of Things) devices are also commonly used for botnet activity. Both routers and IoT devices have access to the Internet, so they are perfect targets for malware. The Mirai malware family is commonly used to hijack IoT devices, routers, IP security cameras, and webcams. Mirai requires Linux to run on the device, but most of these devices already run a form of Linux, making them targets as attackers scan the Internet for vulnerable hosts.

Another common way attackers compromise routers and IoT devices is by authenticating with default passwords. It’s common for router administrators to leave the default password active. Manufacturers publish default passwords publicly, and attackers use those lists in scripts that scan the internet for vulnerable devices. When the attacker finds an exposed router with the default password still configured, the device is open to reconfiguration and malware injection.

IoT devices also require an administrator password to connect to the cloud. Any “smart” device is an IoT device and could be vulnerable to malware injection and recruited into a botnet. Users might assume devices are safe because they sit inside their homes, but leaving them unsecured can make smart devices part of a botnet. Smart devices also run versions of Linux, which makes them susceptible to malware injection if they are not properly patched and secured.

A single botnet might span multiple geographic locations, making it difficult to detect or take down. Organizations targeted by botnets get no warning before the DDoS begins, which makes a botnet DDoS costly in damages. Large organizations can lose millions in revenue when a DDoS persists for days.

Susan Morrow


How Can TitanHQ Help?

TitanHQ offers various solutions to protect against botnets and the attacks they support. For instance:

  • Email Security Solution: Blocks phishing attempts and malicious attachments that are common methods for delivering botnet malware.
  • Web Security Solution: Filters web traffic at the DNS level, preventing communication between compromised devices and botnet command-and-control servers, stopping botnets from growing or launching attacks.
  • Security Awareness Training Solution: Teaches employees how to recognize phishing attempts and avoid malware infections, reducing the chances of a network becoming part of a botnet.
