Name the malware you have, and I’ll tell you which botnet you belong to

Marta Mª Padilla Foubelo    15 September, 2022
Photo: Dan Gold / Unsplash

What is a botnet and how does it work?

To begin with, let’s break the word botnet into its parts. On the one hand, “bot” comes from robot and, on the other, “net” means network. Put together, the term means something like “a network of robots”.

A bot, or robot, is a system infected by malicious software that carries out whatever actions are defined in the malware code (or later ordered by its operator). A botnet, therefore, is a network of systems infected by the same malicious software.

A botnet is a group of systems infected by malicious software (malware) and managed by the same BotMaster.

What the name does not make explicit is that these systems are controlled remotely through a common Command and Control (hereafter C&C) server, from which the operator of the network, also known as the BotMaster, sends the instructions to carry out malicious actions.

In botnets, the famous parental phrase “if a friend of yours jumps off a cliff, will you do it too?” gets a clear answer: yes, every bot will do the same thing, because they are all controlled by the same threat actor.

Botnets also on mobile devices

It is not only computers that are affected; mobile devices are also targeted by BotMasters. For example, on a well-known Dark Web forum a botnet is offered for the Android operating system, one of the most widely used operating systems worldwide:

The full functionality and capabilities are included in the post itself:

In this case it is the Anubis botnet, whose main objective is to collect bank account information. It can also be used to send SMS messages to the contacts stored on the infected device.

How many times have we seen online scams in which we receive a message from someone we know asking for data or money, or simply containing a link? A message coming from a known contact does not usually seem suspicious, and that is exactly why compromised devices are used to send them.

Additionally, and as a curious fact, botnets are usually named after the malware that ties them together. Given the sheer amount of malware in circulation, it is practically impossible to list them all. Among the best known, though not always the most widely used, are Emotet, Mirai, Pink, Arkei, Redline and Raccoon.

Uses and purposes of botnets

There are countless uses for a botnet; it all depends on the imagination of each threat actor, which, as has been demonstrated many times, is quite broad.

One of the most common uses of botnets is the well-known distributed denial of service (DDoS) attack, which in most cases is orchestrated from networks of infected systems.

Distributed Denial of Service (DDoS) attacks are often launched using botnets.

However, an infected computer can be used not only to attack exposed services, but also to collect the affected user’s credentials, mine cryptocurrency, carry out phishing attacks and even download further malware.

What’s more, from the DFIR team’s perspective, many ransomware attacks begin with a botnet malware infection. That malware is tasked with downloading further malware to move laterally within the network, downloading updates to itself, or even directly downloading the ransomware payload.

How do I know if my computer is part of a botnet?

That said, the question often arises: “how do I know if my computer is part of a botnet?” It is best to have an EDR, a firewall with well-defined rules or capable signature-based detection software; otherwise an infection can go completely unnoticed by the user. Bear in mind that signatures only catch what is already known, so it is also worth watching the network side: unexpected outbound connections or DNS queries to random-looking domain names are typical traces of a bot calling home.

In general, the victims are not handpicked; these are not targeted attacks but mass campaigns, which makes anyone susceptible to infection.

Everyone is susceptible to being targeted by a botnet just because they have a computer or a mobile phone.

Many people think that they are “nobody” or not “interesting” enough for a botnet operator to be particularly interested in attacking them. Nothing could be further from the truth.

Who doesn’t access their bank account from their computer? Who doesn’t use online shopping platforms, or connect to their company’s internal network via a VPN? Any information of this kind is very valuable. And even if you are a low-ranking employee, you still have access to that private corporate network that is so attractive to cybercriminals!

How to identify botnet operators

Likewise, the question arises: “is it easy to identify the threat actors operating botnets?” It is not. Investigation is complicated by the fact that threat actors, besides often being groups of several people, usually operate through the Tor network.

In addition, operators use domain generation algorithms (DGA) to produce a large number of candidate domain names. In this way they make it much harder to detect and block the C&C server, since at any given time only a few of those domains will actually resolve to a real C&C server.

For example, if a specific IP address or domain is blocked by a firewall rule, the BotMaster has so many candidate domains that it can simply register another one from the list and move its C&C there.

Contact with the bots is maintained because every bot keeps generating the same list of domains with the DGA and tries them in turn. Another evasion method is the use of a fast flux network, in which, basically, many different IP addresses are assigned to the same domain name.

These IP addresses change constantly and, given that many different domain names are used as well, the number of possible C&C addresses grows very quickly. For these reasons, dismantling a botnet operation takes years of investigation, dedication and, in some cases, cooperation between law enforcement agencies in several countries.
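To make the two evasion mechanisms described above concrete, here is an added example written for this post; it is not code from the article’s author, nor from any real botnet. It assumes a toy date-seeded DGA (SHA-256 over a shared seed, the date and a counter), a constructed DNS table standing in for the domains the operator actually registered, and a constructed set of DNS answers for the fast flux part. The seed, the domain names and the IP addresses are all invented.

```python
"""Added illustration of two C&C evasion techniques: a date-seeded domain
generation algorithm (DGA) and a fast flux detector over DNS answers.
Everything here is constructed for the example; the seed, domains and IP
addresses are invented and do not correspond to any real botnet."""
import hashlib
from datetime import date

TLDS = ("com", "net", "org", "info")   # hypothetical TLD pool used by the toy DGA


def generate_dga_domains(seed: bytes, day: date, count: int = 8) -> list[str]:
    """Return the candidate C&C domains for a given day.

    Bot and BotMaster share `seed`, so both compute exactly the same list;
    the operator only needs to register one of them to be reachable.
    """
    domains = []
    for index in range(count):
        material = seed + day.isoformat().encode() + index.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return domains


def resolve_cnc(candidates: list[str], dns_table: dict[str, str], blocklist: set[str]):
    """Bot-side behaviour: walk the day's list, skip anything the firewall
    blocks and return the first (domain, ip) pair that resolves, or None."""
    for domain in candidates:
        if domain in blocklist:
            continue
        ip = dns_table.get(domain)
        if ip is not None:
            return domain, ip
    return None


# Constructed DNS answers: (queried name, A record returned, TTL in seconds).
# "update-check.example" rotates through many addresses with a short TTL,
# "cdn.example" has a few short-lived addresses (a benign CDN looks similar),
# "static.example" is a normal long-lived record.
SAMPLE_ANSWERS = [
    ("update-check.example", "198.51.100.11", 60),
    ("update-check.example", "198.51.100.57", 60),
    ("update-check.example", "203.0.113.8", 45),
    ("update-check.example", "203.0.113.90", 60),
    ("update-check.example", "192.0.2.33", 30),
    ("update-check.example", "192.0.2.201", 60),
    ("cdn.example", "192.0.2.10", 60),
    ("cdn.example", "192.0.2.11", 60),
    ("cdn.example", "192.0.2.12", 60),
    ("static.example", "203.0.113.1", 3600),
    ("static.example", "203.0.113.1", 3600),
]


def detect_fast_flux(answers, min_ips: int = 5, max_ttl: int = 300) -> dict[str, list[str]]:
    """Flag names that answered with many distinct IPs, all at a low TTL.

    Caveat: CDNs and load balancers also hand out many short-lived IPs; real
    detectors add the spread of autonomous systems and countries behind the
    addresses, which this toy version deliberately leaves out.
    """
    seen: dict[str, tuple[set[str], list[int]]] = {}
    for name, ip, ttl in answers:
        ips, ttls = seen.setdefault(name, (set(), []))
        ips.add(ip)
        ttls.append(ttl)
    return {
        name: sorted(ips)
        for name, (ips, ttls) in seen.items()
        if len(ips) >= min_ips and max(ttls) <= max_ttl
    }


def demo() -> dict:
    """Run both scenarios and return the observations."""
    seed = b"constructed-example-seed"          # invented shared secret
    today = date(2022, 9, 15)
    bot_view = generate_dga_domains(seed, today)      # what every bot computes
    master_view = generate_dga_domains(seed, today)   # what the operator computes
    # The operator registers only two of the day's names; a defender then
    # blocks the first one, and the bot simply falls through to the next.
    registered = {master_view[1]: "203.0.113.5", master_view[4]: "203.0.113.9"}
    reached = resolve_cnc(bot_view, registered, blocklist={master_view[1]})
    return {
        "domains": bot_view,
        "same_list": bot_view == master_view,
        "next_day_differs": bot_view != generate_dga_domains(seed, date(2022, 9, 16)),
        "cnc_after_block": reached,
        "fast_flux": detect_fast_flux(SAMPLE_ANSWERS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it shows the point made above: blocking the single domain the defender spotted does not cut the bot off, because the next registered name in the same day’s list still resolves. The fast flux heuristic flags the name that keeps answering with different addresses at a low TTL, but, as the docstring notes, a CDN behaves in a superficially similar way, so in practice this signal is combined with the diversity of networks behind the addresses rather than used on its own.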

Dark Web sales of malware and botnets

Of course, as with anything, there is also malware available for sale on the Dark Web, as discussed in the post on these types of markets.

Threat actors can also add systems to their botnets by buying or renting specific malware, which is sold on Dark and Deep Web forums and markets. For example, below we can see a lifetime licence for Redline on sale (at a discount of 300 euros!).

In this other recent post from a well-known Dark Web marketplace, the Arkei malware is offered for sale for $210:

Not only paid malware is found; ironically, there are also free “pirated” versions of malware, as we can see below with the Arkei malware.

Although the thread was opened in 2018, it has remained quite active over the years up to 2022, apparently accumulating a large number of downloads.

As another curious fact, and following the saying “if you want something well done, do it yourself”, tutorials are offered for sale, and sometimes for free, to learn how to set up your own botnet.

Dark Web sales of credentials and session cookies

One of the capabilities of malware infecting systems is the theft of login credentials or the theft of session cookies from web services.

It is common to see credentials being sold on the major Deep and Dark Web markets. It is as common as it is worrying, because it affects not only access credentials for personal services (Amazon, online banking, supermarkets, streaming platforms, etc.), but also access to professional services such as work tools, VPN networks, corporate e-mail, etc.

The sale of credentials on Deep and Dark Web markets is as common as it is disturbing

What begins as the compromise of a single computer can end as the compromise of an entire corporate network and lead to a serious security incident, as discussed above.

To give real figures, drawing on data for all countries and from sales on the main Dark Web markets, in the last month alone at least 311 credentials for access to Citrix services, 2,000 accesses to the intranets of different companies and 105 VPN accesses, among many others, were found on offer. At the enterprise level, this is, to say the least, worrying.


As we have seen, anyone can be a target of a botnet and the consequences can be dire.

The human factor is one of the main drivers of botnet infection, so at this point there is little more we can do than recommend being very careful about where we click and where we download software from: beware of freeware and downloads from outside official platforms!

This way, we will already be much less likely to end up “turned” into a bot.
