- In this article, we continue our focus on malware with a look at the concept of a “botnet”.
- A botnet is a network of computers which have been compromised and infected with malware, allowing them to combine processing power to carry out cyberattacks.
- Because of the distributed nature of a botnet, they can be difficult to eliminate – but that doesn’t mean your business can’t protect itself from becoming part of a compromised network.
The idea of a computer being assimilated into a network and used for nefarious purposes sounds like something out of a science fiction movie.
And you know what? We wish it were.
In reality, this is essentially how a botnet operates – and it’s one of the most insidious forms of malware in use today.
Similar to spyware, a computer which is jacked into a botnet can be very hard to detect, meaning your company’s computers could be being used for anything without your knowledge.
If that all sounds unnerving, don’t worry – knowledge is power.
And here’s all the knowledge you need on botnets.
What is a botnet?
A combination of the words “robot” and “network”, a botnet is simply a network of connected devices which are capable of connecting to the internet.
Each device is running at least one “bot”, which is a small program which can take automated actions quickly and remotely.
Not all bots are malicious, mind you – such as the Google “spider”, which is responsible for gathering data about all the websites on the search engine (something a human could never do). Bots are so common, in fact, that over half of all internet traffic is generated by them.
In the context of malware and cyberattacks, botnets are usually built by infecting unaware computers, which can then be used by the bot controller to take various actions, including:
- Distributed Denial-of-Service (DDoS) attacks, which occur when every device on the botnet attempts to access a website over and again until the server crashes.
- The installation of spyware to monitor and report on user’s activities or present them with unsolicited advertising messages.
- Email spam, whereby the botnet machines are used to send large volumes of spam emails in a decentralized way.
- Bitcoin mining, which utilises the processing power of the infected machine to make complex calculations which result in the creation of bitcoin currency for the owner of the botnet. (This one is actually more nefarious than it first appears, as the power costs of bitcoin mining can be significant).
Behind the scenes of a botnet (in plain English)
Before we investigate how you can detect (or prevent) a botnet attack, let’s look a little more closely at how they work under the hood.
There are generally two types of botnet:
- The client-server botnet relies on a central location through which the “bot master” controls all devices on the network. This location is usually an Internet Relay Chat (IRC) server, a domain (like example.com), or a dedicated website.
- The peer-to-peer (P2P) botnet is a decentralised version of the same network. Rather than relying on a central server, which can be disrupted or disabled by the authorities, a P2P botnet relies only on the devices within the network. P2P botnets are even harder to deal with, because they can be self-sustaining by updating other bots they find on the network.
The process of creating a botnet generally goes like this:
- The so-called “bot master” will build a piece of malicious software – usually a trojan horse – to deliver the bot to the target computer.
- The unsuspecting victim of the trojan horse attack will unwittingly open an email attachment or similar file which then covertly deploys the bot onto their machine.
- From there, the bot master will use the botnet as a resource from which to deploy various attacks, such as DDoS as discussed above.
- Depending on the delivery method and the coding of the bot, they can attempt to spread to other machines to further increase the size of the botnet.
How to detect – or prevent – a botnet attack
Okay, so, by this point, you’re probably seeing why botnets can be such a nasty form of malware. They aren’t even malware, strictly speaking, but rather a delivery system for other forms of malware. Even worse – the owners of the computers often have no idea that they’ve fallen victim to the attack.
So, what can you do as a business owner to detect a botnet cyberattack?
Here are a few signs to keep an eye out for within your network of local machines:
- Unexpected or unusual computer activity. If it’s the middle of the night and your machines are going ten a penny, there’s a good chance some software – like a bitcoin miner – is covertly using their resources.
- Unexplained network bandwidth usage. One big clue to the presence of a botnet attack is network usage. After all, if someone is using your fleet of machines to relentlessly hammer a server across the globe, your network is going to show it.
- Unusual shutdown or start-up behaviour. Another important factor for a botnet is that the machines are always online for the attacker. For this reason, many bots are coded in a way that they’ll resist or try to prevent the shutdown of the host machine.
As with anything to do with malware, prevention is always better than cure. But is there a better way than trying to sus it all out yourself?
There certainly is.
At Get Support, we strongly recommend the use of an Endpoint Detection and Response platform. Think of an EDR platform like anti-virus on steroids – they can detect existing viruses, of course, but they can also detect an attack before it has chance to do any damage.
Not only that, but EDR platforms can roll back changes and isolate files to prevent bots from spreading, even if they somehow slip the net.
There are a few different EDR platforms out there that can help protect you from botnet attacks (and any other form of malware, for that matter), but we recommend SentinelOne.
Step up your cybersecurity game with Get Support
With more and more businesses moving online every day, the threat of cyberattacks is always increasing. That’s why you need to know what risks are out there – and how to tackle them.
Be sure to check out of our other malware coverage to learn more:
If you’re ready to take the next step and boost your company’s cybersecurity, our team is here to help. Fill in the form below to get started, or just give us a call on 01865 59 4000.