BLOG

Botnets: What They Are and the Risks They Pose

8 minute read

As with most technology, bots, short for robot network, can be used both for beneficial reasons as well as malicious ones. Legitimate ways bots can be used include crawling and indexing websites for search engines, chatroom policing and even weather updates. On the other end of the spectrum, where most botnets lie, malicious activity runs rampant. Botnets allow cybercriminals to replicate and infect a large number of devices, linking them together to form a network ripe for their bidding. This can include logging keystrokes, launching Distributed Denial of Service attacks (DDoS), stealing passwords, mining cryptocurrencies, deploying malware, initiating attacks on websites, stealing personal information, spreading misinformation via social media automated accounts and more. The more bots connected, the more extensive the network, the bigger the footprint, the more significant the impact. In the end, it’s the reach and size of a botnet that matters. Cybercriminals seek to infect as many devices as possible, as quickly as possible, to spread the botnet’s reach as far as possible.

Botnets are also a perfect tool for cybercriminals as they are often very subtle and difficult to detect if protective measures aren’t in place. In that vein, there are several ways to tell if you’ve been infected, as well as to avoid getting infected in the first place. First, you must learn what the botnet is and how they work. Then you can move to put proactive methods in place to ensure you and your devices avoid becoming part of a malicious botnet.

What is a Botnet?

Breaking down the meaning of a botnet is a great way to better understand just how they function. In an overarching view, “robot” and “network” describe precisely what a bot is: a network of robots built to do the creator’s busy work in carrying out an objective or cybercrime. Think of it as a collection of hijacked devices controlled remotely by a cybercriminal. The malicious actors behind botnets are typically referred to as “botmasters” or “bot herders,” as that is precisely what they do. Whether the goal is to spread malware, gain access to sensitive information for financial gain, or wreak havoc on the internet, the tactic itself is the same. Botmasters seek to infect as many online devices as possible, with their bots standing by, ready for the next command. 

Evolution of How They Work

Typically, you see a botnet attack executed within one of two models: centralized or decentralized. Initially, the centralized model took hold, where the entire botnet operation is based out of Command & Control servers (C&Cs). The model is simple, which is why it is still so prevalent today, but the chink in the armor here is the single point of failure. Enter the decentralized Peer-to-Peer (P2P) model. This next generation of botnets share commands and coordinate information with each other without having to rely on a central server, which makes them more robust in the end despite being more time-consuming to execute.

To summarize the botnet’s lifecycle, a threat actor generally begins by deploying malware to infect devices. Techniques might include malicious pop-up ads, website downloads or email attachments. Once infected, these devices are commonly referred to as “zombie devices,” as they have now become something more without most victims even realizing it. The botmaster then moves to link the infected device to either a server (C&C) or other infected devices (P2P). The bot then receives its next order once linked and ready to go. The malicious activity becomes relatively seamless from this point forward.

Type of Attacks on the Rise

If a device is connected to the internet, bots can find them. You name it: computers, laptops, mobile devices, smart home devices, security monitoring devices and almost any other connected device can fall prey to becoming part of a botnet. According to the Spamhaus Botnet Threat Update: Q1-2021, 1,660 new botnet C&Cs were identified “compared to 1,337 in Q4, 2020. This is a 24% increase, with an average of 553 botnet C&Cs per month.”

Number of new botnet C&Cs detected by Spamhaus since late 2020
Source: Spamhaus Botnet Threat Update: Q1-2021
Number of new botnet C&Cs detected by Spamhaus since late 2020
Source: Spamhaus Botnet Threat Update: Q1-2021

Spamhaus also reports that the United States still takes the lead with “the number of newly observed botnet C&Cs.” However, Europe has also seen its fair share of increases. “The Netherlands has overtaken Russia and finds itself in second position, with a total of 207 botnets, a 27% increase on Q4, 2020. Additional European countries have experienced increases in new botnet infrastructures, including Germany (+77%), France (+82%), Switzerland (+23%), and United Kingdom (+9%).”

Top 20 locations of botnet C&Cs
Source: Spamhaus Botnet Threat Update: Q1-2021
Top 20 locations of botnet C&Cs
Source: Spamhaus Botnet Threat Update: Q1-2021

A botnet is just the beginning; once a device is infected, it can carry out a wide range of attacks. Schemes might include, but aren’t limited to:

  • DDoS attacks seek to overwhelm a server or system with requests and cause them to crash. Infected devices tasked by botnets go after online sites incessantly until they are taken down or crash for a period of time. There are a few ways to carry this out. Regardless, the hacker is focused on either exhaust the victim’s bandwidth, inhibiting legitimate requests from getting through, or going after vulnerabilities in an operating system or application to cause a crash. 
  • Phishing comes into play as bots attempt to distribute malware. Threat actors pose as a trusted resource to trick targets in carrying out a request or providing sensitive information. This usually involves spambots that harvest emails from websites used to create fraudulent accounts and send spam emails. Because botnets usually cast a wide net, typically comprised of a large number of bots, taking down campaigns like this can be very challenging as each needs to be tracked while new ones continuously pop up.
  • Social Botnets serve malicious actors as they build legions of interconnected bots to spread malware, collect intelligence on high-profile accounts or spread misinformation. Not only do cybercriminals leverage the social networks for their own malicious ends, but they can do so from a single computer. Usually, cyber criminals infect each computer independently to build out a botnet, but social media bots only need to infect the account, which is much simpler to create and control. Bot herders also do not have to rely on maintaining a foothold on the target account, considering they “own” the social account. Given that social networks acquire thousands of new users daily, it can be challenging to differentiate benign bots from malicious ones.

Anatomy of a Social Botnet

Social networks do a great job limiting mass registrations of accounts by IP address, frequency and authentication. Creating fake accounts also violates many platform’s terms of service, so some effort must go into evading these policies. One workaround is to buy large numbers of packaged accounts from various websites or automate the creation of these bots through web scraping software. Bot herders can subsequently set up an infrastructure to control these bots.

Cybercriminals buying and selling accounts online
Cybercriminals buying and selling accounts online

Social botnets are split into two categories. The first is an ad hoc, web scraping-type approach. Herders register massive numbers of accounts with just username and passwords to a “warez” application that can parse HTML content from the social networks to submit requests as if they were logged onto the websites with real browsers. Benefits to this approach include non-attribution because all posts are made from the default browser client. The downfall to this approach is that social networks change their CSS layouts and source code frequently. If the source changes a core part of the warez scraper, users of the software are out of luck and need to wait for a new release.

Bot herder interphase
Bot herder interphase

The second approach is a social network application-based infrastructure. Well-known social networks only allow programmatic access to social accounts via registered applications–similar to how an app requires authorization to be installed on a smartphone. Basic application creation and access only require an app name, email and a domain name for most large social networks. A bot herder registers their app with a simulated purpose and begins their recruitment process. Each bot authorizes the app to perform actions on its behalf, and these credentials are stored. When a herder wants to initiate a request, it uses these credentials to essentially say, “I am authorized to post for this user with this content,” and the network subsequently processes the request. The benefit of this approach is that APIs rarely change. There is a lengthy adoption process when they do change, and the old versions depreciate very slowly. The downfall to the app approach is that the networks have more control over how these herders are using their API and have robust mechanisms in place to measure abuse to ban these accounts and applications.

Each application can be thought of as a bot “head,” which can control hundreds to thousands of bots underneath it. Herders command the bot head, and the bot head can choose a targeted or random profile to perform that action. Bot herders scale these by creating many applications and many bot heads to build their empire to hundreds of thousands of automated profiles. These can be controlled via traditional command and control infrastructures, ranging from chatrooms to websites to the social networks themselves. Commands include using hashtags, following users, shortening attack URLs and spamming a hashtag.

Graphical user interface, text, application

Description automatically generated
Bot herders automate commands for their botnets

ZeroFox has observed a myriad of attacks related to social botnets. One common tactic we monitor, hashtag hijacking, abuses trending hashtags by posting malicious, phishing or spam links to the hashtag due to its popularity. Another attack, known as a retweet storm, abuses the ability of a tweet to rise in popularity due to the number of retweets. These are especially useful if you want to “pin” a malicious message to a trend because of its popularity. 

Protecting Against the Bots

Consequences of a botnet to an unsuspecting user might include massive internet bills, slow and unstable device performance, stolen personal information and more. When you stop to consider the risks posed to both yourself and others, it’s clear that protection from becoming part of a botnet is critical. Here are a few steps to help you get started:

  • Update settings and passwords. Use varied, complex and lengthy passwords. Check privacy and security options on any connected device. Carry out both of these measures on a routine basis. 
  • Think through links and attachments. Be sure to verify the sender or source before downloading an attachment or clicking a link. You can also manually enter a link as well as do a quick search to grab the official version of the link hosted on the legitimate source’s website or social. Most anti-virus software can help scan senders, attachments and links for you as well. 
  • Don’t go it alone. Simply installing anti-virus software on your devices isn’t enough. While it can offer a degree of preliminary protection, you want to ensure your approach is more well-rounded. In today’s threat landscape, a robust security stack requires adept security partners to fill the gaps and skillsets not readily available to most teams.

Learn more on implementing threat intelligence that works for you and request a demo to see precisely how ZeroFox can step in to help you along the way.

Get
Started

Stay Informed

Best practices, the latest research, and breaking news, delivered right to your inbox.