Botnet operators gain access to computers, servers, and/or IoT devices, then install software that takes orders from a command and control (C2) channel.
These infected devices become slave devices, or robots, that the attacker uses to form a network (roBOT + NETwork = BOTNET).
Historically, botnets used a client-server model to control the network, but once defenders identified the command server they could cut off its commands and disable the botnet. Many newer botnets avoid that single point of failure by using distributed peer-to-peer (P2P) networks instead.
Got It, So Why Should I Care About Botnets?
Botnets launch Distributed Denial of Service (DDoS) attacks, mine cryptocurrency (aka: cryptomining), install keyloggers, steal passwords, and spread spam emails… among other things.
While one infected computer in a network is annoying, many infected devices can cause significant problems.
When a botnet unleashes a DDoS attack, the volume of traffic is enormous. Over 13 days in March and April 2020, 400,000 IoT devices bombarded an entertainment industry company with 292,000 requests per minute!
Even with white-hat hackers using pranks to try to cripple botnet delivery systems, Amazon Web Services noted a 23% increase in attacks such as data floods, including a single reflection attack that delivered 2.3 terabits of information per second!
However, since most botnet DDoS attacks typically focus on high-profile sites and infrastructure, smaller companies need to worry more about becoming an unwitting host for botnet nodes. Employees' computers may become infected when they open attachments in spam emails that carry a botnet payload.
When the Emotet botnet infects a victim's computer, it harvests subject headers, attachments, and even the content of emails. The newly infected computer then begins to spew spam, and the recycled content makes future victims more prone to clicking on infected content.
Spam campaigning remains one of the largest uses of botnets; attackers flood the internet with millions of malware-carrying messages daily. Unfortunately, when an organization has a server or multiple users infected with spam-spewing malware, it may soon find that its IP address and domain have been flagged as sources of malware by email filtering software.
This often leads to temporary email failure for the company as a whole, and it takes time to clean the reputation of a compromised domain.
In the last few years, attackers have used botnets to mine cryptocurrency and to create massive click-through campaigns that defraud internet advertisers. The newest botnets attack Docker containers and exploit Server Message Block (SMB) protocol vulnerabilities to build cryptomining botnets.
More ominously, botnet software can be the first wave of a more serious attack on the organization. For example, the Emotet botnet has also been known to serve as an enabler of the Ryuk ransomware and the Trickbot trojan.
How Do I Counter the Botnets?
Three key tactics can limit the damage botnet infections do to our organizations:
- Train employees about phishing;
- Encourage employees to immediately notify IT about a suspected infection;
- Monitor systems for unusual traffic patterns.
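The third tactic, monitoring for unusual traffic patterns, is the one that can be automated. The following is an added example, not code from the original post or from any vendor's product, that runs two simple checks over network flow records: it flags a host that contacts the same external address and port at near-constant intervals (the regular check-in of a bot waiting for orders), and it flags a host that sends mail directly to outside servers even though it is not the organization's mail relay (the spam-spewing symptom described above). The flow records, the IP addresses and the approved relay address are all constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Flow record: (timestamp in seconds, source IP, destination IP, destination port, bytes sent)
# Constructed sample data; the addresses are documentation and private ranges, not real hosts.
SAMPLE_FLOWS = [
    # Workstation 10.0.0.5 checking in with 203.0.113.7:443 roughly every 60 seconds
    (0, "10.0.0.5", "203.0.113.7", 443, 512),
    (61, "10.0.0.5", "203.0.113.7", 443, 520),
    (119, "10.0.0.5", "203.0.113.7", 443, 498),
    (181, "10.0.0.5", "203.0.113.7", 443, 530),
    (240, "10.0.0.5", "203.0.113.7", 443, 505),
    (301, "10.0.0.5", "203.0.113.7", 443, 515),
    # The same workstation sending mail directly to outside hosts on port 25
    (10, "10.0.0.5", "198.51.100.20", 25, 4000),
    (12, "10.0.0.5", "198.51.100.21", 25, 4100),
    (15, "10.0.0.5", "198.51.100.22", 25, 3900),
    (19, "10.0.0.5", "198.51.100.23", 25, 4050),
    (22, "10.0.0.5", "198.51.100.24", 25, 4200),
    # Workstation 10.0.0.9 browsing normally: irregular timing, varying sizes
    (5, "10.0.0.9", "198.51.100.50", 443, 15000),
    (7, "10.0.0.9", "198.51.100.50", 443, 2300),
    (95, "10.0.0.9", "198.51.100.50", 443, 900),
    (96, "10.0.0.9", "198.51.100.50", 443, 41000),
    (300, "10.0.0.9", "198.51.100.50", 443, 1200),
    # Mail relay 10.0.0.2 legitimately delivering mail on port 25
    (30, "10.0.0.2", "198.51.100.60", 25, 8000),
    (40, "10.0.0.2", "198.51.100.61", 25, 7000),
    (50, "10.0.0.2", "198.51.100.62", 25, 9000),
    (60, "10.0.0.2", "198.51.100.63", 25, 8500),
]

MAIL_PORTS = {25, 465, 587}
# Hypothetical: the one host in this network that is allowed to send mail outbound.
APPROVED_MAIL_SENDERS = {"10.0.0.2"}


def find_beacons(flows, min_connections=5, max_cv=0.15):
    """Return (src, dst, port) pairs whose connection gaps are suspiciously regular.

    Regularity is measured as the coefficient of variation (stdev / mean) of the
    gaps between consecutive connections; human browsing is bursty, a bot's
    scheduled check-in is not.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        by_pair[(src, dst, port)].append(ts)
    findings = []
    for (src, dst, port), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "port": port,
                             "interval": round(avg, 1), "cv": round(cv, 3)})
    return findings


def find_unapproved_mail_senders(flows, min_connections=3):
    """Return hosts that opened outbound mail connections without being an approved relay."""
    counts = defaultdict(int)
    for _, src, _, port, _ in flows:
        if port in MAIL_PORTS and src not in APPROVED_MAIL_SENDERS:
            counts[src] += 1
    return {src: n for src, n in counts.items() if n >= min_connections}


def suspicious_hosts(flows):
    """Union of hosts flagged by either check, for the IT team to look at first."""
    hosts = {b["src"] for b in find_beacons(flows)}
    hosts.update(find_unapproved_mail_senders(flows))
    return hosts


if __name__ == "__main__":
    for beacon in find_beacons(SAMPLE_FLOWS):
        print("regular check-in:", beacon)
    for host, n in find_unapproved_mail_senders(SAMPLE_FLOWS).items():
        print(f"direct outbound mail from {host}: {n} connections")
    print("hosts to investigate:", sorted(suspicious_hosts(SAMPLE_FLOWS)))
```

On the sample data only 10.0.0.5 is flagged, by both checks; the browsing workstation and the approved relay are left alone. The thresholds are deliberately loose so the example reads clearly, and in practice they would be tuned against a baseline of the organization's own traffic before anyone is paged.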
Although training will not stop every employee from clicking on every phishing campaign, it can reduce the number of infections. Training should also help employees recognize the signs of a possible infection, which include:
- Frequent computer crashes without explanation
- Advertisement pop-ups outside of a web browser
- Slower than usual internet access
- Contacts are receiving emails from the employee that the employee did not send
- The computer takes a long time to shut down or does not shut down properly
- Programs take longer than usual to load, then seem to work in fits and starts
Training should also create a culture of notification, not punishment.
Employees afraid to speak up may try to hide or ignore signs of infection, allowing attackers to gain further access into the organization before monitoring tools detect the infection.
In 2017, 59% of the employees hit by a ransomware attack paid the ransoms out of their own pockets. If embarrassment could drive employees to spend $1,400 out of pocket, what are the chances that those employees never tell IT about the malware incidents at all? Uncomfortably high…
Expert-Level Managed Botnet Support
We actively surveil networks for unusual traffic patterns and deploy tools to detect malware infections as early as possible.
However, malware detection is not perfect.
Every employee needs to be part of the solution. If we are notified about strange emails or a computer acting funny, we've got a real shot at limiting the damage. When we all work together, we can prevent small mistakes from becoming huge problems.