Botnet malware: What it is and how to fight it

Malware or malicious computer code has been around in some form or other for over 40 years, but the use of malware to take control of a group of computers that are then organized into something called a botnet is more a twenty-first century phenomenon. Botnets have been responsible for some of the most costly security incidents experienced during the last 10 years, so a lot of effort goes into defeating botnet malware and, when possible, shutting botnets down.

Recently, I had a chance to interview someone who spends a lot of time battling botnets: ESET Security Intelligence Program Manager, Pierre-Marc Bureau. I asked him to explain what botnets are, the threats they pose, and how to defend against botnet malware.

What is a botnet, how does it work and how does it spread?

The word botnet is made up of two words: bot and net. Bot is short for robot, a name we sometimes give to a computer that is infected by malicious software. Net comes from network, a group of systems that are linked together. People who write and operate malware cannot manually log onto every computer they have infected, instead they use botnets to manage a large number of infected systems, and do it automatically. A botnet is a network of infected computers, where the network is used by the malware to spread.

How can you find out that your computer is part of a botnet? Does it have any impact on system performance?

When a computer becomes part of a botnet, it can be instructed, among other things, to send spam or make queries to overload a website(s). These behaviors might be visible to the user who has less limited bandwidth available to use for the Internet.

A user can find out if his/her computer is infected through various tools. The most typical would be to use a good anti-malware product. For more tech-savvy users, using a diagnostic tool like ESET SysInspector or simply looking at which processes are running on a computer and which programs are installed might reveal the presence of a botnet malware infection. However, sometimes it’s not that easy to determine a botnet’s presence.

Who is behind botnets and what are botnets used for?

Botnets are used by malicious actors for various purposes, ranging from information theft to sending spam. As with everything else, the more resources you have, the faster you get results. Various types of people operate botnets. Criminal gangs use them to steal banking credentials and commit fraud; pranksters use them to spy on webcams and extort their victims.

What is the role of a Command-and-Control server in the botnet? Does bringing it down result in bringing down the whole botnet?

What we call a command and control server (sometimes called C&C or C2) is the central server that is used to connect infected computers together. With most botnets, shutting down the command and control server means bringing down the whole botnet.

There are exceptions, however. The first one is botnets that use peer-to-peer networks to communicate, meaning there is no command and control server to bring down. The second exception is a case we are seeing more and more often: botnets that use many command and control servers. These servers are located in different countries and jurisdictions, making it very hard to bring them all down at the same time.

What are the biggest risks for home users and businesses with regards to botnets?

The risks associated with botnets are exactly the same as the risks associated with malicious software in general. The risks are varied; one can have sensitive information stolen from the electronic device, such as intellectual property, blueprints, or passwords giving access to sensitive resources (for example online games). Infected computers can also be used to overload servers or send spam.

It is important to understand that once a computer is infected, it really doesn’t belong to its owner anymore; it is operated and used by someone who can be on the other side of the globe, potentially conducting all kinds of illegal activities.

Who is more endangered by botnets – businesses or home users?

The line between corporate and personal devices and networks is very blurry. We all bring personal devices to work and vice-versa. I would say that botnets are a threat to both types of users. Usually, corporate networks have stricter security and monitoring; identifying and stopping botnet attacks should be easier in these types of networks. On the other hand, there is more sensitive data to be stolen from corporate networks.

Is there any specific type or group of users that is more vulnerable than the rest?

Not really; there are various types of malware, each of which may be used to target a different group of users.

Historically, what are the best known botnets, the biggest and the worst?

Conficker is probably the botnet that has received the most attention and it is certainly one of the biggest in history, with millions of hosts infected very quickly. This attracted attention from the research community which quickly organized a task force to fight it. As a result, the botnet was never used by its operators. Other significant botnets include Storm which was mainly used to send spam and TDSS (also called Alureon) which had a rootkit component that proved to be hard to clean.

Has ESET discovered anything big in botnets this year?

Yes, our investigation into Operation Windigo resulted in one of ESET’s biggest botnet research projects ever. Our research team uncovered a network of infected servers employed to redirect users to malicious web content, steal credentials, and send spam. We discovered that over the last few years more than 25,000 servers had been infected. At the time of writing our report, more than 10,000 servers were still infected. (Editor: You can download the award-winning research paper on Windigo here.)

What operating system does a bot usually run? Have you seen any botnets on Mac, Linux, or Android?

We have seen malicious software being created for all major operating systems. Regrouping infected devices into networks, or botnets, is feasible for every platform. An example is the Flashback malware, which infected hundreds of thousands of Mac devices.

What is the most effective approach to fighting botnets?

From a technological perspective, there are various ways to fight botnets, starting with anti-malware. We can spot infections in network traffic, in the memory of infected computers or on their hard drive. On the other hand, I think the most effective approach to fighting botnets is education, by raising the awareness around this threat. We need to help everyone realize that if their computer is infected, it might be used to harm others. Thus, whenever an infected computer is found, it needs to be taken offline and cleaned as quickly as possible. Finally, collaboration between users, research groups, internet service providers and law enforcement agencies greatly helps in fighting botnets and bringing the people who operate them to justice.
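One way to put the network-traffic detection mentioned in this answer into practice, as an added example (not ESET's code or a tool from the interview): a small Python script over constructed outbound connection records that flags hosts contacting one address at a fixed interval (the timer-driven check-ins of a command and control channel) and hosts opening SMTP sessions to many distinct mail servers (a spam run). The thresholds, host names and addresses are assumptions chosen for the sample.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of outbound connection records: (seconds, src, dst, dport).
# 10.0.0.2 browses normally; 10.0.0.5 contacts one external address every ~60 s
# (C2 check-in); 10.0.0.9 opens SMTP sessions to 30 different mail servers.
FLOWS = (
    [(0, "10.0.0.2", "192.0.2.10", 443), (41, "10.0.0.2", "192.0.2.20", 443),
     (300, "10.0.0.2", "192.0.2.10", 443), (900, "10.0.0.2", "192.0.2.20", 443)]
    + [(60 * i + (i % 2), "10.0.0.5", "203.0.113.7", 8080) for i in range(10)]
    + [(100 + i, "10.0.0.9", f"198.51.100.{i}", 25) for i in range(30)]
)

def find_beaconing(flows, min_hits=6, max_cv=0.1):
    """Flag (src, dst, dport) tuples contacted at near-constant intervals."""
    by_key = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_key[(src, dst, dport)].append(ts)
    hits = []
    for key, stamps in by_key.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Low jitter relative to the period (coefficient of variation) points to a
        # timer firing inside a process, not to a person clicking around.
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((key, round(avg, 1)))
    return hits

def find_spam_senders(flows, min_targets=20):
    """Flag sources opening SMTP (port 25) connections to many distinct hosts."""
    targets = defaultdict(set)
    for _, src, dst, dport in flows:
        if dport == 25:
            targets[src].add(dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}

if __name__ == "__main__":
    for (src, dst, dport), period in find_beaconing(FLOWS):
        print(f"beaconing: {src} -> {dst}:{dport} every ~{period}s")
    for src, n in find_spam_senders(FLOWS).items():
        print(f"possible spam bot: {src} contacted {n} mail servers on port 25")
```

On real flow or proxy logs, tune `min_hits` and `max_cv` to the environment and combine both signals with endpoint findings before taking a host offline.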
