What is a Botnet & How to Prevent Your PC From Being Enslaved
Is your computer used to attack others? Everything you need to know about botnets and zombies
Has your computer been acting weird lately?
Running slower than usual, to the point of crawling like a boa constrictor after lunch?
Any inexplicable error messages, popping out randomly?
Or your fan going into overdrive out of nowhere, even though your PC is supposed to be idle?
Not that we want to alarm you, but there’s a slight possibility that your computer was turned into a zombie.
Don’t take it literally, this doesn’t mean that it will wake up at night and kill you in your sleep, while streaming Michael Jackson’s “Thriller”. “Zombie computers” is the term used when an attacker takes control of your computer, without your knowledge, and it either steals your data, or makes your computer do things that it normally shouldn’t, like send out spam. Or, most likely, do both: steal your sensitive information AND attack other computers.
A zombie computer is similar to a traditional Trojan horse. The difference between the two is that, instead of only installing a keylogger and stealing your personal data (which it might do anyway), zombies will work with other zombies, forming what is called a “botnet” (or “zombie army”).
The term “botnet” comes from combining the words “robot” and “network”. Botnets are entire networks of computers controlled and instructed to do a bunch of things, such as:
And all this can happen without you having even the slightest idea about it.
As you are aware, a single piece of malware can cause enormous damage. Now imagine what an army of millions of computers can do through coordinated attacks.
And the worst part is that your computer can be recruited into a botnet as easy as 1-2-3. All it takes is a browser plugin update you just keep postponing. Or clicking on a link when you don’t know where it leads. And with our busyness and an attention span that’s shorter than a goldfish’s, the odds are forever in the cybercriminals’ favor.
Now we wouldn’t want to cause an unnecessary paranoia outbreak, so please keep on reading in order to find out about:
1. The abilities that botnets have;
2. How cybercriminals create and grow botnets;
3. How your computer can be recruited into one;
4. How to prevent that from happening;
5. How and what to check if it’s too late and you’re part of a botnet.
1. The abilities that botnets have
Fun fact: if you have been using the internet since the late ‘90s / beginning of the 2000s, you most likely remember mIRC, the popular chat program. mIRC was actually using harmless botnets – like all other Internet Relay Chat text messaging programs, for that matter.
However, most of the botnets are created for malicious purposes.
Botnets can be used to:
1. Send out spam emails – if a spammer has access to a botnet, sending spam is very cost effective and costs them close to nothing.
From research dating back to 2012 (imagine how low these prices are now, after 4 years):
“If you want to buy a botnet, it’ll cost you somewhere in the region of $700 (£433). If you just want to hire someone else’s for an hour, though, it can cost as little as $2 (£1.20)”
2. Launch a Distributed Denial of Service Attack (DDoS) on a website, company, government etc. – this happens by sending so many requests for content that the server cannot cope and it drowns (aka goes offline). Even very large websites struggle to remain online when botnets target their servers.
Because malware and infrastructure dedicated to cyber crime have become commercially available, costs have decreased and allowed more attackers to gain access to these types of services.
“The average cost to rent-a-botnet for an hour each month through a DDoS subscription package is around $38, with fees as low as $19.99.”
3. Commit advertising fraud: Computers all around the world can generate fake clicks on ads – this helps scammers raise serious amounts of money. According to a recent report by the Association of National Advertisers, marketers all over the world could lose up to $7.2 billion this year because of it.
4. Keep phishing websites active and frequently change their domains to remain anonymous and undetected by law enforcement.
5. Distribute malware, ransomware or spyware. Besides the direct financial damage incurred, this can also expand the botnet further.
Short (moral) story: Zeus was one of the most powerful pieces of financial malware on the internet: a ready-to-deploy botnet for cyber attackers. Its primary function was to steal online credentials, especially banking related ones.
“Zeus is very difficult to detect even with up-to-date antivirus and other security software as it hides itself using stealth techniques. It is considered that this is the primary reason why the Zeus malware has become the largest botnet on the Internet: some 3.6 million PCs are said to be infected in the U.S. alone.”
Another recent ransomware family that has been causing damage, called Locky, also enrolls the affected PC into a botnet.
Botnets have become so large and distributed across the world that they can be very challenging to take down. It takes a lot of effort from many cooperating parties in order to bring down a large botnet.
Here’s another recent example: the Simda botnet infected more than 770,000 computers in over 190 countries (among them: US, UK, Canada, Russia, Turkey). It was active for years and was used to distribute pirated software and different types of malware, including malware that steals financial credentials. Creators of those specific malware types simply rented Simda from its creators and paid them a fee for every attack. Last year, Kaspersky researchers published an interesting blog article explaining the effort needed to take Simda down:
“A simultaneous take-down of 14 command and control servers of the Simda botnet located in the Netherlands, US, Luxembourg, Russia and Poland was carried out on Thursday, April 9th.
The list of organizations involved in this shut down operation perfectly illustrates its complexity. INTERPOL, Microsoft, Kaspersky Lab, Trend Micro, Cyber Defense Institute, FBI, Dutch National High-Tech Crime Unit (NHTCU), Police Grand-Ducale Section Nouvelles Technologies in Luxembourg, and Russian Ministry of the Interior’s Department ‘K’ were working together to counteract the cybercriminals.”
2. How cybercriminals create and grow botnets
We can sum it up in one word that covers it all: malware. Cybercriminals will do anything to trick you into downloading and executing the malicious code that recruits your computer to their botnet.
They will lure you into a drive-by download. They will exploit vulnerabilities in websites and software, such as your browser’s outdated plugins. They will trick you into clicking on links or opening malicious email attachments. We’ll come back to these later on.
Once executed, the malicious code will use the internet to make contact with the control computer, the one that operates the botnet (it’s also called a Command & Control server). Your computer will remain idle, except for periodically checking for instructions from the control computer.
In the meantime, the one pulling the strings will focus on recruiting more computers to the initial botnet. As they don’t appear to be doing anything, the botnet could contain even hundreds of thousands of zombie computers without raising suspicions.
The cybercriminals who operate the botnet will most likely sell it or rent time on it – kind of like subcontracting. Sooner or later, they will issue a command through the Command & Control server, and the botnet will wake up and launch an attack.
3. How your computer can get recruited into a botnet
As we said earlier, the most common method for recruiting computers into a botnet is through malware. The owners of the botnet will do anything to get the malicious bot code onto your computer. There are a few ways they can achieve this:
1. Email: Attackers will send you emails that contain malicious attachments or links to websites they control, where malicious code is hosted. Locky, the recent ransomware that also recruits your PC into a botnet, was distributed via a massive email spam campaign.
2. Social networks / Messaging apps: Similar to emails – they’ll trick you into clicking on links that you received on a social network.
3. Drive-by downloads: These work by exploiting vulnerabilities in your web browser, browser plug-ins or add-ons. Other times, the attackers will trick you into downloading the malicious software yourself, without you fully understanding what it does. For example, while visiting a legit website, you’ll see a pop-up that says your computer was infected and prompts you to download antivirus protection that’s actually malware.
4. How to prevent your computer from becoming part of a botnet
It’s easier to prevent your computer from being infected and becoming part of a botnet in the first place than it is to detect it when it’s too late and try to save it.
So here are the basic rules that you should follow to avoid becoming part of a botnet:
1. Don’t click on any suspicious links that you’re not sure / don’t know where they lead – not even the ones you received from friends or family or social network buddies. Their accounts might have been compromised, so it’s safer to be patient and ask them what it’s all about, before rushing into clicking on the links.
2. Do not download any attachments that you never requested.
3. You need good antivirus and antispyware software, installed from a reputable source. Avoid online ads that tell you your computer was infected – these are malware in disguise.
4. If you already have antivirus and antispyware software, check to see if they are activated, patched and up-to-date. Do a full, in-depth scan with the antivirus. Sometimes, a bot code will deactivate your antivirus.
5. Also make sure that your firewall is on. Set it to the maximum security level – this will require all applications seeking internet access to notify you, enabling you to track incoming and outgoing traffic.
6. Keep all your software up to date, especially your browser, Adobe Flash, Adobe Reader and Java. These are the most vulnerable ones – and also the most exploited by cyber criminals to recruit computers into botnets. Updating apps can lock out 65% of attack vectors that target your apps, so don’t disregard this very important proactive security measure (which is also completely FREE).
5. How to check if you’re part of a botnet
Is your computer or internet connection running slower than normal?
Did your computer start behaving erratically? Does it crash frequently? Do you receive unexplained error messages?
Did the fan kick into overdrive when your computer is idle?
Did you notice unusual internet activity (like high network usage)?
Does your browser close frequently and unexpectedly?
Does your computer take a long time to start or shut down, or fail to shut down properly?
These can indicate that a program is running without your knowledge and using a fair amount of resources.
The next step would be to check the Task Manager – see what’s going on in there. You can also disconnect from the Internet and see if there are any differences.
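The periodic check-in described in section 2 (the bot quietly polling its Command & Control server for instructions) is also what makes a bot stand out in your own connection logs: human browsing is bursty, a bot on a timer is not. The script below is an added example, not part of the original article, that flags destinations contacted at near-constant intervals; the log format and the two destinations in it are constructed for the demonstration, and the thresholds (at least 5 connections, jitter of 10% or less) are assumptions you would tune to your own traffic.

```python
"""Flag beacon-like periodic outbound connections in a connection log."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real traffic): "timestamp dest_ip:port" per line.
# 203.0.113.7:8080 is contacted every ~5 minutes; 198.51.100.20:443 is irregular.
SAMPLE_LOG = """\
2016-04-10T10:00:00 203.0.113.7:8080
2016-04-10T10:00:31 198.51.100.20:443
2016-04-10T10:05:00 203.0.113.7:8080
2016-04-10T10:07:12 198.51.100.20:443
2016-04-10T10:10:00 203.0.113.7:8080
2016-04-10T10:15:01 203.0.113.7:8080
2016-04-10T10:18:40 198.51.100.20:443
2016-04-10T10:20:00 203.0.113.7:8080
2016-04-10T10:25:00 203.0.113.7:8080
2016-04-10T10:41:05 198.51.100.20:443
"""

def parse_log(text):
    """Return {destination: [datetime, ...]} from 'timestamp host:port' lines."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, dest = line.split()
        conns[dest].append(datetime.fromisoformat(ts))
    return conns

def beacon_candidates(conns, min_connections=5, max_jitter=0.1):
    """Return {destination: average_period_seconds} for timer-like contacts.

    jitter = stdev(interval) / mean(interval). A bot polling its C2 on a
    fixed schedule keeps this close to zero; normal browsing does not.
    """
    found = {}
    for dest, times in conns.items():
        if len(times) < min_connections:
            continue  # too few contacts to judge a pattern
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else 0.0
        if jitter <= max_jitter:
            found[dest] = round(avg)
    return found

if __name__ == "__main__":
    for dest, period in beacon_candidates(parse_log(SAMPLE_LOG)).items():
        print(f"{dest}: contacted every ~{period}s, check what process owns it")
```

A flagged destination is a lead, not a verdict: software updaters and mail clients poll on timers too, so match the destination against the process in Task Manager before deciding.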
Of course, all these could also indicate that your fan is full of dust and it just needs to be cleaned. Or that your computer is obsolete and needs an upgrade.
However, if this is not the case and you discover that your computer is part of a botnet, the standard advice would be to wipe it all out. Format it and reinstall the operating system.
In order to minimize any potential damage, make sure that you always backup all your important files and folders. This is a piece of advice most people ignore, but I know you know better than that.
Botnets are a much bigger problem than we can imagine. Both in terms of size and impact, because the sheer numbers and possibilities will make you gasp for air.
This infrastructure gives cyber criminals the possibility to expand their reach, launch powerful attacks and cause irreparable damage. And that’s something that every Internet and computer user can prevent, by taking the necessary security measures.
And remember this: if malicious code to recruit your computer into a botnet can get in, so can ransomware, financial malware and other threats.