- Thread Author
- #1
Botnet - computer network of devices infected with malware. The term consists of the parts of the English words "robot" and "network".
In this context, a bot is usually called a device (computer, smartphone) controlled by a hidden program that receives commands from its owner via the Internet. Botnets are used for DDoS attacks, brute-force password guessing, mining bitcoins or other cryptocurrencies, and spreading spam. IoT devices can also be bots: for example, the well-known Mirai botnet consists of them.
Due to the fact that an infected device executes any instructions of the attacker, it is often called a zombie machine, and a botnet, accordingly, is called a zombie network. The infiltration of malicious programs can happen if the user is not vigilant: cybercriminals disguise them as useful software. Also, a bot-agent can inject itself through the vulnerability of any software, by brute-force password detection for shared network resources. In rare cases, it is installed during open access to the computer.
Malicious programs for organizing botnets run independently on the device and are protected from deletion. The protection mechanism consists in using unconventional startup methods, replacing system files, rebooting the machine when accessing the automatic boot keys. Agents mimic system processes, they can use two processes that restart each other.
A botnet has huge computing resources and brings tangible profits to cybercriminals. An attacker can anonymously control infected computer devices from anywhere in the world.
Botnet classification
Botnets are classified by architecture and network protocol.
From an architectural point of view, botnets with a control center and decentralized ones can be distinguished. In the first case, all computers are united around one control center (Command & Control Center, C&C). This is the most common variety. The center waits for responses from bots, records them, distributes instructions that are determined by the owner. Sometimes an attacker creates several centers in case they are disabled or blocked. Zombie networks of this type are easy to create and manage, react more quickly to commands, but it is also somewhat easier to fight them than with other types of botnets: it is enough to destroy the command center and the network collapses. However, the task may become more complicated due to the migration of centers or traffic encryption.
Decentralized malicious networks are also called P2P botnets, from the English term "peer-to-peer", which means point-to-point connection. In such systems, bot agents do not connect to the control center, but to a certain number of other infected computers. Having received the command, the malware passes it on to the next machine, and this is how the instructions are propagated throughout the zombie network. Thus, a cybercriminal can control all infected computers through any botnet site. A network of this type is less convenient to operate, but due to the lack of a center, it is also more difficult to deal with it.
The classification of zombie networks by protocols is explained by the interaction between the machine issuing the command and the computers of the victims. It is built on network protocols that determine the order of communication between nodes. On this basis, botnets are divided into four groups.
The first group includes IRC-oriented zombie networks. They are characterized by connecting each infected device to the IRC server, moving to the specified channel and waiting for the owner's command. The second group is made up of networks using IM channels. The need to create a separate account for each node reduces the popularity of such botnets. The third group is web-oriented botnets, where computers are controlled through the World Wide Web. They are easy to develop, there are many web servers on the Internet, and they are very easy to manage for these reasons, such malicious networks are in demand. The fourth group should include other types of systems with their own, non-standard protocols.
Object of influence
The objects of influence of botnets are government agencies and commercial companies, ordinary Internet users. Cybercriminals use bots to achieve goals of different content and size. For example, the simplest and most popular and profitable use of botnets is spamming. The owner of the zombie network does not always do this himself: often spammers rent a botnet.
Botnets are also used to carry out DDoS attacks. The attacked server cannot cope with the streams of requests from infected computers and stops, users cannot access it. In order to restore the operation of the web resource, the attackers demand to pay a ransom. Cyber blackmail of this kind is very common, since today all companies actively use the Internet to conduct business, and some organizations work only through the World Wide Web. Also, owners or tenants of botnets can use DDoS attacks for political actions or provocations. Government, state, military and other organizations become targets of bot attacks.
Botnets are used to mine bitcoins. Penetrating into the user's computer, the bot-agent uses the machine's resources for its own purposes. The more infected devices, the more currency the attacker "mints". GPU power can be used while the computer is idle, so the presence of malicious activity is not immediately noticed.
Botnets are also used for anonymous access to the Internet in order to hack websites, transfer money. They are also actively used to steal classified information. The advantage of a zombie network over other malicious agents is the ability to collect information from a huge number of computers at the same time. This information is often sold or exploited to expand a botnet.
Source of threat
Bot agents are created by cybercriminals, for example, to steal. Typically, hackers steal access data to a particular system in order to obtain monetary gain or some other personal benefit. Zombie networks are used by representatives of illegal businesses to promote their goods and services.
The most dangerous group of developers of such programs are organized cybercriminals who use infected networks for attacks, stealing data and money, sending advertisements, blackmail, provocations, etc. In addition, they form botnets for sale and rent.
Risk analysis
Statistics show that a huge number of various computer devices are part of botnets. The consequences of infecting a computer with a bot agent may vary depending on the botnet owner and the goals he pursues. The most notable activities of the zombie network are DDoS attacks. The danger of infected networks is also growing because their creation becomes easier every year, new ways of introducing malicious programs are found, which means that new botnets appear and the existing ones expand.
In early March 2017, researchers discovered a vulnerability in the security system of DVR and surveillance cameras of the Chinese company Dahua. This meant that devices could easily turn out to be executing commands of attackers. Read more about this in the article "Chinese cameras and DVRs can become part of botnets."
Despite the scary statistics, you can protect your computer. This requires:
It is also helpful to monitor device activity. If it is working hard during idle time or is transferring too much data, then it is possible that there is a malicious agent on it.
In this context, a bot is usually called a device (computer, smartphone) controlled by a hidden program that receives commands from its owner via the Internet. Botnets are used for DDoS attacks, brute-force password guessing, mining bitcoins or other cryptocurrencies, and spreading spam. IoT devices can also be bots: for example, the well-known Mirai botnet consists of them.

Due to the fact that an infected device executes any instructions of the attacker, it is often called a zombie machine, and a botnet, accordingly, is called a zombie network. The infiltration of malicious programs can happen if the user is not vigilant: cybercriminals disguise them as useful software. Also, a bot-agent can inject itself through the vulnerability of any software, by brute-force password detection for shared network resources. In rare cases, it is installed during open access to the computer.
Malicious programs for organizing botnets run independently on the device and are protected from deletion. The protection mechanism consists in using unconventional startup methods, replacing system files, rebooting the machine when accessing the automatic boot keys. Agents mimic system processes, they can use two processes that restart each other.
A botnet has huge computing resources and brings tangible profits to cybercriminals. An attacker can anonymously control infected computer devices from anywhere in the world.
Botnet classification
Botnets are classified by architecture and network protocol.
From an architectural point of view, botnets with a control center and decentralized ones can be distinguished. In the first case, all computers are united around one control center (Command & Control Center, C&C). This is the most common variety. The center waits for responses from bots, records them, distributes instructions that are determined by the owner. Sometimes an attacker creates several centers in case they are disabled or blocked. Zombie networks of this type are easy to create and manage, react more quickly to commands, but it is also somewhat easier to fight them than with other types of botnets: it is enough to destroy the command center and the network collapses. However, the task may become more complicated due to the migration of centers or traffic encryption.
Decentralized malicious networks are also called P2P botnets, from the English term "peer-to-peer", which means point-to-point connection. In such systems, bot agents do not connect to the control center, but to a certain number of other infected computers. Having received the command, the malware passes it on to the next machine, and this is how the instructions are propagated throughout the zombie network. Thus, a cybercriminal can control all infected computers through any botnet site. A network of this type is less convenient to operate, but due to the lack of a center, it is also more difficult to deal with it.
The classification of zombie networks by protocols is explained by the interaction between the machine issuing the command and the computers of the victims. It is built on network protocols that determine the order of communication between nodes. On this basis, botnets are divided into four groups.
The first group includes IRC-oriented zombie networks. They are characterized by connecting each infected device to the IRC server, moving to the specified channel and waiting for the owner's command. The second group is made up of networks using IM channels. The need to create a separate account for each node reduces the popularity of such botnets. The third group is web-oriented botnets, where computers are controlled through the World Wide Web. They are easy to develop, there are many web servers on the Internet, and they are very easy to manage for these reasons, such malicious networks are in demand. The fourth group should include other types of systems with their own, non-standard protocols.
Object of influence
The objects of influence of botnets are government agencies and commercial companies, ordinary Internet users. Cybercriminals use bots to achieve goals of different content and size. For example, the simplest and most popular and profitable use of botnets is spamming. The owner of the zombie network does not always do this himself: often spammers rent a botnet.
Botnets are also used to carry out DDoS attacks. The attacked server cannot cope with the streams of requests from infected computers and stops, users cannot access it. In order to restore the operation of the web resource, the attackers demand to pay a ransom. Cyber blackmail of this kind is very common, since today all companies actively use the Internet to conduct business, and some organizations work only through the World Wide Web. Also, owners or tenants of botnets can use DDoS attacks for political actions or provocations. Government, state, military and other organizations become targets of bot attacks.
Botnets are used to mine bitcoins. Penetrating into the user's computer, the bot-agent uses the machine's resources for its own purposes. The more infected devices, the more currency the attacker "mints". GPU power can be used while the computer is idle, so the presence of malicious activity is not immediately noticed.
Botnets are also used for anonymous access to the Internet in order to hack websites, transfer money. They are also actively used to steal classified information. The advantage of a zombie network over other malicious agents is the ability to collect information from a huge number of computers at the same time. This information is often sold or exploited to expand a botnet.
Source of threat
Bot agents are created by cybercriminals, for example, to steal. Typically, hackers steal access data to a particular system in order to obtain monetary gain or some other personal benefit. Zombie networks are used by representatives of illegal businesses to promote their goods and services.
The most dangerous group of developers of such programs are organized cybercriminals who use infected networks for attacks, stealing data and money, sending advertisements, blackmail, provocations, etc. In addition, they form botnets for sale and rent.
Risk analysis
Statistics show that a huge number of various computer devices are part of botnets. The consequences of infecting a computer with a bot agent may vary depending on the botnet owner and the goals he pursues. The most notable activities of the zombie network are DDoS attacks. The danger of infected networks is also growing because their creation becomes easier every year, new ways of introducing malicious programs are found, which means that new botnets appear and the existing ones expand.
In early March 2017, researchers discovered a vulnerability in the security system of DVR and surveillance cameras of the Chinese company Dahua. This meant that devices could easily turn out to be executing commands of attackers. Read more about this in the article "Chinese cameras and DVRs can become part of botnets."
Despite the scary statistics, you can protect your computer. This requires:
- use effective anti-virus protection,
- timely update the operating system and all applications,
- use an encryption program when transferring personal data,
- observe general reasonable precautions when using the Internet.
It is also helpful to monitor device activity. If it is working hard during idle time or is transferring too much data, then it is possible that there is a malicious agent on it.