Botnets have been around since the early days of the internet and remain one of the world’s most threatening cybersecurity issues. A cyber botnet has only one basic requirement: an internet connection. Once connected, the possibilities of what it can do are as endless as they are scary. But what are botnet attacks anyway? And what can you do about them?
What is a botnet in cybersecurity?
Anytime a network of computers or devices is controlled illegally — without the users’ knowledge — it is known as a botnet attack. More specifically, hackers and cybercriminals use botnets to leverage the combined computing power of several devices at once.
That said, not all bots are malicious. In fact, the internet works smoothly thanks to entirely legal bots often used in connection with Internet Relay Chat. These are simply connected computers performing repetitive tasks to keep websites going.
Who invented botnets?
The oldest botnet dates back to 1988, when Internet Relay Chat (IRC) emerged. IRC is a text-based chat system designed for group communication. In those days, games like Hunt the Wumpus used IRC bots.
By the end of the 1990s, the first search engines had begun using bots to index pages. Online search sites like WebCrawler, AOL, Excite, and the now world-famous Googlebot, created in 1996, were the dominating bots of the time, all working legally.
But as the millennium shifted, malicious bots began to rise. In 2001, EarthLink gained a bad reputation for its spamming practices, sending out billions of emails and becoming responsible for 25% of global spam at the time. By 2006, malicious bots were scaling big time.
How a botnet works
So how do we define botnet malware? The word “botnet” is a combination of the words “robot” and “network,” which precisely describes the nature of a botnet: a robotic network that acts as one.
Many wrongly believe that making a botnet is extremely complicated. Unfortunately, it is not. Cybercriminals usually create botnets by infecting computers, with the most popular method being email phishing campaigns. Users will receive an email and are tricked into auto-installing malware on their computers without their knowledge.
The infection is done in bulk. The bigger the botnet, the more power it has when launching attacks. Once a computer or device is infected, hackers can modify the system so it goes unnoticed and is used at their command. The more advanced botnets can even self-propagate through constant seek-and-infect missions.
Known as botmasters of bot herders, the cybercriminals who control botnets can link any internet-connected devices, from computers to smartphones, IoT devices, smart TVs, smartwatches, and others.
To answer this question, we must ask, what is botnet malware? Botnet malware communicates in the same way legitimate computer programs communicate over the internet. But these ones use a small amount of computer power to avoid detection, and their communications are masked using encryption, access the internet over protocols (like HTTP), and can be coded with algorithms that set their next check-in domain or launch seek-and-infect attacks.
Types and examples of botnet attacks
Botnet networks are created with two structures to launch different types of attacks. The first is a centralized structure where the attacker has a central server that controls all the infected devices. In the second type of structure, attackers create a decentralized network. Each infected device functions as a client and a server, known as a peer-to-peer (P2P) structure. These two types of bot networks can be used to launch the following attacks.
1. Spam botnet attacks
The primary vector of attack in the modern environment is email phishing. This means that the vast majority of attacks work by gaining access to a system through malicious emails. A spam bot network can target a specific organization or may send out millions or even billions of these malicious emails.
A recent example of a spambot is Emotet. About 1.6 million devices make up the Emotet network, which was first detected in 2014. The threat actor behind Emotet is Mummy Spider, which takes month-long pauses between attack operations, during which it perfects the malware and its capabilities with new variants.
To date, authorities have taken down Emotet several times, only to have it return. In January 2021, Europol announced the complete shutdown of the network in a joint operation across the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada, and Ukraine. However, ten months later, Emotet resumed operations.
2. DDoS attacks
Distributed denial of service attacks (DDoS) are the most common use of botnets. These bot attacks overload a server with web traffic created by zombie devices to crash it or prevent other users from accessing the site.
The Meris bot was responsible for some of the most significant attacks of 2021. Comprised of 250,000 bots, Meris broke the record for most powerful DDoS attack — and then broke the record again, all in a single year. Meris works by sending emails to large companies demanding ransom payments as it launches a DDoS attack.
This malicious network can generate a substantial 17.2 million requests per second (rps). It can also target approximately 50 different websites daily, with an average of 104 unique DDoS attacks. Most of Meris’s attacks target sites in China, Australia, and the United States. It targets banks, financial services, crypto providers, gambling and gaming sites, technology industries, and other sectors.
3. Brute force attacks
Hackers can also force its way into a system by repeating combinations of usernames and passwords using bot networks. These “brute force” attacks can bypass two-factor authentication (2FA) and multi-factor authentication (MFA) security features.
There are several historically famous brute force attacks, some of which affected companies known for having robust security. In 2013, a massive brute force attack breached 25,000 Club Nintendo forum members’ accounts. The attack executed 15.4 million login attempts to gain access.
GitHub was also hit by an attack in 2013. Login attempts were executed from about 40,000 different IP addresses. Although GitHub never disclosed the total number of affected accounts, the event is still considered one of the largest in history. And in 2015, more than 21 million Alibaba Group accounts were compromised. In this attack, criminals used a combination of 99 million usernames and passwords to force their way into accounts.
Signs that your computer may be infected with botnet malware
Botnets are good at hiding. They use a low amount of computer resources and can even modify features to conceal themselves better. Here are four signs that can help with detecting botnets.
1. Suspicious computer performance
You might be part of a malicious network if you notice that your computer is acting strangely. For example, if your computer fans suddenly kick in, or if you notice your hard drive is in use or your computer is unexpectedly slow, these may be red flags. Your computer may also crash suddenly, be slow to restart, or fail to shut down.
2. Slow internet
If there’s anything bots are hungry for, it’s an internet connection. If you notice that your internet is slower than usual, not downloading files, failing to upload files, or failing to send out emails and messages, you might consider checking for malware. Remember that bots can infect all devices, even your wireless router, so check to see if it is excessively active.
3. Spam emails and strange messages
Have you recently received one or several suspicious emails or messages asking you to download or click on a file, add extensions, or update your system or programs? This is a clear sign that you should check for malware.
4. Task Manager activity
Open the Task Manager and check for RAM usage and total computer power available. If you see them running at a total 100% capacity, check to see if any strange process is running. It could be part of botnet malware.
5. Failure to update
Botnets will often prevent you from updating your smartphone or your computer. Malware wants to avoid new security updates and patches because it uses existing vulnerabilities as doorways to prevent detection. If your device ever fails to update, always check it for malware.
How to remove botnet malware
You can prevent and even remove malware from your computer in various ways, and these are not as complicated as the consequences of having your device being used to execute massive attacks.
One option is to locate the app or program that should not be running and uninstall it, or even restore your computer. On the other hand, a botnet checker or anti-bot system can be used to prevent malicious bots. The most advanced apps and programs use machine-learning algorithms to detect malicious bots, continually updating data about how bad bots work, and experimenting with new techniques.
To protect your Mac from malware, it’s generally recommended to use an anti-malware monitoring tool. A good option for Mac is CleanMyMac X, powered by Moonlock Engine. The app keeps an eye out for potential threats and will warn you when it finds anything suspicious.
Prevention is always the best defense. Always have your computer updated with your firewall turned on, only download trusted files and apps, and avoid suspicious messages from unknown sources. Botnets utilize computers, smartphones, and other devices like the ones you use every day, controlled by cybercriminals who use them to drive a global security crisis. Don’t let your device become part of this type of network.