What is the term used for a threat actor who controls multiple bots in a botnet?

A botnet is a swarm of infected devices that a bot-master uses to attack a server, company website, or other devices.

Chiradeep BasuMallick Technical Writer

Last Updated: May 20, 2022



A botnet is a cyberattack that uses multiple networked devices to run one or more bots on each device and then uses this swarm of infected devices to attack a server, company website, other devices, or individuals. This article explains the meaning of botnets, their different types and attack techniques, and best practices to protect against botnet-driven cybercrime.

Table of Contents

  • What Is a Botnet?
  • Types of Botnets
  • Common Botnet Attack Methods
  • Preventing Botnet Attacks: Top Best Practices for 2022

What Is a Botnet?

A botnet is defined as a cyberattack that uses multiple networked devices to run one or more bots on each device and then uses this swarm of infected devices to attack a server, company website, or other devices or individuals. 

Figure: How a Botnet Attack Works

A botnet (the abbreviated form of “robot network”) is a network of malware-infected computers controlled by a single attacking party known as the bot-master. Another threat actor called the bot-herder converts the swarm’s components into bots. 

Typically, the bot herder hijacks a network of computer systems to create a botnet, which is then used to execute various types of cyberattacks such as scams, brute force attacks, and malware campaigns. A bot-master then directs the group of hacked computers using remote commands. After assembling the bots, the herder uses command programming to control their other behaviors and helps the bot-master fulfill the ultimate objective. 

The operator in command of the botnet may have set up the swarm or could be renting it from another third party with access to the devices. Each malware-infected endpoint device that is taken over is referred to as a zombie computer or bot. These devices function blindly in response to commands programmed by the bot herder but often without the user’s notice.  

The majority of botnets are designed to be simple to manage and control. They allow a single computer to take over many infected systems through a command and control or “C&C” server operated by the herder. These botnets accomplish a variety of malicious tasks, including gaining control of the victim’s computer, stealing data, spying on user activity by recording keystrokes or collecting photos, sending spam messages, and executing distributed denial-of-service (DDoS) assaults. A botnet’s functionalities include: 

  • Controlling only one machine based on its IP address: The botnet is managed via Internet Relay Chat (IRC) channels and a specialized software client to target only one victim. The IRC channel hosts bots, comprising blocks of computer code that may be programmed to perform tasks in certain scenarios, triggered by specific events. The botnet is simple to build and run since it does not need any infrastructure. Cybercriminals may employ single-machine botnets for illicit operations such as opening backdoors on the victim’s PC.
  • Using the IRC protocol to command multiple machines: The IRC network has become the main method for bot-masters and bot-herders to control bots. It enables them to rapidly enroll infected computer systems globally into a single group, using approaches such as: 
    • Scanning of ports
    • Scanning for vulnerabilities
    • Scanning for exploits

This functionality allows the botnet to participate in large-scale security attacks.

  • Controlling more than one computer with remote administration tools (RATs): A remote access tool (RAT) enables the threat actor to remotely manipulate one or more systems. RATs are rogue applications that may be installed on the victim’s machine without their permission or notice. Fake software update websites, Trojans, spyware, keyloggers, and other malware are routinely utilized alongside RATs. They are placed on each system in the botnet and let the attacker gain control of it from a remote location. 
  • Using IP addresses to launch distributed denial-of-service (DDoS) attacks: The botnets are managed via IRC to support unique commands that trigger DDoS assaults against their targets. When one of these bots gets a command from the attacker, it assaults the victim’s web server, network, or any other associated computer network. Hackers may lease the botnet on several internet forums to anybody who wants to commit a DDoS attack without exposing their identity.


Types of Botnets 

While the purpose of all botnets is the same (i.e., use one or more computers remotely to launch a large-scale and hard-to-trace attack), different types of botnets approach this objective in different ways. Some of the most commonly used types of botnets include:

Figure: Types of Botnets

1. Botnets using internet relay chat 

An internet relay chatbot (IRC bot) is an application that automates tasks and interactions in an IRC chat room or channel, appearing to be a real user. While IRC chatbots can be legitimate, the technology is often exploited to carry out botnet attacks. 

Botnet owners (i.e., bot herders and bot-masters) often use IRC to send directives to the swarm’s component machines. This may be carried out in a single channel, a public IRC chain, or an independent IRC server. A “command and control” (C&C or C2) server is the IRC server that contains the channel(s) used to control bots. IRC bots are often deployed as separate hosted and independent software by the chat room or channel administrator. The device with the IRC bot installed can now be controlled via commands relayed through the IRC channel. 

2. Automated botnets 

These botnets operate autonomously, with no human intervention or control. They infect victims and consume their resources, such as the local CPU and network bandwidth, to launch DDoS assaults at the hacker’s command. This specific type or category of botnets is designed in a manner that is difficult to detect, even if one uses antivirus protection.

3. HTTP botnets

Hypertext transfer protocol (HTTP) botnets are web-based botnets. The bot herder delivers instructions via the HTTP protocol, and the bots poll the server for new updates and actions. Because the traffic is ordinary HTTP, the herder can camouflage the activity as regular internet traffic and evade existing detection methods such as desktop firewalls.

4. P2P Botnets 

A P2P network, also known as a peer-to-peer network, is a computer network in which two or more computers are linked and share resources (such as content, storage, and CPU cycles) through direct exchange rather than going through a server or authority that administers centralized resources. 

P2P botnets are more difficult to set up than IRC or HTTP botnets. However, they are more resilient since they are not dependent on a centralized server. Instead, each bot functions as both client and server, generating and sharing information with other botnet devices. The attacker does not have to configure a specific server for this sort of system architecture. However, they retain total control over the nefarious actions performed by compromised devices.

5. Manual botnets

Some bad actors may prefer manual botnets over fully autonomous ones when performing an attack on another party due to the superior control they provide. When directed by the attacker, these tools may be used to start an attack from any compromised machine. Some botnets may even receive updates to their malicious code from a remote repository. On the plus side, owing to the human interaction required, they may be simpler to detect and track.

6. Backdoor botnets

On a computer, network, or software program, a backdoor is any technique by which both authorized and unauthorized users may defeat standard security measures to get high-level user access (also known as root access). Once inside, hackers may pilfer personal and financial information, run other software, and control linked devices. Backdoor botnets use compromised machines to corrupt other devices and add these to a collection of bots that the perpetrator may command.

7. Spam-sending botnets

These types of botnets are programmed to send millions, if not billions, of unwanted spam messages to their intended recipients from infected devices all over the globe. Spambots gather email addresses from online forums, websites, guestbooks, and other locations where the target may have provided their email address. 

These types of botnets are controlled and commanded by a bot-master for remote process execution. Botnets are often installed on compromised devices through several methods of remote code installation. To avoid identification by investigators and law enforcement, the bot-master will frequently conceal their identity using proxies, The Onion Router or Tor network, and shells. To enable control remotely, the bots are set up to authenticate command and control stations using a password and keys. 

In some circumstances, botnets are shared and operated by multiple bot-masters. It is also common for one bot-master to steal the credentials of, and take control of, another bot-master’s botnet.


Common Botnet Attack Methods

While botnets may be deemed an attack unto itself, they are an ideal instrument for conducting large-scale frauds and cybercrimes. The following are examples of popular botnet attacks: 

Figure: Common Botnet Attack Methods

1. Distributed denial of service (DDoS)

A DDoS assault occurs when botnets flood a targeted application or server with requests, causing it to crash. Network-level DDoS assaults include techniques like synchronization code or SYN floods in a TCP connection, user datagram protocol (UDP) floods, and domain name system (DNS) amplification. The objective is to deplete the target’s bandwidth, preventing valid requests from being processed.

In contrast to network-level attacks, application-layer DDoS uses Slowloris attempts, HTTP floods, zero-day strikes, R-U-Dead-Yet (RUDY) attacks, and other techniques that target vulnerabilities in an operating system, protocol, or application to make it collapse.

2. Sniffing and keylogging botnet attacks

Keylogger attacks are one of the most traditional types of cyber threats. A keylogger reads and logs keystrokes and can recognize patterns to help attackers quickly locate passwords. Malware, USB sticks, and software and hardware vulnerabilities are all ways for keyloggers to infiltrate. Similarly, sniffing helps threat actors illegally extract information – but instead of monitoring keystrokes, it captures network traffic through packet sniffers. Botnets installed on a computer can carry out sniffing and keylogging and obtain vast amounts of user data. 

3. Botnet-driven phishing

Botnets can be used to spread malware through phishing emails. Phishing is a social engineering attack commonly used to obtain user information, such as login credentials and credit card details. It happens when an attacker poses as a secure entity and tricks the victim into opening an email, instant message, or text. The recipient is duped into clicking a malicious link, resulting in malware installation, system freeze, ransomware assault, or the exposure of sensitive information. When botnets carry out phishing campaigns, they become challenging to trace. 

4. Large-scale spam attacks

Botnets are responsible for most internet spam attacks, including email spam, comment section spam, form spam, etc. Spam attacks are frequently used to distribute malware and make phishing attempts, and there are botnets capable of sending out tens of billions of spam messages per day. A typical example of botnet-based spam attacks is fraudulent online reviews, where a fraudster takes over user devices, and posts spam online reviews in bulk without actually using the service or product. 

5. Data breach perpetrated via botnets

Some botnets are specifically designed to steal sensitive and vital information such as financial information, credit card data, etc. 

For example, the ZeuS botnet is primarily intended to steal account information from numerous eCommerce, banking, and social media sites. A ZeuS botnet attack that occurred in 2007 is considered one of the most notorious attacks in history. It was first intended to obtain end-user banking information via spam or phishing emails. The attacker used a Trojan horse application distributed via a botnet to infect the devices. 

Botnets can be built to target high-value services and digital assets specifically to carry out this type of attack. 

6. Cryptocurrency mining and clipping 

In recent years, this has become a common sort of cybercrime; the botnet is commandeered to mine cryptocurrencies for the attacker’s monetary gains. In such attacks, botnets use device resources to mine cryptocurrency without notifying the user. The crypto is quickly transferred to the threat actor while the user incurs mining costs. For example, Sysrv is a botnet that has been used to mine cryptocurrency, and some attacks may also hijack cryptocurrency transactions – known as crypto-clipping botnet attacks. 

7. Brute force attacks

Brute force attacks are based on guesswork but require minimal human effort. The cybercriminal uses a botnet to repeatedly attack a group of targeted devices, continually guessing user credentials until a guess succeeds and grants unauthorized access to the targeted system. This trial-and-error approach is a straightforward procedure with a comparatively high success rate. Due to its simplicity, the share of brute force attacks increased from 13% in 2020 to 31.6% in 2021, as per Kaspersky’s 2021 Incident Response Analyst Report.


Preventing Botnet Attacks: Top Best Practices for 2022

With so many botnets spreading on the internet, security is vital. Botnets are constantly mutating to exploit vulnerabilities and security shortcomings, which means one swarm can be significantly different from the next one. Stopping and avoiding botnet attacks necessitates sophisticated detection tools and proactive measures: 

Figure: Best Practices for Preventing Botnet Attacks

1. Keep software systems up to date 

Botnets may target applications or software flaws, many of which should have been addressed with routine security updates or fixes. As a result, making it a habit of updating the software and operating system regularly can be a good practice. One would not want to become infected with malware or other cybersecurity threats just because they failed to update their application landscape. Therefore, IT teams should adopt a proactive patching schedule for the infrastructure. 

2. Monitor the network for anomalous activity

One should keep a constant eye on their network for any unexpected activity. This will be substantially more successful if they have a deeper understanding of regular traffic dynamics and how everything normally operates. If feasible, network monitoring must be undertaken 24/7/365, deploying analytics and data-collection tools capable of identifying aberrant activity such as botnet assaults. Network traffic analysis tools can help achieve this by maintaining up-to-date logs on network performance and user behavior. 
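One concrete form of the "understanding of regular traffic dynamics" this section calls for, and of the HTTP-botnet polling described under Types of Botnets, is looking for clients that fetch the same host at suspiciously regular intervals. The script below is an added example, not code from the article or any product it mentions; the log format, the `.invalid` hostnames and the thresholds are constructed assumptions.

```python
"""Flag periodic HTTP polling ("beaconing") in a web-proxy log.

Added example, not code from the original article. Each log line uses a
constructed format: "<epoch> <client_ip> <method> <url> <status>".
A client that fetches the same host at near-constant intervals is
reported; ordinary browsing has irregular gaps and is left alone.
"""
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlsplit


def parse_line(line):
    """Split one constructed log line into (epoch, client_ip, host)."""
    ts, client, _method, url, _status = line.split()
    return int(ts), client, urlsplit(url).hostname


def find_beacons(lines, min_hits=6, max_cv=0.15):
    """Return {(client, host): (hits, mean_gap_seconds)} for low-jitter polling.

    cv = stdev / mean of the gaps between consecutive requests. The thresholds
    (min_hits, max_cv) are assumptions to tune against a real baseline.
    """
    seen = defaultdict(list)
    for line in lines:
        ts, client, host = parse_line(line)
        seen[(client, host)].append(ts)
    beacons = {}
    for key, times in seen.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mu = float(mean(gaps))
        if mu > 0 and pstdev(gaps) / mu <= max_cv:
            beacons[key] = (len(times), round(mu, 1))
    return beacons


def sample_log():
    """Constructed proxy log: one host polled every ~60 s, one browsed normally."""
    base = 1_700_000_000
    bot = [f"{base + 60 * i + (i % 3)} 10.0.0.7 GET http://c2.example.invalid/cmd 200"
           for i in range(10)]
    offsets = [0, 4, 9, 130, 131, 400, 403, 1200, 1260, 1905]
    user = [f"{base + o} 10.0.0.8 GET http://www.example.invalid/page{o} 200"
            for o in offsets]
    return bot + user


if __name__ == "__main__":
    for (client, host), (hits, gap) in find_beacons(sample_log()).items():
        print(f"{client} -> {host}: {hits} requests, ~{gap}s apart")
```

On the constructed log only the 10.0.0.7 client is reported (10 requests, about 60 s apart); real deployments need a per-host allowlist for legitimate pollers such as update services.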

3. Investigate failed login attempts

ATO (account takeover) attacks are one of the most severe risks to online businesses. Botnets are often used to test a significant number of stolen usernames and passwords to obtain illegal access to user accounts. Tracking the overall average of failed login attempts may assist in creating a baseline, enabling IT teams to set up warnings for any surges in failed logins, signaling a botnet assault. However, keep in mind that these botnet attack notifications may not be triggered by “low and slow” attacks coming from a large number of distinct IP addresses.
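The baseline-and-surge rule described above, together with a second rule for the "low and slow" case it warns about, can be written as a small log analysis. This is an added example, not code from the article; the failed-login event format, the 300-second window and the thresholds are constructed assumptions.

```python
"""Baseline failed logins and spot botnet credential-stuffing patterns.

Added example, not code from the original article. Input is a constructed
list of failed-login events (epoch, source_ip, username). Two signals:
  1. surge: a window's failure count far above the baseline windows
  2. low and slow: no single IP is noisy, but many distinct IPs target the
     same accounts in one window, the case a plain surge alert can miss
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev

WINDOW = 300  # seconds per window (assumption)

def bucket(events, window=WINDOW):
    """Group (epoch, ip, user) events by the start of their time window."""
    buckets = defaultdict(list)
    for ts, ip, user in events:
        buckets[ts - ts % window].append((ip, user))
    return buckets

def surge_alerts(counts, baseline, k=3.0):
    """Windows whose failure count exceeds mean + k*stdev of the baseline."""
    threshold = mean(baseline) + k * max(pstdev(baseline), 1.0)
    return {w: c for w, c in counts.items() if c > threshold}

def low_and_slow_alerts(buckets, max_per_ip=3, min_ips=20):
    """Windows where every IP fails at most max_per_ip times, yet at least
    min_ips distinct IPs appear; reports the most-targeted accounts."""
    alerts = {}
    for w, items in buckets.items():
        per_ip = Counter(ip for ip, _ in items)
        if not per_ip or max(per_ip.values()) > max_per_ip:
            continue  # a noisy single IP belongs to a per-IP rule instead
        if len(per_ip) >= min_ips:
            users = Counter(u for _, u in items)
            alerts[w] = {"distinct_ips": len(per_ip),
                         "top_users": users.most_common(3)}
    return alerts

def analyse(events, baseline_windows=20):
    """Run both detectors; the first baseline_windows windows are assumed normal."""
    buckets = bucket(events)
    counts = {w: len(v) for w, v in buckets.items()}
    baseline = [c for _, c in sorted(counts.items())[:baseline_windows]]
    return surge_alerts(counts, baseline), low_and_slow_alerts(buckets)

def sample_events():
    """Constructed auth log: 20 quiet windows, then two different attack windows."""
    events = []
    for w in range(20):  # quiet windows with 40, 50 or 60 failures from 10 IPs
        for i in range(40 + 10 * (w % 3)):
            events.append((w * WINDOW + i, f"10.0.0.{i % 10 + 1}", f"user{i % 10}"))
    slow = 20 * WINDOW  # 30 distinct IPs (TEST-NET-2, constructed), 2 tries each on 'admin'
    for i in range(30):
        events.append((slow + i, f"198.51.100.{i + 1}", "admin"))
        events.append((slow + 100 + i, f"198.51.100.{i + 1}", "admin"))
    loud = 21 * WINDOW  # one IP hammering 200 times: trips surge, not low-and-slow
    events += [(loud + i, "203.0.113.9", f"user{i % 10}") for i in range(200)]
    return events

if __name__ == "__main__":
    print(analyse(sample_events()))
```

In the constructed data the 60-failure window of 30 distinct IPs stays under the surge threshold and is caught only by the distinct-IP rule, while the single-IP flood is caught only by the surge rule, which is why both are needed.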

4. Deploy a purpose-built botnet detection solution

Investing in comprehensive anti-botnet or botnet mitigation services, which identify botnets in real time, is the best approach to safeguard websites and servers from attacks. DataDome’s AI-powered solution can perform real-time behavioral analysis to identify traffic anomalies and halt any botnet activities before they reach web servers. This best practice can potentially boost your server’s initial response time.

The best botnet detection solutions gather information from hundreds of websites, evaluate billions of requests every day, and use powerful machine learning to constantly improve the algorithm. As a result, it can detect both known and unknown botnets before they can infect a system. 

5. Leverage network intrusion detection systems (NIDS)

Network intrusion detection systems (NIDS) seek to discover cyberattacks, viruses, denial of service (DoS) assaults, and port scans on a computer network or the machine itself. NIDS platforms monitor network traffic and detect malicious activities by identifying unusual patterns in incoming packets. 

Any malicious activity or violation is often reported to an administrator or collected centrally using a security information and event management (SIEM) system. NIDS are used throughout the network to monitor incoming and outgoing network traffic to and from networked devices. They provide advanced, real-time intrusion detection capabilities and are made up of interconnected parts such as a standalone appliance, hardware sensors, and software components.

6. Download from reputable sources only and avoid P2P downloading 

The most commonly used method of launching a botnet attack is to lure the target. To prevent the risk of botnet attacks, one should avoid downloading attachments from untrusted or unknown sources. It is preferable to password-protect PDFs for professional correspondence so that they do not serve as a means to a botnet attack.

Further, peer-to-peer (P2P) downloading is often prone to security risks and can be hijacked by bot herders. P2P downloading must be blocked on corporate networks and should be ideally avoided on personal networks. 

7. Implement two-factor authentication and stronger credentials 

Using a strong password is a wise method for reducing the likelihood of a botnet attack. Two-factor authentication (2FA) can keep botnet malware away from the devices, making them safer. It ensures that users verify downloads and email communications through multiple channels, and the botnet cannot perform surreptitious activities without access to both sets of authentication information. 

Changing login credentials when adding new devices is also a critical best practice. When connecting a new device to the network, such as a webcam, router, or IoT device, change the login details. Using default passwords facilitates botnet attacks and makes brute-force attacks much more effortless.

Takeaways 

Botnets pose a significant security risk to endpoint devices and your cybersecurity landscape. Since the attacker uses a herd of multiple systems, it is difficult to trace these attacks to their origin. Further, the attacker always has extra resources to initiate another attempt if the first one fails. The best way to protect against botnets is by paying attention to software and system vulnerabilities, which is how bot-herders take over a device in the first place. Through constant vigilance, it is possible to protect endpoints against botnet attacks and take corrective measures early on in the attack lifecycle before severe damage occurs. 


Who controls a botnet?

A botnet (short for “robot network”) is a network of computers infected by malware that are under the control of a single attacking party, known as the “bot-herder.” Each individual machine under the control of the bot-herder is known as a bot.

What is a botnet controller?

The controller of a botnet is able to direct the activities of these compromised computers through communication channels formed by standards-based network protocols, such as IRC and Hypertext Transfer Protocol (HTTP). Botnets are increasingly rented out by cyber criminals as commodities for a variety of purposes.

What are the threats of botnets?

Cyber criminals use botnets to launch spam e-mails and denial of service attacks; and commit click fraud and data theft. Governments use botnets for political purposes or to wage cyber warfare.

What are the two models of controlling a botnet?

Model #2: Decentralized or peer-to-peer model. Botnets following the P2P model are stronger than botnets that operate via the client-server model. They are also not easy to disrupt. This advantage has made the P2P model more popular these days.