Botnets. How and why are botnets crafted? Protection against botnets.

Bot is short for robot. Attackers distribute malware to turn your PC into a bot, or zombie computer. Your PC then inconspicuously carries out tasks launched by commands sent over the Internet.

Attackers usually use bots to infect a large number of other computers. These computers are joined into a network called a botnet. A botnet, or zombie network, is a network of computers infected with malware that allows an attacker to control the machines remotely without the knowledge or consent of their owners.

Attackers may use botnets to distribute spam and malware, attack computers and servers, and commit other crimes and fraud. If a computer becomes part of a botnet, its performance may degrade significantly, and its owner may become an unwitting accomplice to criminal activity. In recent years zombie networks have become a steady source of revenue for cybercriminals.

Is my computer infected by a bot?

This question is not easy to answer. It is virtually impossible to notice a bot interfering with day-to-day PC operation, since it has almost no visible effect on system performance. There are, however, several signs that point to the presence of a bot on the system:

- unknown programs try to connect to the Internet, and the firewall or antivirus periodically reports such attempts;

- high Internet traffic even with moderate use of the Internet;

- new processes disguised as typical Windows processes appear in the list of active system processes (e.g. a bot might be named scvhost.exe, resembling the Windows system process svchost.exe; the difference is easy to miss).
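The third sign above, a process name that imitates a legitimate Windows process, can be checked mechanically. The following is an added example, not code from the KZ-CERT article: it compares each running process name against a short list of well-known Windows system process names (the list and the sample process listing are constructed for the example) and flags names that differ by only one or two characters, such as scvhost.exe next to svchost.exe.

```python
# Added example: flag process names that closely imitate well-known Windows
# system processes. KNOWN_SYSTEM_PROCESSES and SAMPLE_PROCESSES are constructed
# for this example; on a real host, feed in the output of a process listing.

KNOWN_SYSTEM_PROCESSES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
    "explorer.exe", "services.exe", "smss.exe",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def find_lookalikes(process_names, max_distance=2):
    """Return (suspicious_name, imitated_name, distance) for every name that is
    not itself a known system process but lies within max_distance edits of one.
    Exact matches are skipped: they are the genuine processes, not imitations."""
    findings = []
    for name in process_names:
        lowered = name.lower()
        if lowered in KNOWN_SYSTEM_PROCESSES:
            continue
        # Pick the closest known name; the name tie-break keeps output deterministic.
        closest = min(KNOWN_SYSTEM_PROCESSES,
                      key=lambda known: (edit_distance(lowered, known), known))
        distance = edit_distance(lowered, closest)
        if distance <= max_distance:
            findings.append((name, closest, distance))
    return findings


# Constructed sample process listing: two genuine system processes, two
# ordinary applications, and three lookalikes (transposed, dropped and
# substituted characters).
SAMPLE_PROCESSES = ["svchost.exe", "scvhost.exe", "explorer.exe", "lsas.exe",
                    "chrome.exe", "svch0st.exe", "notepad.exe"]

if __name__ == "__main__":
    for name, imitated, distance in find_lookalikes(SAMPLE_PROCESSES):
        print(f"{name} looks like {imitated} (distance {distance})")
```

A name flagged here is only a lead: confirm it by checking the executable's path and digital signature, since a genuine svchost.exe runs from the Windows system directory.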

Why are botnets crafted?

Botnets are crafted to make money. Several profitable uses of zombie networks can be distinguished: DDoS attacks, collection of personal information, spam distribution, phishing, spamdexing, click fraud and others. It is worth noting that any direction a fraudster chooses is profitable, and a botnet makes it possible to carry out all of the above activities simultaneously.

Carrying out DDoS attacks

A DDoS attack (Distributed Denial-of-Service attack) targets a computer system, e.g. a website, in order to "crash" it, i.e. bring it to a state in which it is unable to receive and handle requests from legitimate users. One of the most popular forms of DDoS attack floods the victim with a large number of requests. If the attacked system's resources are insufficient to process all incoming requests, the result is denial of service. A DDoS attack is a dreadful weapon in hackers' hands, and a botnet is the ideal tool for carrying it out.
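The request flood described above shows up in a web server's access log as many hits from the same source in a short time. The following is an added example, not code from the KZ-CERT article: it parses constructed Common Log Format lines, counts requests per source address in a sliding time window, and reports sources that exceed a threshold. The regular expression, the window size and the threshold are assumptions for the example; real thresholds depend on the site's normal traffic.

```python
# Added example: detect per-source request floods in web-server access logs.
# SAMPLE_LOG is constructed; the addresses are documentation ranges (RFC 5737).
import re
from collections import defaultdict, deque
from datetime import datetime

# Common Log Format prefix: client address, identity, user, [timestamp], then the request.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "')
TIME_FMT = "%d/%b/%Y:%H:%M:%S"  # the timezone offset after the space is ignored


def parse_line(line):
    """Return (client_ip, timestamp) for a log line, or None if it does not parse."""
    match = LOG_RE.match(line)
    if not match:
        return None
    ip, stamp = match.groups()
    return ip, datetime.strptime(stamp.split()[0], TIME_FMT)


def find_flooders(lines, window_seconds=10, max_requests=5):
    """Return {ip: peak_count} for every source that made more than max_requests
    requests inside any window_seconds span. Lines are expected in chronological
    order per source, as a server writes them."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip unparseable lines rather than abort the scan
        ip, stamp = parsed
        window = recent[ip]
        window.append(stamp)
        while (stamp - window[0]).total_seconds() > window_seconds:
            window.popleft()  # drop hits that have aged out of the window
        if len(window) > max_requests:
            peaks[ip] = max(peaks.get(ip, 0), len(window))
    return peaks


# Constructed sample: one ordinary visitor, one source hitting the site 8 times
# in 8 seconds, and one garbage line to exercise the parser's error path.
SAMPLE_LOG = (
    ['198.51.100.2 - - [10/Oct/2023:13:55:00 +0000] "GET /index.html HTTP/1.1" 200 2048']
    + [f'203.0.113.7 - - [10/Oct/2023:13:55:{s:02d} +0000] "GET / HTTP/1.1" 200 512'
       for s in range(1, 9)]
    + ['198.51.100.2 - - [10/Oct/2023:13:55:30 +0000] "GET /about.html HTTP/1.1" 200 1024',
       'not a log line']
)

if __name__ == "__main__":
    for ip, peak in find_flooders(SAMPLE_LOG).items():
        print(f"{ip}: up to {peak} requests within 10 s")
```

A distributed attack spreads the load over many bot addresses, so per-source counting is only a first filter; the same window logic applied to the total request rate, or to the rate per requested URL, catches the aggregate surge.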

A DDoS attack may serve as a means of unfair competition as well as an act of cyber terrorism. A botnet owner can offer a sticky-fingered businessperson, in particular, to execute a DDoS attack on a rival's website. The attacked resource crashes and the customer gains a temporary advantage, while the cybercriminal receives a small, or not so small, income.

In a similar way, botnet owners may use botnets to extort money from large companies. Companies often prefer to meet the cybercriminal's demands, since mitigating the consequences of a successful DDoS attack is very expensive.

Collection of personal information

Personal information stored on users' computers always attracts attackers. Of greatest interest are credit card numbers, financial information and passwords to various services: email, FTP servers, messengers and others. Modern malware lets the attacker choose exactly which data to collect; to do this it is sufficient to download the corresponding module to the computer.

Attackers may either sell the stolen information or use it themselves. Every day hundreds of offers to sell bank credentials appear on numerous Internet forums. To monetize this, criminals need a constant stream of fresh data and, correspondingly, steady growth of zombie networks. Financial information is of particular interest to carders, fraudsters who make counterfeit bank cards.

Another type of collected information is email addresses. Unlike card data and credentials, a single infected PC yields numerous email addresses taken from its address book. Addresses are offered for sale and are even sold "by weight", per megabyte. The main buyers of such "goods" are spammers.

Criminals are also interested in obtaining credentials for various payment services and online stores. These are obviously cheaper than bank credentials; however, selling them carries a lower risk of prosecution.

Spam distribution

Every day millions of spam messages circulate worldwide. Sending unsolicited email is one of the main functions of today's botnets. According to Kaspersky Lab, about 80 percent of all spam is sent via zombie networks. In doing so, attackers put the computers of innocent victims at risk, since antivirus companies blacklist the email addresses from which the spam is sent.

In recent years the spam industry has been on the rise: ICQ spam appeared, along with spam on social media, forums and blogs. This is an "achievement" of botnet owners: after all, it is very easy to add an extra module to the bot client to expand into a new line of business.

Spamdexing (a portmanteau of spamming and indexing)

Another use of botnets is promoting websites in search engines. Website administrators strive to improve the position of their web resources in search results, since a higher position brings more visitors via search engines and, correspondingly, more revenue to the website owner, e.g. from selling advertising space on web pages. Many companies pay web developers large sums to place a website in the first positions of search results. Botnet owners have borrowed some of their methods and automated the process of search optimization.

Specially crafted software downloaded onto the zombie PC leaves comments, in the owner's name, on popular resources with links to the promoted website.

How are botnets created?

The first step is to create a new zombie network. To do this, users' computers are infected with special software, the bot. Infection is carried out via spam distribution, messages posted on forums and social media, and other methods; the bot is often given the ability to self-replicate like viruses or worms.

Social engineering is used to persuade the potential victim to install the bot. In particular, the victim is invited to watch an interesting video and install the corresponding video codec. After downloading and running such a file, the user of course cannot watch anything and will probably not notice any change, but the PC is now infected. From then on it will execute any command from the botnet owner.

The second most widespread method of infection is drive-by download. When the user visits an infected website, the computer is infected through various "holes" in applications, e.g. popular web browsers, and the malware is dropped onto the system. Special software, exploits, is used to take advantage of vulnerabilities. Exploits allow not only unnoticed downloading but also execution of a virus or bot. This method of malware distribution is the most dangerous, since if a popular web resource is defaced, tens of thousands of users may be infected!

A bot may be able to self-replicate across networks. In particular, it might spread by infecting all executable files or by searching for and infecting vulnerable computers on the network.

The infected computers of unsuspecting users are controlled from a botnet command and control server via an IRC channel, a web connection or other available means. Uniting just a few dozen machines is enough to bring the owner a profit, and this profit depends directly on the reliability and size of the botnet.

Advertising companies working on the PPC (Pay-per-Click) scheme pay for unique clicks on links leading to advertisements on the Internet. Botnet owners make a profit by deceiving such companies.

Means of protection against botnets

1. First, use antivirus software and comprehensive security suites with regularly updated databases to protect against Internet threats. They can help not only to detect danger in time but also to eliminate it before your "iron friend", turned into a zombie, starts to distribute spam or "crash" websites. Comprehensive suites contain a full set of protective functions controlled from a single control center.

- The antivirus module scans critical system areas in the background and monitors all possible routes of virus intrusion: email attachments and potentially dangerous websites.

- The firewall tracks the exchange of data between the PC and the Internet. It checks all incoming and outgoing data packets and, when necessary, blocks network attacks and prevents covert transmission of personal data to the Internet.

- The spam filter protects the mailbox from advertising. Its tasks also include detecting phishing messages, with which attackers try to trick the victim into disclosing personal information when logging in to online payment or banking systems.

2. Regularly update the operating system, web browser and other applications, whose developers detect and close many holes in their protection as well as vulnerabilities used by fraudsters.

3. Special encryption programs protect your personal data even if a bot has already penetrated your system, since to access the files it would have to break the password.

4. Common sense and care. If you want to protect your data from various types of threats, do not download and install programs from unknown sources, do not open archived files despite antivirus warnings, do not visit websites flagged by the browser as dangerous, etc.

Do not fall for appeals to download malware

Cybercriminals may add your computer to a botnet in the following ways:

- By delivering malware in downloads that purport to be photos or movies, or via links in emails, instant messages or social media websites.

- By scaring you into pressing a button or clicking a link in a fake notification about a computer virus.

In preparing this article, KZ-CERT used open source information.