What is a Botnet and how to fight it



We hear the name Botnet quite a lot in the cyber world, but what is a Botnet? How can you detect and remove it?
What is a Botnet?
A botnet is a network of compromised computers that are under the control of an attacker. Each individual device in a botnet is called a bot. A bot is usually created when a computer is infected with malware that lets the criminals control it remotely without the owner's knowledge. The attackers who control these botnets are referred to as "bot masters" (or "bot herders").
The term "botnet" comes from combining the words "robot" and "network". Botnets are entire networks of computers that are controlled and instructed to do a range of things, such as:
·  attack other computers
·  send spam or phishing emails
·  deliver ransomware or spyware
·  many other similar malicious acts.
Attackers use botnets for many purposes, most of them criminal. The most common uses include distributed denial-of-service (DDoS) attacks, email spam campaigns, data theft and spreading adware or spyware. A botnet attack starts with bot recruitment. Bot masters usually recruit bots by spreading worms, bot malware or other malicious code, and by exploiting web browsers (for example through drive-by downloads) to infect the visiting computer. Once a computer is infected, the bot connects to the bot master's command and control (C&C) server, through which the attacker communicates with and controls it. When the botnet reaches the desired size, the bot master can put it to use and carry out attacks (overloading servers, stealing information, sending spam, click fraud, etc.).
And all this can happen without you having even the slightest idea about it.

How cyber criminals create and grow botnets:

We can sum it up in one word that covers it all: malware. Cyber criminals will do anything to trick you into downloading and executing the malicious code that recruits your computer into their botnet.
They will lure you into a drive-by download. They will exploit vulnerabilities in websites and software, such as your browser's outdated plugins. They will trick you into clicking on links or opening malicious email attachments. We'll come back to these later on.
In the meantime, the one pulling the strings will focus on recruiting more computers into the botnet. Because the infected machines don't appear to be doing anything, the botnet can grow to hundreds of thousands of zombie computers without raising suspicion.
The cyber criminals who operate the botnet will most likely sell it or rent time on it, a kind of subcontracting. Sooner or later, they will issue a command through the Command & Control (C&C) server, and the botnet will wake up and launch an attack.

Botnet Detection and Prevention
Detecting a botnet can be difficult, because bots are designed to operate without the user's knowledge. But there are some common signs that can tell you whether a computer is infected with bot malware. Some of them are:
§  IRC traffic (bot masters have traditionally used IRC to communicate with their bots; many newer botnets use HTTP(S), DNS or peer-to-peer channels instead, so the absence of IRC traffic proves nothing)
§  High outgoing SMTP traffic.
§  Unexpected popups.
§  Slow computing with a high CPU usage.
§  Spikes in traffic, especially on port 6667 (used for IRC), port 25 (SMTP, used for email spamming) and port 1080 (used by SOCKS proxy servers); bear in mind that C&C traffic can use any port, including 443, so look at timing and volume as well as port numbers
§  Outbound messages that weren’t sent by the user
§  Issues with Internet access
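To make the network-side signs above concrete, here is an added example (not code from the original article) that runs three of those checks over constructed connection-log lines: connections to the ports named above, outbound SMTP volume, and "beaconing", the machine-regular check-in interval a bot produces when it polls its C&C server on a timer, something a person browsing the web does not produce. The log format, the IP addresses and the thresholds are all assumptions made for the illustration.

```python
"""Triage constructed outbound-connection logs for the botnet signs listed above.

Added example, not from the original article. The log format is an assumption:
one line per outbound connection, '<unix_time> <src_ip> <dst_ip> <dst_port> <bytes_out>'.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Ports the article associates with bot activity; the labels are only for the report.
SUSPECT_PORTS = {6667: "IRC", 25: "SMTP", 1080: "SOCKS proxy"}
SMTP_THRESHOLD = 20    # outbound SMTP connections per host before it looks like a spam bot
BEACON_MIN_CONNS = 6   # samples needed before judging timing regularity
BEACON_MAX_CV = 0.1    # max coefficient of variation (stdev / mean) of check-in gaps


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, src, dst, port, nbytes = line.split()
    return int(ts), src, dst, int(port), int(nbytes)


def beacon_interval(stamps):
    """Return the mean check-in gap in seconds if the timing is machine-regular, else None.

    Humans browse in bursts; a bot polling its C&C on a timer produces nearly
    equal gaps. Real bots add jitter, so the tolerance is a tunable threshold.
    """
    if len(stamps) < BEACON_MIN_CONNS:
        return None
    stamps = sorted(stamps)
    gaps = [b - a for a, b in zip(stamps, stamps[1:])]
    avg = mean(gaps)
    if avg <= 0 or pstdev(gaps) / avg > BEACON_MAX_CV:
        return None
    return avg


def analyze(lines):
    """Return {src_ip: findings} for every host showing at least one indicator."""
    port_hits = defaultdict(lambda: defaultdict(int))   # src -> port -> connections
    sessions = defaultdict(list)                        # (src, dst, port) -> timestamps
    for line in lines:
        ts, src, dst, port, _ = parse_line(line)
        sessions[(src, dst, port)].append(ts)
        if port in SUSPECT_PORTS:
            port_hits[src][port] += 1

    report = defaultdict(lambda: {"suspect_ports": {}, "smtp_spam": False, "beacons": []})
    for src, ports in port_hits.items():
        report[src]["suspect_ports"] = dict(ports)
        # One or two SMTP sessions is normal; dozens from a workstation is spam.
        if ports.get(25, 0) >= SMTP_THRESHOLD:
            report[src]["smtp_spam"] = True
    for (src, dst, port), stamps in sessions.items():
        interval = beacon_interval(stamps)
        if interval is not None:
            report[src]["beacons"].append((dst, port, round(interval)))
    return dict(report)


def build_sample_log():
    """Constructed log: one beaconing host, one spam bot, one clean host."""
    lines = []
    # 10.0.0.5 checks in with a C&C on 443 roughly every 300 s (small jitter added).
    for offset in (0, 300, 598, 901, 1199, 1502, 1800, 2099):
        lines.append(f"{1700000000 + offset} 10.0.0.5 203.0.113.10 443 512")
    # ...and also opens a single IRC connection.
    lines.append("1700000100 10.0.0.5 198.51.100.20 6667 2048")
    # 10.0.0.7 talks SMTP directly to 25 different hosts: a spam bot, not a mail client.
    for i in range(25):
        lines.append(f"{1700000000 + 7 * i} 10.0.0.7 203.0.113.{100 + i} 25 40000")
    # 10.0.0.9 browses one site at irregular, human-looking intervals.
    for offset in (0, 13, 90, 97, 400, 1900, 2000, 6000):
        lines.append(f"{1700000000 + offset} 10.0.0.9 203.0.113.50 443 3000")
    return lines


if __name__ == "__main__":
    for host, findings in sorted(analyze(build_sample_log()).items()):
        print(host)
        for port, count in findings["suspect_ports"].items():
            print(f"  {count} connection(s) to port {port} ({SUSPECT_PORTS[port]})")
        if findings["smtp_spam"]:
            print("  outbound SMTP volume exceeds threshold")
        for dst, port, interval in findings["beacons"]:
            print(f"  beaconing to {dst}:{port} every ~{interval} s")
```

Run the file directly to print the report for the constructed log. The thresholds are deliberately crude: a real baseline would learn each host's normal intervals and volumes rather than use fixed numbers, and C&C traffic today is more often HTTPS on port 443 than IRC on 6667, which is exactly why the timing check carries more weight than the port list.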

Some methods to prevent Botnets are:
  • Network baselining: Monitor normal network performance and activity so that irregular network behaviour stands out.
  • Software patches: All software on your computer should be kept up to date, especially security patches.
  • Vigilance: Users should be trained to recognise and avoid activity that puts them at high risk of bot infections or other malware.
  • Anti-botnet tools: Dedicated anti-botnet tools can be used alongside your antivirus for best results.
  •  Don't click on suspicious links when you don't know where they lead: not even the ones you received from friends, family or social network buddies. Their accounts might have been compromised, so it's safer to be patient and ask them what it's all about before rushing to click.
  • Do not download any attachments that you never requested.
  • You need good antivirus and anti-spyware software, installed from a reputable source. Avoid online ads telling you that your computer is infected; these are malware in disguise. If you already have antivirus and anti-spyware software, check that it is activated, patched and up to date, then do a full, in-depth scan. Sometimes bot code will deactivate your antivirus. (I recommend the one from Heimdal Security.)
  • Also make sure that your firewall is on. Set it to the maximum security level: this will require every application seeking internet access to notify you, enabling you to track incoming and outgoing traffic.

How to check if you’re part of a botnet:

  •   Is your computer or internet connection running slower than normal?
  •  Did your computer start behaving erratically? Does it crash frequently? Do you receive unexplained error messages?
  •  Does the fan kick into overdrive while your computer is idle?
  •  Did you notice unusual internet activity (like high network usage)?
  •  Does your browser close frequently and unexpectedly?
  •  Does your computer take a long time to start or shut down, or fail to shut down properly?


Botnet Removal
Botnet detection is of little use without botnet removal skills. Once a bot is detected on a computer, it should be removed as soon as possible using security software with botnet removal functionality. Since bot malware may have disabled the installed antivirus, scan from a rescue disk or another clean system if the resident scanner cannot be trusted.
(Source: http://www.thewindowsclub.com/botnet-removal-tools-windows)
I hope this article provides basic information on what a botnet is and how it works.

