How botnets are created and how they are shut down

Botnets comprise networks of hijacked computers and are commonly the cause behind cyberattacks that affect businesses and organisations of varying sizes.

These hijacked systems are called bots, and they serve as a tool to automate mass attacks, such as data theft, server crashing, and malware distribution, Kaspersky security expert Alexander Eremin told MyBroadband.

Eremin said that there are two main methods that are used to infect computers and make them part of a botnet.

Drive-by download infections require attackers to discover popular websites with exploitable vulnerabilities.

These vulnerabilities are then exploited to load malicious code onto the website and exploit vulnerabilities in visitors’ browsers.

“The code will typically then redirect the user’s browser to another site controlled by the attacker where the bot code will be downloaded and installed on the user’s machine,” Eremin explained.

He said the second method – email infection – is much simpler.

“The attacker sends out a large batch of spam that includes either a file such as a Word document or PDF with malicious code in it, or a link to a site where the malicious code is hosted,” said Eremin.

“In either case, once the attacker’s code is on the user’s machine, that PC is now part of the botnet.”

Eremin said that the process can be simplified into the following steps:

• Prepare and Expose – Hacker exploits a vulnerability to expose users to malware.
• Infect – User devices are infected with malware that can take control of their device.
• Activate – Hackers use a command and control server to mobilise infected devices and carry out attacks.

How botnets carry out attacks

“One person, or even a small team of hackers, can only carry out so many actions on their local devices,” explained Eremin.

“But, at little cost and a bit of time invested, they can acquire tons of additional machines to leverage for more efficient operations.”

Eremin explains that once the hacker is ready to launch an attack, they take control of each computer they have infected.

They then organise these infected machines into a network of bots that they can remotely manage.

He said that cybercriminals often seek to infect and control thousands, tens of thousands, or even millions of computers.

“The cybercriminal can then act as the master of a large ‘zombie network’ — i.e. a fully assembled and active botnet,” said Eremin.

Once infected, a zombie computer allows access to admin-level operations, such as:

• Reading and writing system data.
• Gathering the user’s personal data.
• Sending files and other data.
• Monitoring the user’s activities.
• Searching for vulnerabilities in other devices.
• Installing and running any applications.

How a botnet can be shut down

Eremin said that shutting down a botnet is very difficult and usually cannot be done by a single cybersecurity company. Instead, it requires cooperation between cybersecurity companies and other parties.

This includes cooperation with law enforcement to shut down parts of, or the whole, botnet. Law enforcement is key in attempts to find the criminals behind the botnet.

Additionally, cybersecurity companies must cooperate with hosting services and/or domain registrars to shut down known command and control servers, as this disrupts the work of the cybercriminals.

This also can involve DNS sinkholing – which is a technique used to prevent malware from connecting to command and control servers. This is achieved by resolving known malicious hostnames to false IP addresses.

In some situations, legitimate websites which have been hacked are used as command and control servers. In this scenario, cybersecurity companies can reach out to the owner of the website and work with them to clear the code from their website and protect the website from further infection

How to protect yourself

Eremin said that since it is evidently difficult to shut down a botnet, it is important that businesses guard their employees’ devices against being infected in the first place.

He provided some tips to protect your business against its devices being infected by malicious parties who are building and using botnets.

He said it is important that businesses educate their employees around the basics of cybersecurity including the following:

• The use of strong passwords for smart devices and to use complex and long passwords to help keep devices safe.
• Inform employees to be wary of any email attachments. The best approach is to completely avoid downloading attachments, and when you need to download an attachment, carefully investigate, and verify the sender’s email address.
• Also consider using antivirus software that proactively scans attachments for malware before you download.
• Inform employees to never click links in any text, email, and social media messages. Manually entering the link into the address bar will help avoid DNS cache poisoning and drive-by downloads. It is also recommended that employees take the extra step of searching for an official version of the link.
• It is also important to ensure all devices that connect to the corporate network are secured with an adequate internet security solution.

Now read: Garmin pays multi-million dollar ransom – Report