Botnets
A botnet is a set or network of computer robots (or bots), which run autonomously and automatically.
The architect of the botnet can control all infected computers and servers remotely.
How botnets spread
In Windows and macOS systems, the most common form of expansion for “bots” is usually in the distribution of illegal software, although it can be spread by any suspicious software.
This type of software usually contains malware which, once the program runs, can scan your local area network, hard drive, try to spread using known Windows vulnerabilities, etc.
In other environments such as UNIX, GNU / Linux or BSD, the most classic way of attacking servers to build and expand a Botnet is by telnet or SSH through the trial-error system: testing common users and passwords at random against all the IPs that This can be done either systematically or through attacks on well-known bugs that administrators may have left unrepaired.
Botnets normally use free DNS services for dynamic IP’s like DynDns.org, No-IP.com, & Afraid.org to point to a subdomain to which the creator can connect in case the IRC server is shut down. In many cases, it is enough to notify these providers to cancel your account and thus dismantle the entire Botnet.
Fortunately, the botnet’s server structure has vulnerabilities inherent in its architecture. For example, if the IRC server and the channel are found, you have access to the entire botnet, so the IRC server just needs to close the channel or put a g-line or k-line to the ips that try enter that channel.
However, there are more refined constructions of these botnets that have a list of alternative servers in case this happens. Other times, instead, the bots are configured with a domain, which can easily change destination (IP) to guide the botnet to the preferred server at that moment, without depending on previous configurations.
Control of the botnet was normally done through IRC, but new versions of these botnets have evolved towards control through HTTP, making the detection of these networks more complex. This makes corporate networks more vulnerable as well, as IRC traffic is blocked.
Additionally, some spammers have their own IRC server where they are the owners and, possibly, it is necessary to be a network operator to see the channels, do whois, or see some useful information.
It should be said that in many cases these servers usually work on the computer of one of the victims, but the attacker has full control.
Common uses of botnets
These networks are generally used to generate money for their controllers.
Among the most common uses are:
- Distributed denial of service (DDoS) attacks: If a DDoS-type attack is received from a Botnet, given the geographic dispersion of the computers that compose it, it is almost impossible to find a pattern of the machines that are attacking and given the high number Of those who will be doing it at the same time, packet filtering cannot be seen as a real solution that works. However, passive packet scanning to reconfigure and adapt the firewall can help mitigate the problem.
- Sending Spam: Most often, a botnet is used to send spam to email addresses. Usually the creators of these Botnets sell their services to spammers. In at least one case an investigation (the Rustock network) managed to find out that a single hacker had gained control of a million computers, using them as a platform for his attacks, with which he was capable of sending 30 billion emails per day.
- Cryptocurrencies mining: With the appearance of cryptocurrencies, back in 2011 there were reports of a new use for botnets: using computer processing oower to generate bitcoins. In this way, criminals can obtain resources without spending on hardware or energy consumption. This use is expected to continue to increase in the future. An example of such networks is the ZeroAccess botnet.
- Cryptocurrencies theft: An additional variant is the theft of cryptos using botnets. This is the case of the Pony network, which stole information from infected computers. It is estimated that with this network, credentials (user / password) of at least 2 million computers were obtained.
- Advertising fraud. Typically, Internet ad services pay administrators of the listed sites based on a number of factors, including ad viewing and clicking on the ad. Cybercriminals order bots to visit their own websites and click on ads to fraudulently monetize.