Botnets: A cheat sheet for business users and security admins

Almost anything with an internet connection can be hijacked and used in a malicious botnet attack; IoT devices are especially popular targets. Learn how to spot and prevent this malware threat.


When a computer or any other device is connected to the internet, it runs a lot of risks from malware and hackers. We often assume that our personal devices are potential victims, and not that they could be components in cyberattacks, but they can be if they become a node in a botnet.

Botnets are used to do all sorts of malicious things, like launch distributed denial of service (DDoS) attacks, spread malware, and mine cryptocurrency, all without the device's owner being aware that it's been hijacked.

That doesn't mean there aren't signs that an internet-connected device has been hijacked, and botnet victims aren't beyond saving. It's essential to act fast, though: Beyond giving an attacker access to personal info on the device, botnet nodes can be worked to the point of physical damage due to overheating, leaving their owners stuck with the bill for repair or replacement. 


What is a botnet?

The definition of botnet is simple: A bunch of computers acting together to accomplish a shared task. If that definition seems ambiguous, it's because it is: Botnets aren't malicious by definition.

One of the first uses of a botnet was to operate internet relay chat (IRC), a completely legitimate use of connected computers. IRC used servers and other computers to relay chat from sender to recipient, with each computer in the network acting to relay data. 

Modern malicious botnets, on the other hand, are typically operated for nefarious purposes, and computers become nodes not by installing a program, but by being hijacked directly by hackers or through the installation of malware. 


Botnets use many different protocols to communicate: IRC, HTTP, Telnet, Tor, and even social media sites can be used to issue commands and evade detection.

At their most basic, botnets aren't that different from any other malware that takes orders from a command and control (C&C) server, except in this case botnet malware is less concerned with the info it can harvest from a particular computer, and more with the computing resources it can extract from an infected machine. 

Note that this doesn't mean botnet malware won't be used to harvest personal identifying information (PII) about the owners of hijacked machines: It's entirely capable of stealing credentials, banking information, and other personal details. 

Traditional botnets that use the C&C method have a critical weakness: If their C&C server is knocked offline the botnet ceases to function. It's for that reason that more sophisticated botnets have become peer-to-peer (P2P), making them effectively headless and much harder to take down. Distributed P2P botnets still serve an operator who introduces commands into the network, but those commands can come from anywhere.


Botnets like ZeroAccess utilize the P2P model, and anyone with the network's private key can deploy a command to its nodes. In order to communicate, infected machines probe the internet for other nodes which transfer their lists of known infected machines, causing the botnet to grow incredibly fast. 

Regardless of how they're controlled, botnets typically steal PII of node owners as a secondary goal. The focus on an infected machine's computing resource means that botnets don't just target computers: They target anything with an internet connection. Smartphones, routers, printers, and now Internet of Things (IoT) devices are all popular targets for botnet malware. 

IoT devices in particular are becoming a preferred target for botnet operators. The Internet of Things has grown by leaps and bounds in the past several years, and not all hardware is secured as well as it should be.

The Internet of Things is by its very nature designed to be invisible; the devices that power it are often placed in out-of-the-way areas or go unnoticed for long periods of time. The massively successful Mirai botnet is well known for its 2016 takedown of DNS provider Dyn, which resulted in outages for sites like Twitter, Amazon, Reddit, and other high-traffic sites. 

Mirai was successful in attacking IoT devices because many ship with default usernames and passwords that are well known, and many people fail to change them when devices are deployed. All an attacker has to do, as was the case with Mirai, is scan for IoT devices, log in with those default credentials, and install malicious firmware updates that turn the device into a botnet zombie. 

Botnets typically spread through similar methods: Looking for unsecured devices that can be logged into without having to directly attack the device. They also spread traditionally to computers through malware, malicious email attachments, smartphone apps that contain malicious code, and other common methods. 


What are malicious botnets used for?

When an attacker has control over hundreds of thousands, or potentially millions, of devices there's a lot they can do to enrich themselves and make life difficult for others. 

The most common use of malicious botnets is to launch DDoS attacks that knock down websites, DNS providers, and other internet services. DDoS attacks rely on massive amounts of traffic that paralyze a provider, making it impossible for legitimate traffic to reach it before eventually knocking it offline. 


DDoS attacks are hardly the only application that botnets have. They're also commonly used to:

  • Spread themselves into sensitive networks, like those owned by businesses and governments, in order to steal valuable information,
  • Covertly mine cryptocurrencies like Bitcoin, which can burn out a device and destroy it,
  • Send spam email, often with botnet-installing malware attached, links to malicious sites that harvest PII or install additional malware, or with intent to commit fraud, 
  • Commit click fraud, in which advertisements are repeatedly clicked to generate revenue,
  • Commit ad fraud, which is similar to click fraud but occurs on websites with hidden ads or sites designed only to host fraudulent ads.

In addition to these uses, many botnets are also available for rent to cybercriminals looking to use them for their own purposes. With that in mind, a botnet known for launching one kind of attack could be used for any of the above purposes, or anything else an enterprising attacker can dream up. 


What are the signs a device is infected by a botnet?

Like other varieties of malware, the kind that turns an internet-connected device into a botnet node is designed to be as unnoticeable as possible. Users that notice something odd with their computer, smartphone, or IoT device may become suspicious, and that means the botnet could lose a valuable node. 


That doesn't mean traces aren't left behind. Botnets use other people's computing resources to accomplish their tasks, which means telltale signs are visible if you know what to look for.

A blog post from antivirus software maker ESET has a list of 10 signs to be on the lookout for if you're concerned you may have botnet malware on your computer. This list only applies to PCs and macOS devices; malware symptoms on smartphones and IoT devices can differ and will be discussed below.

Is your computer's fan kicking in while your computer is idle?

This could be a sign your computer is working hard without your knowledge, but then again it could be a sign that updates are being downloaded. Check your computer to see what's running, and if you can't find updates being downloaded and your fan is clean, it's time to scan for malware.

Are you having trouble shutting your computer down?

Shutdown failures or a computer taking a long time to power down can be a sign that malware is running in the background and interrupting the normal shutdown cycle. Again, this can also be caused by bugs in legitimate software so don't automatically assume botnet malware is the case. 

Are you noticing mysterious social media posts from your accounts?

Malicious software attempting to propagate itself can use some ingenious methods of spreading without being detected. One way is via social media. If you've noticed some posts you didn't make yourself, or if people have warned you that you've sent direct messages you know you didn't send, it's possible you're infected.

As with the above, malware on your computer may not be the cause of this: Your account may have been hacked, your password stolen in a data breach, or another device may be compromised.

Is your machine running slowly?

A noticeable and sudden slowdown in your computer's speed is a sign that a lot of resources are being used, which can indicate software running in the background that you aren't aware of. Again, this can be caused by other problems as well.

Are you unable to download system updates?

Some malware, especially the kind that relies on known vulnerabilities, will prevent a computer from downloading updates in order to keep its essential vulnerabilities available for exploitation. If you can't download updates this is a serious issue that needs to be rectified immediately.

Are you unable to download new antivirus definitions? 

If you try to update your antivirus software in order to scan because you noticed these other symptoms, but can't download the update, there's a pretty good chance you've been infected by malware that blocks antivirus updates. This is also indicated by being unable to visit antivirus vendors' websites, which malware frequently blocks as well. 

Is your internet access super slow?

If your machine is being used to send spam or as part of a DDoS attack it's probably eating up a lot of bandwidth, which can cause your internet connection to slow to a crawl. Turn the machine off, or disconnect it from the internet, and see if the problems persist by using another machine. If the internet is fast when the suspect is disconnected, but slow when it's online, there's a good chance it's up to something.

Have friends, family, or coworkers told you they received a suspicious email from you?

Botnets often send spam, and if one has infected your computer it can use your accounts to send malicious messages to your contacts.

Are pop-ups appearing at random times, even when you're not online?

This is often a sign of other types of malware, but botnet malware on your computer can install other malware as well. At the very least, if you're seeing this you probably have some sort of infection.

Are there unrecognizable program names running in Task Manager?

Legitimate programs and services can have hard-to-recognize names, but bizarre ones and total gibberish can indicate malware, especially if they're eating up a lot of resources. 

Signs a smartphone is infected with botnet malware

This is a much greater problem for Android users. iPhones can still be infected by malware, but it's incredibly rare unless a device has been jailbroken and a third-party app store is being used. Android, on the other hand, is much more open, and Google has far more lenient screening on the Google Play app store. 

Regardless of what platform you're using, signs of smartphone malware include:

  • Constant ads, regardless of the app you're using
  • A newly-installed app's icon disappearing
  • Greatly decreased battery life
  • Apps on your device you don't recognize
  • Rapid slowdowns and serious overheating

Signs an IoT device has been infected with botnet malware

It can be nearly impossible to detect a compromised IoT device, but the US Department of Justice said there are some signs, like the sluggish performance and slow response that were seen during the Mirai botnet outbreak.

Compromised IoT devices may also refuse updates, and unusual internet activity may be noticed at a firewall or router that indicates an IoT device is sending traffic that it shouldn't be.
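As an added example (not part of the article), the following Python script shows how the firewall or router check described above can be automated: it reads constructed flow-log lines, compares each baselined IoT device's destination ports against a hypothetical allowlist, and flags a device that opens Telnet connections to many different hosts, the propagation pattern the article attributes to Mirai. The log format, the device baseline and the scan threshold are all assumptions.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (not real data): timestamp, source, destination, port, bytes.
SAMPLE_LOG = """\
2016-10-21T12:00:01 src=192.168.1.50 dst=198.51.100.20 dport=443 bytes=1200
2016-10-21T12:00:03 src=192.168.1.77 dst=203.0.113.9 dport=23 bytes=60
2016-10-21T12:00:03 src=192.168.1.77 dst=203.0.113.10 dport=23 bytes=60
2016-10-21T12:00:04 src=192.168.1.77 dst=203.0.113.11 dport=2323 bytes=60
2016-10-21T12:00:05 src=192.168.1.77 dst=198.51.100.20 dport=443 bytes=300
2016-10-21T12:00:06 src=192.168.1.60 dst=192.168.1.1 dport=53 bytes=80
"""
LINE_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")
# Hypothetical baseline: the only destination ports each IoT device should ever use.
EXPECTED_PORTS = {
    "192.168.1.50": {443},      # IP camera: vendor cloud over HTTPS only
    "192.168.1.77": {443},      # smart plug: vendor cloud over HTTPS only
    "192.168.1.60": {53, 443},  # thermostat: DNS plus vendor cloud
}
TELNET_PORTS = {23, 2323}
SCAN_THRESHOLD = 3  # distinct Telnet targets from one device before we call it scanning


def parse_flows(log_text):
    """Return (src, dst, dport) tuples for every log line that matches the format."""
    flows = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            flows.append((m["src"], m["dst"], int(m["dport"])))
    return flows


def find_suspicious(flows, expected=EXPECTED_PORTS):
    """Map each baselined IoT device to the reasons its traffic looks wrong."""
    unexpected = defaultdict(set)      # src -> ports outside its baseline
    telnet_targets = defaultdict(set)  # src -> distinct hosts it tried Telnet on
    for src, dst, dport in flows:
        if src not in expected:
            continue  # not a device we track
        if dport not in expected[src]:
            unexpected[src].add(dport)
        if dport in TELNET_PORTS:
            telnet_targets[src].add(dst)
    findings = defaultdict(list)
    for src, ports in unexpected.items():
        findings[src].append(f"unexpected destination ports {sorted(ports)}")
    for src, hosts in telnet_targets.items():
        if len(hosts) >= SCAN_THRESHOLD:
            findings[src].append(f"Telnet to {len(hosts)} distinct hosts (scanning pattern)")
    return dict(findings)
```

Running `find_suspicious(parse_flows(SAMPLE_LOG))` flags only the smart plug, for both its out-of-baseline ports and its Telnet fan-out; a device that merely refuses updates would need a separate check against your update server's logs.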


How can I prevent my devices from becoming botnet nodes?

There's quite a bit that goes into protecting internet-connected devices from becoming slaves to the latest botnets, and not all of it is as simple as good cybersecurity hygiene. As security provider Norton points out, good security habits are generally enough to protect computers, but when it comes to smartphones and IoT devices precautions vary, and all of them are equally important if you own the latter two types of devices.

To protect computers, be sure to:

  • Have a reliable security suite installed, keep it updated, and run regular scans
  • Always update your operating system whenever new updates are released
  • Never download attachments from suspicious sources, or suspicious emails from people you know
  • Don't click login links in an email—navigate to the website manually and log in from there
  • Make sure your operating system's firewall is active. Both Windows 10 and macOS have one built in
  • Practice good password hygiene: Don't duplicate passwords, make them complicated, and change them regularly
  • Use multifactor authentication for any services that offer it

Computer protection tips apply to other devices as well: Keep them updated, don't click on bad links, and don't download suspicious attachments. There are some different security considerations to keep in mind when using a smartphone, though:

  • Don't manually install apps using their .apk or .ipa files: Apps redistributed by third-party websites can be modified to include malware
  • Don't root or jailbreak your device in order to install a third-party app store; such stores are often riddled with malware-laden apps
  • Look at user reviews and the rating of an app before installing it: If users mention potential scams or malware don't install the app and report it to Google or Apple.

For IoT device security recommendations, the DOJ suggests: 

  • Research IoT device manufacturers before purchasing. Be sure the company has a reputation for making secure devices, and find out whether the device ships with a default password that is well known or hard-coded.
  • Take the time to secure IoT devices before connecting them to the internet. Download updates, change default passwords, and enable security features first thing.
  • Use secure passwords for IoT devices, even potentially more secure ones than you would for regular accounts. Long, random passwords consisting of numbers, letters, capital letters, and special characters should be used to ensure the devices are as secure as possible. It can also help to change the administrator account name to something different if that's possible.
  • Always install firmware updates as soon as they're available. 
  • Disconnect devices that can't be secured, or for which the manufacturer has published a security bulletin but not yet released a fix for the vulnerability.
  • Power cycle IoT devices periodically. Botnet malware often lives in an IoT device's memory and can be eliminated just by powering it off and leaving it shut down for a few minutes.
  • Make sure Wi-Fi networks and routers are secure by closing unused ports, enabling MAC address filtering, and disabling Universal Plug and Play (UPnP).
  • Make sure IoT devices at the edge of networks are physically secured from tampering.
  • Segment IoT networks to prevent them having access to an entire network or to other IoT devices they don't need to be connected to.
