Almost anything with an internet connection can be hijacked and used in a malicious botnet attack–IoT devices are especially popular targets. Learn how to spot and prevent this malware threat.

When a computer or any other device is connected to the internet, it is exposed to malware and to attackers. We usually think of our personal devices as potential victims, not as components of someone else's cyberattack, but they can be exactly that if they become a node in a botnet.
Botnets are used to do all sorts of malicious things, like launch distributed denial of service (DDoS) attacks, spread malware, and mine cryptocurrency–all without the device’s owner being aware that it’s been hijacked.
That doesn’t mean there aren’t signs that an internet-connected device has been hijacked, and botnet victims aren’t beyond saving. It’s essential to act fast, though: Beyond giving an attacker access to personal info on the device, botnet nodes can be worked to the point of physical damage from overheating, leaving their owners stuck with the bill for repair or replacement.
The definition of botnet is simple: A bunch of computers acting together to accomplish a shared task. If that definition seems ambiguous, it’s because it is: Botnets aren’t malicious by definition.
One of the first uses of a botnet was to operate internet relay chat (IRC), a completely legitimate use of connected computers. IRC used servers and other computers to relay chat from sender to recipient, with each computer in the network acting to relay data.
Modern malicious botnets, on the other hand, are typically operated for nefarious purposes, and computers become nodes not by installing a program, but by being hijacked directly by hackers or through the installation of malware.
Botnets use a lot of different protocols to communicate: IRC, HTTP, Telnet, Tor, and even social media sites can be used to issue commands and evade detection.
At their most basic, botnets aren’t that different from any other malware that takes orders from a command and control (C&C) server, except in this case botnet malware is less concerned with the info it can harvest from a particular computer, and more with the computing resources it can extract from an infected machine.
Note that this doesn’t mean botnet malware won’t be used to harvest personal identifying information (PII) about the owners of hijacked machines: It’s entirely capable of stealing credentials, banking information, and other personal details.
Traditional botnets that use the C&C method have a critical weakness: If their C&C server is knocked offline the botnet ceases to function. It’s for that reason that more sophisticated botnets have become peer-to-peer (P2P), making them effectively headless and much harder to take down. Distributed P2P botnets still serve an operator who introduces commands into the network, but those commands can come from anywhere.
Botnets like ZeroAccess utilize the P2P model, and anyone with the network’s private key can deploy a command to its nodes. In order to communicate, infected machines probe the internet for other nodes which transfer their lists of known infected machines, causing the botnet to grow incredibly fast.
Regardless of how they’re controlled, botnets typically steal PII of node owners as a secondary goal. The focus on an infected machine’s computing resource means that botnets don’t just target computers: They target anything with an internet connection. Smartphones, routers, printers, and now Internet of Things (IoT) devices are all popular targets for botnet malware.
IoT devices in particular are becoming a preferred target for botnet operators. The Internet of Things has grown by leaps and bounds in the past several years, and not all of its hardware is secured as well as it should be.
The Internet of Things is by its very nature designed to be invisible; the devices that power it are often placed in out-of-the-way areas or go unnoticed for long periods of time. The massively successful Mirai botnet is well known for its 2016 takedown of DNS provider Dyn, which resulted in outages for sites like Twitter, Amazon, Reddit, and other high-traffic sites.
Mirai was successful in attacking IoT devices because many ship with default usernames and passwords that are well known, and many people fail to change them when devices are deployed. All an attacker has to do, as was the case with Mirai, is scan for IoT devices, log in with those default credentials, and install malicious firmware updates that turn the device into a botnet zombie.
Botnets typically spread through similar methods: Looking for unsecured devices that can be logged into without having to directly attack the device. They also spread traditionally to computers through malware, malicious email attachments, smartphone apps that contain malicious code, and other common methods.
When an attacker has control over hundreds of thousands, or potentially millions, of devices there’s a lot they can do to enrich themselves and make life difficult for others.
The most common use of malicious botnets is to launch DDoS attacks that knock down websites, DNS providers, and other internet services. DDoS attacks rely on massive amounts of traffic that paralyze a provider, making it impossible for legitimate traffic to reach it before eventually knocking it offline.
DDoS attacks are hardly the only application that botnets have. They’re also commonly used to:
In addition to these uses, many botnets are also available for rent to cybercriminals looking to use them for their own purposes. With that in mind, a botnet known for launching one kind of attack could be used for any of the above purposes, or anything else an enterprising attacker can dream up.
Like other varieties of malware, the kind that turns an internet-connected device into a botnet node is designed to be as unnoticeable as possible. Users that notice something odd with their computer, smartphone, or IoT device may become suspicious, and that means the botnet could lose a valuable node.
That doesn’t mean traces aren’t left behind. Botnets use other people’s computing resources to accomplish their tasks, which means telltale signs are visible if you know what to look for.
A blog post from antivirus software maker ESET has a list of 10 signs to be on the lookout for if you’re concerned you may have botnet malware on your computer. This list only applies to PCs and macOS devices–malware symptoms on smartphones and IoT devices can differ and will be discussed below.
This could be a sign your computer is working hard without your knowledge, but then again it could be a sign that updates are being downloaded. Check your computer to see what’s running, and if you can’t find updates being downloaded and your fan is clean, it’s time to scan for malware.
Shutdown failures or a computer taking a long time to power down can be a sign that malware is running in the background and interrupting the normal shutdown cycle. Again, this can also be caused by bugs in legitimate software so don’t automatically assume botnet malware is the case.
Malicious software attempting to propagate itself can use some ingenious methods of spreading without being detected. One way is via social media. If you’ve noticed some posts you didn’t make yourself, or if people have warned you that you’ve sent direct messages you know you didn’t send it’s possible you’re infected.
As with the above, malware on your computer may not be the cause of this–your account may have been hacked, your password stolen in a data breach, or another device may be compromised.
A noticeable and sudden slowdown in your computer’s speed is a sign that a lot of resources are being used, which can indicate software running in the background that you aren’t aware of. Again, this can be caused by other problems as well.
Some malware, especially the kind that relies on known vulnerabilities, will prevent a computer from downloading updates in order to keep its essential vulnerabilities available for exploitation. If you can’t download updates this is a serious issue that needs to be rectified immediately.
If you try to update your antivirus software in order to scan because you noticed these other symptoms, but can’t download the update, there’s a pretty good chance you’ve been infected by malware that blocks antivirus updates. This is also indicated by being unable to visit antivirus vendors’ websites, which malware frequently blocks as well.
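One common way malware blocks antivirus updates and vendor websites is by poisoning the system's hosts file so that those domains resolve to a dead or attacker-controlled address. The following script is an added example, not part of the original article: it parses hosts-file text and reports any mapping for a watchlisted domain or its subdomains. The watchlist domains (`example-av.test`, `updates.example-os.test`) and the sample hosts content are constructed placeholders; replace the watchlist with your own antivirus vendor's and OS update service's domains.

```python
"""Check a hosts file for entries that would block security-vendor or
update domains, one common way malware prevents antivirus updates."""

import re
from typing import List, Tuple

# Placeholder watchlist: replace with the domains of your antivirus vendor
# and OS update service. These names are constructed for the example.
WATCHLIST = ("example-av.test", "updates.example-os.test")

HostsHit = Tuple[int, str, str]  # (line number, ip, hostname)


def _matches_watchlist(hostname: str, watchlist=WATCHLIST) -> bool:
    """True when hostname equals a watchlisted domain or is a subdomain of one."""
    name = hostname.lower().rstrip(".")
    for domain in watchlist:
        domain = domain.lower()
        if name == domain or name.endswith("." + domain):
            return True
    return False


def find_blocked_security_domains(hosts_text: str, watchlist=WATCHLIST) -> List[HostsHit]:
    """Return every hosts-file mapping whose hostname is on the watchlist.

    A legitimate hosts file almost never maps vendor update domains, so any hit
    is worth a look regardless of the IP it points at (0.0.0.0, 127.0.0.1, or a
    third-party address that could serve fake updates).
    """
    hits: List[HostsHit] = []
    for lineno, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = re.split(r"\s+", line)
        ip, hostnames = fields[0], fields[1:]
        for host in hostnames:
            if _matches_watchlist(host, watchlist):
                hits.append((lineno, ip, host))
    return hits


# Constructed sample hosts file, as a poisoned one might look after infection.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1   localhost
::1         localhost

# Entries added by malware (constructed for this example)
0.0.0.0     update.example-av.test   # update server blackholed
127.0.0.1   www.example-av.test
10.0.0.5    updates.example-os.test  # redirected to another host
"""

if __name__ == "__main__":
    for lineno, ip, host in find_blocked_security_domains(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} -> {ip}")
```

On Windows the file lives at `%SystemRoot%\System32\drivers\etc\hosts`; on Linux and macOS it is `/etc/hosts`. Read the real file into `find_blocked_security_domains` instead of `SAMPLE_HOSTS`, and treat any hit as a reason to scan from a separate, known-clean machine rather than trusting the infected one to update itself.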
If your machine is being used to send spam or as part of a DDoS attack it’s probably eating up a lot of bandwidth, which can cause your internet connection to slow to a crawl. Turn the machine off, or disconnect it from the internet, and see if the problem persists from another machine. If the internet is fast when the suspect is disconnected, but slow when it’s online, there’s a good chance it’s up to something.
Botnets often send spam, and if one has infected your computer it can use your accounts to send malicious messages to your contacts.
This is often a sign of other types of malware, but botnet malware on your computer can install other malware as well. At the very least, if you’re seeing this you probably have some sort of infection.
Legitimate programs and services can have hard-to-recognize names, but bizarre ones and total gibberish can indicate malware, especially if they’re eating up a lot of resources.
This is a much greater problem for Android users. iPhones can still be infected by malware, but it’s incredibly rare unless a device has been jailbroken and a third-party app store is being used. Android, on the other hand, is much more open, and Google has far more lenient screening on the Google Play app store.
Regardless of what platform you’re using, signs of smartphone malware include:
It can be nearly impossible to detect a compromised IoT device, but the US Department of Justice said there are some signs, like the sluggish performance and slow response that was seen during the Mirai botnet outbreak.
Compromised IoT devices may also refuse updates, and unusual internet activity may be noticed at a firewall or router that indicates an IoT device is sending traffic that it shouldn’t be.
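The bandwidth and "unusual activity at the router" signs above can be turned into a concrete check if your firewall or router logs outbound connections. The script below is an added example, not from the original article or any vendor: it aggregates a connection log per LAN device and flags devices that contact far more destinations than their expected profile or use ports outside it. The log format, the device baseline (`BASELINE`), the device addresses and the sample traffic are all constructed for the example; the sample shows a camera probing dozens of hosts on Telnet, the kind of spread pattern seen during the Mirai outbreak, next to a thermostat behaving normally.

```python
"""Flag LAN devices whose outbound traffic departs from their expected
profile, using firewall/router connection logs."""

import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed log format: one line per outbound connection.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) OUT src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)

# Per-device baseline: how many distinct destinations and which ports each
# device is expected to use. Addresses and values are assumed for this example.
BASELINE: Dict[str, dict] = {
    "192.168.1.50": {"label": "ip-camera", "max_dsts": 3, "ports": {443, 123}},
    "192.168.1.60": {"label": "thermostat", "max_dsts": 3, "ports": {443, 123}},
}
DEFAULT_PROFILE = {"label": "unknown", "max_dsts": 20, "ports": {80, 443, 123, 53}}


class DeviceStats:
    """Outbound traffic totals for one source address."""

    def __init__(self) -> None:
        self.connections = 0
        self.bytes = 0
        self.dsts: Set[str] = set()
        self.ports: Set[int] = set()


def summarize(lines: List[str]) -> Dict[str, DeviceStats]:
    """Aggregate outbound connections per source device; unparseable lines are skipped."""
    stats: Dict[str, DeviceStats] = defaultdict(DeviceStats)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        s = stats[m["src"]]
        s.connections += 1
        s.bytes += int(m["bytes"])
        s.dsts.add(m["dst"])
        s.ports.add(int(m["dport"]))
    return dict(stats)


def flag_anomalies(stats: Dict[str, DeviceStats], baseline=BASELINE) -> Dict[str, List[str]]:
    """Return {src: [reasons]} for devices that exceed their profile."""
    findings: Dict[str, List[str]] = {}
    for src, s in stats.items():
        profile = baseline.get(src, DEFAULT_PROFILE)
        reasons = []
        if len(s.dsts) > profile["max_dsts"]:
            reasons.append(
                f"{len(s.dsts)} distinct destinations (expected <= {profile['max_dsts']})"
            )
        unexpected = sorted(s.ports - profile["ports"])
        if unexpected:
            reasons.append(f"unexpected destination ports {unexpected}")
        if reasons:
            findings[src] = reasons
    return findings


def sample_log() -> List[str]:
    """Constructed log: a camera probing many hosts on Telnet next to a
    thermostat that only talks to its cloud service and an NTP server."""
    lines = [
        "2024-05-01T10:00:00Z OUT src=192.168.1.60 dst=203.0.113.7 proto=tcp dport=443 bytes=5120",
        "2024-05-01T10:00:05Z OUT src=192.168.1.60 dst=203.0.113.9 proto=udp dport=123 bytes=76",
        "2024-05-01T10:00:06Z OUT src=192.168.1.50 dst=203.0.113.7 proto=tcp dport=443 bytes=9000",
    ]
    for i in range(1, 41):
        lines.append(
            f"2024-05-01T10:01:{i:02d}Z OUT src=192.168.1.50 dst=198.51.100.{i} "
            f"proto=tcp dport=23 bytes=60"
        )
    return lines


if __name__ == "__main__":
    for src, reasons in flag_anomalies(summarize(sample_log())).items():
        label = BASELINE.get(src, DEFAULT_PROFILE)["label"]
        print(f"{src} ({label}): " + "; ".join(reasons))
```

The baseline is the important part: an IoT device should talk to a handful of vendor endpoints on a fixed set of ports, so a tight per-device profile catches a scanning or DDoS node long before total bandwidth does. Unknown devices fall back to a looser `DEFAULT_PROFILE`, which is where newly plugged-in gadgets show up first.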
There’s quite a bit that goes into protecting internet-connected devices from being conscripted into the latest botnets, and not all of it is as simple as good cybersecurity hygiene. As security provider Norton points out, good security habits are generally enough to protect computers, but the precautions for smartphones and IoT devices differ, and every one of them matters if you own either kind of device.
To protect computers, be sure to:
Computer protection tips apply to other devices as well: Keep them updated, don’t click on bad links, and don’t download suspicious attachments. There are some different security considerations to keep in mind when using a smartphone, though:
For IoT device security recommendations, the DOJ suggests: