Introduction
In this article we look at what a botnet is, how one is built and controlled, and how botnets are used to commit cybercrime.
Botnet
The word is a combination of ‘Robot’ and ‘Network’.
"A botnet is a network of internet-connected devices infected with the same malware and controlled remotely by an operator, the botmaster, who runs a command-and-control (C&C) program to infect and direct vulnerable devices. The program running on an infected client is called a bot. Botnets are used to commit cybercrimes such as Distributed Denial of Service (DDoS), credential theft, unauthorized access and data theft."
The definition makes two points. First, the bots behave like robots: once installed they run without the owner's involvement, and the network keeps growing as bots recruit new victims unless it is stopped in time. Second, the infected devices are not only computers; Internet of Things (IoT) devices are infected too, and bots talk to their controller over ordinary network protocols such as HTTP and IRC.
Botnets remain a major source of cybercrime, so organizations and developers need to understand how bots behave and scan their websites and web applications for the vulnerabilities bots exploit before they become victims.
Zombie Computer
A zombie computer is any infected computer that runs a bot and is controlled remotely by the botmaster. Zombies are used to launch attacks such as DDoS or to send spam without the device's real owner noticing.
How a botnet is initiated
A botnet starts with a command-and-control (C&C) server set up by the attacker, who is also known as the "bot herder" or "botmaster". The C&C program communicates with each infected client (zombie computer) over a covert channel so that the traffic is not noticed.
First the attacker scans victim computers for vulnerabilities. Once a vulnerability is found, the attacker delivers the payload, a malicious application that becomes the bot. The bot then scans for further potential victims, and the more devices it manages to compromise, the more valuable it becomes to its controller.
Once a bot is running it keeps searching the network for other vulnerable computers. The infected computer continually receives instructions from the C&C server, and this is how the botmaster keeps count of the active bots it has managed to recruit. The botmaster then uses this capability to gather information from the infected computers through different attack techniques. Botnets can also be sold on illegal online markets or rented out to other attackers for a profit.
Other infection routes are drive-by downloads, exploiting vulnerabilities in a web browser, or tricking the user into executing a malicious program. The download or executable installs the modules that let the botnet's operator control the computer.
Types of botnet connections
Client-Server Model
Traditionally, botnets used a client-server model. Infected clients connect to a fixed network location (a domain name or IP address) and poll it for commands. The C&C program on the attacker's server sends commands to the infected clients, which execute them and report results back to the botmaster. Because every bot depends on that one location, the server is a single point of failure for the botnet.
IRC
IRC was the most common C&C channel in early botnets because it is simple and uses little bandwidth. The botnet operator controls the IRC bots through an IRC server and channel configured for that purpose. To avoid being tracked, the operator may have to move the IRC channel from time to time.
IRC bots have to stay connected to the IRC server and channel to remain useful, and this is one of their biggest disadvantages: the persistent connection easily discloses the controlling server. Once the server is detected it can be shut down and further infections stopped, but the computers already infected remain infected.
Peer to Peer
Peer-to-peer botnets were a survival technique adopted by botnet operators after large cybersecurity organizations shut down many botnet servers. Bots in a peer-to-peer botnet carry C&C commands just as the server does: a client can also behave as a server and relay commands to its peers, which makes the botnet much harder to take down.
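To make the difference between the two topologies concrete, here is an added example (not code from the original article) that models a small client-server botnet and a small peer-to-peer botnet as graphs and measures what fraction of the still-infected bots can receive a command after a takedown. The names c2 and bot0 to bot19, the ring-shaped peer lists and the takedown sets are assumptions made for the illustration.

```python
"""Compare how a client-server and a peer-to-peer botnet survive a takedown.

Added illustration, not from the original article. The topologies, the
node names ("c2", "botN") and the takedown sets are constructed.
"""
from collections import deque


def build_client_server(n_bots):
    """Star topology: every bot knows only the single C&C server."""
    graph = {"c2": set()}
    for i in range(n_bots):
        bot = f"bot{i}"
        graph[bot] = {"c2"}
        graph["c2"].add(bot)
    return graph


def build_p2p(n_bots, peers_per_bot=3):
    """Ring lattice: bot i keeps the next `peers_per_bot` bots in its peer list.
    Links are two-way because either side can relay a command to the other."""
    graph = {f"bot{i}": set() for i in range(n_bots)}
    for i in range(n_bots):
        for step in range(1, peers_per_bot + 1):
            a, b = f"bot{i}", f"bot{(i + step) % n_bots}"
            graph[a].add(b)
            graph[b].add(a)
    return graph


def reachable(graph, entry, removed):
    """Breadth-first search from `entry`, skipping nodes that were taken down."""
    if entry in removed or entry not in graph:
        return set()
    seen = {entry}
    queue = deque([entry])
    while queue:
        node = queue.popleft()
        for peer in graph[node]:
            if peer not in removed and peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return seen


def command_coverage(graph, entry, removed=()):
    """Fraction of still-infected bots that can receive a command injected at `entry`
    after the nodes in `removed` have been seized or shut down."""
    removed = set(removed)
    surviving = {n for n in graph if n.startswith("bot") and n not in removed}
    if not surviving:
        return 0.0
    reached = {n for n in reachable(graph, entry, removed) if n.startswith("bot")}
    return len(reached) / len(surviving)


if __name__ == "__main__":
    cs = build_client_server(20)
    p2p = build_p2p(20)
    print("client-server, C&C up:     ", command_coverage(cs, "c2"))
    print("client-server, C&C seized: ", command_coverage(cs, "c2", {"c2"}))
    print("p2p, 3 peers seized:       ", command_coverage(p2p, "bot5", {"bot0", "bot1", "bot2"}))
    print("p2p, two gaps of 3 seized: ",
          command_coverage(p2p, "bot5", {"bot0", "bot1", "bot2", "bot10", "bot11", "bot12"}))
```

Seizing the one server leaves every client-server bot infected but unreachable, while the peer-to-peer network keeps full coverage after three peers are seized and only loses half when defenders cut it at two separate places. This is the mitigation problem the text describes: with peers relaying commands there is no single node whose removal silences the botnet.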
Botnets and cybercrime
Botnets have become one of the biggest concerns in cybersecurity. Their ability to attack any device on the internet has made them popular in cybercrime. Botnets have been used for many kinds of attacks, including hijacking security cameras, large-scale DDoS attacks and even mining cryptocurrencies, and this effectiveness has made them one of the most widely used attack methods in cybercrime.
Mitigation Techniques
Security organizations have yet to come up with a single reliable technique for stopping botnets. The most effective mitigation so far is to find the controlling server and shut it down. Another is signature-based detection: network monitoring software that looks for known C&C patterns in request packets. The most common technique today is anti-bot detection, which tries to tell humans and bots apart by testing their behaviour against that of an average human; it is applied at the user, browser and network levels.
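The IRC disadvantage described earlier (a persistent connection to one controlling server) and the signature-based detection mentioned here can both be demonstrated with a small detector. The following is an added example, not part of the original article or of any named product: it runs an IRC signature check over a handful of captured payload fragments and a beaconing check over a connection log. The log lines, payloads, hosts, regular expressions and thresholds are all constructed for the illustration.

```python
"""Detecting the IRC C&C traffic and periodic check-ins described above.

Added example, not code from the original article. The connection log,
the payload fragments, the hosts and the thresholds are all constructed
for this illustration (the IP addresses are documentation ranges).
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed connection log: timestamp, source host, destination host, destination port.
# 10.0.0.5 checks in with the same server every five minutes; 10.0.0.7 is a user browsing.
CONN_LOG = """\
2024-03-01T10:00:00 10.0.0.5 203.0.113.9 6667
2024-03-01T10:05:00 10.0.0.5 203.0.113.9 6667
2024-03-01T10:10:01 10.0.0.5 203.0.113.9 6667
2024-03-01T10:14:59 10.0.0.5 203.0.113.9 6667
2024-03-01T10:20:00 10.0.0.5 203.0.113.9 6667
2024-03-01T10:00:13 10.0.0.7 93.184.216.34 443
2024-03-01T10:03:41 10.0.0.7 93.184.216.34 443
2024-03-01T10:11:02 10.0.0.7 93.184.216.34 443
2024-03-01T10:12:50 10.0.0.7 93.184.216.34 443
2024-03-01T10:25:19 10.0.0.7 93.184.216.34 443
"""

# Constructed payload fragments: (source host, destination port, first line of the payload).
PAYLOADS = [
    ("10.0.0.5", 6667, "NICK [XP]b0t-4412"),
    ("10.0.0.5", 6667, "JOIN #ctrl s3cr3t"),
    ("203.0.113.9", 6667, "PRIVMSG #ctrl :.scan 192.0.2.0/24 445"),
    ("10.0.0.7", 443, "GET /index.html HTTP/1.1"),
    ("10.0.0.9", 8080, "NICK worker77"),
]

# IRC client commands at the start of a line.
IRC_CMD = re.compile(r"^(NICK|USER|JOIN|PRIVMSG|PONG)\s")
# A channel message whose text starts with a bot command prefix, e.g. ".scan" or "!dos".
BOT_CMD = re.compile(r"^PRIVMSG\s+\S+\s+:[.!]\w+")


def match_irc_signatures(payloads):
    """Signature check: flag IRC protocol commands, and bot-style commands carried in PRIVMSG.
    Returns a list of (source, port, reason) in input order."""
    hits = []
    for src, port, text in payloads:
        if BOT_CMD.match(text):
            hits.append((src, port, "bot command in PRIVMSG"))
        elif IRC_CMD.match(text):
            reason = "IRC command" if port == 6667 else f"IRC command on non-IRC port {port}"
            hits.append((src, port, reason))
    return hits


def parse_conn_log(text):
    """Group connection timestamps by (source, destination, port)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows[(src, dst, int(port))].append(datetime.fromisoformat(ts))
    return flows


def find_beacons(text, min_connections=4, max_cv=0.1):
    """Behavioural check: a host that contacts one destination at nearly constant intervals
    is beaconing. Returns {(src, dst, port): interval_seconds} for flows whose
    coefficient of variation (standard deviation / mean of the gaps) is at most max_cv."""
    beacons = {}
    for key, times in parse_conn_log(text).items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        if statistics.pstdev(gaps) / mean <= max_cv:
            beacons[key] = round(mean)
    return beacons


if __name__ == "__main__":
    for src, port, reason in match_irc_signatures(PAYLOADS):
        print(f"signature hit: {src} -> port {port}: {reason}")
    for (src, dst, port), interval in find_beacons(CONN_LOG).items():
        print(f"beacon: {src} -> {dst}:{port} every {interval}s")
```

The signature check catches the bot even when the operator moves IRC off port 6667, but only for payloads that are readable; the beaconing check needs no payload at all, which is why the constant check-in that keeps an IRC bot useful is also what gives its server away. Real detectors need a larger minimum sample and tolerance for jitter that bots add deliberately.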