Architectures Used for Botnets
Botnet designs vary, but how they are controlled falls into two categories—client/server and peer-to-peer. Most botnets combine these models.
Client-Server Model
Botnets based on a client-server model are centralized and controlled by a single command-and-control server. Once a system has been infected, the malware contacts the command-and-control server to receive instructions (e.g., to launch attacks or infect other connected devices). From this centralized server, the cybercriminal can control all the botnet devices.
Client-server botnets have been found to use different topologies. Several common network topologies botnets use include star, multi-server, and hierarchical.
Star network topologies employ a hub-and-spoke structure, with each host connected to a hub at the center of the network. In this model, the hub provides a channel to share messages with the devices in the botnet, and all data runs through the hub for distribution.
The structure of a multi-server network topology also follows a hub-and-spoke model. However, in a multi-server network topology, more than one server handles communication and data transmission to the bots, so the botnet does not depend on a single hub.
In a hierarchical network topology model, a centralized server communicates and transmits data, and bots handle communication with bots lower in the hierarchy. In this model, the server is separated from most bots.
Peer-to-Peer (P2P) Model
P2P botnets are decentralized and do not use command-and-control servers. In this model, the malware is replicated on all systems in the botnet, and each system acts as both the client and server.
A bot herder can send commands to one bot in the network and share them with adjacent nodes. In a P2P botnet, the bots maintain a list of which systems are in the network and can be trusted to share data and communications, including malware updates and commands.
An advantage of the P2P botnet model is that bots are only connected with limited machines, making it difficult to identify all botnet systems. However, this decentralization makes the botnets more susceptible to hijacking. To mitigate this risk, cybercriminals often use encryption to restrict access.
The P2P botnet model also provides a distinct advantage over the client-server model because there is not a single point of failure. With a client-server botnet, if the centralized server is taken down, the entire botnet goes with it.
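The single-point-of-failure argument above can be checked by modelling each control topology as a directed graph of who can relay commands to whom, then counting how many bots the herder still reaches after one node is taken down. This is an added illustration, not code from Palo Alto Networks; node names and sizes are constructed.

```python
"""Model the control topologies described above as directed graphs (who can relay
commands to whom) and count how many bots the herder can still reach after one
node is taken down. Added illustration; node names and sizes are constructed."""
from collections import deque


def reachable_bots(graph, removed=()):
    """Return the bots still reachable from 'herder' once `removed` nodes are gone."""
    gone, seen, queue = set(removed), set(), deque(["herder"])
    while queue:
        node = queue.popleft()
        if node in gone or node in seen:
            continue
        seen.add(node)
        queue.extend(graph.get(node, ()))
    return {n for n in seen if n.startswith("bot")}


def star(n):
    """Client-server, star: every bot talks only to the single C2 hub."""
    return {"herder": ["c2"], "c2": [f"bot{i}" for i in range(n)]}


def multi_server(n, servers):
    """Client-server, multi-server: every bot knows every C2 server."""
    g = {"herder": [f"c2-{s}" for s in range(servers)]}
    for s in range(servers):
        g[f"c2-{s}"] = [f"bot{i}" for i in range(n)]
    return g


def hierarchical(n, fanout):
    """Client-server, hierarchical: C2 talks to `fanout` bots, which relay downwards."""
    g = {"herder": ["c2"], "c2": [f"bot{i}" for i in range(min(fanout, n))]}
    for i in range(n):
        g[f"bot{i}"] = [f"bot{j}" for j in range(fanout * (i + 1), fanout * (i + 2)) if j < n]
    return g


def peer_to_peer(n, peers):
    """P2P: no server; the herder injects at two peers, each peer knows `peers` neighbours."""
    g = {"herder": ["bot0", f"bot{n // 2}"]}
    for i in range(n):
        g[f"bot{i}"] = [f"bot{(i + k) % n}" for k in range(1, peers + 1)]
    return g


def survivors_after_takedown(n=30):
    """Bots still under control after the most obvious takedown target is removed."""
    cases = {
        "star": (star(n), "c2"),
        "multi-server": (multi_server(n, 3), "c2-0"),
        "hierarchical": (hierarchical(n, 2), "c2"),
        "peer-to-peer": (peer_to_peer(n, 2), "bot0"),
    }
    return {name: len(reachable_bots(g, [target])) for name, (g, target) in cases.items()}


if __name__ == "__main__":
    for name, count in survivors_after_takedown().items():
        print(f"{name:13s} bots still reachable after takedown: {count}/30")
```

Removing the hub empties the star and hierarchical botnets, while the multi-server and P2P variants keep almost every bot; removing a relay bot in the hierarchical model only loses its subtree.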
Why Are Botnet Attacks Suited for Long-Term Intrusions?
A number of unique functional traits of bots and botnets make them well-suited for long-term intrusions. The bot herder can update bots to change their entire functionality based on what he/she would like them to do and to adapt to changes and countermeasures by the target system.
Bots can also utilize other infected computers on the botnet as communication channels, providing the bot herder with a near-infinite number of communication paths to adapt to changing options and deliver updates. This highlights that infection is the most important step because functionality and communication methods can always be changed later on as needed.
Since the remote bot herder controls infected computers, a botnet is like having a malicious hacker inside your network instead of just a malicious executable program.
How Can a Botnet Be Disabled?
Once a botnet is discovered, the two widely used approaches for disabling it are to take down the control centers and remove the botnet malware. The best approach will depend on the botnet architecture, its scale, and the resources available to an organization.
Take Down Botnet Control Centers
If the botnet employs a client-server architecture, it can be disabled by shutting down the main server or servers that control it. Taking down a botnet control center usually requires the support of law enforcement.
Eliminate Botnet Malware on Infected Devices
Several approaches can be used to remove botnet malware from individual systems. The easiest is to use anti-virus tools. In cases where this does not work, systems need to be wiped and reimaged. On IoT devices, the malware can be removed by performing a factory reset, reformatting the device, or reflashing the firmware.
Preventing Botnet Infection
One of the most important steps an enterprise can take to control modern malware is to reduce the infection vectors and eliminate the ability for the bots to hide. Today, most of the infection vectors used by botnets are virtually unchecked, and botnet traffic is typically small enough to easily blend into the background of “normal” network traffic.
By regaining complete visibility into, and control over, exactly which traffic is allowed into the network and why, security teams can address both goals: fewer infection vectors and fewer places for bots to hide.
Establish policies of approved applications and uses based on company needs and culture:
- Establish a baseline of what is on the network (applications, protocols, etc.):
  - What applications are in use?
  - What applications are required for the business, and who needs to use them?
  - What dual-use or personal applications does the enterprise want to allow?
- Enforce positive control of all traffic:
  - Prevent unnecessary or high-risk traffic
  - Regardless of port evasion or encryption
Investigate Unknowns
- Investigate “unknown” traffic by doing the following:
  - Track source and destination, and volumes of traffic
  - Correlate against URL, IPS, malware, and file transfer records
  - Define custom App-IDs as needed for any internal or custom applications
  - Capture PCAPs for any unrecognized, publicly available applications and deliver them to Palo Alto Networks
- Investigate “unknown” traffic for potential unauthorized user behavior or potential botnet behavior
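The first two steps of the checklist above, tracking source, destination and volume of “unknown” traffic, can be turned into a triage routine that also scores how regular the connection timing is, since small but periodic flows are the kind of traffic the text says blends into the background. This is an added example, not Palo Alto Networks code; the flow records and the `unknown-tcp` / `web-browsing` application labels are constructed.

```python
"""Triage 'unknown' application traffic as the checklist above describes: group
flows by source/destination, total the volume, and flag pairs whose connection
timing is regular (beacon-like) even though each flow is small.
Added illustration; the flow records below are constructed, not real logs."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow log: (timestamp_s, src, dst, dst_port, app, bytes)
FLOWS = [
    (0,    "10.0.0.5", "198.51.100.7", 443, "unknown-tcp", 420),
    (300,  "10.0.0.5", "198.51.100.7", 443, "unknown-tcp", 418),
    (600,  "10.0.0.5", "198.51.100.7", 443, "unknown-tcp", 421),
    (900,  "10.0.0.5", "198.51.100.7", 443, "unknown-tcp", 419),
    (1200, "10.0.0.5", "198.51.100.7", 443, "unknown-tcp", 420),
    (1500, "10.0.0.5", "198.51.100.7", 443, "unknown-tcp", 422),
    (12,   "10.0.0.9", "203.0.113.20", 8443, "unknown-tcp", 51000),
    (95,   "10.0.0.9", "203.0.113.20", 8443, "unknown-tcp", 2300),
    (610,  "10.0.0.9", "203.0.113.20", 8443, "unknown-tcp", 180000),
    (1400, "10.0.0.9", "203.0.113.20", 8443, "unknown-tcp", 900),
    (5,    "10.0.0.5", "192.0.2.10", 443, "web-browsing", 15000),
]


def summarize_unknown(flows, min_flows=4, jitter_ratio=0.1):
    """Group unknown-app flows per (src, dst, port) and score how periodic they are.

    A pair is flagged beacon-like when it has at least `min_flows` flows and the
    gaps between consecutive flows vary by less than `jitter_ratio` of the mean gap.
    """
    groups = defaultdict(list)
    for ts, src, dst, port, app, nbytes in flows:
        if app.startswith("unknown"):          # only the traffic App-ID could not classify
            groups[(src, dst, port)].append((ts, nbytes))
    report = {}
    for key, recs in groups.items():
        recs.sort()
        gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        periodic = (len(recs) >= min_flows and mean(gaps) > 0
                    and pstdev(gaps) <= jitter_ratio * mean(gaps))
        report[key] = {
            "flows": len(recs),
            "bytes": sum(n for _, n in recs),
            "mean_gap_s": round(mean(gaps), 1) if gaps else None,
            "beacon_like": periodic,
        }
    return report


def hosts_to_investigate(flows):
    """Return internal sources whose unknown traffic looks beacon-like."""
    return sorted({src for (src, _, _), r in summarize_unknown(flows).items() if r["beacon_like"]})
```

The host that sends 2.5 KB in six evenly spaced flows is flagged, while the bursty transfers of the second host are reported but not flagged; both would then be correlated against URL, IPS, malware and file transfer records as the checklist goes on to say.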
Control Enabling Applications
Palo Alto Networks provides the tools and techniques to control and secure the use of these malware-enabling applications. This ability to securely enable any application is a critical requirement for enterprises where simply blocking all access to blogs, webmail, IM and social networking apps would be both impractical and unduly constrain the enterprise’s ability to communicate and stay connected with the outside world.
- Prevent use of known “bad” applications
  - P2P
- Limit application usage to users/groups who have a need
- Prevent the use of dangerous features
  - File transfer
  - Desktop sharing
  - Tunneling of other applications
- Prevent drive-by downloads and train users to use the feature
- Selectively decrypt SSL based on application and URL category
  - Decrypt social networking, webmail, and instant messaging
  - Do not decrypt traffic to/from health care or financial sites
- Inspect and enforce all allowed risky application traffic
  - Intrusion and threat prevention
  - Malware protection
  - URL filtering
Control Circumventors
- Limit remote desktop usage
- Securely enable SSH
  - Allow SSH, but prevent SSH tunneling
- Block use of unapproved proxies
- Block encrypted tunnels
  - UltraSurf
  - Hamachi
- Update App-IDs weekly
Protect Remote Users
- Enforce full enterprise firewalling and threat prevention regardless of user location
  - Include GlobalProtect to protect remote users
  - Enforce drive-by-download protections
- Enforce customized policies based on user location
  - Do not allow downloading files from secure systems when remote
List of Tools and Techniques for Defense
Several tools and techniques are available to defend against botnet threats. Some are specific to botnets, and others are part of an organization’s overall security program. The following are several tools and techniques that can be employed.
- Access controls
- Advanced anomaly detection
- Anti-virus software
- Behavioral analysis and machine learning
- Command-and-control (C2) server detection
- Device authentication
- Honeypots and decoys
- Installing updates and security patches
- Masking IP addresses
- Network segmentation
- Rate limiting
- Real-time monitoring
- Signature-based tools
- Strong password policies
- Threat intelligence
- User and entity behavior monitoring
- Using proxy servers
What Are Common Botnet Actions?
The simple answer as to what botnets can do is anything. Botnets are used to automate and scale many malicious cyber activities. The following examples demonstrate the variety of actions that botnets can be directed to execute on behalf of cybercriminals.
These functions are made possible because once botnet malware is installed, it enables the botmaster to send commands such as:
- Exfiltrating files and other data
- Gathering data from the device
- Installing and running applications on the device (e.g., spyware)
- Monitoring the user’s activities
- Reading and writing system data
- Searching for vulnerabilities in other devices
Email Spam
Though email is today seen as an older vector for attack, some of the largest botnets are used to send spam. Known as spambots, these bots send spam, spread phishing messages, and add more systems to the botnet.
Execute Distributed Denial-of-Service (DDoS) Attacks
Botnets are widely used for DDoS attacks. Due to their massive scale, botnets are highly effective at overloading a target network or server with requests, rendering it inaccessible to its intended users.
A twist on the spamming botnet model involves using bots for DDoS attacks, overwhelming a target system with traffic from numerous endpoints. The enterprise with the infected client is often not the target, but the compromised host is used to flood a remote target with traffic.
DDoS attacks may target specific companies for personal/political reasons or to extort payment. These attacks pose a dual risk for the enterprise, potentially causing downtime and lost productivity if targeted, or consuming valuable network resources if end-users participate in the attack.
Probe Networks for Vulnerabilities
In addition to launching attacks, botnets scan networks for vulnerable systems to exploit. In some cases, these are broad scans of the Internet; in others, botnets seek out particular types of devices or organizations to scan in support of targeted attacks.
Run Brute Force Attacks
The scale of botnets makes them very effective at running programs designed to breach web accounts by brute force. This includes dictionary attacks and credential stuffing, which exploit weak or reused user passwords to gain unauthorized system access.
Steal Information
Systems infected with botnet malware collect sensitive information from devices. Tools employed by botnets to steal information include keyloggers and screenshot grabbers. The collected data is then sent back to an attacker’s remote server.
Target High-Value Assets
Targeted intrusions leverage smaller botnets designed to compromise specific high-value systems of organizations from which attackers can penetrate and intrude further into the network. These intrusions are extremely dangerous to organizations as attackers specifically target their most valuable assets, including financial data, research and development, intellectual property, and customer information.
Real-World Examples of Botnets
Many botnet attacks are zero-day varieties. The following is a review of several real-world botnet attacks. While most of these have been disabled, a few are still active.
EarthLink Spammer (Disabled)
One of the first botnets that gained public attention was the EarthLink botnet, also called the EarthLink Spammer. Launched in 2000, the botnet was used by its creator and other cybercriminals to send more than 1.25 million phishing emails over the EarthLink network.
This botnet software used Trojan horse malware to infect systems and access users' information remotely. Over a year, the EarthLink botnet affected about 12% of EarthLink's email traffic and cost the organization an estimated $4.1 million in lost profits.
Cutwail (Disabled)
Discovered in 2007, the Cutwail botnet was sending more than 51 million emails every minute by 2009, accounting for more than 45% of the world's spam. It is estimated that, at its peak, the Cutwail botnet comprised 1.5 to 2 million infected computer systems sending 74 billion spam emails a day.
This botnet targeted Windows systems with Trojan horse malware that used infected computers as spambots. Cutwail was also used to spread well-known malware families and was used as a DDoS botnet for SSL attacks.
ZeuS (Disabled)
In its heyday, the ZeuS botnet, also called Zbot, was thought to be the most widely used malware, infecting more than 13 million computers across 196 countries. ZeuS used Trojan horse malware for several nefarious undertakings, including spreading CryptoLocker ransomware and stealing credentials to users' accounts, including their social media, banking, FTP, and email accounts. Over 90% of all online bank fraud incidents were attributed to the ZeuS botnet.
Storm (Disabled)
Storm, also called the Storm worm botnet, Dorf botnet, and Ecard malware, was one of the first peer-to-peer botnets. This Trojan horse malware was available through a rental model on the dark web. Believed to have infected up to 2 million computers, Storm was used for a number of criminal activities, including identity theft, bank fraud, and DDoS attacks. It was one of the most virulent botnets to date, as it had defensive capabilities that thwarted attempts to track and deactivate it.
Kraken (Disabled)
The Kraken botnet was a massive spyware botnet. It was estimated to have infected 10% of all Fortune 500 companies, and each of the almost 500,000 bots in the network could send about 600,000 emails a day. In addition to its size, the Kraken botnet is thought to have been one of the first to use evasion techniques to avoid detection by anti-malware tools.
Grum (Disabled)
Specializing in spam targeting the pharmaceutical industry, the Grum botnet could send almost 40 billion emails daily, accounting for nearly 20% of the world's spam. At its peak, the Grum botnet included more than 100,000 computers.
A notable feature of the Grum botnet was that it used two types of control servers, one for infecting systems and one for sending commands. Additionally, the control servers were located in Panama, Russia, and Ukraine, which gave it resiliency and allowed it to stay operational when one control server was disabled.
Mariposa (Disabled)
The Mariposa botnet, comprised of more than 12 million computers, used worm malware that propagated itself through malicious digital ads (i.e., malvertising). This botnet was used to steal sensitive data from over 800,000 users, including credentials for financial services sites and credit card numbers. It was also used to launch online scams and DDoS attacks.
GameOver Zeus (Disabled)
After the client-server ZeuS botnet was disabled, GameOver Zeus (GOZ) emerged with a peer-to-peer architecture that made it harder to disrupt. Before it was disrupted, GameOver Zeus had infected over 250,000 computers and caused an estimated $100 million in monetary losses.
Dridex (Active as of May 2024)
Dridex, also known as Bugat and Cridex, is Trojan horse malware that mostly spreads through phishing campaigns. It is delivered as a Word or Excel document attachment with a malicious macro that downloads and executes malware. Distributed through a malware-as-a-service model, this infostealer botnet is used to perform a number of malicious actions to steal users' information, including capturing screenshots, keylogging, and launching ransomware attacks.
ZeroAccess (Disabled)
Built to target Microsoft Windows operating systems, ZeroAccess is a peer-to-peer botnet that uses Trojan horse malware. The ZeroAccess botnet was particularly difficult to disable because it evaded detection by using a trick to turn off anti-virus software running on the infected systems. Growing to more than 9 million computers, the ZeroAccess botnet was used for cryptocurrency mining and spamming malware.
3ve (Disabled)
3ve comprised three interconnected sub-botnets used for ad fraud. The botnet was used to create more than 5,000 fake websites, spoofing the domains of high-ranking and prestigious publishers and selling their "premium" traffic to advertisers. 3ve was believed to have generated 3-12 billion ad bid requests daily using the more than 1.7 million computers under its control. By using an anti-forensics evasion tactic, 3ve collected an estimated $30 million before it was disabled.
Emotet (Active as of August 2024)
Emotet, also known as Heodo and Geodo, is considered one of the most dangerous botnets because it is polymorphic, changing its code each time it is called up. It uses Trojan horse malware to spread and distribute other malware and ransomware. Threat actors use Emotet to commit financial fraud, espionage, and political sabotage with malicious spam.
Mirai (Active as of August 2024)
The Mirai botnet is known for targeting and weaponizing IoT devices. It is believed to have infected over 600,000 devices, which it uses to launch DDoS attacks. In 2016, it ran a 1TB/second DDoS. The Mirai source code is publicly available and has been used to create hundreds more botnets. Mirai is considered to be the largest IoT botnet.
Botnet FAQs