How Does a Botnet Attack Work?

By Zac Amos, Features Editor, ReHack

Keeping up with cybercriminals is a full-time job, as new attack types appear daily. Cybersecurity analysts must consider botnet attacks among classic ransomware and phishing schemes.

How new and common are these cybersecurity threats, and how do they compete against other methods concerning the danger to companies and individuals? No matter the novelty of cyberthreats, there are always ways to reinforce prevention and prepare for breaches.

What Are Botnet Attacks?

Hackers create infected groups of devices connected to the internet, known as the botnet. They can make these machines run bots using command and control (C&C) software, and they perform everything from ransomware to distributed denial-of-service attacks (DDoS) to infect networks. Since one of the first botnet attacks in 2004 — called Bagle — botnets have taken advantage of internet relay channel (IRC) protocols to instigate infection.

The architecture evolved as botnets advanced to disguise their activity in a few ways. They began to use fake IP addresses and HTTP protocols instead of IRC because hackers masked it as typical internet usage. This client-based system was risky since it relied on connectivity to a server connected to the herder to issue orders.

That worry dissipates with peer-to-peer (P2P) botnets since the bots can communicate with each other to perform tasks instead of being connected to a client. This decentralized nature makes them more challenging to detect.

Creating a botnet is advantageous for hackers since these groups are profitable in more ways than one. The bot herder — the hacker behind the botnet — can instigate potentially lucrative attacks and rent out the net to other cybercriminals to use for whatever purposes they desire. The botnet can stay in operation for a long time without detection, so others may find value in the network a hacker built.

How Do They Work?

Botnets initiate the same way many attacks do — they find a vulnerability. The goal is to exploit that exposure without the target knowing. They first start by creating what some analysts call a zombie army. The first objective of the botnet is to increase the number of infected devices with any method, like spam and trojan horses. Then, the herder can initialize commands to steal data or install malware.

Popular botnets have thrived for over a decade. One of the most well-known is called Zeus or Zbot. It had over 3.6 million devices in its network in 2009, but eventually, it had to rebrand and switch to a decentralized architecture to stay hidden.

Another is Mirai, which exposed the vulnerabilities of IoT-connected devices. Mirai overtook sensors and security systems to perform bricking attacks — deleting a device’s firmware. To demonstrate the accessibility of botnet attacks, college students created Mirai to hack the popular internet game Minecraft — not a Fortune 100 corporation. They saw how much a Minecraft server could make a month and decided to capitalize on that as a side hustle that unfortunately went awry.

Other botnets seek to do more than just attack unsuspecting devices. Bot herders can also automate them to mine cryptocurrency, like Sysrv, especially since the prices are constantly in flux. It provides herders stability despite volatile prices if they can keep mining. This is problematic, especially since the nature of cryptocurrency is anonymous, giving botnets an extra layer of protection from identification.

What Protections Can People Take?

Technology isn’t defenseless against botnets despite their durability. This is especially true since almost all causes of botnet attacks — including phishing and brute force hacks — are problems analysts must prepare for daily. They are all considered, so they are a part of risk management programs and business continuity plans. However, nobody can ignore the impartial nature of cyberattacks — everyone and anyone should prepare, regardless of if someone is a solopreneur or a multimillion-dollar enterprise.

The ideal action is to shut down the server connecting the infected devices. This may not be effective if the herders have multiple C&C servers, but it’s a great place to start in the event of an attack. Severing the tie can allow teams to scan and potentially reformat devices if necessary to remove all instances of infection.

However, the best way to protect is through preventive measures. Here are some of the top tips to safeguard any number of internet-connected devices:

• Keep systems and programs updated, including firewalls and antivirus software
• Train on best cybersecurity hygiene, like strong password creation and email management
• Stay informed on recent trends and attack methods
• Implement measures for access and permissions like zero-trust infrastructure
• Install an intrusion detection system (IDS)
• Enable two-factor authentication (2FA)

Botnet Attacks in Cybersecurity

Botnet attacks don’t occur as frequently as other kinds of cyberthreats, but they often have the facade of another type of source. They can send out phishing emails or DDoS attacks, so it isn’t easy to know if it’s part of a botnet.

Fortunately, only a few new measures need to be implemented to respond to or protect against botnet attacks. The best protection is awareness — knowing they exist as a potential threat can help create a more comprehensive protection plan for every kind of device for the future.

About the Author

Zac Amos is the Features Editor at ReHack, where he covers cybersecurity and the tech industry. For more of his content, follow him on Twitter or LinkedIn.