Botnet Detection and Prevention

Botnet, a fusion of the words “robot” and “network”, is basically a group of computers that have been compromised by a malicious attacker and are under his control. Botnets are primarily used for executing Distributed Denial of Service (DDoS) attacks, where the targeted servers are crippled by overloading them with packets of data. Eventually the applications and services become unavailable to their users. Once the computer becomes a part of the botnet, attackers can remotely execute commands on it. The actual owner is usually unaware of the malicious activity taking place on his machine. Once a computer is under the attacker’s control, it becomes a “zombie computer.” In order to create a truly effective botnet, the malicious attacker must infect hundreds or even thousands of computers.

How do botnets affect company networks?
Botnets can be disastrous for companies as the botware can give the malicious attacker complete control over their networks. While most commonly used in DDoS attacks, botnets have other malicious uses. For example, a botnet can be used to send out millions of spam emails. Attackers can also use botnets to attack servers in an effort to gain access to restricted accounts with privileged data. Compromised computers can also “recruit” other computers by infecting them with botware, thus adding to the overall size and effectiveness of the botnet army. The attacker’s central operation center is called the Command and Control (C&C) Server. This server controls all the computers in the botnet army. Think of it as a general commanding thousands of troops in an army. The attacker can simply input his desired commands into the C&C server, which in turn dispatches these commands to each of the “zombie computers”.
One of the most notable botnets is the Zeus botnet. Commanded by approximately 100 malicious attackers, it has affected over 3.6 million personal computers (PCs) worldwide. This botnet has enabled the attackers to get away with more than $70 million by using various hacking techniques and scams.
Avoiding and removing botnets
Once a botnet has been detected, internet access should be disabled immediately on the affected computer(s). The botware should then be removed with the help of dedicated solutions offered by security software providers. Newer and sophisticated botware is tougher to eliminate. In such cases, the C&C server must be isolated before the rest of the botnet computers can be effectively sanitized. This step is mandatory when huge botnets are exposed and simple mitigation techniques are ineffective.
Botware is designed to operate in stealth mode, which means most users will be unaware that the computer they are using is contaminated and is secretly running malicious commands. Here are some of the most common symptoms of a computer or network that may be infected by botware.

  • Outbound connection attempts to unknown web servers (possibly a C&C server)
  • IRC traffic
  • Large amounts of SMTP traffic
  • Sluggish computer performance, problems accessing the internet
  • Unauthorized messaging sent over social media, chat, instant messaging, etc.
  • Random popups and windows

Botnet detection software should be installed on computers and networks in order to avoid botware infections. All applications and software should be patched and up-to-date with the latest official updates. Monitoring software should be installed as well, as newer botware versions are capable of bypassing traditional security barriers like anti-virus and anti-malware programs.