A botnet (a blend of “robot” and “network”) is a collection of compromised devices on a network whose computing power and network connections an attacker harnesses through the host computers. The bots receive communication from a command & control server (C&C server) with instructions to perform coordinated actions, which the attacker uses to carry out malicious activities. The effectiveness of a botnet depends on its size, network bandwidth, and processing power. Devices participating in a botnet can drain company resources and/or be used to steal sensitive data.
Some botnets have built-in C&C server redundancy: if they cannot contact the main server, they attempt to communicate with several backup C&C servers. Security researchers are able to disrupt botnets by taking out their C&C servers, using sinkhole servers that intercept the DNS names the botnet is programmed to use for coordination.
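The sinkholing described above, as an added Python example that is not part of the original article: a resolver that answers queries for known C&C names (constructed placeholder zones here, including a backup server) with a sinkhole address and records which internal host asked, which is how researchers identify infected machines even when the bots fall back to their backup C&C.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed placeholder zones standing in for the DNS names a botnet is
# programmed to contact, including its backup C&C servers.
SINKHOLE_ZONES = {"cc-primary.example", "cc-backup.example"}
SINKHOLE_IP = "192.0.2.10"  # RFC 5737 documentation address: the sinkhole host

def normalise(qname: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return qname.rstrip(".").lower()

def is_sinkholed(qname: str) -> bool:
    """True if qname is a sinkholed zone or any subdomain of one."""
    labels = normalise(qname).split(".")
    return any(".".join(labels[i:]) in SINKHOLE_ZONES for i in range(len(labels)))

@dataclass
class Sinkhole:
    # Stand-in for a real upstream lookup: name -> address for ordinary names.
    upstream: Dict[str, str]
    # Which client asked for which sinkholed name: the infection record.
    hits: Dict[str, List[str]] = field(default_factory=lambda: defaultdict(list))

    def resolve(self, client_ip: str, qname: str) -> Optional[str]:
        name = normalise(qname)
        if is_sinkholed(name):
            self.hits[client_ip].append(name)
            return SINKHOLE_IP  # the bot reaches the researcher's host, not the C&C
        return self.upstream.get(name)

    def infected_hosts(self) -> List[str]:
        return sorted(self.hits)

def replay(sinkhole: Sinkhole, queries: List[Tuple[str, str]]) -> List[Optional[str]]:
    # Feed (client_ip, qname) pairs through the sinkhole; return answers in order.
    return [sinkhole.resolve(client, qname) for client, qname in queries]

# Constructed sample queries: host .5 falls back to the backup C&C once the
# primary is sinkholed, host .7 uses a subdomain, host .9 is clean.
SAMPLE_QUERIES = [
    ("10.0.0.5", "cc-primary.example."),
    ("10.0.0.5", "cc-backup.example."),
    ("10.0.0.9", "www.example.org."),
    ("10.0.0.7", "update.CC-Backup.example"),
]

if __name__ == "__main__":
    sink = Sinkhole(upstream={"www.example.org": "203.0.113.5"})
    print(replay(sink, SAMPLE_QUERIES), sink.infected_hosts())
```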
Botnets have developed sophisticated techniques to avoid disruption, such as using peer-to-peer technology to relay instructions and hiding C&C servers using Tor services.
Types of Botnets and Examples
- One of the largest botnets in the world (as of 2015) is the Srizbi botnet, estimated to have around 450,000 compromised machines. The botnet is reported to be capable of sending around 60 billion spam messages a day, which is more than half of the total of approximately 100 billion spam messages sent every day.
- Cutwail controlled up to 2 million computers in 2009, sending a vast 74 billion spam emails per day – equivalent to nearly a million per minute. This made up 46.5% of the entire world’s spam volume at the time.
- The popular ransomware, Cryptolocker, is distributed by botnets.
- Carberp, a banking-oriented, credential-stealing botnet kit, was used to steal over $250 million from financial institutions and their customers.
- Shylock/Caphaw is another notorious piece of botnet-delivered banking malware.
Botnets can tap the distributed computing power of their host systems to do the intensive math, called “mining,” required to generate cryptocurrency, such as Bitcoin.
- A Litecoin-mining botnet, Lecpetex, was dismantled by Facebook in 2014, after it had compromised some 250,000 computers and 50,000 Facebook accounts.
- In 2014 Microsoft also remotely removed Sefnit, a large coin-mining botnet that used the Tor network to communicate.