0P3N Blog Blog Post

Understanding How Botnets Work

By: Antr4ck
August 21, 2016
Understanding How Botnets Work - CybraryIntroductionBotnets are computer botnets, which are programs connected to the Internet to communicate with other similar programs to perform certain tasks.An Internet bot is an automated or semiautomatic software agent that interacts with computer servers. A bot connects and interacts with the server as a client program used by a human, hence the term "bot," which is the contraction (apheresis) of "robot".They're mainly used to perform repetitive tasks that automation enables quickly. They're also useful when rapid action is an important criterion (for example, with robots or robots game auction, but to simulate human responses, as with IM bots).Botnets can spread to botnets and be used for malicious purposes such as sending spam, computer viruses or computer denial of service (DDoS) - espionage and control computers.A zombie machine is a computer or a printer IP controlled by an attacker without the knowledge of its user. The latter is most often an example of an  attack of other machines by concealing their true identity. A zombie is often plagued initially by a worm or Trojan horse.Any machine connected to the Internet is likely to be a target to become a zombie machine. Windows machines represent the majority of infected machines, but also, to a lesser extent, Linux machines, Apple, game consoles or routers and Printers. Primary Malicious Uses of BotnetsThe main characteristic of botnets is the pooling of several different machines, sometimes very numerous, which makes the desired activity more efficient (since they have the ability to use a lot of resources). This also makes them more difficult to stop. One attacker can control hundreds of computers.Primarily, they're used for:
  • Relaying spam for illegal trade or handling of information (eg stock market prices)
  • Performing phishing operations
  • Identifying and infecting other machines, spreading viruses and malware
  • Participating in DDoS attacks (grouped)
  • Generating abused clicks on an advertising links on a web page (click fraud)
  • Capturing information on compromised machines (theft and resale of information)
  • Harnessing the computing power of machines or performing computing operations including distributed password cracking
  • Conducting illegal trade operations by managing the access to unauthorized product sales sites or counterfeit via fast-flux techniques (single or double-flow or RockPhish).
  • Theft of bank cards - passwords
The Motivation of Pirates
  • Spam: to send more mail.
  • DDoS: send more attacks on a server to do stop working.
  • Bruteforcing: find a password quickly
  • Infection: of machines (viruses, worms, Trojans ...)
 ActivationOnce installed, this software base may declare the machine to a control center, which will consider it and then active. This is a key concept of the botnet: the infected machine can now be controlled remotely by one (or more) third machine. In some cases, other phases are required (self-protection, update, etc.) to enter the operational phase. UpdatesOnce the infected machine and activation is carried out, the botnet can update, change themselves, add features, etc. This has significant impact on the danger of the botnet, and the ability of control tools to stop it because a botnet may modify its virus signature and other features that can cause it to be discovered and identified. Self-ProtectionInitially, or after an update phase, the botnet will seek to provide the means to continue its action and the means of concealment. This may involve:
  • Installing rootkits
  • Changing the system (changing the network filtering rules, disabling security tools, etc.)
  • Auto-change (to change his signature)
  • Deleting other malware that can disrupt the botnet
  • Operating fault of the host system, etc.
 SpreadingThe size of a botnet is both a guarantee of efficiency and added value for sponsors and users of the botnet. Therefore, it's common after installation, that the zombie machine will seek to extend the botnet by viral spread, often in a spam campaign (web links, malware in an attachment, etc.)By Scan
  • To exploit vulnerabilities that it will recognize;
  • To use known or previously installed backdoors;
  • To make brute force attacks, etc.
Once installed, the zombie machine can obey orders given to it to accomplish the desired actions by the attacker. By Antr4ck (Hoping to help you learn.)

Build your Cybersecurity or IT Career

Accelerate in your role, earn new certifications, and develop cutting-edge skills using the fastest growing catalog in the industry