penetration testing tutorial day one the basics

TechTarget ANZ expert Ed Eliff explains botnets and offers advice on how to make sure your machines do not get caught up in one.

What is a botnet and how can I tell if I am part of one?

A botnet is a virtual network of compromised computers under the control of a hacker. A computer becomes part of a botnet after it has been infected with a virus, worm or Trojan that installs a botnet agent designed to allow the computer to be controlled from a central remote source. Once a computer has been infected and becomes part of a botnet it is commonly referred to as a zombie, as it mindlessly follows the instructions issued to it by the botnet controller without the knowledge of the computer's user.

Zombies communicate with a botnet controller via increasingly sophisticated means. Botnets were traditionally controlled over Internet Relay Chat (IRC), but as protections have been introduced into IRC, hackers have had to innovate and now use a mix of protocols and hiding techniques to make botnets harder to detect. Botnets are now a stable feature of the Internet, with as many as 10,000 new computers being taken over per day and becoming zombies. Botnets with as many as 1.5 million zombies have been found.

Hackers, organised crime, phishers and spammers are the biggest users of botnets, which give them access to massive amounts of computing resources and bandwidth. This distributed bandwidth allows botnets to send massive amounts of email in incredibly short periods of time, challenging or even outstripping the capacity of the largest mail forwarding houses. This makes botnets very attractive to spammers. Organised crime uses botnets to conduct denial of service attacks on companies by saturating corporate mail or web servers with spurious requests, and then tries to extort money out of the victim company to stop the attack.

Zombie computers are also commonly tasked with searching for other vulnerable systems to infect with their backdoor software. This not only allows botnets to grow quickly but also to adapt as zombies are discovered and cleaned. The botnet "market" has become quite mature, with the rise of professional botnet operators who run large botnets that they do not use themselves but rent out to spammers, organised crime groups and other hackers.

Most users of zombie computers are unlikely to be aware that their computer is being used in a botnet, as activity is low while the zombie is not actively involved in attacking another system or sending spam. Some tell-tale signs do exist, and many precautions can be taken.

Ensure that your computer's operating system and internet applications are updated regularly, as this will close many of the vulnerabilities used by botnets to infect your computer and install their agents.

A modern, up-to-date virus scanner will detect some, but not all, botnet agents running on your computer. Sometimes a virus scanner will detect only the virus that was used to deliver the botnet agent to your computer, but not the botnet agent itself.

Botnets can generate a lot of traffic, slowing down your network and Internet connection. Investigate your computer if you notice large amounts of network activity when you are not using the internet. If the internet and your network connection appear slow but a lot of data is being transferred, your computer may be being used in an attack.

Firewalls are effective in controlling access to the botnet control servers, but require some effort to configure correctly. Most domestic firewalls only place restrictions on traffic coming from the Internet into your network or computer and do not restrict any traffic leaving your computer or network. This means that they will not stop your computer from joining a botnet control chat room on IRC or prevent your computer from sending spam. Even if your firewall is configured to limit these outbound connections, botnets are getting smarter and will mix control traffic with other protocols such as HTTP in order to make it harder to detect and control. Look at your firewall logs and see if there is anything out of the ordinary that may indicate your computer is connected to a botnet. This may include regular requests to IRC servers or to websites that you do not visit.
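The two log patterns mentioned above, outbound connections to IRC ports and regular requests to a destination you never visit, can be checked mechanically. The script below is an added example, not code from the article or its author: it parses a constructed, generic "date time direction src dst:port proto" firewall log (the layout, the addresses and the timings are all assumptions made for this example; adapt `parse_log` to your own firewall's format) and flags both IRC-port destinations and "beaconing" flows whose inter-connection gaps are nearly constant, which is what a zombie polling its controller on a timer looks like.

```python
"""Added example: scan outbound firewall log lines for two botnet command-and-control
signs, connections to IRC ports and regular beaconing to one destination."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (generic "date time direction src dst:port proto" layout).
# 192.168.1.20 contacts an IRC port every five minutes and a web server every ten;
# 192.168.1.21 browses normally at irregular times; one inbound line is ignored.
SAMPLE_LOG = """\
2024-03-01 08:00:03 OUT 192.168.1.20 203.0.113.9:6667 TCP
2024-03-01 08:00:10 OUT 192.168.1.20 198.51.100.7:80 TCP
2024-03-01 08:01:13 OUT 192.168.1.21 93.184.216.34:443 TCP
2024-03-01 08:02:40 IN 203.0.113.50 192.168.1.21:445 TCP
2024-03-01 08:03:55 OUT 192.168.1.21 93.184.216.34:443 TCP
2024-03-01 08:05:02 OUT 192.168.1.20 203.0.113.9:6667 TCP
2024-03-01 08:10:03 OUT 192.168.1.20 203.0.113.9:6667 TCP
2024-03-01 08:10:10 OUT 192.168.1.20 198.51.100.7:80 TCP
2024-03-01 08:12:40 OUT 192.168.1.21 93.184.216.34:443 TCP
2024-03-01 08:12:41 OUT 192.168.1.21 93.184.216.34:443 TCP
2024-03-01 08:15:02 OUT 192.168.1.20 203.0.113.9:6667 TCP
2024-03-01 08:20:03 OUT 192.168.1.20 203.0.113.9:6667 TCP
2024-03-01 08:20:10 OUT 192.168.1.20 198.51.100.7:80 TCP
2024-03-01 08:30:10 OUT 192.168.1.20 198.51.100.7:80 TCP
2024-03-01 08:40:02 OUT 192.168.1.21 93.184.216.34:443 TCP
"""

# Ports conventionally used by IRC servers (plain-text range plus common TLS ports).
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}


def parse_log(text):
    """Return (timestamp, src, dst, port) tuples for OUTBOUND entries only."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[2] != "OUT":
            continue
        date, time, _, src, dst_port, _ = parts
        dst, port = dst_port.rsplit(":", 1)
        stamp = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        records.append((stamp, src, dst, int(port)))
    return records


def find_irc_connections(records):
    """Flag every distinct (src, dst, port) whose destination port is an IRC port."""
    return sorted({(src, dst, port) for _, src, dst, port in records if port in IRC_PORTS})


def find_beacons(records, min_hits=4, max_jitter=0.1):
    """Flag destinations contacted at near-constant intervals.

    A flow is a beacon when it has at least `min_hits` connections and the spread
    of the gaps between them (population std-dev divided by the mean gap) is below
    `max_jitter`.  Returns sorted (src, dst, port, mean_gap_seconds) tuples.
    """
    flows = defaultdict(list)
    for stamp, src, dst, port in records:
        flows[(src, dst, port)].append(stamp)
    beacons = []
    for key, stamps in flows.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # avg == 0 would mean a burst of identical timestamps, not a timer.
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            beacons.append((*key, round(avg)))
    return sorted(beacons)


def analyse(text):
    """Run both checks over a log and return the findings keyed by check name."""
    records = parse_log(text)
    return {"irc": find_irc_connections(records), "beacons": find_beacons(records)}


if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG).items():
        print(kind)
        for hit in hits:
            print("  ", hit)
```

On the sample data the IRC check and the beacon check both point at 192.168.1.20, and the beacon check also catches its ten-minute HTTP polling, which a port-based rule alone would miss; the irregular browsing from 192.168.1.21 is left alone. Tune `min_hits` and `max_jitter` to your own traffic: legitimate software updaters and mail clients also poll on timers, so treat a beacon as something to look into rather than proof of infection.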

Botnet agents will often open ports on your computer and listen on these for connections from other zombies or botnet controllers. Check the open ports on your computer and look for anything that shouldn't be listening.
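"Look for anything that shouldn't be listening" is easiest when you have a written-down baseline of what should be. The script below is an added example, not code from the article: it parses output in the layout of Linux `netstat -tlnp` (the rows shown are constructed, as is the `EXPECTED_LISTENERS` baseline, which is a hypothetical list for this example) and reports every listener that is not on the baseline, noting whether it is bound to all interfaces or only to loopback. The same idea works with `ss -ltnp` or Windows `netstat -ano` once the parser is adjusted to that layout.

```python
"""Added example: compare listening sockets from `netstat -tlnp` output against a
baseline of expected services so that an unexplained listener stands out."""

# Constructed output in the layout of `netstat -tlnp` on Linux (run as root so
# the PID/Program column is filled in).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      800/cupsd
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN      4123/updater
tcp        0      0 127.0.0.1:5900          0.0.0.0:*               LISTEN      4200/vnc
tcp6       0      0 :::80                   :::*                    LISTEN      901/apache2
"""

# Hypothetical baseline: the services this machine is supposed to run, as (port, program).
EXPECTED_LISTENERS = {(22, "sshd"), (631, "cupsd"), (80, "apache2")}

# Wildcard addresses that mean "reachable from every network interface".
ALL_INTERFACES = {"0.0.0.0", "::"}


def parse_netstat(text):
    """Return one dict per LISTEN row: proto, address, port, pid, program."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp") or parts[5] != "LISTEN":
            continue  # header lines and non-listening sockets
        address, port = parts[3].rsplit(":", 1)
        if len(parts) > 6 and "/" in parts[6]:
            pid, program = parts[6].split("/", 1)
        else:
            pid, program = "-", "-"  # netstat prints "-" when run without privileges
        listeners.append({"proto": parts[0], "address": address, "port": int(port),
                          "pid": pid, "program": program})
    return listeners


def unexpected_listeners(listeners, expected=EXPECTED_LISTENERS):
    """Return (port, program, pid, exposure) for every listener not in the baseline."""
    findings = []
    for entry in listeners:
        if (entry["port"], entry["program"]) in expected:
            continue
        exposure = "all interfaces" if entry["address"] in ALL_INTERFACES else "local only"
        findings.append((entry["port"], entry["program"], entry["pid"], exposure))
    return sorted(findings)


if __name__ == "__main__":
    for port, program, pid, exposure in unexpected_listeners(parse_netstat(SAMPLE_NETSTAT)):
        print(f"port {port:5d}  {program:10s} pid {pid:>6}  {exposure}")
```

The baseline deliberately keys on the (port, program) pair rather than the port alone, so a familiar port taken over by an unfamiliar program is still reported. In the sample, the `updater` process on port 31337 bound to every interface is the finding to chase first; the loopback-only VNC listener is less exposed but is still not on the list and should be explained.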

Using strategies like this, your risk of being part of a botnet is significantly reduced.


