Are you responsible for your organization’s security? Do you believe that blocking every threat on your network is impossible without hardware-based solutions? How long would it take you to deploy a bot management agent on each of your endpoints, and would that even be practical?
If those questions sound familiar, read on now, or bookmark this article for when you finally get approval from management. Botnets have become a staple tool of cybercriminals, which makes them more dangerous than ever before.
What are Botnets?
A botnet is a collection of Internet-connected devices, each running hidden malicious software that lets a remote operator control it. These devices might be servers, desktop computers, or mobile devices such as smartphones and tablets.
With the help of these infected machines, also called zombies, attackers can send spam, spread malware, and launch DDoS attacks against websites and other networked systems. A common way for an attacker to gain control of a computer is a Trojan: malware that disguises itself as a legitimate program or file.
The Trojan usually arrives as an email attachment, a download from a malicious or compromised website, or a file on a USB stick. Zeus (also known as Zbot) and Citadel, a derivative of Zeus, are among the best-known Trojan families used to build botnets. Once run, this software infects the computer and enrolls it in the botnet.
Botnets are used for many illegal or malicious purposes, such as sending spam, distributing malware, click fraud, and DDoS attacks. With several million computers known to be infected by bots worldwide, cybercriminals have a large pool of machines to exploit.
To get the most out of an infection, attackers install a remote access trojan (RAT), sometimes marketed as a “remote control system” (RCS), on victims’ computers. This gives the operator complete control over the affected machine: it can run and kill processes, read files, capture keystrokes, and install further software.
Networks made up of small devices, such as smartphones and tablets, instead of desktop machines also fall prey to this kind of Trojan malware. One of the best-known mobile botnets is RootSmart.
RootSmart is a standalone Android malware family, not a Zeus variant; it infects devices running old versions of Android (the article cites version 2.2 or earlier) and uses a privilege-escalation exploit to gain root on them.
How are Botnets Used?
Bot herders first infect machines through spam and phishing email, malicious attachments, drive-by downloads, and exploitation of unpatched services, then use the resulting botnet for DDoS attacks and spam. The damage grows sharply once a RAT is installed on a victim’s machine, because the operator can then run arbitrary code on it.
These programs allow attackers to control a computer remotely without its owner noticing. Other capabilities offered by bot malware include keylogging, click fraud, harvesting credentials, and using the infected computer to spread further malware.
DDoS attacks are coordinated attempts to make websites and other Internet-facing systems unavailable to users by flooding them with traffic from many sources. In a DDoS attack, the attacker instructs the bots under their control, via the RAT or bot client, to direct large volumes of requests or packets at an online target.
This overloads the target’s servers or network links, causing the service to crash or become so slow that it is almost unusable. Without proper protections in place, even a modest number of bots can succeed, particularly when they use reflection and amplification (abusing open DNS or NTP servers, for example) to multiply their traffic. According to researchers from IBM X-Force, 10 million computers or devices would be enough to take down most banks’ websites.
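The server-side half of the picture is worth seeing in code. The following is an added example (not from the article): a per-source sliding-window rate limiter run over web-server access log lines in Common Log Format. It flags and drops requests from any source IP that exceeds a request budget inside a short window, which is the kind of control that blunts an application-layer flood coming from a small number of bots. The log lines are constructed for the example, and the budget of 20 requests per 10 seconds is an assumption.

```python
"""Per-source sliding-window rate limiter over web access logs.

Added example; not from the article. Flags source IPs that exceed a request
budget inside a sliding time window. Log lines are constructed below and the
thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

MAX_REQUESTS = 20    # assumed budget per source IP ...
WINDOW_SECONDS = 10  # ... inside any window of this many seconds

# Common Log Format: ip ident user [timestamp] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, epoch_seconds) for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts.timestamp()


class SlidingWindowLimiter:
    def __init__(self, max_requests=MAX_REQUESTS, window=WINDOW_SECONDS):
        self.max_requests = max_requests
        self.window = window
        self.history = defaultdict(deque)   # ip -> request times still inside the window
        self.first_block = {}               # ip -> time it first exceeded the budget

    def allow(self, ip, now):
        """Record a request at time `now`; return False if it exceeds the budget."""
        q = self.history[ip]
        while q and now - q[0] >= self.window:   # evict requests that left the window
            q.popleft()
        q.append(now)
        if len(q) > self.max_requests:
            self.first_block.setdefault(ip, now)
            return False
        return True


def process_log(lines, limiter=None):
    """Run the limiter over log lines; return (dropped_per_ip, first_block_per_ip)."""
    limiter = limiter or SlidingWindowLimiter()
    dropped = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue    # malformed line: skip it rather than crash the limiter
        ip, ts = parsed
        if not limiter.allow(ip, ts):
            dropped[ip] += 1
    return dict(dropped), dict(limiter.first_block)


def build_sample_log():
    """Constructed log: one bot hammering /login, one person browsing normally."""
    base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)

    def fmt(ip, t, path):
        return f'{ip} - - [{t.strftime(TS_FMT)}] "POST {path} HTTP/1.1" 200 512'

    lines = []
    for i in range(50):      # bot: 50 requests in 5 seconds
        lines.append(fmt("203.0.113.7", base + timedelta(milliseconds=100 * i), "/login"))
    for i in range(5):       # human: 5 requests, one every 2 seconds
        lines.append(fmt("198.51.100.2", base + timedelta(seconds=2 * i), "/home"))
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    dropped, blocked = process_log(build_sample_log())
    for ip, n in dropped.items():
        print(f"{ip}: {n} requests dropped; budget first exceeded at epoch {blocked[ip]:.0f}")
```

On the constructed log the bot’s 21st request inside the window trips the limit and its remaining 30 requests are dropped, while the human’s traffic is untouched. A host-level limiter like this only defends against application-layer floods from a handful of sources; a volumetric attack that saturates the uplink has to be absorbed upstream (ISP scrubbing or an anycast CDN) before it reaches the server.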
Spam email is another way attackers put botnets to use. Prominent among spam campaigns are so-called “pump and dump” stock schemes, in which a spammer sends massive volumes of messages hyping a small, thinly traded company in order to inflate its share price artificially.
Recipients who are enticed to buy the shares push the price up further. The spammer, who bought in before the campaign, sells into that rise, and the stock collapses as quickly as it rose, leaving the new buyers with the loss.
Spreading malware is another use for botnets. Once attackers control a computer or other device through a RAT, they can upload malicious programs to it and make it download further payloads from attacker-controlled servers. This can eventually turn the machine into part of an even larger botnet.
Why Should I Care About Botnets?
- They are very hard to detect if you do not have proper security software installed (and configured) on every endpoint.
- A single C&C server can have over 100,000 bots connected to it at any one time.
- The top 10 countries with the most infections accounted for over 61% of all bots connected to IRC-based command-and-control servers as of 23 August 2016.
- More than 2 million devices were infected with bots every day in Q2 2015 alone.
- A new infection takes an average of 22 minutes to be detected once the infected device is connected to the internet.
- The majority of bots are used for spam, DDoS attacks, or other malicious activity on the internet.
How Can I Protect My Users from Bot Attacks?
Use Up-to-Date Antivirus Software
Make sure every endpoint runs antivirus (or EDR) software that can detect bot malware before it becomes a problem, and keep it updated. Antivirus vendors constantly release new signatures and behavioral rules to identify bot malware more accurately and faster; signatures alone miss new variants, so behavioral detection matters too.
Keep Operating Systems Updated
This includes Windows, macOS, Linux, Android, and iOS. When a security hole is disclosed in part of an operating system, cybercriminals add exploits for it to their infection kits as quickly as possible, so apply patches promptly.
Use a Firewall
A firewall is one of the best ways to track and restrict traffic coming in and out of your network. Deploy one at every boundary, including DMZs and VLANs, and especially on subnets that are not protected by any other security device. Restrict outbound (egress) traffic as well as inbound: every bot has to reach its C&C server, so an egress policy that permits only required destinations and ports, and logs denied connections, both blocks bots and reveals them.
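Firewall and proxy logs only help if something reads them. The following is an added example (not from the article) of one detection that works well on egress logs: bots check in with their C&C server on a schedule, so a host that keeps contacting the same destination at near-constant intervals stands out. The code groups outbound connections by source and destination, computes the inter-arrival intervals, and flags pairs whose timing is too regular. The record format, the thresholds (at least 8 connections, coefficient of variation of the intervals at most 0.2), and the log lines are all assumptions constructed for the example.

```python
"""Beacon detection over outbound connection logs.

Added example; not from the article. Flags (source, destination) pairs whose
connection timing is near-periodic, the signature of a bot checking in with
its C&C server. Record format, thresholds and log lines are assumptions.
"""
import statistics
from collections import defaultdict

MIN_CONNECTIONS = 8   # assumed: fewer connections than this is too little to judge
MAX_JITTER_CV = 0.2   # assumed: max coefficient of variation of inter-arrival times


def parse_conn_line(line):
    """Parse a constructed egress record: '<epoch> <src_ip> <dst_ip:port> <bytes_out>'."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, src, dst, bytes_out = parts
    try:
        return float(ts), src, dst, int(bytes_out)
    except ValueError:
        return None


def find_beacons(lines, min_connections=MIN_CONNECTIONS, max_cv=MAX_JITTER_CV):
    """Return the (src, dst) pairs whose connection timing looks like a beacon."""
    times = defaultdict(list)
    for line in lines:
        parsed = parse_conn_line(line)
        if parsed is None:
            continue                      # malformed record: skip it
        ts, src, dst, _ = parsed
        times[(src, dst)].append(ts)

    findings = []
    for (src, dst), ts_list in times.items():
        if len(ts_list) < min_connections:
            continue
        ts_list.sort()
        intervals = [b - a for a, b in zip(ts_list, ts_list[1:])]
        mean = statistics.fmean(intervals)
        if mean <= 0:
            continue                      # duplicate timestamps, not a periodic signal
        cv = statistics.pstdev(intervals) / mean   # low cv == regular check-ins
        if cv <= max_cv:
            findings.append({
                "src": src, "dst": dst, "count": len(ts_list),
                "period_s": round(mean, 1), "cv": round(cv, 3),
            })
    return findings


def build_sample_egress_log():
    """Constructed egress log: one beaconing host, one browsing host, one quiet host."""
    base = 1_700_000_000
    lines = []
    # Bot: check-in every ~300 s with a few seconds of jitter
    jitter = [0, 3, -2, 5, -4, 1, 2, -3, 4, -1]
    for i, j in enumerate(jitter):
        lines.append(f"{base + 300 * i + j} 10.0.0.5 203.0.113.50:443 640")
    # Person: bursts of activity separated by long, irregular gaps
    for offset in [0, 12, 90, 95, 400, 401, 403, 1200, 1260, 2000]:
        lines.append(f"{base + offset} 10.0.0.8 198.51.100.20:443 2048")
    # Too few connections to judge either way
    for offset in [0, 600, 1200]:
        lines.append(f"{base + offset} 10.0.0.9 203.0.113.50:443 640")
    lines.append("malformed record")
    return lines


if __name__ == "__main__":
    for f in find_beacons(build_sample_egress_log()):
        print(f"{f['src']} -> {f['dst']}: {f['count']} connections, "
              f"period {f['period_s']} s, cv {f['cv']}")
```

On the constructed log only the 10.0.0.5 to 203.0.113.50:443 pair is reported, with a period of about 300 seconds. Real bot clients add random sleep jitter to defeat exactly this test, so in practice the threshold is tuned against your own baseline, the same logic is run over DNS query logs (a bot often resolves its C&C domain on the same schedule), and known-good destinations such as update servers are allowlisted before alerting.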
Perform Server-Side Authentication
Requiring clients to authenticate to your servers makes it much harder for bots to reach them, since a bot probing your infrastructure has no valid credentials for the protected services. Authentication can be based on username/password combinations, client certificates (mutual TLS), or hardware-backed keys; avoid weak factors such as secret questions.
Use Anti-Bot Software on Servers
On servers, hosting, public-facing websites, and other Internet-linked applications, a bot management solution distinguishes automated traffic from human traffic and blocks abusive bots such as scrapers, credential-stuffing tools, and application-layer DDoS clients. Note that this protects your servers from other people’s bots; stopping your own infected machines from communicating with C&C servers is the job of egress filtering, DNS filtering, and outbound proxies.
Limit Infrastructure Access for Endpoints Not Owned by Your Organization
Corporate-managed laptops should have access to internal networks, but personal devices should be confined to segments, such as a guest network, that hold no company assets.
Apply the Principle of Least Privilege
This simple concept dictates that users should only be given the minimum level of access they require to perform their job duties. For example, an accountant who needs access to financial data should not have administrator rights on their endpoint.
By limiting account privileges, you dramatically reduce the damage bot malware can do when it runs under a user’s account: without administrator rights it cannot install drivers, disable security software, or persist system-wide, and it is far easier to remove.