What is a botnet?
A botnet, or bot network, consists of hijacked computers whose owners and users are usually unaware that their machines are being remotely controlled. The clandestine takeover begins with a malware infection.
The malware lets the attacker take control of the system, which then acts like a robot, or bot for short. The hijacked computers are usually controlled through so-called command-and-control servers (C&C servers), and the attackers who run the botnet are called bot masters or bot herders.
If a computer is not sufficiently protected, an attacker can take over the role of the administrator and thus gain complete control over all data, applications, services, and IT systems reachable from it. The attacker can not only view, manipulate, and abuse data, but can also use the computer itself, with everything it offers, for criminal purposes: its computing power, its Internet connection, or its storage space.
Without realizing it, the owners and users of the hijacked computers become part of criminal activities in which their remotely controlled machines participate, be it spamming, distributing malware, storing illegal files, or DDoS (Distributed Denial of Service) attacks.
In the past, the hijacked computers were popularly referred to as zombie PCs and botnets as zombie networks. However, this evocative term does not capture the full extent of the threat: not only PCs but any networked device with Internet access can be hijacked and abused as part of a botnet if it is inadequately protected.
The Internet of Things (IoT) in particular is still a long way from the level of security that office PCs have reached. Mobile devices such as smartphones and tablets are also usually less well protected than PCs and notebooks. That is why IoT devices, including IP cameras and smart TVs, and mobile devices will increasingly form the basis of botnets and botnet attacks.
The DDoS attack in September 2016 on the website of security expert and journalist Brian Krebs, carried out by the Mirai botnet of compromised IP cameras and digital video recorders, clearly shows how powerful botnets built from IoT devices can become.
Significance and recommendation for companies
Botnets are already among the biggest threats on the Internet and will become even more threatening with the Internet of Things, because the number of devices that can be hijacked and abused with relatively little effort keeps growing with IoT and mobile devices. Companies should therefore pay more attention to protection against botnets, for two reasons:
- On the one hand, companies can become targets of botnets, for example when a huge number of remotely controlled devices launch a massive DDoS attack on the company's systems.
- On the other hand, a company can itself unintentionally and unsuspectingly become part of a botnet and be suspected of criminal activity, because the traces of the attack point back to the company's systems.
The necessary protection against botnets consists of two lines of defense:
- First, companies must arm themselves against potential DDoS attacks and against spam.
- Second, companies must prevent their own devices from becoming part of a botnet. For desktop systems, notebooks, and mobile devices, professional anti-malware solutions that detect malware by both signatures and behavior are mandatory. Likewise, vulnerabilities must be closed promptly and automatically through patches so that attackers cannot exploit them to gain control of IT systems.
- For IoT devices, however, there are often no professional anti-malware solutions that can be installed locally on the device, nor are updates reliably and regularly offered as bug fixes.
The only solutions that help here sit in the network in front of the devices: they detect malware before it can reach the devices and shield known vulnerabilities from the outside (virtual patching), for example by blocking exploit traffic at a firewall or intrusion prevention system before it reaches the unpatched device.
An additional layer of protection is to analyze the network activity of the devices used in the enterprise, whether office IT or the Internet of Things. Suspicious activity can be a sign that the company's own devices belong to a botnet. Indicators include:
- An unusually high load on the network and on the Internet connection
- Unusual network traffic, for example IRC connections, the classic command-and-control channel (newer botnets also use HTTP(S), DNS, or peer-to-peer protocols for C&C)
- An extremely high volume of outgoing email
- Noticeably delayed mail delivery or sluggish system performance
- Large-scale scanning of particular ports, inbound from external sources or outbound from the company's own devices
- Complaints from third parties about
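Several of these indicators can be checked mechanically against flow records from a NetFlow/IPFIX collector or a firewall log. The following Python script is an added example and not code from the original article: it evaluates outbound mail volume, IRC connections, outbound port scanning, and a simple flood check over a constructed set of flow summaries. The internal address ranges, the thresholds, and the sample flows are assumptions made for the illustration; real thresholds must come from a baseline of the site's normal traffic.

```python
"""Flag botnet indicators in flow records (added example, not from the article).

Each record is a flow summary of the kind a NetFlow/IPFIX collector or a
firewall log exports: (timestamp, src_ip, dst_ip, dst_port, proto, bytes).
Address ranges, thresholds, and the sample flows are assumptions made for
this example; real thresholds must come from the site's own baseline.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal address ranges of the enterprise.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Assumed thresholds for the constructed sample.
SMTP_FLOWS_PER_HOST = 20      # more outbound SMTP flows than this -> likely spam bot
SCAN_DISTINCT_DSTS = 15       # one host hitting this many hosts on one port -> scanning
FLOOD_FLOWS_TO_ONE_DST = 100  # this many flows from one host to one target -> DDoS participant
IRC_PORTS = {6667, 6668, 6669, 6697}  # classic C&C channel; not the only one in use today


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def detect(flows):
    """Return {internal_host: sorted list of indicator strings} for outbound flows."""
    smtp = defaultdict(int)                         # src -> outbound SMTP flow count
    irc = defaultdict(set)                          # src -> {IRC servers contacted}
    scan = defaultdict(lambda: defaultdict(set))    # src -> dport -> {dst}
    flood = defaultdict(lambda: defaultdict(int))   # src -> dst -> flow count
    for _ts, src, dst, dport, _proto, _nbytes in flows:
        # Only flows from our own devices to the outside matter for "are we a bot?"
        if not is_internal(src) or is_internal(dst):
            continue
        if dport in (25, 587):
            smtp[src] += 1
        if dport in IRC_PORTS:
            irc[src].add(dst)
        scan[src][dport].add(dst)
        flood[src][dst] += 1

    findings = defaultdict(list)
    for src, n in smtp.items():
        if n > SMTP_FLOWS_PER_HOST:
            findings[src].append(f"smtp_volume:{n} outbound SMTP flows")
    for src, servers in irc.items():
        findings[src].append("irc_c2:" + ",".join(sorted(servers)))
    for src, ports in scan.items():
        for dport, dsts in ports.items():
            if len(dsts) >= SCAN_DISTINCT_DSTS:
                findings[src].append(f"outbound_scan:port {dport} to {len(dsts)} hosts")
    for src, targets in flood.items():
        for dst, n in targets.items():
            if n >= FLOOD_FLOWS_TO_ONE_DST:
                findings[src].append(f"flood:{n} flows to {dst}")
    return {host: sorted(items) for host, items in findings.items()}


def sample_flows():
    """Constructed sample: four misbehaving internal hosts and one clean one."""
    flows = []
    # 10.0.0.5: spam bot, 30 SMTP sessions spread over five external mail servers
    for i in range(30):
        flows.append((1000 + i, "10.0.0.5", f"203.0.113.{i % 5 + 1}", 25, "tcp", 4000))
    # 10.0.0.7: classic IRC command-and-control check-in
    flows.append((1100, "10.0.0.7", "198.51.100.9", 6667, "tcp", 512))
    # 192.168.1.20: Mirai-style telnet scanning of the Internet, one tiny flow per target
    for i in range(30):
        flows.append((1200 + i, "192.168.1.20", f"198.18.0.{i + 1}", 23, "tcp", 60))
    # 10.0.0.9: DDoS participant, 150 connections to a single victim
    for i in range(150):
        flows.append((1300 + i, "10.0.0.9", "192.0.2.44", 80, "tcp", 120))
    # 10.0.0.12: ordinary browsing, one legitimate mail submission, one internal file share
    flows.append((1400, "10.0.0.12", "93.184.216.34", 443, "tcp", 150000))
    flows.append((1401, "10.0.0.12", "203.0.113.200", 587, "tcp", 9000))
    flows.append((1402, "10.0.0.12", "10.0.0.1", 445, "tcp", 3000))  # internal, ignored
    return flows


if __name__ == "__main__":
    for host, items in sorted(detect(sample_flows()).items()):
        print(host, items)
```

The script deliberately looks only at flows leaving the company's own address space, because the question it answers is whether one of the company's devices is acting as a bot, not whether the company is under attack. The IRC check is a single-hit indicator because legitimate IRC use is rare on corporate networks today, whereas the mail, scan, and flood checks are thresholds that will produce false positives (mail relays, vulnerability scanners, backup jobs) unless known-good hosts are excluded or the thresholds are set from a measured baseline.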