A botnet is a network of compromised computers infected with bot malware and remotely controlled by cyber attackers. Hackers use botnets for different attack purposes, such as sending spam or phishing emails and launching Distributed Denial of Service (DDoS) attacks; in some scenarios botnet authors rent them out to other hackers to use or launch an attack.
Hackers expand botnets by passing the malware infection on to clean internet-connected devices. Bot-masters control their botnets through a command and control (C&C) server. Once one device on a network is compromised, the other devices connected to the same network become vulnerable and are easily infected. Some of the notable botnets that have taken the cyberworld by storm are Zeus, Gameover Zeus, Srizbi, Methbot and Mirai.
There are several symptoms that indicate a system or an entire network has been compromised by a botnet:
- The attacker connects the infected system to a command & control server to instruct and control it.
- The infected system establishes Internet Relay Chat (IRC) traffic to communicate with the controller according to a set of rules.
- Infected hosts generate similar DNS requests.
- The infected system generates SMTP (Simple Mail Transfer Protocol) traffic; SMTP is the communication protocol that moves email on and across networks.
How Does a Botnet Work?
The word botnet is derived from two words, robot and network. Botnet malware infects vulnerable devices connected to the internet. Botnets aim to infect multiple devices across a network; they then exploit the system resources and processing power of the infected devices to run automated tasks concealed from the devices' users.
The typical botnet architecture is built so that the infection is carried by Trojan horses. The malware scans the target system for vulnerabilities and outdated security applications through which it can pass on the infection. Once enough infections have been carried out, attackers take control of the bots through one of two methods.
The client/server approach uses a Command-and-Control server to send commands instantly to the infected target devices via Internet Relay Chat.
The other method uses a peer-to-peer network to take control of the bots. The infected devices are programmed to check for malicious websites or for other malware-infected devices within the same network. This enables the bots to share the latest commands or versions of the botnet malware among themselves.
Botnet Detection at the Endpoint
Host-based detection on an endpoint looks for rootkit installations, unexpected pop-ups, and unauthorized changes to the Windows hosts file that limit outbound server access attempts.
Botnet Detection on the Network
Network-based detection is more complicated. It involves monitoring IRC (Internet Relay Chat) traffic, which should be denied on a company's network. IRC traffic is unencrypted and can therefore be read by a packet sniffer. 6667 is the default IRC port number, but bots use the complete port range 6000-6669 as well as 7000.
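The network-side symptoms described above (outbound connections to the IRC port range, and many hosts issuing the same DNS requests) can be checked against flow and DNS logs. The following is an added example, not code from the original article or from Comodo; the log line formats, the internal hosts and the C&C address are all constructed for illustration.

```python
import re
from collections import defaultdict

# Ports the article names for bot-to-C&C IRC traffic: 6667 is the default,
# but bots use the whole 6000-6669 range as well as 7000.
IRC_PORTS = set(range(6000, 6670)) | {7000}

# Constructed sample of firewall flow records: "src -> dst:port proto"
SAMPLE_FLOWS = """\
10.0.0.5 -> 203.0.113.7:6667 tcp
10.0.0.5 -> 203.0.113.7:6667 tcp
10.0.0.9 -> 203.0.113.7:6001 tcp
10.0.0.12 -> 198.51.100.2:443 tcp
10.0.0.17 -> 203.0.113.7:7000 tcp
10.0.0.12 -> 198.51.100.2:80 tcp
""".splitlines()

# Constructed sample of a DNS query log: "src queried_name"
SAMPLE_DNS = """\
10.0.0.5 cdn-updates.example
10.0.0.9 cdn-updates.example
10.0.0.17 cdn-updates.example
10.0.0.12 www.example.org
""".splitlines()

FLOW_RE = re.compile(r"^(\S+) -> (\S+):(\d+) (\w+)$")

def irc_suspects(flows):
    """Map each destination reached on an IRC port to the sorted list of
    internal hosts that contacted it (traffic the article says to deny)."""
    by_dst = defaultdict(set)
    for line in flows:
        m = FLOW_RE.match(line.strip())
        if m and int(m.group(3)) in IRC_PORTS:
            by_dst[m.group(2)].add(m.group(1))
    return {dst: sorted(srcs) for dst, srcs in by_dst.items()}

def shared_dns_names(dns_lines, min_hosts=3):
    """Names queried by at least min_hosts distinct internal hosts: the
    'similar DNS requests' symptom, where many bots resolve one name."""
    hosts_by_name = defaultdict(set)
    for line in dns_lines:
        parts = line.split()
        if len(parts) == 2:
            hosts_by_name[parts[1]].add(parts[0])
    return {n: sorted(h) for n, h in hosts_by_name.items() if len(h) >= min_hosts}

def correlate(flows, dns_lines):
    """Hosts showing both symptoms: the strongest candidates for one botnet."""
    irc_hosts = {h for hs in irc_suspects(flows).values() for h in hs}
    dns_hosts = {h for hs in shared_dns_names(dns_lines).values() for h in hs}
    return sorted(irc_hosts & dns_hosts)
```

Running `correlate(SAMPLE_FLOWS, SAMPLE_DNS)` on the constructed logs returns the three hosts that both reached an IRC port and resolved the shared name, while the host that only used ports 80 and 443 is not flagged.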
How to Prevent Botnet Attacks?
With the alarming rise in botnet attacks, it is important to put effective preventive measures in place.
Installing an effective and comprehensive antivirus solution equips computers and networks with up-to-date virus protection techniques. Comodo offers free antivirus software for Windows devices with best-in-class features to defeat botnet malware attacks. To get more insights on Comodo's Free Antivirus, visit our official page!