Connecting to a Botnet Controller indicates an infection in your network.
Infected clients on your network periodically connect to the Botnet Controller (also called the Command and Control, or C&C, server) to stay in contact with the attacker and fetch new instructions. The malware can use any available protocol and any IP address the attacker controls for this check-in. Most controllers listen on TCP ports 80 and 443 so that the traffic blends in with ordinary web browsing: egress firewall rules almost always allow outbound connections on these ports, so the check-in passes without inspection. The tell-tale sign is its regularity rather than its protocol: a workstation that contacts the same external address on port 443 at a near-constant interval, hour after hour, is not browsing the web. An alert in this category should always be investigated.
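As an added example, not part of the original page, the following Python script shows one way to hunt for this check-in pattern in firewall or proxy connection logs. It groups outbound connections by source, destination and port, skips destinations inside the organisation's own address ranges, and flags flows whose gaps between connections are nearly constant. The log format, the thresholds, the internal ranges and the sample lines are all constructed for the example; real devices log differently and the parser would need adjusting.

```python
"""Hunt for periodic check-ins (beacons) in outbound connection logs.

Added example: infected hosts contact their controller on a schedule,
while genuine web browsing produces irregular gaps. Grouping outbound
connections by (source, destination, port) and measuring how regular the
gaps are surfaces the check-in even when it hides on TCP/80 or TCP/443.
"""
import ipaddress
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines, not from any real device. 10.0.0.15 checks
# in with 203.0.113.7:443 about once a minute with a little jitter, and also
# talks to an internal file server on 445 at exactly 60 s intervals;
# 10.0.0.22 browses normally with irregular gaps.
SAMPLE_LOG = """\
2024-05-01T09:00:03Z src=10.0.0.15 dst=203.0.113.7 dport=443 proto=tcp
2024-05-01T09:00:05Z src=10.0.0.22 dst=198.51.100.40 dport=443 proto=tcp
2024-05-01T09:00:19Z src=10.0.0.22 dst=198.51.100.41 dport=80 proto=tcp
2024-05-01T09:01:02Z src=10.0.0.15 dst=203.0.113.7 dport=443 proto=tcp
2024-05-01T09:01:48Z src=10.0.0.22 dst=198.51.100.40 dport=443 proto=tcp
2024-05-01T09:02:04Z src=10.0.0.15 dst=203.0.113.7 dport=443 proto=tcp
2024-05-01T09:02:30Z src=10.0.0.15 dst=10.0.0.5 dport=445 proto=tcp
2024-05-01T09:03:01Z src=10.0.0.15 dst=203.0.113.7 dport=443 proto=tcp
2024-05-01T09:03:30Z src=10.0.0.15 dst=10.0.0.5 dport=445 proto=tcp
2024-05-01T09:04:03Z src=10.0.0.15 dst=203.0.113.7 dport=443 proto=tcp
2024-05-01T09:04:30Z src=10.0.0.15 dst=10.0.0.5 dport=445 proto=tcp
2024-05-01T09:04:58Z src=10.0.0.22 dst=198.51.100.40 dport=443 proto=tcp
2024-05-01T09:05:02Z src=10.0.0.15 dst=203.0.113.7 dport=443 proto=tcp
2024-05-01T09:05:30Z src=10.0.0.15 dst=10.0.0.5 dport=445 proto=tcp
"""

# Assumed key=value log format: timestamp, src, dst, dport. Adjust to your logs.
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+)")

# Assumed internal ranges (RFC 1918). Checked explicitly rather than with
# ipaddress's is_private, which also treats documentation ranges such as
# 203.0.113.0/24 (used in the sample above) as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    """True when addr falls inside one of the assumed internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_log(text):
    """Yield (timestamp, src, dst, dport) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3), int(m.group(4))


def find_beacons(text, min_connections=5, max_jitter=0.15, ignore_internal=True):
    """Return suspected beacons as dicts, most regular first.

    A (src, dst, dport) flow is reported when it was seen at least
    min_connections times and the coefficient of variation of the gaps
    between connections (stdev / mean) is at most max_jitter. Flows to
    internal destinations are skipped by default: SMB, DNS and other
    internal chatter is legitimately periodic and would flood the output.
    """
    flows = defaultdict(list)
    for ts, src, dst, dport in parse_log(text):
        if ignore_internal and is_internal(dst):
            continue
        flows[(src, dst, dport)].append(ts)

    findings = []
    for (src, dst, dport), times in flows.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # every connection shares one timestamp; not a schedule
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            findings.append({
                "src": src, "dst": dst, "dport": dport,
                "connections": len(times),
                "interval_s": round(mean, 1),
                "jitter": round(jitter, 3),
            })
    findings.sort(key=lambda f: f["jitter"])
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}:{f['dport']} every ~{f['interval_s']}s "
              f"({f['connections']} connections, jitter {f['jitter']})")
```

On the sample, only the 10.0.0.15 to 203.0.113.7:443 flow is reported. Running with `ignore_internal=False` and a lower `min_connections` also reports the perfectly regular SMB traffic to the internal file server, which is why the internal-range filter, tuned to your own address plan, matters before putting such a check into production. Thresholds need tuning per network: a sleep-with-jitter implant spreads its gaps deliberately, so start with a generous `max_jitter` and lower it as you learn what your legitimate software update and telemetry traffic looks like.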
A botnet is a group of Internet-connected devices, each running one or more bots. Botnets are used to perform distributed denial-of-service (DDoS) attacks, steal data, send spam, and give the attacker access to each device and its network connection. The owner controls the botnet through command and control (C&C) software or servers. The word botnet is a blend of robot and network and is almost always used with a malicious connotation.
Put another way, a botnet is a logical collection of Internet-connected devices such as computers, smartphones or IoT devices whose security has been breached and whose control has been ceded to a third party. Each compromised device, known as a "bot", is created when the device is infected through a malware (malicious software) distribution. The controller of a botnet directs these compromised machines over communication channels built on standards-based network protocols such as IRC and the Hypertext Transfer Protocol (HTTP).
Botnets are increasingly rented out by cyber criminals as commodities and put to a variety of uses, including the following.
Distributed denial of service attacks. These attacks cause loss of network connectivity by consuming the victim's bandwidth and server resources, and can target any service reachable from the Internet. For example, bots may run recursive HTTP floods against the victim's web site: each bot requests a page from a given link, then requests every link found on that page, and repeats the process indefinitely. This technique is also known as spidering. Because each request is a well-formed HTTP request arriving from a different source address, the flood is difficult to separate from a surge of legitimate visitors.
Spamming. With the help of botnets, online thieves can send massive amounts of spam and phishing e-mail from unsuspecting people's computers, and can harvest e-mail addresses from those computers. "Botnets that use spam as their main distribution and infection mechanism can cause organizations administrative nightmares, especially if the organization has a locally hosted e-mail server. Therefore, when the network administrator detects a computer is sending spam, he or she will shut down the mail server until the problem is fixed."
Sniffing traffic. Bots can run a packet "sniffer" to capture clear-text data passing through the compromised machine, such as usernames and passwords. Where the machine is a member of more than one botnet, the sniffer can also gather key information about the other botnets.
Keylogging. A keylogger is surveillance software that records every keystroke to a log file. Keyloggers capture instant-messaging content, e-mail and anything else typed on the keyboard. Because they capture input before it is encrypted, they let the attacker obtain information from compromised machines even when those machines use encrypted communication channels. All logged information is sent to a specific receiver, such as the botnet herder.
Spreading new malware. Botnets can be used to acquire new bots, which in turn spread new viruses or worms.
Installing advertisement add-ons and browser helper objects. Thieves construct fake web sites carrying advertisements and strike deals with companies that pay per click on those ads. The botnet is then used to click the pop-up ads each time a bot visits the fake web site, so the thieves are paid for traffic that no human generated.
Attacking IRC networks. Botnets can also be used to attack IRC networks. In a clone attack, a common method, the controller orders each bot to open a large number of connections to the victim's IRC network. The target is then flooded with connection and service requests from thousands of bots, bringing the IRC network down.
Mass identity theft. Many of these illegal activities can be combined for large-scale identity theft. For instance, bogus e-mails pretending to be from legitimate companies can be used to obtain private consumer information. These e-mails are generated and distributed by botnets through the spamming mechanism described above. Botnets can also host the fake web sites such e-mails link to, and collect the personal information entered there.
The risks posed by botnets don’t end here. Because botnets may be sold or traded to other thieves, once a computer is compromised, any private information obtained may be used by additional people, thus increasing the severity of the problem. In addition, as technology evolves, thieves will find new ways to compromise computers and take advantage of unsuspecting victims and vulnerable networks. “Many hackers often upgrade their software to target different systems,” Kuehl explains. “This way, the zombie computer can search for vulnerabilities found in newer systems and software programs, as well as mutate to avoid older detection methods.”
- Disconnect infected computers from the network immediately, so they can no longer receive commands from the controller or spread the infection to other hosts.
- Apply the appropriate patches to the infected computer, closing the vulnerability that let the malware in.
- Clean the computer with current antivirus signatures; if the infection cannot be removed with confidence, rebuild the machine from a known-good image.
- Change network-share passwords on all infected computers.
- Change passwords for all employees who have used the infected computer, since a keylogger or sniffer on it may have captured them.
- Monitor the computer once it is reconnected to the network to verify it was cleaned successfully and does not become re-infected; renewed periodic connections to the same external address are the clearest sign that it has.