All about botnets - networks of computers controlled by cyber criminals: SSO Alert Priority Low
17 December 2013
Botnets are networks of computers, called bots, which have been compromised by cyber-criminals. The computers could belong to anyone connected to the internet, from home users to businesses – including yours.
To become part of a botnet, a computer is first compromised by maliciously installed software (malware), and then controlled remotely by a cyber-criminal who can send commands to affected computers over the internet. Most people with infected computers do not know their computer has been compromised or that it is part of a botnet. Once this malware is on your computer, your computer becomes a “bot” and joins other compromised computers in the botnet.
A botnet is controlled by commands sent by the cyber-criminal. A botnet can be used as a large computing resource for malicious activity such as sending spam, attacking other computers, or sharing illegal material. Acting together, a botnet can be used to create far larger attacks than is possible with a single computer. At the same time, each individual computer in a botnet is also vulnerable to data theft, receiving further malware or other illegal activity.
[Image: lifecycle of a typical botnet. Image source: Wikipedia]
In the above image, the lifecycle of a typical botnet is shown.
Step 1: an attacker (in red) sends a malicious file to victims' computers (in black), infecting their computers and giving the attacker control of the machines.
Step 2: the attacker creates a botnet from the infected computers.
Step 3: another criminal pays for access to (hires) the botnet. In this example, the other criminal (in grey) uses the botnet in Step 4 to send spam to people around the world.
A common example is called a distributed denial of service (DDoS) attack, which is performed by having thousands of computers in a botnet all constantly access the same website. This causes the website to slow down and in some cases will take the website offline. Recent attacks against Australian government websites were undertaken using botnets performing a DDoS attack. A botnet is typically used for DDoS attacks, as a large number of computers will have a more significant impact than a single computer attempting this attack.
Cyber criminals can take over your system in a number of ways. This is most commonly done by tricking you into installing the malware by visiting a compromised website or by opening links or attachments in an email.
How to check if you are part of a botnet
Botnets are designed to be difficult to detect so they can remain operational for as long as possible. This means it may not be obvious to you that your computer is part of a botnet. It is therefore important to be aware of suspicious behaviour from your computer. This could include large numbers of advertisements being displayed when you are not browsing the internet, the computer not shutting down correctly or becoming much slower than normal.
1. Run up-to-date anti-virus software
The first step in detecting any infection is to ensure you are running an up-to-date version of your antivirus product. While antivirus products vary significantly in how they operate, almost all products will allow you to perform a manual update. Some antivirus vendors also include options or products that analyse network traffic for suspicious activity. While not perfect, an updated antivirus product is your best defence against botnets. If you suspect your computer might be affected, run a full scan of your computer.
2. Examine network usage
A second useful step is to examine your network usage. Most internet service providers (ISP) offer a way for you to monitor how much data you are downloading and uploading. Information being sent to your computer is called a “download”, while an “upload” is information being sent from your computer, such as putting a photo onto a website. A sudden, unexplained increase in your upload usage may be a sign that your computer is part of a botnet. Botnets often send large amounts of information, such as email spam, to other computers. Even so, in many cases an overall increase in your network traffic can be difficult to distinguish and identify.
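The upload-focused check described above, as an added illustration that is not part of the original alert: it takes constructed daily usage figures (not real ISP records), builds a rolling baseline from the previous week's uploads, and flags days whose upload volume jumps well above that baseline while ignoring download spikes, which are expected from updates and streaming.

```python
"""Flag days whose upload volume departs from a rolling baseline.
Sample data below is constructed for illustration, not real ISP records."""
from statistics import median

# Constructed daily usage in megabytes: (day, download_mb, upload_mb)
SAMPLE_USAGE = [
    ("2013-12-01", 1800, 120),
    ("2013-12-02", 2100, 140),
    ("2013-12-03", 1500, 110),
    ("2013-12-04", 2400, 150),
    ("2013-12-05", 1900, 130),
    ("2013-12-06", 2200, 135),
    ("2013-12-07", 1700, 125),
    ("2013-12-08", 2000, 980),   # upload jumps while download stays normal
    ("2013-12-09", 2050, 1100),  # sustained outbound volume, e.g. spam sending
    ("2013-12-10", 4200, 260),   # large download day (updates); not suspicious
]


def flag_upload_anomalies(records, window=7, factor=4.0):
    """Return (day, upload_mb, baseline_mb) for each day whose upload exceeds
    `factor` times the median upload of the preceding `window` days.

    Download volume is deliberately ignored: total traffic on the big
    download day (4460 MB) is higher than on the first flagged day (2980 MB),
    so comparing overall usage would not single out the suspicious days,
    which is the difficulty the text notes. Outbound volume is the signal.
    """
    flagged = []
    for i in range(window, len(records)):
        baseline = median(r[2] for r in records[i - window:i])
        day, _download, upload = records[i]
        if baseline > 0 and upload > factor * baseline:
            flagged.append((day, upload, baseline))
    return flagged


if __name__ == "__main__":
    for day, upload, baseline in flag_upload_anomalies(SAMPLE_USAGE):
        print(f"{day}: {upload} MB uploaded vs baseline {baseline} MB")
```

Real figures come from your ISP's usage page or your router's traffic counters; the thresholds here are assumptions to tune against your own normal usage.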
3. Update operating system
A third useful step, which we always recommend automating, is to update your operating system. Operating system updates can help detect if your computer is part of a botnet. In recent years, updates to Windows operating systems have included detection of some common botnets. Updates also address (patch) vulnerabilities, or security holes, in your operating system that malware uses to infect your computer, and turn it into a bot.
In some cases you may also receive a notification from your ISP that your computer is part of a botnet. The Australian Communications and Media Authority (ACMA) monitors internet traffic for botnet activity and, where possible, will notify your ISP. Most ISPs will forward this information on to their customers to alert them of the infection. You can check with your ISP about how they manage this.
What to do if you suspect your computer is infected and how to fix it
If you suspect that your computer is part of a botnet, it is important to immediately minimise your risk—stop using online banking or other private activity such as email or social networking on the suspected computer.
If you have access to an unaffected computer or mobile device, use this device to change your passwords for all online services, such as online banking and shopping, email, social media and subscription services, particularly those services where your credit card details may be stored (eBay, PayPal). The old passwords may have been stolen by the malware, so it is important not to reuse them. If you cannot access another computer, change your passwords after you have cleaned your computer using the steps below.
1. Update your computer
First, try to perform an update for both your operating system and your antivirus product. If these fail, it may be a sign that malware on your computer is blocking updates and you may require technical assistance from a local service provider at this point. If the updates are successful, run a manual scan using your antivirus to check your computer for any further infection.
If no further sign of an infection is found, continue to keep an eye on your computer as you may not need to undertake any more steps. Keep your system up to date, and continue to run scans of your system.
3. Remove the device from your network
If scanning and updating doesn’t work, disconnect the infected computer from your network and the internet. Botnets try to spread the infection to other computers, starting with other computers and devices (such as smartphones) that are directly connected to the same network.
4. Consult a technical expert
Removing malware is a difficult task with no guarantees of success. Some malware can hide itself deep within your computer. If you are still seeing signs of a malware infection, take the computer to a technical expert for them to run a full clean of the computer.
5. Restore your computer to a point before the infection
If the infection cannot be removed, a final option may be to perform a system recovery and restore your computer to a state before the infection took place. Unfortunately, any data on your computer that has not been backed up will be lost in this process. Again, you may require the help of your local computer technician.
6. Immediately secure and update your restored computer
After restoring your computer, immediately secure the computer using security software and ensure applications are updated.
How to avoid becoming part of a botnet
As with any malware, the easiest and best approach is prevention.
A computer that is fully patched, with an up-to-date operating system, up-to-date applications, and up-to-date antivirus software is far less likely to be vulnerable to malware—including the malware used for botnets. Many botnets target computers running out-of-date operating systems or software, something which could easily be avoided.
We also recommend keeping regular backups of your system and data. If your computer becomes infected, the best solution may be to perform a recovery or rebuild your system. Any data not backed up may be lost, but this may be a small price to pay to prevent compromising the security of your personal and financial information.
For more background information, security company Norton has an article on botnets including links to further information. A more technical overview of botnets is available via the ShadowServer Foundation, which tracks botnets and provides information to companies to help protect against these threats.
The information provided here is of a general nature. Everyone's circumstances are different. If you require specific advice you should contact your local technical support provider.
Thank you to those subscribers who have provided feedback to our Alerts and Newsletters. We are very interested in your feedback and where possible take on board your suggestions or requests.
This information has been prepared by Enex TestLab for the Department of Communications ('the Department'). It was accurate and up to date at the time of publishing.
This information is general information only and is intended for use by private individuals and small to medium sized businesses. If you are concerned about a specific cyber security issue you should seek professional advice.
The Commonwealth, Enex TestLab, and all other persons associated with this advisory accept no liability for any damage, loss or expense incurred as a result of the provision of this information, whether by way of negligence or otherwise.
Nothing in this information (including the listing of a person or organisation or links to other web sites) should be taken as an endorsement of a particular product or service.
Please note that third party views or recommendations included in this information do not reflect the views of the Commonwealth, or indicate its commitment to a particular course of action. The Commonwealth also cannot verify the accuracy of any third party material included in this information.