What is Botnet? How Does It Work? The 6 Most Notorious Botnets

As a common and effective method of cyberattack, botnets pose a huge threat to today’s Internet security. This article introduces the concept of botnets and how they are controlled, and then looks at six notorious botnets. After reading it, you should have a preliminary understanding of what botnets are and how they work.


What is a botnet?

A botnet is a network of hosts that have been infected, through one or more means of propagation, with a bot (zombie) program, giving the controller one-to-many control over the infected hosts.

They are sometimes called “bot armies” and can be used by cybercriminals for a variety of activities, including sending spam and conducting distributed denial of service (DDoS) attacks.

Any Internet-connected device can be added to a botnet, including laptops, desktops, smartphones, DVR players, wireless routers, and other Internet of Things (IoT) devices.

Botnets are controlled by command and control (C&C) servers: computers run by hackers or hacker groups that send commands to the bots in the botnet and receive the information the bots collect. The controller of a botnet is called the bot herder or botmaster.

The advent of the IoT (Internet of Things) means that more devices can now be added to the botnet. Also, it is worth noting that many IoT devices are now insufficiently secured and mostly rely on default passwords and firmware that is difficult to update. This means that the size of botnets can easily grow in the future.


How does a botnet control your computer?

A botnet can be controlled by a botmaster controller in several different ways.

Traditionally, a botnet is controlled by a C&C server. In this case, each bot device calls back to a predetermined location and waits for a command from the server. The bot controller sends the command to the server, which forwards it to the bot network, and the bot devices send the collected results or information back to that central server.

However, having a centralized server makes the botnet more vulnerable to attacks and sabotage attempts. For this reason, many botnet controllers now mostly use the peer-to-peer (P2P) model.

In P2P botnets, interconnected bot devices share information without reporting to a central server, i.e., infected bot devices both send and receive commands. These bot devices then probe random IP addresses to contact other infected devices. Once contacted, the Bot device replies with information such as its software version and a list of known devices. If the contacted Bot has a newer software version, the other Bot will automatically update itself to that version. This approach allows the botnet to grow and stay up to date without contacting a central server, making it more difficult for law enforcement or other agencies to take down the botnet.
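The two control patterns described above leave different traces in network logs: a bot under a central C&C server calls back to the same location at a fixed interval (beaconing), while a P2P bot probes many distinct addresses in a short time to find peers. The following Python script, which is an added example and not code from the original article, runs two simple detection heuristics over constructed flow records (timestamp, source IP, destination IP, destination port). The hosts, addresses and timings are invented for the example; the IPs come from documentation ranges.

```python
"""Detection heuristics for two botnet control patterns over constructed flow logs.

Assumed input: flow records as (timestamp_seconds, src_ip, dst_ip, dst_port),
the shape one would export from NetFlow or firewall logs. All data below is
constructed for this example; the IP addresses are documentation ranges.
"""
from collections import defaultdict
from statistics import mean, pstdev

BASE = 1_700_000_000  # constructed epoch start for the sample records


def _beacon_flows():
    # Host 10.0.0.5 calls back to one external host every ~300 s with small jitter
    # (the centralized C&C pattern).
    jitter = [0, 3, -2, 4, -1, 2]
    return [(BASE + 300 * i + j, "10.0.0.5", "203.0.113.10", 443) for i, j in enumerate(jitter)]


def _probe_flows():
    # Host 10.0.0.7 contacts 25 distinct addresses on one port inside a minute
    # (the P2P peer-probing pattern).
    return [(BASE + 2 * i, "10.0.0.7", f"192.0.2.{i + 1}", 8080) for i in range(25)]


def _benign_flows():
    # Host 10.0.0.9 visits a few sites at irregular intervals (normal browsing).
    times = [0, 17, 250, 251, 900, 4000]
    dsts = ["198.51.100.1", "198.51.100.2", "198.51.100.1",
            "198.51.100.3", "198.51.100.2", "198.51.100.1"]
    return [(BASE + t, "10.0.0.9", d, 443) for t, d in zip(times, dsts)]


FLOWS = sorted(_beacon_flows() + _probe_flows() + _benign_flows())


def find_beacons(flows, min_count=4, max_cv=0.1):
    """Return {(src, dst, port): mean_interval_seconds} for connection pairs
    that repeat at least min_count times with nearly constant spacing.

    Regularity is measured as the coefficient of variation (stdev / mean) of
    the gaps between successive connections; human-driven traffic is bursty
    and rarely falls under max_cv."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[pair] = avg
    return beacons


def find_fanout(flows, window=60, min_distinct=20):
    """Return {src: distinct_destinations} for sources that contact at least
    min_distinct different hosts within any sliding window of `window` seconds.

    A sliding window over the time-sorted events keeps the check linear in the
    number of events per source."""
    by_src = defaultdict(list)
    for ts, src, dst, _port in flows:
        by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        best, left = 0, 0
        for right in range(len(events)):
            while events[right][0] - events[left][0] > window:
                left += 1
            distinct = len({d for _, d in events[left:right + 1]})
            best = max(best, distinct)
        if best >= min_distinct:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for (src, dst, port), interval in find_beacons(FLOWS).items():
        print(f"beacon: {src} -> {dst}:{port} every ~{interval:.0f}s")
    for src, count in find_fanout(FLOWS).items():
        print(f"fan-out: {src} contacted {count} distinct hosts within 60s")
```

On the constructed data, `find_beacons` flags only the callback from 10.0.0.5 to 203.0.113.10 (mean interval about 300 s) and `find_fanout` flags only 10.0.0.7; the browsing host trips neither heuristic. In practice both thresholds need tuning per network, since legitimate software updaters also beacon and scanners or DNS resolvers also show high fan-out.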


Uses of botnets

The two most common uses of botnets are to send spam campaigns and to conduct distributed denial of service (DDoS) attacks.

Bot devices can also be used to send malware by email, and different types of malware may have different goals, including collecting information from infected computers. This may include passwords, credit card details, and any other information that can be sold on the black market. Sensitive company information is also at risk of being stolen if devices on a corporate network become bot devices.

Bot devices are also commonly used for click fraud, visiting websites to create fake traffic and generate revenue for the botnet operator, and they are often used for bitcoin mining as well.

6 infamous botnets

Many botnets have emerged over the years, but some have been more influential than others. Here are six very famous ones.

Bagle

Bagle is one of the world’s first botnets, and it was used for a massive spam campaign. It emerged in 2004 and consisted mainly of Microsoft Windows computers. Bagle is a worm that infected more than 200,000 computers, and it is estimated that it was responsible for more than 10% of all spam worldwide.

Conficker

Conficker is a notorious computer worm that first appeared in late 2008 and has plagued network security personnel ever since.

The first version of Conficker appeared in November 2008 and quickly spread through network shares and infected USB drives. By one count, it has infected as many as 11 million computers. This makes Conficker a huge botnet that could cause a lot of damage through massive DDoS attacks if its operators chose to use it that way. However, it never launched any attacks, and even now the true intentions of Conficker’s creators remain a mystery; it was never clear which group it should be attributed to.


The cost of cleaning up Conficker is estimated to be as high as $9 billion, and surprisingly, computers infected with Conficker still exist even though it was released almost a decade ago.

ZeroAccess

One of the largest known botnets, ZeroAccess emerged in 2013 with an army of nearly 2 million computers. It is a difficult botnet to tackle because it combines a P2P model with C&C servers, but researchers at Symantec investigated the botnet in 2013 and found that nearly 500,000 of the bot devices had sandboxes (browser sandboxes).

ZeroAccess is used primarily for click fraud and bitcoin mining, and given the size of the botnet, it is thought to have generated significant wealth for the controllers behind it at the height of its activity.

Gameover Zeus

Gameover Zeus is a huge botnet used primarily to steal people’s banking information. The botnet has had up to 1 million computers, and it is estimated to have been used to steal over $100 million.

Gameover Zeus is a variant of the Trojan.ZBot malware, and it is still active today. It is a sophisticated variant of the original malware that enables large-scale financial fraud by hijacking the online banking sessions of thousands of victims. Like many current email malware campaigns, it is typically distributed via email. Once an infected user visits their banking site, the malware intercepts the session, accesses the victim’s information and steals their money.

Although Gameover Zeus was taken down in 2014, many variants of the Zeus malware are still active today.

Necurs

Necurs is one of the most active and well-known botnets right now. It was one of the largest distributors of malicious emails in 2016, and it also promoted Locky ransomware campaigns on a large scale. However, it mysteriously ceased operations on December 24, 2016, and remained inactive for nearly three months. During this period, the rate of malicious emails detected by the security vendor Symantec dropped dramatically.

Activity resumed on March 20, and Symantec blocked nearly 2 million malicious emails on that day alone. Since its return, however, Necurs has focused less on malicious email campaigns and more on “pump and dump” stock spam. It had begun sending these campaigns before it disappeared in December and has stepped up its efforts since returning.


The purpose of stock spam is to drive up the price of a stock held by the spammer by encouraging victims to buy shares of the same company. Once the victims’ purchases have pushed the price up, the spammer sells all of their shares. This causes the stock price to drop dramatically and makes it less likely that the victims will be able to sell their shares.

Mirai

Most people are probably familiar with Mirai, which ravaged networks around the world in the final months of 2016, using a range of IoT devices to launch DDoS attacks on targets worldwide.

The initial targets of Mirai’s DDoS attacks in September were the websites of hosting provider OVH and security expert Brian Krebs. These were massive DDoS attacks, at the time the largest ever, at 1 Tbps and 620 Gbps respectively. In late September, an update to Mirai was released on the online hacking community HackForums, and three weeks later it launched a massive DDoS attack against DNS provider Dyn that blocked user access to several well-known websites, including Netflix, Twitter and PayPal.

In late November, a variant of Mirai exploited a vulnerability in the routers used for Internet access in Germany, in an attack that affected nearly 1 million home Internet users; the same vulnerability also affected the routers of Irish home Internet users.

The Mirai botnet consists mainly of infected routers and security cameras, and this incident highlights how lax the security of IoT devices is.

Overview

Botnets have been around for a long time and have grown as technology continues to evolve. With the growth of IoT devices and the increasing number of devices connected to the Internet, the story of botnet development is likely far from over.
