If you have never heard of botnets, read this article. Here we explain what they are, how scammers create them, give examples of botnets, and find out what danger they pose to advertisers. Let's say right away that botnets bring nothing but trouble, so it is better never to encounter them.
Table of Contents
1. What is a botnet?
1.1. Bots are...
1.2. How Botnets Attack
1.3. Who manages them
2. Types of botnets (directions)
2.1. DDoS
2.2. Botnets for mining
2.3. Advertising and click
2.4. Email spam
3. Examples of the most famous botnets in the world
3.1. Mirai
3.2. Andromeda
3.3. ZeuS
3.4. 3ve (Eve)
4. Is there protection against botnets?
What is a botnet?
A botnet is a network of malware-infected devices used to carry out fraudulent attacks on websites, ads, social networks, instant messengers, mobile applications, and other resources and devices. It is managed by a botmaster.
The digital world first encountered botnets in the 2000s. Fraud committed with the help of automated botnets brings attackers millions and billions in revenue, which is why this business is thriving. Cybersecurity experts even conducted a study comparing this type of cybercrime with others and found that ad fraud is the least risky and most profitable type of cybercrime.
Attackers create and use botnets to infect devices and extort money for unblocking access, steal personal data from websites and other services, generate accounts on websites and social networks, send spam, mine cryptocurrency, buy goods in online stores, run DDoS attacks, click advertisements automatically, and much more.
Bot networks are in high demand among cyber fraudsters around the world. Why? Because they allow attacks to be scaled so that they come not from one device but from hundreds of thousands or millions of machines at once. Imagine how little time a botnet of a million infected devices from all over the world needs to "take down" a website with a DDoS attack.
Each newly recruited bot has its own IP address, which makes tracing the operator difficult; in practice, trying to do so makes little sense. What does make sense is blocking individual machines from the protected site, ad, or other resource, and preferably not by IP but by a device ID that takes into account the entire set of technical and behavioral parameters.
According to the creator of the TCP/IP protocol, Vint Cerf, a quarter of the 600 million computers worldwide may be in botnets (and their owners don't even know it). Of all the countries in the world, India has the most such infected devices - about 2 million.
Bots are...
Bots themselves are not viruses but software created to perform, in automatic mode, certain tasks received from the operator. More precisely, a bot is a set of programs that consists, or may consist, of virus software, OS hacking tools, firewalls, software for intercepting information, and remote control of the device. Cybercriminals compromise victims' devices in a variety of ways, including social engineering, phishing, hacking, and more.
There are many ways to infect devices. Scammers are constantly coming up with new ways to distribute their malware. The most popular are sending e-mails with dangerous links and attachments or penetrating a computer through vulnerabilities in legitimate software.
Owners of infected devices may not even suspect that their computer or some smart plug is already part of a botnet. Note that most new malicious networks can remain undetected for a long time.
Fortunately, banks, major platforms, and services are developing special cyber defense algorithms to combat bots and attacks. In addition, government agencies and large commercial companies join forces against botnets and their owners and regularly shut down the activities of a particular network. Even so, the fight against them has turned into a game of cat and mouse: scammers find loopholes and develop new deception techniques.
How botnets attack
A bot, that is, an infected computer or other device that is part of a botnet (even a smart kettle), attacks a website, advertisement, or other resource. Bots can also infect other devices, bringing them under the operator's control and scaling the network. It can be a personal computer on any OS, a router, or even a brand-new smart vacuum cleaner. From here on, an infected device is called a "zombie".
Botnets do not appear overnight. Attackers gradually build up their networks: the larger the network, the more powerful the attack can be.
When a bot herder (also known as a botmaster or operator) has a sufficient number of devices or computers in the network, they proceed to manage them remotely.
Fact: In 2014, the Emotet botnet was created. It infected Windows PCs of various organizations by sending phishing e-mails with a malicious payload in the form of an infected Word document. Europol, the FBI, and the UK's National Crime Agency took part in the operation to uncover this network and stop its spread.
Who manages them
Botnets are run by an operator, who can be one person or a group. The operator sends commands with a specific task or tasks to the server and to individual infected devices: for example, a command to crawl all the pages of a site, scrape it, execute a piece of code, or simply visit the site.
Botnets are often rented out to other scammers for a number of more resource-intensive tasks: clicking ads on a particular site, generating fake applications, installing mobile applications (though most often these are performed by click farms or device farms).
The most interesting thing is that it is very difficult to find out who is behind the botnet, that is, its operator, and many of them remain anonymous forever. Cyber crooks are adept at hiding their identities.
Types of botnets (directions)
Let's take a look at why attackers need armies of infected computers, smart sockets, TVs, and mobile devices, and find out in which attack vectors botnets are used.
DDoS
The primary and oldest use of botnets is organizing large-scale distributed denial-of-service (DDoS) attacks on websites. Bots are given the task of generating visits to a specific site or an entire competitor's server in order to take it down. Sites can remain inaccessible for a long time, and the business suffers serious losses as a result.
Botnet operators do not do this for fun. They rent out their "armies" for a fee, with per-second billing, set cooldowns, the number of machines used in the attack, and other parameters.
It is not always a rental, either. Cybercriminals may organize attacks themselves and blackmail site owners: for the attacks to stop and the site to become accessible to ordinary users again, they demand a ransom from the owner of the resource.
Botnets for mining
A current trend that dates back to 2009, when Bitcoin appeared. The whole world rushed to generate this cryptocurrency, and to make the process even faster, some cunning developers began using other people's computers for it. This is how mining with the help of botnets (mining farms) appeared: parasitism on someone else's device, or rather on the resources of its graphics card, to generate cryptocurrency.
Pay attention to the performance of your device. Has it degraded noticeably? Does your phone keep heating up? Not enough memory for simple programs? Can you hear the fans buzzing all the time? Most likely your device is infected, and it may well be being used for cryptomining.
Look at the price of one bitcoin and consider how profitable it is to use botnets to mine them.
Advertising and click-through
Botnets used to click on advertisements are common and dangerous. Attackers not only drive clicks but also generate views of video ads (marketing campaigns targeting CTV devices suffer greatly from this) as well as application installs.
Why fraudsters chose botnets for click fraud:
- Automated attacks. Unlike human clickers, bots click much faster.
- Separate IPs. Each device in the botnet has its own IP address, and they can be scattered all over the world, so it is harder to tell that the visits are artificial.
- Separate fingerprints. Each device has its own digital footprint (fingerprint), which helps hide fraudulent activity.
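The two points above (one IP and one fingerprint per bot, and clicks arriving far faster than a person produces them) are why the article recommends blocking by device ID and behavior rather than by IP. The following is an added example, not code from the article or from Botfaqtor, showing a minimal detector that groups ad clicks by fingerprint and scores them on IP fan-out, click rate and timing regularity; the log format, field names and thresholds are assumptions for this illustration.

```python
"""Added example (not from the original article): flag ad clicks by device
fingerprint and behaviour rather than by IP alone. Log format, field names
and thresholds are assumptions made for this illustration."""
from collections import defaultdict
from statistics import pstdev

# Constructed sample log (not real traffic): ts_seconds ip fingerprint campaign
# fp-a1 is one scripted device profile clicking from five IPs in two seconds;
# fp-h9 is a human-looking visitor clicking three times over seven minutes.
SAMPLE_LOG = """\
1000.0 203.0.113.10 fp-a1 camp-7
1000.5 198.51.100.7 fp-a1 camp-7
1001.0 192.0.2.44 fp-a1 camp-7
1001.5 203.0.113.99 fp-a1 camp-7
1002.0 198.51.100.200 fp-a1 camp-7
1003.0 203.0.113.55 fp-h9 camp-7
1180.0 203.0.113.55 fp-h9 camp-7
1421.0 203.0.113.55 fp-h9 camp-7
"""

def parse_log(text):
    """Parse whitespace-separated click records into dicts."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, fp, camp = line.split()
            rows.append({"ts": float(ts), "ip": ip, "fp": fp, "campaign": camp})
    return rows

def score_fingerprints(rows, min_clicks=3, max_rate_per_min=10.0,
                       min_distinct_ips=3, max_gap_stdev=0.1):
    """Return {fingerprint: [reasons]} for fingerprints that look automated.

    Signals (thresholds are illustrative assumptions):
      * one fingerprint seen from many distinct IPs (botnet fan-out);
      * click rate far above what a person produces;
      * near-constant inter-click interval (scripted timing).
    """
    by_fp = defaultdict(list)
    for r in rows:
        by_fp[r["fp"]].append(r)
    flagged = {}
    for fp, clicks in by_fp.items():
        if len(clicks) < min_clicks:
            continue
        clicks.sort(key=lambda r: r["ts"])
        reasons = []
        ips = {r["ip"] for r in clicks}
        if len(ips) >= min_distinct_ips:
            reasons.append(f"{len(ips)} distinct IPs share one fingerprint")
        span_min = (clicks[-1]["ts"] - clicks[0]["ts"]) / 60.0
        rate = len(clicks) / max(span_min, 1e-9)
        if rate > max_rate_per_min:
            reasons.append(f"{rate:.0f} clicks/min")
        gaps = [b["ts"] - a["ts"] for a, b in zip(clicks, clicks[1:])]
        if len(gaps) >= 2 and pstdev(gaps) < max_gap_stdev:
            reasons.append("metronomic click interval")
        if reasons:
            flagged[fp] = reasons
    return flagged
```

An IP-keyed counter over the same sample would see at most one click per address for fp-a1 and miss it entirely, which is the point the article makes about blocking by ID rather than by IP.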
Email spam
Who among us has not encountered e-mail spam? We all have. Either the bank writes to us, or someone offers us free money, or our dear great-uncle of our grandmother's great-grandmother has died and left us an inheritance. All of this is spam sent using botnets.
The advantage of botnets for spam mailings is the unique IP address of each device in the network. This simplifies mass sending of e-mails and reduces the risk of being blocked by the e-mail service.
Examples of the most famous botnets in the world
Below are the largest and most well-known botnets that have caused incredible damage to commercial companies and ordinary users from all over the world. We do not indicate whether the network is active or not, as their variations can develop, change names and directions. Even if the botnet's activity has been stopped, there is no guarantee that a new one based on it will not appear tomorrow.
Mirai
To hack IoT devices and perform DDoS attacks
- Software Family: Worms
- Who's at risk: smart devices (IoT)
- Application: DDoS attacks
- Damage: ~$100 million
The Mirai botnet has been used in a number of high-profile attacks. The most famous were the attacks on the website of journalist Brian Krebs, who had recently published an article about making money from such botnets, and on Dyn DNS, an American DNS service provider.
In 2016, attackers used toasters, refrigerators, and thermostats that were part of the Mirai botnet for one of the largest DDoS attacks.
In 2017, Daniel Kaye, one of the operators of Mirai, also known by the nickname BestBuy, was arrested. He was convicted in Germany, where he received a suspended sentence, and then in the UK, where he was sentenced to a real prison sentence.
Andromeda
Spam botnet with malware; it was used to steal credentials (form grabbing), etc.
- Software Family: Trojans
- Who's at risk: Any device
- Application: Multiple Uses
The FBI, Interpol, Europol, Eurojust, the Joint Cybercrime Action Taskforce, and several commercial companies took part in the operation to disrupt the Andromeda botnet. In 2017, 464 separate botnets were taken down. The creator of the network turned out to be Sergey Yarets from the Gomel region (Republic of Belarus), also known as Ar3s.
ZeuS
For stealing bank data
- Software Family: Trojans
- Who's at risk: PCs, all versions of Windows
- Application: Theft of funds from bank accounts
- Damage: > $100 million
Users from 196 countries around the world have become victims of ZeuS. Fraudsters chose different ways to deliver the malware to devices: e-mail spam, fake links and, for the first time, social networks. For example, on Facebook* (owned by Meta, an organization banned in Russia), users were sent spam with photo messages leading to malicious sites that spread the botnet's malware.
The program injected itself into the system, stole credentials for online banking accounts, and transferred money through the accounts of other victims to cover its tracks. According to analysts, ZeuS was the culprit in 90% of bank fraud cases worldwide.
3ve (Eve)
Botnet for clicking ads
- Software Family: Trojans
- Who is at risk: advertisers; PC
- Application: Draining advertising budgets
- Damage: > $20 million
Every day, 3ve generated about 3 billion fake requests on ad exchanges. It had more than 60,000 accounts, 10,000 fake advertising sites, and more than 1,000 servers in data centers. The scammers controlled over a million IP addresses.
The creators and operators of the network were citizens of Russia and Kazakhstan. The network was exposed, its servers and domains were taken offline, and the botmasters who were caught were prosecuted.
Is there protection against botnets?
All of these malicious networks can cause serious damage to a business, whether through attacks on websites, mobile apps, or ads.
If your resource is protected from DDoS attacks by special software, what about advertising? How do you protect it from click fraud and other cheating?
Try the specialized cyber security service Botfaqtor.ru. It uses proprietary algorithms and analyzes ad traffic by 100+ technical and behavioral parameters, applying machine learning to refine the detection of fraudulent and non-targeted visits. Ads are not shown to bots, and your budget stays safe.