Understanding Hidden Threats: Botnets
You've most likely heard of botnets. Still, even with all of the references to them in the news these days, it's not easy to gain a clear understanding of what they are, and how they might be affecting you. We've taken a few of the most common questions sent in by Lavasoft News readers, and answered them in plain and simple terms. Keep reading to set the facts on botnets straight.
What is a botnet?
A botnet is a network of compromised, or infected, computers that hackers have commandeered. PCs that are part of a botnet are often referred to simply as "bots".
Botnets are part of the multilayered and profitable crimeware industry, where the initial step is to infect and take control of a targeted computer. PCs in a botnet are under the remote command and control of hackers. As part of that, hackers can take advantage of all of the resources on a machine (from personal information to bandwidth), and use it to perform malicious tasks under remote direction - all to carry out their criminal intentions.
What is a zombie computer?
A zombie computer is a system that has been infected and taken over remotely by cyber criminals. A collection of zombie computers makes up a botnet.
What are botnets used for?
Botnets are controlled remotely by hackers to distribute spam and malware, to run theft and fraud schemes, and to hijack additional computers. In recent years the main motivation behind botnets has been monetary gain for cyber criminals. Once a machine is compromised, the criminals have complete access to it: they can load additional software onto it or pull information off of it.
Bot herders, the hackers who control botnets, can instruct thousands of computers to follow their orders, whether it's to propagate spam messages, launch fraud schemes or to issue denial of service attacks, targeting certain, often high-profile, websites in order to make them unavailable to users. Once bot herders compile a group of compromised machines, they can sell it to fraudsters who are then capable of using the exploited machines for identity and data theft.
How do I know if my computer is part of a botnet?
Most owners of compromised PCs are unwitting victims, never realizing that they have allowed unauthorized access to their computers. Machines are infected without the knowledge of the computer user; usually access to the system is gained through a virus, worm, or Trojan. The symptoms of infection are generally very subtle and are not immediately apparent to the average computer user without special tools. Still, there are telltale signs and symptoms which may indicate a problem.
- A slow computer
The most apparent sign, according to the analysts at Lavasoft Malware Labs, is "slow computer" syndrome: your Internet connection becomes strangely sluggish, or your PC slows down noticeably when you run only a few programs at the same time. (Users should note, however, that this can also be caused by other types of malware, as well as by unrelated PC problems.)
- Accused of sending spam
Being told by your ISP, your mail provider or the people you write to that your system has been sending spam is a sign that it is infected and is being used as a spam bot.
- Detecting malware responsible for bots
Running up-to-date anti-spyware and anti-virus software gives the security program a chance to root out the infection and identify it as a bot.
- An unknown or suspicious process is running in the background on your PC
Check the list of running programs for processes you do not recognize. If you use a firewall that monitors network traffic, it can also show you connections that no program you know of should be making.
For more technically-oriented computer users, bot activity can be discovered through packet sniffer tools and knowledge about different protocols, ports, Windows Registry, processes and TCP/IP. This includes:
- Large amounts of network traffic
Bots often connect to remote servers; they may use a suspicious amount of bandwidth and generate network traffic even when you are not actively using the Internet.
- IRC Traffic
Internet Relay Chat (IRC) is a type of real-time Internet messaging, designed mainly for group discussion forums. IRC bots connect to an IRC server as a client, performing automated functions while appearing to be just another IRC user. IRC traffic from a machine whose owner does not use IRC is therefore a red flag.
- SMTP Traffic
Simple Mail Transfer Protocol (SMTP) is the Internet standard for transferring e-mail across IP networks. Bots may use a built-in SMTP engine to send spam directly to other users' mail servers, bypassing your normal mail program.
- Open Ports
A port is a numbered endpoint that lets several applications on one machine share a single network connection, each using its own protocol at the same time; every device on a network needs such channels in order to communicate with the others. Bots may open a listening port of their own so that their controller can reach them, or scan other machines for open ports in order to spread or to synchronize with them.
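The indicators above (unexplained connections to remote servers, IRC traffic, direct SMTP traffic, unexpected open ports) can be checked mechanically once the traffic has been logged. The script below is an added example written for this article; it is not Lavasoft's code or part of any Lavasoft product. It runs a few simple heuristics over constructed per-connection records and a constructed netstat-style socket listing: the record layout, the IP addresses, the port lists and every threshold are assumptions chosen for illustration.

```python
"""Heuristic triage of bot indicators in constructed connection logs.

Added example, not Lavasoft code. The record layout (timestamp proto src
dst dport), the netstat-style lines and every threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: workstation 10.0.0.5 browses the web normally, checks in
# with one IRC server every five minutes, and delivers mail directly to five
# different mail servers within a few seconds (a built-in SMTP engine).
SAMPLE_FLOWS = """\
2009-03-01T10:00:00 tcp 10.0.0.5 203.0.113.9 6667
2009-03-01T10:00:01 tcp 10.0.0.5 198.51.100.20 80
2009-03-01T10:05:00 tcp 10.0.0.5 203.0.113.9 6667
2009-03-01T10:06:12 tcp 10.0.0.5 198.51.100.21 443
2009-03-01T10:10:00 tcp 10.0.0.5 203.0.113.9 6667
2009-03-01T10:12:00 tcp 10.0.0.5 192.0.2.10 25
2009-03-01T10:12:02 tcp 10.0.0.5 192.0.2.11 25
2009-03-01T10:12:03 tcp 10.0.0.5 192.0.2.12 25
2009-03-01T10:12:05 tcp 10.0.0.5 192.0.2.13 25
2009-03-01T10:12:06 tcp 10.0.0.5 192.0.2.14 25
2009-03-01T10:15:00 tcp 10.0.0.5 203.0.113.9 6667
2009-03-01T10:20:00 tcp 10.0.0.5 203.0.113.9 6667
"""

# Constructed listening-socket snapshot in the shape of `netstat -an` output.
SAMPLE_SOCKETS = """\
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:31337 0.0.0.0:0 LISTENING
TCP 10.0.0.5:49152 203.0.113.9:6667 ESTABLISHED
"""

IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 6697}
SMTP_PORT = 25
EXPECTED_LISTENERS = {135, 139, 445}  # assumption: services this host should run


def parse_flows(text):
    """Turn 'timestamp proto src dst dport' lines into dicts."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, proto, src, dst, dport = line.split()
            flows.append({"ts": datetime.fromisoformat(ts), "proto": proto,
                          "src": src, "dst": dst, "dport": int(dport)})
    return flows


def irc_servers(flows):
    """Destinations contacted on IRC ports: a red flag on a host with no IRC client."""
    return sorted({f["dst"] for f in flows if f["dport"] in IRC_PORTS})


def direct_smtp_fanout(flows, min_distinct=5):
    """Sources that talk to many distinct SMTP servers. A normal mail client
    uses one or two relays; a spam engine contacts each recipient's server."""
    per_src = defaultdict(set)
    for f in flows:
        if f["dport"] == SMTP_PORT:
            per_src[f["src"]].add(f["dst"])
    return {src: len(dsts) for src, dsts in per_src.items()
            if len(dsts) >= min_distinct}


def beacons(flows, min_hits=4, jitter_s=30):
    """(src, dst, dport) triples contacted at a near-constant interval, the
    signature of a periodic command-and-control check-in. Returns the mean
    gap in seconds for each."""
    by_key = defaultdict(list)
    for f in flows:
        by_key[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    found = {}
    for key, stamps in by_key.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= jitter_s:
            found[key] = sum(gaps) / len(gaps)
    return found


def unexpected_listeners(text, expected=EXPECTED_LISTENERS):
    """Local ports in LISTENING state that are not expected on this host; a bot
    waiting for its controller to connect inbound shows up here."""
    ports = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[3] == "LISTENING":
            ports.add(int(fields[1].rsplit(":", 1)[1]))
    return sorted(ports - expected)
```

On the constructed data, irc_servers flags 203.0.113.9, direct_smtp_fanout flags 10.0.0.5 for contacting five different mail servers, beacons reports the 300-second check-in to 203.0.113.9 on port 6667, and unexpected_listeners reports port 31337. On a real machine you would feed the script your firewall or sniffer log converted to the same five-field layout, and you would expect legitimate exceptions: a user who actually runs an IRC client, or a machine that really is a mail server, will trip these heuristics, so they are prompts for a closer look rather than proof of infection.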
To learn more about the specific steps you should be taking to prevent your system from becoming part of a botnet, read our next article, How To Guide: Preventing Bot Infections.