A botnet is a network of computers controlled remotely for illegal purposes. The individual computers of a botnet are known as bots or zombies. Botnets can be very large and sometimes consist of millions of zombies. The potential damage that botnets can cause makes them one of the main sources of illegal income on the Internet. Botnets can also be rented out on the Internet, effectively providing an illegal cloud-computing service.
When connected to the Internet, your computer might be infected and become part of a botnet. The computers of a botnet generally belong to unsuspecting Internet users who, not having updated and adequately protected their system with the latest versions of the operating system, browser, anti-virus or other basic software, are infected by purpose-built malware and captured into the botnet. If your computer is part of a botnet you have probably not noticed that it is remotely controlled and used, for example, to launch attacks or to infect other computers whenever it is connected to the Internet. For instance, a private computer can be used to send untraceable spam, but also to perform a DDoS attack (Distributed Denial of Service) or a phishing attack, without the knowledge of the rightful owner.
A botnet is sustained and increases its size by distributing malware and infecting other computers. Therefore, the controllers of botnets aim to capture the largest possible number of computers, in order to increase the resources available to them. Some botnets include millions of bots. Every single computer that is freed from infection reduces the potential of botnets and helps stop the infection from spreading across the network. For this reason, the contribution of Internet users is critical for the containment of botnets.
It is therefore important to check your computer regularly, remove any infection, and install the security updates that are made available for the operating system and installed applications.
How you can get infected
A botnet grows when bot software is installed on a computer that is not yet infected. This can happen in a variety of ways. The most common ways of infection are the following:
- Infected emails: In an email, the user is invited to open an attached program or click on a link which leads to an infected website. If the user runs the program or clicks on the link, malware will be installed on the computer, making it part of a botnet. These invitations are often made using phishing emails, which look like genuine messages; the email can pretend to come from the user's own bank, for instance.
- Downloads: Malware is coupled with another program which is available for download over the Internet. Whoever downloads this program infects their computer with the malware. This coupling of malware to a harmless application is what is called a trojan (short for "Trojan horse"). This occurs most often with programs downloaded illegally. However, for security reasons, even legal and reputable programs should only be downloaded from the original website of the provider, and should be checked by a virus scanner.
- Exploits: An infection by this method exploits security holes and errors in applications, in the browser or in the operating system itself. Exploits are triggered when the user, for example, clicks on a specially crafted link.
- Drive-by downloads: A drive-by download is characterized by an undetected and unintentional software download onto a user's computer. Among other things, drive-by downloads refer to the unwanted downloading of malware caused just by visiting a manipulated website. Unfortunately, simply avoiding dubious websites is no protection, because attackers regularly succeed in manipulating legitimate websites.
What damages botnets can cause
A computer which is hijacked can be abused for different purposes. The most common cases of illicit usage are the following:
- Distribution of spam: The resources of remotely controlled computers are used to send spam. A botnet can send several billion spam emails a day.
- DDoS attacks: So-called Distributed Denial of Service attacks are attacks on a server or computer, with the goal of causing a breakdown of its services. For example, if a company's server is bombarded with a large number of requests, it may become overloaded and crash as a result. Coordinated and simultaneous requests from bots can lead to such a system overload.
- Proxies: Through a proxy within the botnet, the master computer which controls the bots can establish an attack connection to a third-party computer and hide its address of origin. For the victim of the attack, the bot (the infected computer system) appears to be the attacker. The actual attacker, the remotely controlling bot herder, cannot be traced easily.
- Data theft: Most bots can easily access locally stored usernames and passwords for applications such as instant messaging programs, or can read data such as passwords and credit card numbers from web forms. This data is transferred to the bot herder.
- Storage medium for illegal content: The hard drives of hijacked computers can also be used for the storage of illegal content, which can then be distributed from these computers.
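Two of the abuses listed above, spam distribution and DDoS participation, leave a footprint in ordinary firewall or NetFlow logs: a spam bot opens direct SMTP (port 25) connections to many different external mail servers, whereas a normal workstation only talks to its own mail server, and a DDoS participant fires a burst of connections at a single target. The script below is an added example, not code from the original page; it runs two such checks over a constructed sample log (the log format, host addresses and the thresholds are assumptions for illustration).

```python
"""Flag internal hosts whose outbound traffic looks like botnet activity.

Added example. The log format ('timestamp src dst port action'), the
addresses and the thresholds are constructed assumptions, not data from
the page. Checks: (1) direct SMTP to many distinct mail servers, typical of
a spam bot; (2) a burst of connections to one target, typical of a DDoS bot.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class Flow(NamedTuple):
    ts: datetime
    src: str
    dst: str
    port: int


def parse_log(text: str) -> list[Flow]:
    """Parse 'timestamp src dst port action' lines; keep only ALLOWed flows."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[4] != "ALLOW":
            continue  # skip malformed lines and blocked traffic
        ts, src, dst, port, _ = parts
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(port)))
    return flows


def find_spam_bots(flows: list[Flow], min_distinct_dst: int = 20) -> set[str]:
    """Hosts opening SMTP connections to at least min_distinct_dst mail servers."""
    dsts: dict[str, set[str]] = defaultdict(set)
    for f in flows:
        if f.port == 25:
            dsts[f.src].add(f.dst)
    return {src for src, d in dsts.items() if len(d) >= min_distinct_dst}


def find_ddos_participants(flows: list[Flow], min_conns: int = 100,
                           window: timedelta = timedelta(seconds=60)) -> set[str]:
    """Hosts that open min_conns or more connections to one target inside a sliding window."""
    by_target: dict[tuple[str, str, int], list[datetime]] = defaultdict(list)
    for f in flows:
        by_target[(f.src, f.dst, f.port)].append(f.ts)
    flagged = set()
    for (src, _dst, _port), times in by_target.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward
            if end - start + 1 >= min_conns:
                flagged.add(src)
                break
    return flagged


def build_sample_log() -> str:
    """Constructed sample log: one normal host, one spam bot, one DDoS bot."""
    base = datetime(2024, 1, 10, 8, 0, 0)
    lines = []

    def emit(offset_s: float, src: str, dst: str, port: int, action: str = "ALLOW"):
        stamp = (base + timedelta(seconds=offset_s)).isoformat()
        lines.append(f"{stamp} {src} {dst} {port} {action}")

    # Normal workstation: a little web browsing, mail via the company mail server.
    for i in range(5):
        emit(i * 30, "10.0.0.5", f"203.0.113.{i + 1}", 443)
    emit(10, "10.0.0.5", "10.0.0.25", 25)
    # Spam bot: direct SMTP to 40 different external mail servers.
    for i in range(40):
        emit(i * 2, "10.0.0.7", f"198.51.100.{i + 1}", 25)
    # DDoS participant: 150 connections to one web server within 30 seconds.
    for i in range(150):
        emit(i * 0.2, "10.0.0.9", "192.0.2.80", 80)
    # A blocked flow, which parse_log ignores.
    emit(0, "10.0.0.9", "192.0.2.80", 80, "DENY")
    return "\n".join(lines)


def analyse(text: str) -> dict[str, set[str]]:
    """Run both checks and return the flagged hosts per category."""
    flows = parse_log(text)
    return {
        "spam_bots": find_spam_bots(flows),
        "ddos_participants": find_ddos_participants(flows),
    }


if __name__ == "__main__":
    for kind, hosts in analyse(build_sample_log()).items():
        print(kind, sorted(hosts))
```

On a real network the same two checks can be run against exported firewall or NetFlow records; the thresholds should be tuned to the environment (a legitimate mail server, for example, must be exempted from the SMTP check, which is why the sample keeps the workstation's own mail server at a single destination).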
A relatively small number of botnet operators have hijacked millions of computers to form botnets, and, as a result, they have at their disposal a processing capacity that is higher than all the high-speed computers worldwide put together. The "Mariposa" botnet alone, uncovered in April 2009, consisted of 13 million hijacked computers. Among these are increasingly computers from companies and the public sector. Links sent over instant messengers (i.e. chat programs), which led to manipulated websites and exploited a security flaw in the browser, were one cause of the infection, alongside infected files from file-sharing platforms and from USB sticks.