SOCRadar® Cyber Intelligence Inc. | How to Detect Your Network is Used by Botnets Without Touching Your Systems?
Home

Resources

Blog
Jun 28, 2021
8 Mins Read

How to Detect Your Network is Used by Botnets Without Touching Your Systems?

Malicious bots called “bad bots” not only evolve continually, but are very specific to certain applications, such as defense providers or even evasion tactics, as the talents and degree of development for humans and bots. Botnets provide a route to cyber criminals from another perspective that allows them to start numerous transactions, malware, cryptocurrency, and DDoS attacks, including e-bank fraud.

  • 57% increase in the number of Mirai variants detected during 2019 Although Mirai variants are known to use brute-force attempts predominantly for compromising IoT devices, there was an increase in both brute-force (51%) and web exploitation (87%) attempts during 2019.
  • 300.000 notifications of Emotet botnet traffic observed during 2019. This accounted for over 100.000 more victim alerts than the same period in 2018. Researchers believed that there was a 913% increase in the number of Emotet samples having compared the second half of 2018 and 2019.
  • 60% of new rival botnet activity is associated with stealing credentials.
  • 17.602 fully functional botnet C2 servers found in 2019. 71,5% increase compared with 2018.

What is Botnet?

 

A botnet is a network of infected computers that are controlled by a single host computer and work together to achieve a goal. They serve a malicious purpose to one or more hackers. A botnet consists of a series of interconnected computers and devices that can be hijacked and controlled to carry out cyberattacks. Botnets can infect computers, laptops, servers, smartphones and all types of IoT devices with security vulnerabilities. 

Some botnets have legions of bots or soldiers waiting for commands to attack a target server and overwhelm it with distributed denial of service (DDoS) attacks. Other botnets target specific devices to steal passwords or mine cryptocurrencies

Botnets may seem simple and harmless, but they can be a powerhouse for some of the worst attacks that hackers can try. The term botnet (a combination of botnet and network) was coined in 2001 by EarthLink, Inc. in a suit against Khan C. Smith, a Tennessee man who swindled $3 million in advance of the largest spam network ever discovered. A botnet is structured like this: Many compromised computers, often home PCs, are managed via Internet Relay Chat (IRC) channels.

How does a botnet attack work?

 

Botnet owners may access and command several thousand machines simultaneously to do harmful actions. Initially, malicious hackers get access to these devices using specific trojan viruses to assault the computer’s security mechanisms before developing software for command and control to enable them to do large-scale destructive operations. These actions may be automated to promote as many attacks as feasible simultaneously. Various sorts of attacks may include:

  • Distributed Denial of Service (DDoS) attacks that cause unplanned application downtime
  • Validating lists of leaked credentials (credential-stuffing attacks) leading to account takeovers
  • Web application attacks to steal data
  • Providing an attacker access to a device and its connection to a network

What are the biggest Botnet Attacks?

Srizbi BotNet is regarded to be one of the largest botnets in the world and is responsible for spam transmitting more than 50% of all the major botnets. The botnets consist of Srizbi Trojan PCs that send spam on order. In November 2008, after the hosting company Janka Cartel had been brought down, Srizbi experienced a huge reverse; worldwide spam volumes decreased to 93 percent as a consequence1.

Some other biggest botnet attacks are as follows2;

  • ZeuS

Category: banking Trojan

Life span: 2007 – the present day

Infected computers: over 13 million

Distribution: exploit kits, spam

Geographic coverage: 196 countries

Financial impact: at least $120 million

  • Storm 

Category: email worm for spam and DDoS

Life span: 2007-2008

Infected computers: about 2 million

Distribution: spam

  • Mariposa

Category: Trojan/worm

Life span: 2009-2011

Infected computers: 12 million + 11 million (two outbreaks)

Distribution: pirated software, USB thumb drives, P2P networks, MSN messenger

Geographic coverage: 190 countries

  • 3ve

Category: click fraud botnet

Life span: 2013-2018

Infected computers: about 2 million

Distribution: social engineering, spam

Financial impact: $30 million

  • Mirai

Category: DDoS botnet

Life span: 2016 – the present day

Infected devices: at least 560,000

Distribution: brute-force attacks

How to Detect Botnets?

Detection of botnets can be tricky because it is in the hackers “interest that victims do not know that their devices have been infected. If a botnet appears benign, it may be a command-and-attack, and you may not know that it exists. 

The first developed botnets were Internet Relay Chat (IRC) botnets that follow the botnets of Hypertext Transfer Protocol (HTTP) and Peer-to-Peer (P2P) bot networks. IRC botnets are the easiest type of botnet to detect because they use a centralized architecture, which means that all bots are monitored from a central point. The existence of a central point makes it visible and easy to recognize. 

Some botnets use HTTP and IRC protocols to communicate with infected botnet clients. Some botnets find other ways to control infected botnet clients on non-traditional network ports such as social networks or PTP networks

Botnets are often controlled via Internet Relay Chat (IRC) today and one possible way to detect IRC-based botnets is to monitor TCP port 6667, which is a default port for IRC traffic. 

Built-in Internet Relay Chat (IRC) server scanners can identify potential botnets by searching for non-human behavioral traits in traffic. However, we advocate a third approach to botnet detection, which identifies secondary characteristics of bot infections such as spread and attack behavior. Trying to find command and control traffic is key to this approach and correlating data from different sources can find bots and detect command and control connections. 

Botnet detection techniques have been developed that include host-level detection and network-level detection. These techniques implement a multi-modular approach that combines information from different host and network aspects to achieve efficient and effective detection. 

Many botnet detection strategies include packet analysis, which allows you to identify irregular data transfers from devices to your servers. Detecting botnets is difficult, but not impossible, and you can use botnet detection tools to highlight and warn if there is an unusual activity pattern of devices on your system. 

Traffic flow data does not require full security proofs, and effective botnet detection tools can measure traffic patterns and flows in time to detect unusual behavior from malicious centers to trigger an attack. 

Behavioural analysis is an essential approach to detecting botnets. When it comes to static and behavioral best practices for botnet detection, use at least static analysis, conduct behavioral analysis, if possible, talk to internal or external analysts about P2P botnet detection techniques and make sure that the rules of your behavior-based network-based botnet detection system take into account common systems. Use static analysis as a minimum when the organization focuses on botnet discovery, but conduct behavioral analysis, if possible, to be effective. 

Today, the focus is on open-source solutions such as Snort, which integrate security and intelligence offerings to determine network activity in unusual and predefined ways, identify its network shift, analyze its nature and impact (quarantine, limitation, elimination of local bots, etc.). 

Botnets are highly customizable and can be used for many kinds of abuse, including spamming, snooping, keylogging, spreading new malware, Google Adsense abuse, attacks on IRC chat networks, manipulation of online surveys and mass identity theft. 

As an ISP it is critical that your network abuse team is able to detect when one of your customer servers is being used in a botnet attack. Malicious use of botnets can trigger coordinated attacks over the Internet. These attacks are used to increase the size of the botnet and to attack more devices as well as to gather data from millions of infected devices. 

There is a simple reason why detecting abnormalities can detect infected systems that are not part of a botnet. By integrating rules and symptoms into the network-based security tools, they can be tailored to botnet detection

Because of their sheer size and the difficulty of tracking them, botnets can operate under the radar long before anyone can do anything about it. Once used, a variety of network-based botnet detection tools can find instances themselves over time. 

There are several symptoms that manifest during botnet infiltration, when a compromised machine begins to execute its instructions. As you will see, these symptoms manifest on all levels, from individual compromised workplaces to the network as a whole. 

It is simply a collection of bots on compromised computers and devices that execute the commands supplied by the botnet owner. The owner is a command-and-control server (C2) dedicated to a compromised server that communicates with the bots over the internet and relays chat commands. Botnet owners use the C2 to get the botnets to carry out attacks, whether it is a DDoS attack, data theft, identity theft or any kind of attack.

One of the best solutions to detect botnets in your network is Cyber Threat Intelligence products since they constantly monitor your assets. Would you like to know how? Try SOCRadar.


Discover SOCRadar® Community Edition for free

With SOCRadar® Community Edition, you’ll be able to:

  • Discover your unknown hacker-exposed assets
  • Check if your IP addresses tagged as malicious
  • Monitor your domain name on hacked websites and phishing databases
  • Get notified when a critical zero-day vulnerability is disclosed

Free for 12 months for 1 corporate domain and 100 auto-discovered digital assets.
Try for free