What is a Botnet?
As you read through cybersecurity content you might have noticed a word that pops up a lot: “botnet.” A botnet is a collection of internet-connected devices that have been infected by malware and are now under the control of a bad actor. Botnets often spread through widespread vulnerabilities that are relatively trivial to exploit and that remain exploitable because the affected devices are never patched. These infected devices, or bots, can be anything – a laptop, a server, or internet of things (IoT) devices. The larger the botnet, the more damage it can inflict; it is all a numbers game.
How are botnets used?
Once an actor creates a botnet, they use it to carry out actions such as sending spam emails, running fraud campaigns, and generating false traffic to launch DDoS attacks.
- Spam emails – botnets are used to send spam because they can do so at an extremely large volume. The emails might extend the botnet by infecting more computers with the same malware, distribute additional malware intended for other nefarious purposes such as ransomware, or simply overwhelm an email server with a mass of useless messages.
- Fraud campaigns – botnets can be leveraged to generate fake clicks on ads, webpages or social media posts. Fake clicking can inflate the popularity of a social post or webpage, which an actor might do to increase the visibility of certain information, or it can be aimed at pay-per-click ads so that the organization paying for those ads spends more money.
- DDoS attacks – massive botnets are used to overload a specific network or server. So many requests come in that the targeted network or server simply stops responding, leaving legitimate users unable to access the website or application.
Why are botnets used?
There are many reasons for infecting devices and creating botnets. The most basic reason is scale: the larger the botnet, the larger the attack and the more likely the malicious activity is to succeed. That scale serves the attacker’s real objective, profit – bad actors use botnets as a source of income, and the more devices they infect, the more income they can generate. They can also rent out their infrastructure to others for malicious purposes. Botnets can be created with very little effort, so it is a lucrative business.
How do botnets affect my organization?
You don’t have to be the intended target of a botnet campaign to feel its effects. For example, there is a lot of focus on the victims of DDoS attacks: who was targeted, why they were targeted, and what they were targeted with. But botnet attacks have a broader impact than just those victims. When a botnet is leveraged, attackers are using legitimate devices, devices that could be part of your organization. You could be an unwitting participant in cyberattacks, from propagating spam to overwhelming another organization’s website. Simply being part of a botnet can lead to increased bandwidth costs and performance issues for your online tools and applications. And once an adversary has access to your systems, you are open to a myriad of attacks, from information stealing to crypto mining and ransomware.
How do I avoid becoming part of a botnet or tell if I’m already part of one?
One of the main ways to avoid becoming infected with malware is to continually train your staff. Just clicking on a link or opening an attachment from a malicious email opens up your organization to threat actors and provides an avenue to your devices, servers, and network. Telling employees how to spot fake emails, which are increasingly sophisticated, will help stop malware from infiltrating your systems.
Having proper security solutions in place, such as anti-malware/anti-virus software, can help defend your organization as well.
What do I do if I’m part of a botnet?
Being able to tell if you are part of a botnet can be very difficult. Most malware is meant to be stealthy and includes functions to avoid detection. Watching network bandwidth and usage can help determine whether your network is being used for something other than regular activities. Additionally, if employees complain about slow devices, it might be because their compute power is being used for something other than your business needs.
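The bandwidth-and-usage check described above can be turned into simple detection logic over outbound flow records. The script below is an added example, not code from Lumen or Black Lotus Labs, and it assumes a constructed CSV-like flow format (timestamp in seconds, source host, destination IP, destination port, bytes out) and illustrative thresholds. It flags three patterns that a bot-infected host tends to show: outbound volume far above the fleet median, regular-interval "beaconing" to a single destination, and a non-mail host sending outbound SMTP to many distinct destinations (a spam-relay symptom).

```python
"""Flag hosts whose outbound traffic looks like botnet activity.

Added example, not Lumen's or Black Lotus Labs' code. The flow format,
sample records and thresholds are assumptions made for illustration.
"""
from collections import defaultdict
from statistics import mean, median, pstdev

# Constructed sample flows: ts_seconds,src_host,dst_ip,dst_port,bytes_out
SAMPLE_FLOWS = """\
0,laptop-01,203.0.113.5,443,1200
60,laptop-01,203.0.113.5,443,1210
120,laptop-01,203.0.113.5,443,1195
180,laptop-01,203.0.113.5,443,1230
240,laptop-01,203.0.113.5,443,1205
10,laptop-02,198.51.100.20,443,54000
95,laptop-02,198.51.100.21,443,82000
300,laptop-02,198.51.100.22,443,41000
5,server-01,192.0.2.10,25,900000
6,server-01,192.0.2.11,25,880000
7,server-01,192.0.2.12,25,910000
8,server-01,192.0.2.13,25,905000
20,laptop-03,198.51.100.30,443,30000
400,laptop-03,198.51.100.31,80,15000
"""


def parse_flows(text):
    """Parse the constructed flow records into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, port, nbytes = line.split(",")
        flows.append({"ts": float(ts), "host": host, "dst": dst,
                      "port": int(port), "bytes": int(nbytes)})
    return flows


def outbound_bytes_by_host(flows):
    """Total bytes sent out per source host."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["host"]] += f["bytes"]
    return dict(totals)


def find_volume_outliers(flows, factor=10.0):
    """Hosts sending more than `factor` times the fleet median outbound bytes."""
    totals = outbound_bytes_by_host(flows)
    if not totals:
        return {}
    baseline = median(totals.values())
    return {h: b for h, b in totals.items() if b > factor * baseline}


def find_beacons(flows, min_flows=4, max_cv=0.2):
    """(host, dst) pairs contacted at near-regular intervals -> mean gap in s.

    Regularity is measured as the coefficient of variation of the gaps
    between consecutive flows; C2 check-ins often have a near-fixed period.
    """
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["host"], f["dst"])].append(f["ts"])
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:          # identical timestamps: not a usable period
            continue
        if pstdev(gaps) / avg <= max_cv:
            beacons[pair] = avg
    return beacons


def find_smtp_fanout(flows, min_destinations=3, known_relays=frozenset()):
    """Non-relay hosts talking SMTP (port 25) to many distinct destinations."""
    dests = defaultdict(set)
    for f in flows:
        if f["port"] == 25 and f["host"] not in known_relays:
            dests[f["host"]].add(f["dst"])
    return {h: len(d) for h, d in dests.items() if len(d) >= min_destinations}


def triage(text):
    """Run all three heuristics and return {host: [reason, ...]}."""
    flows = parse_flows(text)
    report = defaultdict(list)
    for host, nbytes in find_volume_outliers(flows).items():
        report[host].append(f"high outbound volume: {nbytes} bytes")
    for (host, dst), gap in find_beacons(flows).items():
        report[host].append(f"beacon to {dst} every ~{gap:.0f}s")
    for host, n in find_smtp_fanout(flows).items():
        report[host].append(f"outbound SMTP to {n} distinct destinations")
    return dict(report)


if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_FLOWS).items():
        print(host)
        for reason in reasons:
            print("  -", reason)
```

In the sample data, laptop-01 is flagged for a 60-second beacon, server-01 for both outbound volume and SMTP fan-out, and the two remaining laptops are left alone. A real deployment would feed this from NetFlow or firewall logs, tune the thresholds against a baseline period, and pass legitimate mail relays in `known_relays` so they are not reported as spam sources.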
If you suspect you’re part of a botnet, take appropriate mitigative actions, such as changing credentials, quarantining and cleaning impacted devices and removing or disabling mechanisms that would allow the threat to persist within your environment.
Basic cyber hygiene like software patches can help your organization avoid a lot of common vulnerabilities that many botnets rely on for access.
How does Lumen protect customers from botnets?
Black Lotus Labs® is the threat intelligence arm of Lumen focused on leveraging Lumen’s global network visibility to help protect customers and keep the internet clean – including from large-scale botnets cybercriminals use to wage attacks. In fact, every month, Black Lotus Labs disrupts roughly 150 command and control nodes that serve as the brains of botnets.
Defend your organization from botnets and more!
This content is provided for informational purposes only and may require additional research and substantiation by the end user. In addition, the information is provided “as is” without any warranty or condition of any kind, either express or implied. Use of this information is at the end user’s own risk. Lumen does not warrant that the information will meet the end user’s requirements or that the implementation or usage of this information will result in the desired outcome of the end user. All third-party company and product or service names referenced in this article are for identification purposes only and do not imply endorsement or affiliation with Lumen. This document represents Lumen products and offerings as of the date of issue.