Battling the Botnets
Botnets are not necessarily a bad thing. Consider a SIEM (Security Information and Event Management) solution; it needs to gather data from individual nodes to build up a picture of the state of the network. On the wider Internet bots are core to search engine indexing.
The presence of botnets is on the rise. The Spamhaus botnet threat update for Q4 2021 found a 23% increase in botnet controllers since the previous quarter. A Statista report on the distribution of bot and human web traffic worldwide in 2019 and 2020 indicated that about 40% of web traffic consisted of some sort of bot activity.
The consequence to the nodes hosting bots is that some proportion of their processing power and bandwidth will be taken up, reducing the resources available for other tasks and potentially lowering performance. As network and processing speeds have increased, the impact of bots might be expected to be diminishing. This is unlikely, because the number of bots and the activity of those bots are also increasing. As an analogy, we have more and wider roads, but more vehicles are spending more time on them. Simpler bots require a controller system to send instructions and gather data from the network. More sophisticated systems use a peer-to-peer approach: each bot seeks out and maintains information on other bots in its network. Without a dedicated controller it becomes harder to shut down the network. As the bots continually chatter to keep the botnet linked up, there will be a consequent increase in processing and network traffic.
Malicious botnet traffic is historically linked to Denial of Service attacks. The Zeus malware for example, designed to steal financial information, was first reported in 2007 and later evolved into over 545 variants. The Zeus legacy is still with us. Zloader (based on Zeus code) was the target of legal action from Microsoft in 2021.
Bots are not confined to desktop computers but can run on simpler Internet of Things (the clue is in the name) devices. Devices that can be remotely controlled or updated are most at risk due to their management connections facilitating bot spreading. Simpler systems that are set up by dedicated connection to a desktop machine (such as through USB) are not as vulnerable but it will be much harder to clean the bots out if all IoT devices need to be individually reset.
SpamBots are another implementation of malicious botnet activity. Spam filters on email and comment sites filter out obvious Spam. In many cases the purpose of the Spam traffic itself is obscure. Why would the recipient want some niche service in a far-off country and in a language they do not speak? Some implementations will be simply vanity hacks, just because the sender can. Many will be exploiting pay-per-click mechanisms, either to drive clicks and the associated income, likes or referrers for search engine rankings, or to cause someone the expense of paying for clicks from non-existent customers. Others can be the first step in a phishing attack leading to the theft of personal information and eventual financial fraud.
There are no obvious legal or financial implications of unknowingly hosting a botnet. If the network operator can prove that they are unaware of any botnet infestation, they may be exempt from any fines caused by that botnet's activity. Botnets can traffic in personal information, at the very least the host IP addresses of other nodes in the network. It is unlikely that this would be a case for a GDPR breach, even if the host were deliberately accessing the botnet for research or other legitimate use.
There are, however, ethical consequences in being partly responsible for a botnet directed attack. These should be considered alongside the loss of system performance caused by the bot activity.
There may be no indicator that a botnet is present on a system. Kindus suggest that botnet presence or attempted presence be assumed. We recommend the following precautions to minimise the chance of a botnet infestation:
- Update SPAM filters to block suspect sites and domains.
- Ensure that staff are trained to recognise suspect links or sites.
- Encourage staff to report potential incidents without any fear of personal blame.
Anti-malware programs will detect some botnet infestations and should be adequate for individual users. Within corporate networks, Kindus provide support for sophisticated detection and removal tools appropriate to the system scale and activities.