Learn how cyber criminals use botnets

The reality is that there are millions of botnet-infected computers and other network devices out there, yet identifying any one of them is very hard. To the end user everything seems as it should be: no trouble connecting to the internet and no visible problems on the PC itself. Yet that machine may already have been turned into a zombie, also known as a bot.

The more compromised computers become bots, the larger and more powerful the botnet becomes. Each zombie computer now calls home to what is called a C&C server (Command & Control). C&C is software, but because it runs on a server, people refer to it as the C&C server.

From the C&C server the attacker can now control all of the bots and do with them as he or she wishes.

Origin of Botnet

A botnet is so powerful that it doesn't necessarily require anything to be clicked on, though of course you can find botnets of that type too. Because it is a type of malware, a bot can be picked up from social networking sites, e-mails, free software downloads, YouTube videos and free movie downloads. Similarly to spyware, it can be obtained from many sources, and once your computer is infected it can start to spread to every device on the same network as the compromised machine. For example, if you have a computer, a laptop, an Xbox and a mobile phone on your home network and one of them is infected, believe me, all of your devices will be infected. At some point it can become self-spreading, but the usual start is downloading a trusted piece of free software from an untrusted source: it might carry the bot hidden inside a Trojan. It might come in another form, such as a dodgy e-mail saying that you have been chosen and have won some amount of money, so you must click the link to claim your winnings. Again, when you click that link you won't realize that the Trojan is already installing itself on your computer. This is what makes it so dangerous, and why it is nearly impossible to know whether your PC is already a zombie. Infected media can be another source: a USB stick, or nowadays even cheap smartphones bought from China, can contain Trojans that spread to other network devices and create a robot network.

Relation between the bot and the C&C Server

Imagine that a torrent of a movie is infected with a Trojan that carries a bot, and that around 2000 – 4000 people download it every day for the next three months. Eventually those 300,000 computers would become bots in a certain robot network. You might ask: how on Earth would all those bots connect to a C&C server? First of all, 300K computers on one botnet is an average number. Cyber security experts have previously taken down botnets as large as 30 million zombie computers, such as BREDOLAB, which also ran under the alias OFICLA. This was a Russian botnet. It has since been taken down, but the reality is that we simply don't know, or at least cannot be sure, how many botnets are out there.

So, back to the victim's computer: once the bot installs itself (this component is called the bot binary), it still has to find a way to reach the C&C server so the two can communicate and exchange messages. The bot binary can contain a hard-coded IP address, which it uses to announce itself to the internet so the C&C server can find its bots. There are other methods too. Another common way is for a particular domain name to be written into the bot binary, which the bot then uses to find its master C&C server. Either way, once the zombie computer registers itself with the C&C server it officially becomes a bot, and the robot network army begins to grow.
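As an added illustration (not part of the original post), the following Python shows the defender's side of this call-home behaviour: a bot that contacts its hard-coded IP address or domain on a timer leaves a regular rhythm in outbound connection logs, and that rhythm can be detected. The log format, hosts and addresses are all constructed for the example.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of outbound connection log lines (not real traffic):
# "<epoch_seconds> <src_ip> -> <destination>:<port>"
SAMPLE_LOG = """\
1700000000 10.0.0.5 -> 203.0.113.7:443
1700000060 10.0.0.5 -> 203.0.113.7:443
1700000120 10.0.0.5 -> 203.0.113.7:443
1700000180 10.0.0.5 -> 203.0.113.7:443
1700000240 10.0.0.5 -> 203.0.113.7:443
1700000012 10.0.0.5 -> example.net:443
1700000400 10.0.0.5 -> example.net:443
1700000471 10.0.0.5 -> example.net:443
1700001200 10.0.0.5 -> example.net:443
1700000030 10.0.0.9 -> 198.51.100.2:80
1700000090 10.0.0.9 -> 198.51.100.2:80
"""

LINE_RE = re.compile(r"^(\d+) (\S+) -> (\S+):(\d+)$")


def parse_log(text):
    """Return {(src, dst, port): [timestamps]} from the constructed log format."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, port = m.groups()
            flows[(src, dst, int(port))].append(int(ts))
    return flows


def find_beacons(flows, min_hits=4, max_jitter=0.2):
    """Flag flows whose gaps between connections are almost constant.

    A bot calling home on a fixed timer produces near-identical intervals,
    so the coefficient of variation (stdev / mean) of those gaps stays small.
    Flows with fewer than min_hits connections cannot establish a rhythm and
    are skipped. Returns [((src, dst, port), average_interval_seconds), ...].
    """
    beacons = []
    for key, stamps in flows.items():
        if len(stamps) < min_hits:
            continue
        stamps = sorted(stamps)
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((key, round(avg)))
    return beacons
```

Ordinary browsing (the irregular example.net connections) is not flagged, while the host contacting 203.0.113.7 every 60 seconds is.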

Botnet purpose

There are good intentions too among some of those who build and use botnets, though as far as we know they are very few. What I have heard is that in certain countries certain websites are blocked, so a few communities use botnets to access information their government wouldn't allow them to view under its laws.

The reality is that botnets are used mainly by the bad guys, and more specifically by large underworld cyber criminal organizations.

Similarly to spyware, once your computer becomes a bot it can forward all sorts of sensitive information to its master, the C&C server: usernames, passwords, bank account details. However, the primary purpose of botnets goes deeper than that.

Some people build botnets only to sell them to cyber criminals, and the larger the botnet, the more it is worth. Certain botnets contain only bots from the US or from Europe, and those are a little cheaper; large botnets with bots spread across different continents are more expensive. A botnet consisting of a C&C server and 50-100 bots sells for between $200 and $800, though it all depends on the location of the bots too. Taking this further, large cyber criminal groups run multiple botnets, each with 10K+ zombie computers, and rent them out for an hourly or daily fee. Again, it depends on the requirements, the number of bots and their location, but an average price for 5000 bots with a C&C server is around $100 for one hour, or $1000 per day.

With a botnet of 5000 bots you have to understand that not all 5000 zombie computers can be used at the same time, as some of them may be switched off. Still, I wanted you to understand the pricing on such a marketplace.

Back to the purpose of botnets: some organizations use them to launch a DDoS (Distributed Denial of Service) attack against a particular company, perhaps a competitor, or as the revenge of an ex-employee. Either way, botnets can be used for attacks, but more and more they are used for financial gain, and that means Bitcoin mining.

Bitcoin mining is very popular, but to mine Bitcoin you need a huge amount of combined CPU power, so large botnets are perfect for the exercise. This process is also known as silent Bitcoin mining. It must be controlled carefully, though, because mining would drive every bot to 100% CPU; the operators throttle it so the victims don't realize that their computer (bot) is silently mining Bitcoin.

Who is behind the C&C Server?

As I mentioned, all the bots are centralized and controlled by the C&C server. Because of this centralized coordination, taking down such a robot network means the source must be identified and caught. The reality is that a bot master is always very careful and will probably only log into the C&C server over a connection that is fully secured. Of course, nothing offers more of a guarantee than the multi-layered network called Tor.

The Tor network allows the bot master to be anonymous. It removes the traces of his or her identity, leaving the bot master untraceable.

How to avoid your computer becoming a zombie?

The answer is simple: back to basics! Do not download software from untrusted sources; even if the software is free, make sure you are getting it from a trusted source. I would recommend that you do not download torrents of movies, music or video games, as the chance that those files are infected is very high.

E-mails advertising things that are too good to be true: DO NOT OPEN them, period.

Your computer should not remember your username and passwords either. Also, if you buy a new laptop or desktop computer, you must change the passwords. Furthermore, just be careful and be reasonable about the information presented to you. For example, if you are told that you have won one million dollars and all you have to do is click the link to claim it, yet you never entered anything anywhere, how could you have won anything, right!? So again, do not click on anything you are unsure of, especially weird programs that supposedly help you do things like hacking into someone's Facebook account.

You must PURCHASE (not crack) an antivirus and update it regularly. Second, you should install a firewall; even a software one would help you spot whether you are infected. Next to that, you must always run the latest operating system, especially if you have Windows. Vendors release upgrades because they have found a vulnerability in the previous version of the operating system, so the upgrade is required to patch those vulnerabilities.