When a massive cyberattack took down many major websites in 2016—including those of Amazon.com, HBO, Netflix, The New York Times, and Spotify—authorities feared that it may have been the work of a hostile nation-state. But the culprits turned out to be less interesting than the way the attack was carried out: More than 600,000 hacked devices flooded the Internet with more than 1 terabyte per second of junk data, in what came to be known as the Mirai botnet.
A botnet, or robot network, is a string of infected computers that carries out a task. Often, that task is a distributed denial-of-service attack to block access to a site or service, says David London, senior director at security and risk management advisory company The Chertoff Group. The word “computers” is loosely used today, he says, as botnets can infect servers, mobile devices, laptops and, in the case of Mirai, Internet-connected devices such as DVRs, cameras, and “smart” light bulbs and meters, collectively known as the Internet of Things.
Cybercriminals recruit computers to build their botnets through traditional malware avenues. These might include malicious links sent through emails, phishing attempts, vulnerability exploits, or drive-by downloads, London says.
READ MORE ON BOTNETS
New botnet Torii showcases next stage of IoT abuse, researchers say
FBI’s router reboot call reminds us why to check for updates
Your old router could be a hacking group’s APT pawn
Why hackers love your Wi-Fi (and how to protect it)
Time for a Department of the Internet of Things?
The long reach of Mirai, the Internet of Things botnet
5 questions to ask before buying an IOT device
Once thousands or even millions of devices are infected, cybercriminals typically use the botnet to carry out a DDoS attack against various targets, says Richard White, professor of cybersecurity at the University of Maryland University College, rendering their sites inaccessible.
Cybercriminals can also use botnets to steal log-in credentials, create backdoors, laterally move previously implanted malware inside an organization, or provide remote access to view traffic or files or pull other data, White says. He calls botnets “the workhorses of the middle strata of cybersecurity bad actors.”
Unlike with other successful cyberattacks, such as ransomware—in which hackers lock your computer or files until you pay a ransom—most people aren’t aware that their devices have joined a botnet, London says.
“You’ll have no idea that you’re infected by a botnet because there are activities happening in the background that you don’t get visibility into,” he says. Botnets often “can function without creating a drag on your computing power, so you’re not noticing a reduction in that or your processing speed.”
That’s what makes them effective, White says, and it’s one of the reasons why cybercriminals continue to use them. “They’re very efficient and easy to implant. Once they’re implanted, they have very little chance of being detected.”
Botnets were originally used to carry out legitimate functions across the Internet, such as keeping processes efficient and helping regulate Internet relay chats, White says. “But like every good thing, they’ve become a tool of choice for the bad actor.”
The first known botnet used for a malicious purpose, discovered in 2001, generated about 25 percent of all spam email that year. Since then, botnets have become commoditized, as cybercriminals rent them out on the Dark Web. They’re becoming more widespread, London says, because cybercriminals have greater access to them.
“You’ll have no idea that you’re infected by a botnet because there are activities happening in the background that you don’t get visibility into.”—David London, senior director, The Chertoff Group
A device’s participation in a botnet is largely detectable only through a forensic examination, London and White say. However, there are steps consumers can take to protect their devices against botnets.
- Change default passwords. One of the most popular ways cybercriminals compromise devices is by trying default passwords, London says. If a bad actor accesses a device through a known default password, he could change the device’s functionality. “When you bring a device home, the first thing you should do is change the password from its default,” he says.
- Don’t click on suspicious-looking links. Humans are the weakest links in practicing safe Internet use habits, particularly when interacting with phishing campaigns, London says. To determine whether a link is legitimate, experts recommend hovering your mouse over the link in question, using a URL unshortener to review, or pasting the link into a safety verification service to view a link’s actual destination.
- Keep your antivirus software current. Merely having antivirus software installed on your devices isn’t enough, London says. Make sure that the software is up-to-date and that you’re receiving automated updates.
- Buy reputable devices. Be an astute consumer when purchasing new technology, London says. Not all Internet-connected devices are created equal. Make sure that wireless connections to your Internet-connected device are encrypted, that the passwords it requires are of a sufficient complexity and length, and that the device allows you to update the access password, experts say.
“These are some of the basic cyber hygiene practices people should practice, regardless of whether or not they’re concerned about becoming part of a botnet,” London says. “It’s really an arms race. Security professionals are becoming more capable of anticipating and trying to mitigate the impacts, but the adversaries are continuing to evolve their craft as well.”