A bot is a computer that has been compromised through a malware infection and can be controlled remotely by a cybercriminal. The cybercriminal can then use the bot (also known as a zombie computer) to launch more attacks, or to bring it into a collection of controlled computers, known as a botnet.
Short for “robot,” the term “bot” originally had a positive connotation, especially in Internet Relay Chat circles. These bots were programs designed to run as a user in the various chat rooms. They could proctor a room, booting out people who used foul language, or referee a trivia game, giving out points and declaring the winner.
But soon after the first beneficial bots started to appear on IRC, so did others that could exploit vulnerabilities and steal passwords and log keystrokes. Out of that usage came the concept of using the IRC client as the basis to launch attacks against other computers. Most botnets today are run through IRC, although more advanced cybercriminals can create their own client.
The two main reasons why cybercriminals create botnets are for financial gain and for recognition. Much like the guy at Muscle Beach who can lift the most weights, bot herders (slang for the hacker who created the bots) gain their notoriety among their peers by the number of infected computers they collect in their botnet. One discovered botnet in Holland collected more than 1.5 million computers.
Bot creation
A bot is created when the malware containing the programming to take over the computer is placed onto its target. Any form of malware delivery can be used to bring the programming onto a computer. It could be brought by a network worm that deposits its payload. It could be a virus that was launched from an infected e-mail attachment. It could be a Trojan horse disguised as a program the target user desired.
After implantation, the bot then attempts to connect with the command-and-control server (as stated above, usually an IRC server). From there, the bot herder can launch any number of attacks.
Types of attacks
As mentioned earlier, most bot attacks have some sort of financial gain as the aim of such cybercrime, while others are done purely for recognition. Some of the types of attacks that can be launched after a computer has been taken over as a bot include:
- Spambot – One of the most common uses of a bot, a spambot is a machine that automatically distributes spam e-mails. Mostly, these are e-mails that contain advertisements for questionable products (pornography, black market pharmaceuticals, fake antivirus software, counterfeit goods) or contain computer viruses themselves. A spammer will usually purchase a botnet from a bot herder in order to use the infected computers to send out the spam e-mails, concealing where the attacks are actually originating.
- Denial-of-service – Another popular use of a bot, denial-of-service attacks look to invade a network or an Internet service provider, usually by stealth, in order to disrupt or cripple service. Here, the attacker tries to get as many computers infected as possible in order to have a bigger botnet with which to perform a distributed denial-of-service (DDoS) attack.
- Spyware – Spyware is any malware that can be used to gain information from its target or targets, anything from passwords and credit card information to the physical data contained within files. These can be lucrative to a bot herder, as they can sell the data on the black market. If a bot herder gains control of a corporate network, these can be all the more lucrative, as they may be able to sell the “rights” to their bank accounts and their intellectual property.
- Click fraud – This form of remote control can allow a bot herder to surreptitiously click links on Web sites and online advertising, bolstering numbers for advertisers and producing more money.
- Dial-up bots – Dial-up bots look to connect to dial-up modems and force them to dial phone numbers. Sometimes the effect is to tie up the line, eventually forcing the user to change numbers. Other times, the effect is to dial premium-rate phone numbers (1-900 numbers) in order to rack up charges on someone else’s bill. It goes without saying that this type of attack is beginning to go by the wayside, as more and more people move away from dial-up modems to broadband connections.
What is Mirai?
Mirai is malware that infects smart devices that run on ARC processors, turning them into a network of remotely controlled bots or "zombies". This network of bots, called a botnet, is often used to launch DDoS attacks.
Malware, short for malicious software, is an umbrella term that includes computer worms, viruses, Trojan horses, rootkits and spyware.
In September 2016, the authors of the Mirai malware launched a DDoS attack on the website of a well-known security expert. A week later they released the source code into the world, possibly in an attempt to hide the origins of that attack. This code was quickly replicated by other cybercriminals, and is believed to be behind the massive attack that brought down the domain registration services provider, Dyn, in October 2016.
How does Mirai work?
Mirai scans the Internet for IoT devices that run on the ARC processor. This processor runs a stripped-down version of the Linux operating system. If the default username-and-password combo is not changed, Mirai is able to log into the device and infect it.
IoT, short for Internet of Things, is just a fancy term for smart devices that can connect to the Internet. These devices can be baby monitors, vehicles, network routers, agricultural devices, medical devices, environmental monitoring devices, home appliances, DVRs, CC cameras, headsets, or smoke detectors.
The Mirai botnet employed a hundred thousand hijacked IoT devices to bring down Dyn.
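The two network behaviours this article describes, a bot repeatedly calling out to its IRC command-and-control server (see the "Bot creation" section) and Mirai sweeping the Internet for devices that still accept default logins, both leave a footprint in ordinary connection logs. The following Python script is an added example written for this page, not code from the article or from any of the projects it mentions. It runs two simple detections over a handful of constructed flow records: an internal host connecting several times to an external address on the classic IRC port, and a single source touching many distinct hosts on the Telnet port in a short window. The "timestamp src dst dport" record format, the 10.0.0.0/8 internal range, port 6667 as the IRC port, and the thresholds are all assumptions chosen for the example.

```python
"""
Added example for this page (not from the original article): detection logic
for two botnet behaviours, run over constructed sample flow records.

1. Outbound IRC command-and-control: an internal host repeatedly connecting to
   an external address on an IRC port.
2. Mirai-style spreading: one source contacting many distinct hosts on the
   Telnet port, the signature of a login-guessing sweep.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions for this example: the organisation's internal range, the classic
# IRC port (add others such as 6697 for TLS if your environment uses them), and
# thresholds that separate repeated behaviour from one-off connections.
INTERNAL_NET = ip_network("10.0.0.0/8")
IRC_PORTS = {6667}
TELNET_PORT = 23
IRC_MIN_CONNECTIONS = 3
SCAN_MIN_DISTINCT_TARGETS = 5

# Constructed sample records in the form "timestamp src dst dport".
SAMPLE_FLOWS = """\
2016-10-21T12:00:01 10.0.0.15 203.0.113.7 6667
2016-10-21T12:00:31 10.0.0.15 203.0.113.7 6667
2016-10-21T12:01:01 10.0.0.15 203.0.113.7 6667
2016-10-21T12:01:05 10.0.0.22 10.0.0.9 6667
2016-10-21T12:02:00 10.0.0.40 198.51.100.1 23
2016-10-21T12:02:00 10.0.0.40 198.51.100.2 23
2016-10-21T12:02:01 10.0.0.40 198.51.100.3 23
2016-10-21T12:02:01 10.0.0.40 198.51.100.4 23
2016-10-21T12:02:02 10.0.0.40 198.51.100.5 23
2016-10-21T12:02:02 10.0.0.40 198.51.100.6 23
2016-10-21T12:03:00 10.0.0.8 10.0.0.9 23
2016-10-21T12:03:00 10.0.0.8 10.0.0.9 23
"""


def parse_flows(text):
    """Parse one record per line into (ts, src, dst, dport); malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, dport = parts
        try:
            flows.append((ts, ip_address(src), ip_address(dst), int(dport)))
        except ValueError:
            continue  # not an IP address or port number; ignore the record
    return flows


def find_irc_c2(flows, min_connections=IRC_MIN_CONNECTIONS):
    """Return {src: dst} for internal hosts that repeatedly connect out on an IRC port."""
    counts = defaultdict(int)
    for _, src, dst, dport in flows:
        if dport in IRC_PORTS and src in INTERNAL_NET and dst not in INTERNAL_NET:
            counts[(src, dst)] += 1
    return {str(src): str(dst) for (src, dst), n in counts.items() if n >= min_connections}


def find_telnet_scanners(flows, min_targets=SCAN_MIN_DISTINCT_TARGETS):
    """Return {src: distinct_target_count} for sources sweeping Telnet across many hosts."""
    targets = defaultdict(set)
    for _, src, dst, dport in flows:
        if dport == TELNET_PORT:
            targets[src].add(dst)
    return {str(src): len(hosts) for src, hosts in targets.items() if len(hosts) >= min_targets}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("Possible IRC command-and-control:", find_irc_c2(flows))
    print("Telnet sweeps:", find_telnet_scanners(flows))
```

On the sample data the first check flags 10.0.0.15 talking to 203.0.113.7, while the internal-to-internal IRC chatter from 10.0.0.22 is ignored, and the second check flags 10.0.0.40 for hitting six different hosts on port 23, while 10.0.0.8 (two connections to one host) is not reported. In a real deployment the thresholds would be tuned per environment, and the same logic applies unchanged to flow exports or firewall logs once they are parsed into the same tuple shape.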
Who were the creators of the Mirai botnet?
Twenty-one-year-old Paras Jha and twenty-year-old Josiah White co-founded Protraf Solutions, a company offering mitigation services for DDoS attacks. Theirs was a classic case of racketeering: Their business offered DDoS mitigation services to the very organizations their malware attacked.
Why does the Mirai malware remain dangerous?
Mirai is mutating.
Though its original creators have been caught, their source code lives on. It has given birth to variants such as Okiru, Satori, Masuta and PureMasuta. PureMasuta, for example, is able to weaponize the HNAP bug in D-Link devices. The OMG strain, on the other hand, transforms IoT devices into proxies that allow cybercriminals to remain anonymous.
There is also the recently discovered, and powerful, botnet variously nicknamed IoTrooper and Reaper, which is able to compromise IoT devices at a much faster rate than Mirai. Reaper is able to target a larger number of device makers, and has far greater control over its bots.
Bot prevention
With all the damage that can be done to a computer – and through a computer – that has been turned into a bot, it’s important to take these steps to help prevent this type of attack. Prevention methods include:
- Education – Be aware of the Web sites that are visited, and if IRC is used, be wary of certain chat rooms. Also, since the bot programming can be delivered like any other form of malware, be careful of e-mails and instant messages from strangers and chain e-mails that have been forwarded (especially ones with attachments and funny links).
- Software updates – Make sure all operating system and application software is kept up to date with free updates and patches. Their manufacturers are constantly looking to correct vulnerabilities in their products that allow cybercriminals to deliver malware.
- Use antivirus software – When looking for subscription-based, high-quality antivirus software, make sure to choose one with antibot protection. Using appropriate security software also helps stop bots from using your machine for DoS (denial-of-service) attacks and for activities like click fraud.
No protection, not even several used together, is 100 percent guaranteed to stop a computer from turning into a bot and becoming part of a botnet. But using these protections can help raise the odds against an attack.