A botnet is a network of infected “zombie” computers (bots), most often used by attackers to run DDoS attacks and mass spam campaigns, but also for less obvious activities such as cryptocurrency mining. In most cases the botnet is controlled by a server (client-server model); less often it is a decentralized peer-to-peer (P2P) network. A botnet can consist of millions of infected computers.
By design, the botnet client is a hybrid of a Trojan and a rootkit. Signs of infection usually do not appear at all until the bot receives an activation command. While the bot is active, network traffic and resource load increase, which is itself a possible sign that the device has become a bot.
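The paragraph above notes that a rise in traffic and resource load is a possible sign of infection. As an added example (not part of the original article), the following Python script turns that observation into a per-host baseline check over constructed hourly flow summaries: each host's latest hour is compared with the median of its own earlier hours, and a jump in outbound bytes or in the number of distinct destinations is reported. The record shape, the host addresses, the 5x factor and the three-hour minimum history are all assumptions chosen for illustration.

```python
"""Flag hosts whose outbound behaviour jumps far above their own baseline.

Added example, not from the original article. Records are constructed hourly
per-host summaries of the form (host, hour, bytes_out, distinct_destinations);
the threshold factor and minimum history are illustrative assumptions.
"""
from collections import defaultdict
from statistics import median
from typing import Dict, List, Tuple

FlowRecord = Tuple[str, int, int, int]  # (host, hour, bytes_out, distinct_destinations)

SAMPLE_FLOWS: List[FlowRecord] = [
    # Constructed data: 10.0.0.3 behaves like a normal workstation throughout.
    ("10.0.0.3", 0, 1_200_000, 14), ("10.0.0.3", 1, 1_100_000, 12),
    ("10.0.0.3", 2, 1_300_000, 15), ("10.0.0.3", 3, 1_000_000, 11),
    ("10.0.0.3", 4, 1_250_000, 13), ("10.0.0.3", 5, 1_150_000, 12),
    ("10.0.0.3", 6, 1_400_000, 13),
    # 10.0.0.7 is quiet, then in hour 6 pushes far more bytes to far more peers
    # (the pattern one would expect from a bot sending spam or flood traffic).
    ("10.0.0.7", 0, 900_000, 9), ("10.0.0.7", 1, 950_000, 10),
    ("10.0.0.7", 2, 880_000, 8), ("10.0.0.7", 3, 920_000, 9),
    ("10.0.0.7", 4, 910_000, 11), ("10.0.0.7", 5, 940_000, 10),
    ("10.0.0.7", 6, 48_000_000, 2_600),
    # 10.0.0.9 keeps its volume but suddenly talks to hundreds of new destinations.
    ("10.0.0.9", 0, 500_000, 5), ("10.0.0.9", 1, 520_000, 6),
    ("10.0.0.9", 2, 480_000, 5), ("10.0.0.9", 3, 510_000, 7),
    ("10.0.0.9", 4, 490_000, 6), ("10.0.0.9", 5, 505_000, 5),
    ("10.0.0.9", 6, 600_000, 420),
    # 10.0.0.12 has too little history to judge and is skipped, not flagged.
    ("10.0.0.12", 5, 3_000_000, 40), ("10.0.0.12", 6, 9_000_000, 90),
]


def detect_spikes(records: List[FlowRecord], factor: float = 5.0,
                  min_history: int = 3) -> Dict[str, List[str]]:
    """Return {host: [reasons]} for hosts whose latest hour exceeds
    `factor` times the median of their earlier hours on either metric.

    Hosts with fewer than `min_history` earlier hours are not evaluated,
    because a baseline built from one or two samples is meaningless.
    """
    by_host: Dict[str, List[Tuple[int, int, int]]] = defaultdict(list)
    for host, hour, bytes_out, dsts in records:
        by_host[host].append((hour, bytes_out, dsts))

    findings: Dict[str, List[str]] = {}
    for host, rows in by_host.items():
        rows.sort()                      # chronological order by hour
        history, current = rows[:-1], rows[-1]
        if len(history) < min_history:
            continue
        # Median rather than mean: one earlier busy hour must not hide a spike.
        base_bytes = median(r[1] for r in history)
        base_dsts = median(r[2] for r in history)
        reasons = []
        if current[1] > factor * base_bytes:
            reasons.append("bytes_out")
        if current[2] > factor * base_dsts:
            reasons.append("distinct_destinations")
        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in sorted(detect_spikes(SAMPLE_FLOWS).items()):
        print(f"{host}: anomalous {', '.join(reasons)} in latest hour")
```

A flagged host is a lead for investigation, not proof of infection: a backup job or a software rollout also produces such jumps. The fixed multiple of a short median baseline is deliberately simple; a production version would use a longer baseline and account for time of day.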
In addition to mass mailing and attacks, botnets spread malware and steal personal data. The bot may include a downloader component that fetches Trojans and other malware over the network, updates an outdated version of the bot, and so on.
Most bot variants support a proxy function: an infected computer can act as a proxy server, hiding the real address of the attacker’s control server.
The most common use is DDoS attacks, which can take down a website or a network (for example, a network of IoT devices). DDoS attacks are often commissioned by competitors against, for example, online stores and financial organizations, where most customers arrive via the Internet and prolonged downtime means serious losses. This is why advanced botnets such as Emotet or Dridex are a profitable business.
In about half of the cases, a computer becomes a bot after the user downloads a Trojan. However, as antivirus products keep improving, this method is already considered old-fashioned.
A more sophisticated infection path: an attacker scans blogs and forums for vulnerabilities, plants an exploit (executable malicious code) on the site, and the exploit fires through a browser vulnerability when a user visits the compromised page.