Botnets: The Information Stealers Mama Never Warned You About


Trojans, malware and botnets are all information stealers, but there are levels to this stuff – and they are much more insidious than you might think.

I grew up a Windows kid in the 80s, before the internet was really a thing. As you can imagine, if you wanted to download software or send someone a message, your options were extremely limited (back then, magazines included articles with pages of BASIC code you could type in hopefully without error – thus downloading was preferred!). Sure, CompuServe and Prodigy were around, but they were terribly expensive, so many of us were stuck using a modem to dial up Bulletin Board Systems (BBSs).

And with downloading software came the potential threat of infecting your personal computer with a virus. But the world was different back then. By today’s standards, computer viruses in the 80s were simply a nuisance. Today, bad actors infect your computer with the worst of intentions – specifically, criminals are looking to monetize your data, including the credentials you use to log into websites and apps.

With that in mind, this article focuses on the most nefarious of information stealers – botnets – and how to protect yourself.

What are botnets?

Built on the client/server model, botnets (short for “robot network”) are a network of computers infected by malware that are under the control of a single authority known as the “bot-herder.” The bot-herder relies on a Command & Control Server (C2) to administer the bots, and since the infected computers take their orders from the C2, a botnet infection is like having a malicious hacker inside your network.

In the beginning, botnets were used to propagate spam or carry out Distributed Denial of Service (DDoS) attacks. As they matured, some botnet infections even included keyloggers to record your keystrokes, allowing the bad guys to capture the usernames and passwords that you use to log into your favorite services such as email, streaming services, financial institutions, and social media.

The botnets of today are much more sophisticated. They are typically delivered in the form of a trojan – an email attachment or maliciously embedded in software that you might download. And while antivirus software might provide some protection, oftentimes the botnet delivery methods are sophisticated enough to evade detection even by the best antivirus software.
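Because a bot has to check in with its C2 server to receive orders, the one thing it cannot hide is timing: infected hosts tend to contact the same destination at near-fixed intervals. The following added example (not from the original post) scans a constructed proxy log for that pattern; the log format, hostnames and timestamps are all made up for illustration.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample proxy log (not real traffic). One line per connection:
# "<epoch_seconds> <src_host> <dst_host> <bytes>"
SAMPLE_LOG = """\
1700000000 ws-17 updates.example-vendor.test 5120
1700000300 ws-17 c2-placeholder.test 412
1700000600 ws-17 c2-placeholder.test 398
1700000900 ws-17 c2-placeholder.test 405
1700001200 ws-17 c2-placeholder.test 410
1700001500 ws-17 c2-placeholder.test 401
1700000030 ws-17 news.example.test 80211
1700000950 ws-17 news.example.test 91234
1700003000 ws-17 news.example.test 70002
1700000100 ws-22 mail.example.test 2200
1700004100 ws-22 mail.example.test 2300
"""

def parse_log(text):
    """Yield (timestamp, src, dst) tuples from the constructed log format."""
    for line in text.splitlines():
        m = re.match(r"(\d+) (\S+) (\S+) (\d+)$", line)
        if m:
            yield int(m.group(1)), m.group(2), m.group(3)

def find_beacons(text, min_hits=5, max_jitter=0.1):
    """Return {(src, dst): interval} for host pairs whose connections recur
    at nearly fixed intervals: the check-in rhythm of a bot polling its C2.
    Human browsing (irregular gaps) and rare contacts are left out."""
    times = defaultdict(list)
    for ts, src, dst in parse_log(text):
        times[(src, dst)].append(ts)
    beacons = {}
    for pair, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Coefficient of variation: a low value means machine-driven timing.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[pair] = avg
    return beacons

if __name__ == "__main__":
    for (src, dst), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: contacts every {interval:.0f}s, review this host")
```

Real beaconing adds random jitter and sleeps, so in practice the tolerance and minimum hit count are tuned against your own baseline rather than fixed at these values.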

Once botnet malware is installed, it steals information from your computer including:

  • Usernames and passwords
  • Hostnames from browsers & FTP clients
  • Browser cookies
  • Autofill data
  • Bitcoin wallets
  • Files with specific extensions
  • Screenshots of the user desktop
  • Chat history
  • List of installed programs and running processes
  • Machine globally unique identifier (GUID) as well as system architecture, system language, username and computer name

…and much more.

And let us not forget that even after stealing everything I mentioned above, botnets still have the ability to execute backdoor commands from a remote bot-herder. Not only does this mean they can collect your computer’s network settings, download additional malicious software, and execute or delete files – they can also use your computer to perpetrate malicious criminal behavior.

Once the bad guys have your data, the next step is to monetize it. Typically, this means trading your data with other bad guys they know, or openly commoditizing it on the dark web. That’s right, your video streaming credentials, bank login information along with the other best kept secrets harvested from your computer are actually for sale on an open market. And if you are a bad guy, you can even pay to install your own malware on previously infected hosts to help you carry out large scale attacks or other bad behaviors en masse.

Some of the largest botnets can sport 600,000 to 1 million bots, resulting in huge revenue streams for threat actors. According to research from the University of Twente in the Netherlands:

Distributed denial-of-service attacks using a network of 30,000 bots can generate around $26,000 a month. Spam advertising with 10,000 bots generates around $300,000 a month, and bank fraud with 30,000 bots can generate over $18 million per month. But the most profitable undertaking is click fraud, which generates well over $20 million a month of profit.

In all fairness, that’s not all profit. There are costs associated with setting up and maintaining botnets: according to the same research, it’s estimated at 2 to 10 cents per device to install the malware, plus the costs to maintain the network – re-infecting machines that have had it removed by anti-malware software or an OS patch. Regardless, this remains a lucrative endeavor, which is why threat actors continue to invest their time and effort.

Security leaders and practitioners rightly remain concerned about users’ exposure to malware and other exploits – in fact, in a report we’re publishing this month, we found that 39% of survey respondents from companies of all sizes reported such concern. Malware was at the top of their list of risks to remote users.

How can you protect yourself from malware?

  • Deploy antivirus / anti-malware software, keep it up to date, and run frequent scans on downloads and on your full machine.
    It’s a critical first step to protect yourself from many cyber threats, but it’s not a silver bullet due to the growing sophistication of malware and, no surprise, human behavior. While most companies have deployed antivirus solutions (most market studies cite 80%+ of machines have it installed), in some locations, 50% of people aren’t using it. With remote work becoming more common, it becomes harder to mandate such usage, so I also recommend…
  • Think before downloading anything.
    While that free program looks tempting, it could be malware in disguise. Be suspicious of attachments from unknown sources; 94% of malware is delivered by email.
  • Educate yourself and your users constantly.
    Some of us have gotten complacent with once/year security awareness training. It’s not enough. We need reminders not to click suspicious links and avoid downloading attachments from untrusted sources. I believe in the benefit of the Baader-Meinhof phenomenon, where after noticing something for the first time, you see it all the time. The goal of security training isn’t to make you afraid to use the tools you need to do your work, but instead to make you cautious about clicking that link or downloading that invoice from that new vendor’s finance contact.
  • Be vigilant about your online account security.
    Malware can result in breached accounts, particularly keyloggers that can siphon your login credentials. If you notice an uptick in suspicious activity on several of your accounts (especially if you’re doing the right thing and using a unique, complex password for each account), the cause could be malware. I recommend installing an antivirus program and running a scan, then going through accounts and changing passwords once your machine has been cleaned.

We created a guide to remediating infections from keylogger malware, and I encourage you to check it out to learn how to handle these situations for your employees and consumers.

We want to help you solve the problems posed by botnets. Please contact us for a ‘healthcheck’ on your domain – we’ll share the data we’ve collected and discuss proactive approaches that keep your users (and your corporate data) safe.

Stop exposures from becoming account breaches.