For almost two decades, botnets have plagued our networks. Named by combining the words robot and network, a botnet is a network of computers that are infected with malicious software and remotely controlled by cybercriminals known as botmasters.

This task force of bots carries out repetitive, nefarious missions issued by their cybercriminal operators. Botnets are extremely hard to detect because the bots lie dormant until triggered to execute their tasks.
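A dormant bot rarely shows up as heavy traffic; what it usually does leave behind is a quiet, clockwork-regular check-in with its command-and-control server. The script below is an added example (it is not from the IBM article or report) of the kind of beaconing check a defender can run over connection logs: it groups records by source and destination, measures the gaps between successive connections, and flags pairs whose timing is too regular to be a human. The log lines, IP addresses and thresholds are constructed for illustration.

```python
"""Added example (not from the IBM article): flagging periodic C2 beaconing.

Groups constructed connection-log records by (src, dst), computes the
intervals between successive connections, and reports pairs whose
interval jitter is near zero, the signature of an automated check-in.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one record per line: "timestamp src_ip dst_ip dst_port bytes".
# 203.0.113.9 is contacted every ~5 minutes with almost no jitter; 198.51.100.20
# is ordinary, irregular browsing-style traffic.
SAMPLE_LOG = """\
2023-03-01T10:00:00 10.0.0.5 203.0.113.9 443 512
2023-03-01T10:00:04 10.0.0.5 198.51.100.20 443 9400
2023-03-01T10:05:01 10.0.0.5 203.0.113.9 443 510
2023-03-01T10:07:30 10.0.0.5 198.51.100.20 443 20100
2023-03-01T10:09:59 10.0.0.5 203.0.113.9 443 515
2023-03-01T10:15:00 10.0.0.5 203.0.113.9 443 508
2023-03-01T10:16:12 10.0.0.5 198.51.100.20 443 3300
2023-03-01T10:20:02 10.0.0.5 203.0.113.9 443 511
2023-03-01T10:24:58 10.0.0.5 203.0.113.9 443 509
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, dst, port, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    return records


def beacon_candidates(records, min_connections=5, max_jitter_ratio=0.1):
    """Return {(src, dst): stats} for pairs whose connection timing is highly regular.

    jitter_ratio = pstdev(intervals) / mean(intervals). A value near zero means the
    gaps between connections are almost identical, which is characteristic of a
    scheduled check-in rather than interactive use. Both thresholds are assumed
    starting points and should be tuned to the environment.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _port, _nbytes in records:
        by_pair[(src, dst)].append(ts)

    findings = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue  # too few observations to judge periodicity
        times.sort()
        intervals = [(later - earlier).total_seconds()
                     for earlier, later in zip(times, times[1:])]
        avg = mean(intervals)
        if avg == 0:
            continue  # all connections at the same instant; not a beacon pattern
        ratio = pstdev(intervals) / avg
        if ratio <= max_jitter_ratio:
            findings[pair] = {
                "connections": len(times),
                "mean_interval_s": round(avg, 1),
                "jitter_ratio": round(ratio, 3),
            }
    return findings


if __name__ == "__main__":
    for (src, dst), stats in beacon_candidates(parse_log(SAMPLE_LOG)).items():
        print(f"possible beacon {src} -> {dst}: {stats}")
```

On the constructed log this flags only the 10.0.0.5 to 203.0.113.9 pair (six connections, roughly 300 seconds apart, jitter ratio under 0.01); the irregular traffic to 198.51.100.20 is ignored. In practice the interesting cases are long-lived, low-byte-count pairs to destinations outside the organisation's normal set, so the output is a triage list to enrich with destination reputation and process context, not a verdict on its own.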

Cybercriminals Embrace Botnets

Cybercriminals cause harm with botnets in many ways, such as using the Waledac botnet to conduct a pump-and-dump stock spam campaign or launching denial-of-service (DoS) attacks. Botnets can also be used to track victims’ Internet activity, stealing their credentials and personal information. For example, the infamous Gameover Zeus botnet was primarily used to steal infected victims’ online banking login credentials and then initiate fraudulent transactions. It resulted in more than $100 million in reported losses.

Botnet operators can steal confidential documents, source code, trade secrets or other intellectual property. Botnets are also widely used against political targets by hacktivist groups who control a massive beehive of distributed denial-of-service (DDoS) bots. They use these bots to take down government websites, and some even implement them in an effort to extort victims into paying a ransom in exchange for terminating the attacks.

The Shift to Thingbots

The resiliency of botnets continues to surprise security analysts and law enforcement. In December 2015, IBM X-Force malware researchers found a new variant of the Ramnit banking Trojan and botnet less than a year after it was taken down. While we have seen spam botnets come back after being taken down, this is the first time we have seen a banking botnet come back to life.

Aside from new and reappearing botnets, another, newer angle to this threat is the thingbot — a botnet composed of infected Internet of Things (IoT) devices. These types of malicious activities, whether they leverage botnets or newer thingbots, can end up costing businesses millions to remediate, since they are a leading cause of lost money and stolen personal information belonging to customers and employees.

Botnet components are widely available on the Dark Web, which makes them an appealing and effective tool for attackers. A new IBM X-Force research report takes a look at botnets in detail and at one particular botnet for sale in an underground marketplace. The report highlights the most commonly used botnet protocols, malicious uses of botnets and the botnet trends observed from IBM Managed Security Services data.

Read the full IBM Research Report: The inside story on botnets
