For almost two decades, botnets have plagued our networks. Named by combining the words robot and network, a botnet is a network of computers that are infected with malicious software and remotely controlled by cybercriminals known as botmasters.

This task force of bots carries out repetitive, nefarious missions issued by their cybercriminal operators. Botnets are extremely hard to detect because they lie dormant until triggered to execute their tasks.

Cybercriminals Embrace Botnets

Cybercriminals cause harm with botnets in many ways, such as using the Waledac botnet to conduct a pump-and-dump stock spam campaign or launching denial-of-service (DoS) attacks. Botnets can also be used to track victims’ Internet activity, stealing their credentials and personal information. For example, the infamous Gameover Zeus botnet was primarily used to steal infected victims’ online banking login credentials and then initiate fraudulent transactions. It resulted in more than $100 million in reported losses.

Botnet operators can steal confidential documents, source code, trade secrets or other intellectual property. Botnets are also widely used against political targets by hacktivist groups who control a massive beehive of distributed denial-of-service (DDoS) bots. They use these bots to take down government websites, and some even deploy them in an effort to extort victims into paying a ransom in exchange for terminating the attacks.

The Shift to Thingbots

The resiliency of botnets continues to surprise security analysts and law enforcement. In December 2015, IBM X-Force malware researchers found a new variant of the Ramnit banking Trojan and botnet less than a year after it was taken down. While we have seen spam botnets come back after being taken down, this is the first time we have seen a banking botnet come back to life.

Aside from new and reappearing botnets, another, newer angle to this threat is the thingbot — a botnet composed of infected Internet of Things (IoT) devices. These types of malicious activities, whether they leverage botnets or newer thingbots, can wind up costing businesses millions to remediate because they are primarily responsible for the loss of money and personal information of customers and employees.

Botnet components are widely available on the Dark Web, which makes them an appealing and effective tool for attackers. A new IBM X-Force research report takes a look at botnets in detail and at one particular botnet for sale in an underground marketplace. The report highlights the most commonly used botnet protocols, malicious uses of botnets and the botnet trends observed from IBM Managed Security Services data.

Read the full IBM Research Report: The inside story on botnets
