In 2016, a customer of one of the world’s largest cloud-hosting providers experienced a large spike in traffic on one of their servers. Nearly 150,000 devices visited the server at once, amounting to more than 1 terabit-per-second of traffic. Unable to support such a massive volume of server requests, the server was rendered inaccessible for 7 days before it was eventually salvaged.
This server had been subjected to the largest Distributed Denial of Service (DDoS) attack ever recorded up until that point, nearly doubling the volume of traffic experienced in another attack (around 620 gigabits-per-second) which had occurred only days prior. This large-scale attack had been carried out by hundreds of thousands of compromised Internet of Things (IoT) devices located all around the world, all making requests to the same target server in unison.
Unbeknownst to the owners of those compromised devices (which consisted of cameras, home routers, video players, etc.), malware distributed by an attacker had, at some point in the recent past, silently infected their devices and established remote connections between those devices and the attacker’s personal command-and-control servers. This centralized connection allowed the attacker to control the massive group of compromised devices all at once, and this in turn made it possible to launch a coordinated, overwhelming attack against a vulnerable cloud server.
Referred to as “Robot Networks,” or Botnets for short, these groups of compromised devices cumulatively represent a formidable malware threat – one which can be used to carry out disproportionately large cyberattacks on behalf of a single threat actor.
How are Botnets Formed?
To establish a network of compromised devices, an attacker must first gain control of a smaller group of vulnerable devices using specially crafted malware. This can be accomplished by sharing malware-infected files through various mediums such as email, social media, and more.
Once the attacker’s malware is executed and the initial target devices are compromised, the malware can run quietly in the background of each device to avoid detection. It then establishes a remote connection with the attacker’s command & control servers, signalling that it is now capable of receiving updates and instructions from the attacker’s environment. The attacker can now use these compromised devices to spread the original malware to an even larger number of devices, expanding the network exponentially (and indefinitely). The larger the network the attacker can create, the more effective their eventual botnet attacks can be.
What are Botnets used for?
As outlined in the initial example scenario, botnets are most often utilized to carry out Distributed Denial of Service attacks. These attacks usually aim to temporarily disable servers associated with large corporations, governments and/or political groups, damaging the victims’ reputations while increasing the attacker’s infamy.
Botnets can also be used to carry out a variety of other, equally sinister malicious actions. Attackers can, for example, leverage botnets to distribute other common forms of malware (including viruses, trojans, ransomware, spyware, adware, and more) to a wider net of victims. Large botnets give attackers the capacity to make billions of outgoing malicious requests per day, increasing the likelihood that their malware will infect a substantial volume of target devices.
Attackers can also utilize botnets to compromise smaller and more vulnerable systems within a larger network and leverage those compromised systems to launch subsequent attacks on the network’s interior. This can make it possible for attackers to steal valuable data directly from an organization’s servers, including anything from sensitive customer information to irreplaceable intellectual property.
When botnets become excessively large, the attacker in control of a network may even rent out or sell segments of their network to other cybercriminals on the dark web. There are many additional examples.
How can Botnet Threats be Mitigated?
Because botnets are typically amassed through regular malware attacks (via email, file sharing, etc.), preventing the growth and proliferation of botnets begins with protecting our own devices against regular malware attack vectors.
Staying alert to the possibility of dangerous spam emails, untrustworthy content and social engineering ploys has a key role in preventing the growth of botnets.
Further, it’s often possible to tell if our device has been compromised by analyzing the performance of our applications and the speed of our regular internet activities. If we suddenly notice a significant drop-off in speed and performance on our device, it’s possible that malware could be running in the background and passively eating up our computer’s resources.
Preventing Compromised Devices & Detecting Botnet Traffic with Cloudmersive APIs
The Cloudmersive Virus Scan API can be used to help prevent malware from infecting your devices and adding them to a botnet. In addition, you can use various iterations of the Cloudmersive Security API to determine whether devices which are known participants in established botnets are visiting your network.
The Advanced Scan iteration of the Cloudmersive Virus Scan API can be used to scan files and content for malware. This API can be deployed in no-code product form at the network edge (Cloudmersive Shield) within forward or reverse proxies, and it can be used to perform in-storage scanning (Cloudmersive Storage Protect) for AWS S3, Google Cloud Storage, SharePoint Online Site Drive, and Azure Blob storage instances. This API additionally scans files for viruses and unwanted content types including executables, invalid files, password-protected files, and more.
The Check if IP Address is a Known Threat Security API iteration can be used to determine if a certain IP address is currently included on a continuously updated list of bad IPs, botnets, compromised servers, and other similar threats. If one of these threats is detected, the threat type will be identified in the API response through the “ThreatType” string value.
Similarly, the Check if IP Address is a Bot Client Threat Security API iteration can be used to check whether IP addresses belong to bots, robots or other non-user entities. This API leverages real-time signals to check against high-probability bots, returning an “IsBot” Boolean with the threat detection outcome.
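As an added illustration (not Cloudmersive’s own code), the snippet below shows how a gateway might turn the two response fields described above, “ThreatType” and “IsBot”, into a per-visitor action, looking each distinct IP up only once. The endpoint paths are assumptions for this example, the HTTP call is injected so the logic runs offline, and all replies and IP addresses are constructed sample data.

```python
import json
from typing import Callable, Dict

# ThreatType and IsBot are the response fields the article names. The two endpoint
# paths below are assumptions for this example; check them against the API reference.
THREAT_URL = "https://api.cloudmersive.com/security/threat-detection/ip/is-threat"  # assumed
BOT_URL = "https://api.cloudmersive.com/security/threat-detection/ip/is-bot"        # assumed

Fetcher = Callable[[str, str], str]  # (endpoint, ip) -> raw JSON response body

def classify_ip(ip: str, fetch: Fetcher) -> Dict[str, str]:
    """Map the two API answers for one visiting IP to a gateway action."""
    threat = json.loads(fetch(THREAT_URL, ip))
    # Assumed: a non-threat reply carries an empty or "None" ThreatType.
    threat_type = str(threat.get("ThreatType") or "").strip()
    if threat_type and threat_type.lower() != "none":
        return {"ip": ip, "action": "block", "reason": f"known threat: {threat_type}"}
    bot = json.loads(fetch(BOT_URL, ip))  # only consulted when the IP is not a listed threat
    if bot.get("IsBot") is True:
        return {"ip": ip, "action": "challenge", "reason": "high-probability bot client"}
    return {"ip": ip, "action": "allow", "reason": "no threat signal"}

def triage_visitors(ips, fetch: Fetcher) -> Dict[str, Dict[str, str]]:
    """Classify each distinct IP once, so a flood of repeated hits costs one lookup each."""
    verdicts: Dict[str, Dict[str, str]] = {}
    for ip in ips:
        if ip not in verdicts:
            verdicts[ip] = classify_ip(ip, fetch)
    return verdicts

# Constructed replies standing in for live responses (sample data, not real lookups).
SAMPLE_REPLIES = {
    ("203.0.113.10", THREAT_URL): '{"ThreatType": "Botnet"}',
    ("203.0.113.20", THREAT_URL): '{"ThreatType": "None"}',
    ("203.0.113.20", BOT_URL): '{"IsBot": true}',
    ("203.0.113.30", THREAT_URL): '{"ThreatType": "None"}',
    ("203.0.113.30", BOT_URL): '{"IsBot": false}',
}

def offline_fetch(url: str, ip: str) -> str:
    return SAMPLE_REPLIES[(ip, url)]

if __name__ == "__main__":
    # Constructed access-log sample: one repeat visitor plus two others.
    hits = ["203.0.113.10", "203.0.113.20", "203.0.113.10", "203.0.113.30"]
    for verdict in triage_visitors(hits, offline_fetch).values():
        print(verdict)
```

A live deployment would replace offline_fetch with a function that POSTs the IP to each endpoint with the account’s API key and returns the response body.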
For more information on Cloudmersive Virus Scan APIs and Security APIs, please do not hesitate to reach out to a member of our sales team.