
BotNet (Robot Network) is the label given to a global network of machines remotely controlled by a single controller. Control is usually established through virus infections and in most situations, a machine within a BotNet may not even show signs of being controlled remotely.
BotNets are often used to perform brute-force attacks from multiple machines on a single host or group of computers, to either break their security or cause a distributed denial of service (DDoS) attack. More recently, the software used to remotely control infected machines can also steal personal information, identities, passwords, etc.
Successful BotNet attacks can occur when someone (or something) gains unauthorised access to your PC or network. This is referred to as a 'compromise' and can come in a variety of forms such as remote control methods, key loggers, viruses, trojans and other malware. A compromised machine is referred to as a zombie.
You can decrease the likelihood of infection by patching your operating system and software applications, using proper anti-virus software, and treading carefully around unsolicited messages and pirated files.
The types of people behind BotNets and hacking in general are quite varied, ranging from:
There is also a market for disrupting others for commercial benefit, like damaging a business network to disrupt productivity for days, weeks or even months. Without proper business continuity/disaster recovery planning, untold damage could be done to the company as a whole.
You might be thinking this doesn't affect a residential customer, but unfortunately it does. Many forms of malware can infect a work environment through its employees and spread the BotNet to commercial machines. Infected emails sent to a work address, or portable storage carried in or out of the workplace, can spread infections and the resulting damage.
Pirated material is a common attack vector for the delivery of viruses. Trojans and spyware can do anything from stealing your private data to infesting your system and attacking others. They can be hidden in all forms of pirated material, from pictures to programs and even audio files.
For best effect, these sneaky hidden 'features' are included in 'key generators' or 'cracks', if not in the program or file itself. Software may seem to function fine, while in the background the malicious software does as it will.
A more recent adaptation is the delivery of viruses via a compromised PDF or EXE file. The key here is that if you receive an unsolicited message containing a PDF or EXE file, treat the message as spam and immediately delete it.
On Windows machines, often a compromised machine will perform slowly or there will be a marked increase in Internet usage. Symptoms usually start after an unexpected reboot of the machine and once it resumes, the Windows firewall will be disabled.
Other symptoms include the inability to get Windows updates, and being unable to browse to security vendor sites on the Internet.
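A read-only PowerShell check for the Windows symptoms listed above (firewall disabled, Windows updates unavailable, security vendor sites unreachable), added here as an example and not part of the original article. It assumes Windows 8 or later; the host pattern is a constructed sample, and looking at the Windows Update service and the hosts file are assumptions about how the last two symptoms might be caused.

```powershell
# Read-only triage for the symptoms described above. It changes nothing.
# Assumption: Windows 8 / Server 2012 or later (Get-NetFirewallProfile).

# Constructed sample pattern of security vendor / update host names; edit to suit.
$VendorPattern = 'malwarebytes|windowsupdate|update\.microsoft'

$findings = @()

# Symptom: the Windows firewall has been disabled.
foreach ($fw in Get-NetFirewallProfile) {
    if ([string]$fw.Enabled -ne 'True') {
        $findings += "Firewall profile '$($fw.Name)' is not enabled"
    }
}

# Symptom: unable to get Windows updates.
# Assumption: a disabled Windows Update service (wuauserv) is one possible cause.
$wu = Get-CimInstance -ClassName Win32_Service -Filter "Name='wuauserv'"
if (-not $wu) {
    $findings += 'Windows Update service (wuauserv) not found'
} elseif ($wu.StartMode -eq 'Disabled') {
    $findings += 'Windows Update service (wuauserv) is disabled'
}

# Symptom: unable to browse to security vendor sites.
# Assumption: hosts-file entries that redirect those names are one possible cause.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
foreach ($line in Get-Content -Path $hostsPath -ErrorAction SilentlyContinue) {
    $entry = ($line -replace '#.*$', '').Trim()   # drop comments and blank lines
    if (-not $entry) { continue }
    $ip, $names = $entry -split '\s+'             # first token is the address
    foreach ($name in $names) {
        if ($name -match $VendorPattern) {
            $findings += "hosts file maps '$name' to $ip"
        }
    }
}

if ($findings.Count -gt 0) {
    Write-Output 'Symptoms found:'
    $findings | ForEach-Object { Write-Output "  - $_" }
} else {
    Write-Output 'None of the checked symptoms were found.'
}
```

A clean result does not rule out infection; it only means these particular symptoms are absent.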
There is no easy answer with system compromises, and a knowledgeable person will be required to assist in removing the infection.
A good first step is to remove the PC from the network and restart it in 'Safe Mode'. In Safe Mode it might be possible to disinfect a machine using a program such as MalwareBytes (obtained from another machine and transferred via USB key).
It can be hard to make a complaint about some forms of intrusion, as identifying the source is often problematic.
Australian law only has jurisdiction if the system or computer server where the content is hosted is in Australia, or if the offender causing the intrusion, disruption or impairment is an Australian citizen.
If the intrusion doesn't meet one of those criteria, it becomes much harder for the law to handle locally reported cases. This is one of the reasons why so few cyber criminals are caught.
Spam and phishing are another thing entirely. Spam can be reported to the host of the offending email or to your spam filter vendor, so they can update the filter to block it for others. You can also report spam to the Australian Government at http://www.acma.gov.au.
If you ever receive a suspicious and unsolicited email asking for your Internode credentials, please forward it to Internode at support@internode.on.net. This will allow us to track down and stop the sender, and/or block the emails from reaching any other Internode customer.