Understanding malware and botnets and how to protect your site

April 19, 2023

Malware is one of the most pervasive cybersecurity threats, with roots going back to the 1980s. It has grown steadily more sophisticated since then, and new samples appear constantly: by some industry counts, over 560,000 new pieces of malware are detected every day. Malware is generally defined as software built to disrupt, damage, or gain unauthorized access to a computer system, and it has existed almost as long as the internet has.

A botnet is a collection of computers that have been infected with the same (or closely related) malware. Once infected, they can be controlled remotely as a group and used to infect or disrupt other machines.

This article takes a look at the history behind malware and botnets, discusses their impact, and shares how you can protect your website from their effects.

What is malware?

Malware is an umbrella term covering many different types of malicious software. Before you learn how to protect yourself from it, let's take a look at the different types of attacks you could be dealing with.

Ransomware

In a ransomware attack, malicious software on a machine locks the victim out of their files or the machine itself, usually by encrypting the data, until a ransom is paid. The attack typically surfaces as an on-screen message informing the user that their machine has been infected and that their files are locked (and sometimes in danger of being deleted) unless a particular sum of money is paid. The ransom is usually demanded in cryptocurrency, which makes it harder to trace the perpetrators. In other cases the attackers ask for the victim's payment card or bank details, exposing the victim to further fraud later.

A further risk is that paying the ransom doesn't guarantee a clean machine: the attacker's access or other malware may still linger on the system and cause problems in the future.

The best protection against ransomware is to keep your operating system and all other software you use patched, and to take regular backups that are stored offline or otherwise out of reach of the infected system, so that in a worst-case scenario you can restore your data without paying.

Malvertising

Malvertising is short for "malicious advertising": malware delivered through website advertisements. Although ad networks try to screen the ads they serve, malicious code can sometimes be embedded in an advertisement and run on a user's computer when they click it or, in some cases, simply view it. Installation without an explicit user action is known as a "drive-by download": malicious software is downloaded to a user's computer without their permission, typically by exploiting a vulnerability in the browser or one of its plugins.

Malvertising is mainly a delivery mechanism for the other types of malware discussed here. Because it can arrive through any site that serves third-party ads and takes no single recognizable form, it is hard to block outright. The most effective defense is to keep your web browser, browser extensions, and operating system updated with the latest patches, since drive-by downloads depend on unpatched vulnerabilities.

Suspicious or overly alarming ads are another sign that you may be dealing with malvertising, and they should be avoided. Although interaction isn't strictly necessary for an infection, the majority of malvertising campaigns still require a click to deliver their payload.

Spyware

Spyware is a type of malware designed to infiltrate a system and transmit data about that system and its users to a third party. From there, the data can be used to aid further intrusions, commit identity theft, or simply be sold for profit.

One common way for spyware to be delivered is as a trojan: malicious code hidden inside what appears to be legitimate software. When the user installs the legitimate-looking program, the spyware is installed alongside it and begins transmitting the information it's designed to collect.

For example, a keylogger records the keys a user types, which captures passwords as they are entered on popular websites. This highly valuable information can be sold on, and once it's in a third party's hands, account takeover, identity theft, or further social engineering becomes much easier.

What are botnets?

Instead of collecting and extracting information from your system, certain types of malware take a different aim: turning your infected machine into one of many as part of a botnet.

A botnet is a group of computers or other internet-connected devices that have been taken over by malware and can be directed in a coordinated attack. Machines infected with the same malware family and working in coordination are usually referred to by a single name, which makes the botnet easier to track and discuss. Let's take a look at two of the more infamous botnets that have been discovered.

Zeus

Zeus was a banking trojan and botnet first identified in 2007 that mainly spied on users, logged their keystrokes, and stole online banking credentials. Originally, the Zeus malware reached users via phishing and drive-by downloads (as discussed in the malvertising section). In addition to capturing and stealing a user's information, each machine the Zeus trojan infected became a bot in the botnet.

Unlike malware that stays mostly static, Zeus has continued to evolve over the years, with over five hundred documented versions. This is one reason it has been so difficult to detect and stop: it's a constantly moving target. In addition to its many variants, Zeus is notable for being "capable of re-encrypting itself every time it infects a system, making each infection 'unique' and therefore harder to detect."

In recent years, Zeus and its direct variants have become less prominent; however, the Zeus source code was leaked in 2011, and code derived from it is probably still circulating on the internet.

Mirai

Unlike most botnets that came before it, the Mirai botnet primarily targeted Internet of Things (IoT) devices such as IP cameras and home routers. These devices often ship with a factory-default username and password, are frequently left exposed to the internet, and rarely run any endpoint protection. Mirai simply scanned for devices with Telnet open and logged in using a short list of default credentials, which made them easy targets.

As IoT devices gained popularity, the number of devices Mirai could infect grew as well. The Mirai botnet is widely credited with the DDoS attack that took down the DNS provider Dyn in October 2016, leaving many major websites unreachable for hours.

Now that you know about some infamous botnets, let's look a little deeper into what exactly botnets do.

What do botnets do?

Once a botnet has been assembled, it can carry out various tasks. One of the most common is a distributed denial-of-service (DDoS) attack. In this type of attack, the threat actor controlling the botnet directs all the machines that have been taken over to hit the same internet resource, overwhelming it with traffic and making it unavailable to other users. This is sometimes accompanied by a ransom demand in exchange for stopping the attack.

In other cases, a botnet can be used to commit ad fraud. For ad providers, it's relatively easy to detect a large number of clicks coming from a single machine. With a botnet, however, the operator can generate clicks from thousands of machines all over the world, sometimes in an effort to cost competitors money or get their ads banned from popular ad networks. The distributed nature of botnets makes this sort of malicious activity much harder to detect.

In addition, botnets are used to flood sites with spam comments, fake reviews, or other "user-generated" content, which buries genuine content and makes the site far less useful to real human visitors.

How to protect your site

Now that you know a bit about malware and botnets, what they look like, and how they exist and spread online, let's look at some things you can do to prevent your site from being a target.

Keep your software up-to-date

Software vendors, particularly those whose technology is widely deployed on the web, constantly monitor for new vulnerabilities and fix them as they are discovered in their code. Even if you do nothing else, keeping your software (CMS, plugins, web server, runtime, and operating system) patched denies malware that exploits known vulnerabilities an easy way onto your site.

Deploy a WAF in front of your site

A web application firewall (WAF) is software or a managed service that sits between your website and the wider internet and inspects incoming HTTP requests, dropping those that match known attack patterns such as SQL injection or cross-site scripting. It can also be configured with custom rules and rate limits to block specific kinds of traffic, which helps mitigate application-layer DDoS attacks (large volumetric floods still need network-level protection from your hosting or CDN provider). Because it filters traffic before it reaches your application, a WAF is a good first line of defense for your site.

Use fingerprinting to detect bots

If, after implementing the previous steps, you're still having issues with bots accessing your site, browser fingerprinting can help. What makes DDoS attacks and other botnet activity hard to detect is that each bot in the botnet is a separate machine with its own IP address and traffic profile, so blocking by IP address quickly becomes a losing game.

This is why browser fingerprinting is a useful tool for distinguishing real traffic from bots. Rather than relying on the bot's IP address, it examines attributes of the browser itself, such as its reported capabilities and the way it responds to certain API calls, which automated browsers often get subtly wrong. This helps you tell a legitimate user apart from an automated browser that should be challenged with additional verification before it's allowed to proceed.

Use a dedicated bot detection library

There are open source libraries that handle the specifics of bot detection, including BotD from Fingerprint. BotD runs client-side and uses a variety of browser APIs to determine whether the browser interacting with your site is likely being driven by an automation tool. With BotD, you can run bot detection in a few lines and take appropriate action based on the result:

<script>
    // Initialize an agent at application startup, once per page/app.
    const botdPromise = import('https://openfpcdn.io/botd/v1').then((Botd) => Botd.load())

    // Get detection results when you need them (for example, before submitting a form).
    botdPromise
        .then((botd) => botd.detect())
        .then((result) => {
            // result.bot is a boolean; when it is true, result.botKind names the automation tool detected.
            console.log(result)
        })
        .catch((error) => console.error(error))
</script>

Here is what the result looks like for a normal browser:

{bot: false}

When automation is detected, the result also includes the kind of tool that was recognized, for example {bot: true, botKind: 'headless_chrome'}.

Parsing the result and acting on it (for example, by requiring a CAPTCHA before a form is accepted, or by rejecting the request on the server) can help you limit the negative impact that bots have on your site. Keep in mind that a purely client-side check can be bypassed by a bot that simply doesn't run your script, so enforcement should ultimately happen on the server.
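To make the "take action" step concrete for both the fingerprinting section above and the BotD result here, the following is an added example and not BotD's or Fingerprint's own code: a small Node.js policy that maps a BotD-style result ({bot, botKind}) to an action and rate-limits per visitor identifier rather than per IP address. The visitor identifier (assumed to come from a browser fingerprint), the botKind names it blocks, the window size, and the request threshold are all assumptions chosen for the example, and the sample traffic is constructed.

```javascript
// Added example, not code from BotD or Fingerprint: a server-side policy that
// turns a BotD-style result ({bot: boolean, botKind?: string}) plus a
// per-visitor request count into an action. Runs under Node.js, no dependencies.

// Sliding window used for rate limiting. Both numbers are assumptions for the
// example, not recommended production values.
const WINDOW_MS = 60_000;
const MAX_REQUESTS_PER_WINDOW = 30;

// botKind values treated as "always block". Which kinds to block is a policy
// choice for your site; the names here are assumed examples of automation tools.
const BLOCK_KINDS = new Set(['headless_chrome', 'phantomjs', 'selenium', 'nightmarejs']);

// Request timestamps keyed by a visitor identifier (assumed to come from a
// browser fingerprint, NOT from the client IP). A real deployment would keep
// this in a shared server-side store such as Redis, because anything the
// browser holds can simply be discarded by a bot.
const requestLog = new Map();

// Record one request for `visitorId` at time `now` (ms) and return how many
// requests that visitor has made inside the current window, including this one.
function countRecentRequests(visitorId, now) {
  const recent = (requestLog.get(visitorId) || []).filter((t) => now - t < WINDOW_MS);
  recent.push(now);
  requestLog.set(visitorId, recent);
  return recent.length;
}

// Decide what to do with a request:
//   'block'     - a known automation tool; reject the request outright
//   'challenge' - suspicious; require a CAPTCHA or step-up verification first
//   'allow'     - looks like a normal browser at a normal request rate
function decideAction(result, visitorId, now = Date.now()) {
  const recent = countRecentRequests(visitorId, now);
  if (result.bot && BLOCK_KINDS.has(result.botKind)) return 'block';
  if (result.bot) return 'challenge';                        // botKind 'unknown' or not in our list
  if (recent > MAX_REQUESTS_PER_WINDOW) return 'challenge';  // too fast for a human, whatever the IP
  return 'allow';
}

// Constructed sample traffic. The first two requests come from different IPs
// but carry the same visitor identifier, which is exactly the case where
// per-IP counting sees nothing unusual.
const sampleRequests = [
  { ip: '203.0.113.10', visitorId: 'v-a1', result: { bot: false } },
  { ip: '198.51.100.7', visitorId: 'v-a1', result: { bot: false } },
  { ip: '192.0.2.44',   visitorId: 'v-b2', result: { bot: true, botKind: 'headless_chrome' } },
  { ip: '192.0.2.45',   visitorId: 'v-c3', result: { bot: true, botKind: 'unknown' } },
];

// Run the sample, then simulate one visitor sending a burst of requests from
// rotating IPs; returns one line per decision.
function runSample() {
  const actions = sampleRequests.map(
    (r) => `${r.ip} ${r.visitorId}: ${decideAction(r.result, r.visitorId, 1_000)}`,
  );
  let burstAction = 'allow';
  for (let i = 0; i <= MAX_REQUESTS_PER_WINDOW; i++) {
    // 31 requests inside one window; the IP changes every time, the visitor does not.
    burstAction = decideAction({ bot: false }, 'v-d4', 2_000 + i);
  }
  actions.push(`rotating IPs v-d4 (request ${MAX_REQUESTS_PER_WINDOW + 1}): ${burstAction}`);
  return actions;
}

console.log(runSample().join('\n'));
```

The design point is where the counter lives: keyed by visitor identifier on the server, it keeps counting across IP rotation, while a bot that refuses to run the client-side script still gets no result and can be challenged by default.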

While client-side detection is the easiest way to get started, using a tool like Fingerprint Pro Bot Detection can give you even greater bot detection accuracy and help you detect more powerful and harder-to-detect automation tools.

Wrapping up

As long as there are opportunities to defraud users, malware and botnets will continue to exist. By keeping your software up to date, taking frequent backups of your information, and being on the lookout for some of the most common malware scams, you can help keep yourself safe online.

If your site needs to be protected from bots and bot interactions, using a tool like Fingerprint is a great way to do so. Contact the sales team for more information about how Fingerprint can keep your site safe and secure.