Botnets - consequences and protective actions

Networked devices are connected remotely and misused for further cyber attacks

What is a botnet and how can I protect myself?

In technical jargon, the word 'bot' refers to a remotely controlled program that runs on your computer system. Botnets are created when a large number of infected PCs, usually several thousand, are connected by remote control and misused for specific purposes. It is not just traditional PCs that can be exploited as bots; other devices that have an Internet connection or that are part of a network are also at risk. Examples include mobile devices such as smartphones or tablets, wearables or components used in the IoT, such as webcams or routers.

But what has all of this got to do with you? To put it simply: it's entirely possible that your computer, your smartphone, your smart TV or your robotic vacuum cleaner is part of a botnet and is being remotely controlled right now - without you knowing anything about it.

It's your responsibility to make sure that you take action to prevent others from taking control of your technology and using it for attacks.

How does your computer get infected?

When you browse the Internet or open e-mail attachments, it's relatively easy for malicious programs to install themselves on your device - unless you've taken action to protect your technology. These malicious programs include bots, which stealthily make their way onto your PC without you noticing. If a malicious program gets into your network, it can spread unhindered and infect other devices in your network.

Many bots are inconspicuous at first, so you do not notice anything unusual. But appearances can be deceptive. The person who created the malware can activate it at the touch of a button. They can also send commands to the infected device. One criminal can centrally control all of the bots and instruct them to execute exactly the same tasks. The only requirement is that the infected device is online. At this stage, even though everything seems to be working as normal, there is a lot of undesirable activity going on in the background.

Attackers primarily exploit weaknesses in Microsoft operating systems and Android devices to hijack end-user systems. However, if you use a different operating system, you can't afford to be complacent. Attackers are increasingly turning their attention to Linux systems and Apple devices too. Linux systems in particular are common in IoT devices and in professional servers.

What are botnets used for?

Cyber criminals use botnets in a number of different ways. They may use them to download yet more malicious programs (such as encryption trojans), to send spam messages or to execute DDoS attacks to bring down major websites. One of the other main ways criminals use botnets is to steal data, which can then be used in other crimes, such as online banking fraud. Botnets are also often leased out to other parties, who can then deploy the botnet for their own purposes in return for a fee. In short: Criminals put a great deal of time and energy into botnets, and their intent is clearly malicious.

With a bot on board, your device is no longer just a victim, but also a perpetrator of cyber crime. The bot receives commands and executes them without any intervention or control from you. The personal data stored on your PC or smartphone isn't safe either. In the media, the computers in a botnet are increasingly referred to as "zombie computers" because they are "reanimated" like zombies brought back from the dead - with no free will of their own and under the control of the hacker's commands.

Botnet risk on the rise

The botnet problem has grown exponentially in recent years. With the vast majority of Internet users now having access to a broadband connection, many computers are connected to the Internet day and night, thanks to the widespread availability of low-cost, flat-rate tariffs. Unlike with analogue Internet connections, computers connected to the Internet via DSL or cable show virtually no signs that something is going on in the background; the secret activity behind the scenes does not noticeably slow down the connection speed. Research suggests that many thousands of computers are hijacked and misused by others every single day. A PC that has just been connected to the Internet will be attacked for the first time within minutes of going online.

To detect botnet infections, security researchers use sinkhole systems that take over from the regular control servers (C&C servers) to receive contact requests from bots. These systems work by recording the domain names or IP addresses used. The visibility of infections is heavily dependent on the type and number of sinkhole addresses recorded by the researchers, which means that it can vary considerably.

In 2019, security researchers registered up to 110,000 bot infections in German systems daily and reported them to German Internet providers via the BSI. Internet providers inform their customers about the infection and in some cases also offer assistance in cleaning up the systems. As sinkhole systems cannot be used for all botnets in existence, the reported infections represent just the tip of the iceberg of the actual infection levels in Germany. Based on experience from successful botnet shutdowns, it can be assumed that the number of unreported cases is significantly higher and is at least in the seven-figure range.
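
The sinkhole recording and provider reporting described above can be sketched as follows. This is an added example, not code from the BSI or from any sinkhole operator. The log format, the provider names and their address ranges are assumptions, and the log lines are constructed using documentation IP ranges and placeholder domains.

```python
import ipaddress
from collections import defaultdict

# Constructed sinkhole log: "timestamp source_ip requested_domain".
SAMPLE_LOG = """\
2019-06-01T00:03:11Z 192.0.2.10 c2-a.example
2019-06-01T00:08:42Z 192.0.2.10 c2-a.example
2019-06-01T00:40:00Z 192.0.2.55 c2-b.example
2019-06-01T01:15:00Z 198.51.100.7 c2-a.example
2019-06-01T02:20:30Z 203.0.113.99 c2-b.example
2019-06-02T00:01:05Z 192.0.2.10 c2-a.example
2019-06-02T03:00:00Z not-an-ip c2-a.example
"""

# Hypothetical provider address ranges (assumption for this example).
PROVIDERS = {
    "Provider A": ipaddress.ip_network("192.0.2.0/24"),
    "Provider B": ipaddress.ip_network("198.51.100.0/24"),
}

def provider_for(ip):
    """Return the provider whose range contains ip, or None."""
    for name, net in PROVIDERS.items():
        if ip in net:
            return name
    return None

def daily_reports(log_text):
    """Return {(day, provider): {ip: set of sinkholed domains contacted}}."""
    reports = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        ts, ip_text, domain = parts
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            continue  # skip unparsable source addresses
        provider = provider_for(ip)
        if provider is None:
            continue  # outside the known ranges: no provider to notify
        reports[(ts[:10], provider)][str(ip)].add(domain)
    return {key: dict(ips) for key, ips in reports.items()}

def infection_counts(reports):
    """Count distinct infected addresses per (day, provider)."""
    return {key: len(ips) for key, ips in reports.items()}
```

Repeated contacts from one address on the same day count as a single infection, and addresses outside the listed ranges drop out of the report entirely, which illustrates why the visible numbers depend on what the sinkhole is able to record and attribute.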