Bots and Botnets – CompTIA Security+ SY0-501 – 1.1

| October 28, 2017

It’s easy to guess your password if someone is already watching your keystrokes. In this video, you’ll learn how the bad guys use keyloggers to steal our login credentials and I’ll show the results of a keylogger running on my computer.

<< Previous Video: Adware and Spyware Next: Logic Bombs >>

A botnet is a very specialized kind of malware, it stands for robot networks. That means that there is a virtual robot inside of your computer performing functions that are being commanded to it. Your machine is infected, it now becomes one of the many devices that is part of this botnet.

In most cases, the end user of the computer has no idea that this bot is even running inside of its computer. Well, how does it then get into the computer in the first place? One way is through a Trojan horse. You’ll see these links all the time come into an email saying that I saw a funny video of you, click here to view it. Maybe there is an email that comes through with something that appears to be related to things that were in the news and those clicks then take you to a site that installs the botnet software onto your computer. Or the botnet developers will find a vulnerability in your operating system and take advantage of that as the way into your computer.

Once the botnet software installs itself onto your computer, it doesn’t do anything. It just sits there, and it waits for commands from the main system. There is a centralized command and control system that will send out messages, the botnets are looking for those messages and then will perform whatever function is being asked of them in those commands from the mothership.

One well-known botnet through the years is the ZeuS botnet. It’s well known because it took money directly from your bank account and transferred it over to the bad guys. They developed the software and installed it onto your computer as a botnet, and then it waited for you to log into your bank. At that point, it transferred the information back to the bad guys who then logged in using your credentials and transferred the money to a third party who then eventually got the money back to the bad guys.

There are many different kinds of botnets, and there’s botnet activity happening constantly. This is a real time view using the Looking Glass threat map. You can find this at This gives us an idea of how much traffic might be going across the network, what sites or areas may be attacked with live attacks. And you can see the real time view of the botnets. The sality botnet and the mobile botnets are the ones that are taking the most amount today. But of course, these botnets come and go. This is a good way to see what is happening right now with botnet communication anywhere in the world.

The developers of these botnets can have them operate as one large entity. They can send commands and have all of the devices perform those commands simultaneously. You see this being used a lot with a distributed denial of service attack because you can have all the botnets descend upon one single website, effectively overwhelming it, all from these very distributed botnets anywhere in the world.

The botnet developers have realized that this is also an opportunity to make money. So they will rent out time on the botnets, and if there’s a site that you’d like to bring down, you can spend a certain amount of money to have a certain number of botnets descend on that website, effectively, making it inaccessible by anybody for that amount of time.

Stopping a botnet is similar to stopping any other type of malicious software. We need to stop the initial infection by making sure that our operating system and our applications are updated to the latest versions. We also want to be sure we have the latest signatures for our anti-virus and our anti-malware software. You also might want to proactively scan your system every day or every week and have your anti-malware software look deeper to see if there might be an infection.

It’s also good to monitor your network and check for any incoming or outgoing traffic that you may not recognize. These botnets will usually log into a central chat room and wait for commands from the command and control center. If you can block that traffic at the firewall or you install a host-based firewall or host-based IPS, you can block the traffic on the device and prevent that botnet from ever receiving commands from the command and control center.

Category: CompTIA Security+ SY0-501

Comments are closed.

My Security+ Study Group is Wednesday! Click here to register
My free Live Network+ Study Group is Wednesday. Click here to register!