T2021_05 Protect Yourself from Becoming a Bot (16th March 2021)

What is a bot?

A bot, short for “robot,” is a software application that runs simple automated tasks at high speed. Some bots are legitimate and are used by large companies to perform tasks over the internet; others are malicious and are used to carry out attacks.

In the past, a bot was a script that hit a website to perform actions or retrieve data. Those scripts could not accept cookies and did not parse JavaScript, which made them very easy to detect.

Over the past decade bot technology has evolved: bots can now accept cookies and parse JavaScript. Even so, they can still be detected fairly easily because they do not use dynamic website elements as often as human users do.

The next step in that evolution was the headless browser, which can process website content in its entirety. Despite this sophistication, headless browsers are still unable to perform every action a human user can.

Bots have now reached their most advanced form and can imitate human activity such as clicking on-page elements. These advanced bots are based on the Chrome browser and are almost impossible to distinguish from real users.

What is a Botnet?

A computer that has been compromised through a malware infection and can be controlled remotely by a cybercriminal is known as a malicious bot. The cybercriminal can then use the bot (also known as a zombie computer) to launch more attacks, or to bring it into a collection of controlled computers, known as a botnet. [1]

How botnets are created

A bot is created when malware containing the programming to take over the computer is placed onto its target. Any form of malware delivery can be used to bring the programming onto a computer: a network worm that deposits its payload, a virus launched from an infected e-mail attachment, or a Trojan horse disguised as a program the targeted user wanted.

After implantation, the bot attempts to connect to the command-and-control server (usually an IRC server). From there, the bot herder can launch any number of attacks.

Types of botnet attacks

Some of the types of attacks that can be launched after a computer has been taken over as a bot include:

  • Spambot – This is one of the most common uses of a bot. A spambot is a machine that automatically distributes spam e-mails. Mostly, these are e-mails that contain advertisements for questionable products (pornography, black market pharmaceuticals, fake antivirus software, counterfeit goods) or contain computer viruses themselves.
  • Denial-of-service – Another popular use of a bot, denial-of-service attacks look to invade a network or an Internet service provider, usually by stealth, in order to disrupt or cripple services.
  • Spyware – Spyware is any malware that can be used to gain information from its target or targets, anything from passwords and credit card information to the data contained within files. This can be lucrative to a bot herder, who can sell the data on the black market. If a bot herder gains control of a corporate network, it can be all the more lucrative, as they may be able to sell the “rights” to the company's bank accounts and its intellectual property.
  • Click fraud – This form of remote control can allow a bot herder to surreptitiously click links on websites and online advertising, bolstering numbers for advertisers and producing more money.

Botnet prevention and detection

Prevention and detection methods include:

  • Education – Be aware of the websites that are visited, and if internet relay chat (IRC) is used, be wary of certain chat rooms. Also, since the bot programming can be delivered like any other form of malware, be careful of e-mails and instant messages from strangers and chain e-mails that have been forwarded (especially ones with attachments and funny links).
  • Software updates – Make sure all operating systems and application software are kept up to date. Their manufacturers are constantly correcting vulnerabilities in their products that allow cybercriminals to deliver malware.
  • Use antivirus software – When looking for high-quality, subscription-based antivirus software, make sure to use one with anti-bot protection. Using appropriate security software also helps to stop bots using your machine for DoS (Denial of Service) attacks and for activities like click fraud.
  • Check botnet status sites. There are two sites that provide free botnet checks: Kaspersky’s Simda Botnet IP Scanner (https://checkip.kaspersky.com/) and Sonicwall’s Botnet IP Lookup (http://botnet.global.sonicwall.com/view). When you catch wind of a botnet attack, pop on to these sites to see if you’re part of the problem.
  • Keep an eye on your Windows processes. If you open up the Task Manager in Windows 10, you can see which processes are using your network. Do a brief survey of these and take note of anything that looks suspicious. 

No protection, even several used together, is 100 percent guaranteed to stop a computer from turning into a bot and becoming part of a botnet. But using these protections helps raise the odds against an attack.

How to stop bot traffic on your website

There are a few simple measures you can take to reduce your website's exposure to malicious bots. They are as follows:

  • Place robots.txt in the root of your website to define which bots are allowed to access your website. Keep in mind, this is only effective for managing the crawl patterns of legitimate bots, and will not protect against malicious bot activity.
  • Add CAPTCHA to sign-up, comment, or download forms to block download and spam bots.
  • Set a JavaScript alert to notify you of bot traffic. Contextual JavaScript on the page can act as a buzzer and alert you whenever it sees a bot or similar element entering the website.

Advanced Techniques for bot mitigation

As bots have evolved over the years, so have the mitigation techniques. The techniques for detecting and mitigating bad bots are:

  • Static approach—static analysis tools can identify web requests and header information correlated with bad bots, passively determining the bot’s identity, and blocking it if necessary.
  • Challenge-based approach—you can equip your website with the ability to proactively check if traffic originates from human users or bots. Challenge-based bot detectors can check each visitor’s ability to use cookies, run JavaScript, and interact with CAPTCHA elements. A reduced ability to process these types of elements is a sign of bot traffic.
  • Behavioral approach—a behavioral bot mitigation mechanism looks at the behavioral signature of each visitor to see if it is what it claims to be. Behavioral bot mitigation establishes a baseline of normal behavior for user agents like Google Chrome, and sees if the current user deviates from that behavior. It can also compare behavioral signatures to previous, known signatures of bad bots.

By combining the three approaches, you can overcome evasive bots of all types, and successfully separate them from human traffic.
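The following script combines the static approach (judging each request by its header information) with the behavioral approach (comparing each client's request rate against a baseline) over a handful of access-log lines. It is an added example, not code from the advisory or from any of its cited sources; the log format, the automation user-agent tokens and the baseline of 20 requests per 10 seconds are assumptions, and the log lines are constructed using documentation IP ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = [  # constructed sample lines (documentation IP ranges, not real traffic)
    '203.0.113.5 [16/Mar/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/89.0"',
    '203.0.113.5 [16/Mar/2021:10:00:09 +0000] "GET /products HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/89.0"',
    '198.51.100.7 [16/Mar/2021:10:00:02 +0000] "GET /login HTTP/1.1" 200 "python-requests/2.25.1"',
    '192.0.2.9 [16/Mar/2021:10:00:03 +0000] "GET /catalog HTTP/1.1" 200 "-"',
] + [f'192.0.2.44 [16/Mar/2021:10:00:{3 + i // 5:02d} +0000] "POST /login HTTP/1.1" 401 '
     '"Mozilla/5.0 (Windows NT 10.0) Chrome/89.0"' for i in range(25)]  # browser-like client, 25 POSTs in 5 seconds

LINE_RE = re.compile(r'^(\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) "([^"]*)"$')
# Static approach: user-agent substrings that identify scripted clients or headless browsers (assumed list).
AUTOMATION_TOKENS = ("python-requests", "curl/", "wget/", "scrapy", "headlesschrome", "phantomjs")

def parse_line(line):
    """Parse one access-log line into a record; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, _, path, _, ua = m.groups()
    return {"ip": ip, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), "path": path, "ua": ua}

def static_reasons(rec):
    """Static approach: judge a single request on its header information alone."""
    ua = rec["ua"].lower()
    if ua in ("", "-"):
        return ["empty user-agent"]
    return [f"automation user-agent ({tok})" for tok in AUTOMATION_TOKENS if tok in ua]

def burst_reasons(times, window=timedelta(seconds=10), max_requests=20):
    """Behavioral approach: flag a client whose request rate exceeds the assumed baseline."""
    times, start = sorted(times), 0
    for end, t in enumerate(times):  # sliding window over the client's request timestamps
        while t - times[start] > window:
            start += 1
        if end - start + 1 > max_requests:
            return [f"{end - start + 1} requests within {window.seconds}s (limit {max_requests})"]
    return []

def classify(lines, **kw):
    """Return {ip: [reasons]} for every client that trips a static or a behavioral rule."""
    reasons, times = defaultdict(list), defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        times[rec["ip"]].append(rec["time"])
        reasons[rec["ip"]] += [r for r in static_reasons(rec) if r not in reasons[rec["ip"]]]
    for ip, ts in times.items():
        reasons[ip] += burst_reasons(ts, **kw)
    return {ip: r for ip, r in reasons.items() if r}
```

Running `classify(SAMPLE_LOG)` flags the scripted client and the empty user-agent by the static rule and the login burst by the behavioral rule, while the ordinary visitor is left alone; a real deployment would tune the baseline per user agent rather than use one global limit.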

The Guyana National CIRT recommends that users and administrators review these recommendations and implement where necessary.


References

Busch, Jack (2019, February 15). How to Tell If You’re Part of a Botnet. Retrieved from: https://www.groovypost.com/howto/detect-prevent-botnet-malware-infections/

Norton Life Lock. Bot and Botnet. Retrieved from: https://www.nortonlifelockpartner.com/security-center/bots.html#:~:text=A%20bot%20is%20a%20computer,computers%2C%20known%20as%20a%20botnet.

Imperva. What are Bots. Retrieved from: https://www.imperva.com/learn/application-security/what-are-bots/


[1] https://www.nortonlifelockpartner.com/security-center/bots.html#:~:text=A%20bot%20is%20a%20computer,computers%2C%20known%20as%20a%20botnet.