How to Detect, Prevent and Remove Botnet Malware
Before we can talk about removing botnet malware, we have to talk about what it is in the first place.
What is a Botnet?
A botnet or “bot network” is a mass of computers that have been taken over by malware created by a hacker. However, the idea is not to attack these machines themselves individually. Rather, the hacker takes control of this army of “zombie” computers and gives them commands to carry out. Usually for very illegal purposes.
What Are Botnets Used For?
One common use for botnets is to execute DDOS attacks. That's where thousands of computers deliberately try to access the same website. This causes so much congestion that legitimate users can't actually use it.
Botnets are also commonly used in order to send massive spam attacks out into the world. It's a way to send bulk email for free with little risk of the true culprits being found.
Botnets are also sitting on the net looking for unencrypted data packets, hoping to pick up usernames, passwords, and any other potentially valuable information.
They can also be used to manipulate online systems, such as voting sites. Botnets can be used to spread more malware and of course, expand the existing botnet. They can even be used to generate fraudulent ad revenue for the malware creators.
How is Botnet Bad for My Computer?
Well, apart from the horrible breach of your data security and making you involved in several crimes, botnet malware can destroy your computer and internet performance. Like all malware, the botnet software is not doing your system any favors. You need to get rid of it ASAP.
How Did I Get Infected?
Botnet malware uses the same vectors to infect your machine as all other malware. It's usually an email attachment, download or other similar scam meant to get you running malicious code on your computer.
Stopping Infections
Prevention is better than a cure. So keep your security software and operating system up to date. Don't download and run executables you don't know can't be trusted for sure. Especially don't click on weird adverts or hang around in the shadier parts of the net, unless you know exactly what you're doing.
How to Detect Botnet Malware
The obvious first step is to use a good antivirus program. You should also consider using specialized anti-malware programs such as Malware Bytes.
Unfortunately, programs like these will often miss botnet software, so there are also other symptoms you should be aware of.
If your CPU usage and network traffic are strangely high when the computer is meant to be idle, that's a cardinal sign things aren't OK. The computer's fans spinning up and down when idle is another potential sign.
If your computer's DNS addresses have been changed in your network settings to something you don't know, that's a big sign your computer has been turned into a zombie.
These are not definitively linked to botnets. But if the symptoms go away when you disconnect the network connection, it might turn out to be a botnet after all.
If you see strange internet popups for things you didn't click on, that's a red flag too.
More advanced detection methods involve using network monitoring tools. You can use a program such as Wireshark to see what's being sent from your machine into the net. These are common signs on your network that a botnet is afoot:
- IRC (Internet Relay Chat) traffic when you aren't using it (port 6667)
- Connecting to server addresses known to be command and control nodes for botnets
- Activity on port 25 and 1080
How to Remove Botnet Software
If your main anti-virus software doesn't detect a botnet infection, but you are still suspicious, here are some additional steps. First, try using a specialized malware removal tool. If that doesn't work, you should try using a specialized botnet removal tool.
Indian internet security company Quick Heal, for example, has released a dedicated botnet removal tool. If you know the name of the botnet you're infected with, but your current tools can't remove it, you can also try Symantec's Threat Specific tool search.
Pulling the Plug
The most important thing you can do immediately, before getting your hands dirty with removal, is to disconnect the infected machine from the internet and the rest of your home network. You should also check all other computers on your LAN, since infection can spread across a LAN as well. Scan all network-attached storage and USB drives you've connected to the infected machine in the past.
Keeping all the above in mind, you don't have to be a victim of botnet infection and unwilling contributor to the internet's collective misery.