The Story About When a Botnet Took Over Our Home Network
A few years ago we discovered a 'stowaway' or botnet on our home computer network.
It started innocently enough with either slow network speeds or brief periods of time when our network was nonfunctional. Over the course of a year the outages increased in both frequency and duration, and a little probing revealed that we weren't actually having downtime, but rather that our network was maxed out at times, and therefore unavailable to us. Once the problem became clear to us we struggled to find a solution to take back control. I don't know if the concept of Network Hijacking is well known, or even if that's the correct terminology for it, but it describes perfectly our situation at that time.
After working with several different consultants who were all very well versed in networking, and who each brought us a little closer to a final solution, we were finally able to free our network of its unwanted intruder...but the process was a long and hard one. We began to suspect what actions we'd need to take to resolve the issues entirely, but were hesitant to take them because of the time and cost involved. In the end, we did spend a lot of time and money (a year and a half), and I'm writing this to share our experience, in the hope that we can spare someone else from having to go through the arduous process that we did.
Computer Information all Parents (actually all Computer Users) Should Know
The Dangers of Media Sharing Websites
We believe, in hindsight, that our problems originated from typical media usage that most teenagers engage in, and because that topic alone is so complex, I've written a second lens that discusses it in much greater detail. It's called "The Dangers of Torrent and p2p Sites to Home Computer Networks", and there's a section below that includes a clickable link to it.
In the meantime a brief description is in order. There are countless websites that allow people to stream media, or download media, for free. You're usually required to join as a member, but not always, especially with some of the older sites. The appeal of these sites is significant, since sometimes that's the only vehicle available for somewhat obscure titles.
For example, when I was a teen (a very long time ago) a movie came out briefly in theaters called 'Friends'. It was a sweet, coming of age love story about 2 teens, and I loved it. For some reason, I've always fondly remembered that movie and its title...which is somewhat surprising if you know me! So as my boys approached their teen years I scoured the Internet for it. That was in the early days of the World Wide Web, but after a lot of research, I was able to find the correct movie (tricky because of the generic title), and a source to order a VHS tape from. I think it came from Europe...I remember waiting a long time for it to arrive. But ultimately it arrived and I shared it with my family. In retrospect, this was not as memorable an event for them as it was for me, and I doubt that they even remember it now!
My point is that streaming media sites and sites where you can find and download the most obscure titles imaginable are prolific now, and had I been searching for this title today, even with what I've learned about media sharing sites and their potential dangers, I might still be tempted, if that were the only source available. But teenagers like all kinds of media: music, video games, TV and movies, even apps and software. Actually, we all like these media forms, but teens are probably the heaviest users, and don't necessarily have the well-developed cautionary approaches that we acquire as we get older. They enthusiastically share links with friends to the sites that they've found useful, and share media avidly in newer ways than we as adults tend to. I'm referring to tools like Dropbox and even Facebook, which at least in my household, were introduced to the adults by teens.
To be brief, many of these sites rely on peer-to-peer (P2P) sharing. A P2P client does two things a normal browser does not: it downloads pieces of a file from strangers' machines rather than from one vetted server, and it opens listening ports on your computer, usually asking the router (through UPnP) to forward them from the Internet so that strangers can connect back to you. Anyone in your household can enable this quite innocently by installing the client the site asks for. A malicious file pulled that way then runs inside your network, behind the router's firewall, as though you had invited it in. So my advice to you is this:
Don't download or stream media from any site that you haven't spent some time researching first. Whether they offer free media or inexpensive media is irrelevant. If it seems to be too good of a deal to be true...it probably is, and it's potentially unsafe!
Sometimes the danger lies in your acceptance of their user terms, which may permit bundled "extra" software. Sometimes it lies in the information that you provide to them in the enrollment process. And sometimes the danger lies in the action itself, i.e. actually downloading or viewing/listening to media offered from their site, when the "player" or "codec" you are told to install is the malware. In a worst case scenario, just clicking once to enter the site can be enough if your browser or its plug-ins are out of date. Regardless of the method, the end result can be complete access to your network that you didn't intend or even realize. My warnings may be overly rigid, but from my experience, it doesn't pay to take a chance like this. Getting rid of an unwanted intruder on your network is extremely difficult, and it suffices to say that the better alternative is to not allow intruders in at all. Ever.
Part 2 of this lens, "The dangers of using file sharing or torrenting websites", discusses file sharing websites in more detail.
How Do You Know if Your Network has been Hijacked?
The First Signs
There are some indicators that if noticed, can provide you with early warning signs of network infiltration. These include things like occasional accounts getting hacked into; email or Facebook accounts, for example. Another indicator could be that your credit card number is used without your knowledge. Your email account may be receiving many undeliverable email notices for emails that you never sent.
These were some of the early warning signs for us, but since they are not uncommon occurrences in general, they didn't immediately alert us to the problem. These kinds of events happen to most people now and then, and one isolated instance doesn't mean much, because there are so many different paths that could lead to any one of them. But if they are happening a lot, or several of them occur within a short span of time, that may be an early indicator that something more serious is going on.
The Next Signs We Experienced
The second set of signs began for us after the situation was already well established. We would occasionally lose our internet connection. Usually, at first at least, this was also somewhat isolated and seemed random. Generally only one computer would be knocked off, and by the next day the situation would correct itself. But over time the problems grew. There were times that every computer in our house was bumped offline at the same time. But even in those situations, there could be, and sometimes were, other explanations for the occurrence. ISP's do have problems, and in our location, they seemed to have more than the average number of problems.
That, combined with the fact that there was a temporary cable line that ran to our house for over a year before the cable company was able to get the necessary equipment here to properly install a more permanent cable, meant that our line could be severed by something as simple as a large truck driving down our little road. Or, the snowplow service ran their shovels too deep or too far off course.
But when the temporary cable situation was finally resolved, and our problems continued to increase, we began to realize that there was in fact some regularity to the outages. And when the situation became so disruptive that we hired a network specialist to try and resolve the issues, we learned that the router firmware we were using (DD-WRT) had a wealth of reporting capabilities we never knew existed. Upon running some of those reports it became obvious to us that there was a pattern, it was significant, and that it had been going on for a long time.
Our Network had Been Taken Over by a Botnet
We began to suspect that our network was incorporated into a botnet of some kind, and we learned that the operators of botnets do everything in their power to run 'under the radar' so as not to arouse suspicion that there is any type of problem at all. When your computer network is incorporated into a botnet, your computers become 'bots' that take orders from a command-and-control server run by someone else, who typically rents them out for sending spam, attacking other sites (denial of service), click fraud, or stealing passwords and card numbers from the machines themselves.
Either option is scary, for all kinds of reasons, but especially because it means that anything you do on your computer is probably viewable to those who've hacked into it. We did have frequent problems with email accounts and credit cards during this time, but we were fortunate to have our bank add extra security to keep our credit safe once we knew what was involved.
We came to this conclusion based on the activity reports that our router software made available to us. It makes sense if you think about it, because if your network is being used for someone else's objectives, they would want to continue their activities in an undisturbed manner as long as possible. But once we were aware of what was going on we were alarmed, to say the least, and took measures to try and take back our network. Our efforts initially were incident specific, and when we addressed one problem and corrected it, another would crop up on another computer.
We spent about a year addressing the situation on a piecemeal basis, until it became evident to us that none of our attempts were having the desired effect, and we ultimately planned a more organized and coordinated effort.
But before I address how we resolved the situation, I'd like to present a few more symptoms which could help you determine whether or not this situation might be affecting your computer network.
Some Additional Areas to Research if you Suspect Network Hijacking
Try to Learn Everything you can About the Current State of Technology as it Relates to Small Computer Networks
When you set up your network initially, if you never set up any kind of security to protect it but left the default router settings in place, log into it now and change them: at a minimum a new administrator password, and a firmware update if one is available. If you're unable to log onto your router, it may have been taken over and the password changed to lock you out (or the password may simply have been forgotten); either way, a factory reset using the router's reset button restores the default login, after which you should set a new password and re-enter your settings before the router goes back online. If you are able to log in, explore the list of devices actively using your network (the DHCP client list or wireless client list on most routers), and make a habit of monitoring it on some regular basis, but especially when you're having problems. I found the most reliable way to sort out devices on our network was by using MAC addresses, because those are static, and easy to find on the types of devices that we had at the time.
If you find more devices on your network than you think should be there initially, don't panic, just try to remember that there are many more devices than just computers that are generally using your network for Internet access. Cell phones, tablets, TiVos, wireless printers, Rokus, cell signal boosters like our AT&T MicroCell, access points, repeaters and amplifiers, and possibly a modem or gateway device, a firewall, furnace, or even a security system, can show up as devices on your network. It takes some time in the beginning to figure out which devices are which, link each to a MAC address, and then isolate potential stowaways.
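Here is what that MAC-address inventory looks like as an added example (my code, not from the original post or from any router vendor). It parses the neighbour table that Windows prints for `arp -a`, compares each live address against a hypothetical list of devices you know you own, and separates out one case the advice above does not cover: phones and tablets made after about 2020 (iOS 14, Android 10) use a different, randomized MAC on each Wi-Fi network, so a "stranger" in your list may just be your own phone. Randomized addresses are recognisable because the device sets the locally-administered bit of the first octet. The sample `arp -a` text and the inventory are constructed.

```python
import re

# Constructed sample of Windows `arp -a` output; not captured from a real network.
SAMPLE_ARP = """\
Interface: 192.168.1.23 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           a4-2b-8c-11-22-33     dynamic
  192.168.1.40          00-1e-06-aa-bb-cc     dynamic
  192.168.1.41          d2-5f-0a-77-88-99     dynamic
  192.168.1.77          08-00-27-de-ad-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Hypothetical inventory: MAC (lowercase, colon-separated) -> what it is.
# Build yours from each device's settings screen or label.
KNOWN_DEVICES = {
    "a4:2b:8c:11:22:33": "router",
    "00:1e:06:aa:bb:cc": "wireless printer",
}

ARP_ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\s+(\w+)",
    re.MULTILINE | re.IGNORECASE,
)


def normalize_mac(mac):
    """Windows prints aa-bb-cc-..., most other tools aa:bb:cc:...; compare in one form."""
    return mac.lower().replace("-", ":")


def parse_arp(text):
    """Return (ip, mac, type) for every address row in `arp -a` output."""
    return [(ip, normalize_mac(mac), kind) for ip, mac, kind in ARP_ROW.findall(text)]


def first_octet(mac):
    return int(mac.split(":")[0], 16)


def is_group_address(mac):
    """I/G bit set: broadcast/multicast entries, which never identify a device."""
    return bool(first_octet(mac) & 0x01)


def is_locally_administered(mac):
    """U/L bit set: the address was made up by the device (e.g. a phone's
    randomized 'private Wi-Fi address') rather than burned in by the maker."""
    return bool(first_octet(mac) & 0x02)


def audit(arp_text, known):
    """Sort every live neighbour into known / randomized / unknown."""
    report = {"known": [], "randomized": [], "unknown": []}
    for ip, mac, _kind in parse_arp(arp_text):
        if is_group_address(mac):
            continue
        if mac in known:
            report["known"].append((ip, mac, known[mac]))
        elif is_locally_administered(mac):
            report["randomized"].append((ip, mac))
        else:
            report["unknown"].append((ip, mac))
    return report


if __name__ == "__main__":
    for category, rows in audit(SAMPLE_ARP, KNOWN_DEVICES).items():
        for row in rows:
            print(category, *row)
```

Run `arp -a > arp.txt` on any Windows machine on the network (or paste the router's DHCP client list into the same shape) and feed the text to `audit`. Entries in the "unknown" list deserve a physical search; entries in "randomized" should be matched up by turning each phone's Wi-Fi off and on and watching which address disappears. A match in "known" is not proof of innocence: a bot on a known computer still shows up under that computer's MAC, which is why this inventory has to be combined with the traffic checks further down.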
Additionally, when you first set up your network, you should have turned on wireless encryption with a password that users need to enter to gain access to the network. Use WPA2 (or WPA3 where your router and devices support it) with a long passphrase. Do not use WEP or the original WPA: both are broken, and a neighbour with freely available tools can recover a WEP key in minutes, so a network "protected" by WEP is effectively open. If you never set a security key for the network at all, do that now.
If you seem to be experiencing bandwidth issues, confirm with your ISP that the speeds you think you've subscribed to are actually the ones you're receiving. These are generally stated in megabits per second; a typical cable plan at the time was 15 Mbps down and 3 Mbps up. If you're on a shared node in your neighborhood, check with other users of your ISP to see if they are experiencing the same types of bandwidth problems that you are. Then use a website service like Speedtest.net to measure your speeds both when they are good and when you're having speed problems. The results may not be 100% accurate, since there are so many variables that can affect bandwidth at any given moment, but they give you a rough idea of the actual speeds you're experiencing. When you're having speed issues, it's a good idea to conduct speed tests and log the results for future reference. At Speedtest.net you can set up an account that keeps track of these results for you, and the last time I used it they provided some rudimentary ways to compare your measurements to other users.
As I was doing research for this article I ran across something called a bandwidth monitor program, which can be installed to monitor bandwidth for you, and the Windows netstat command, which I'm also unfamiliar with. But had I known about these tools at the time I would have learned how to use them. In both cases the goal is to determine if there is network activity occurring that you aren't generating.
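For readers in the same position, here is the check that `netstat` makes possible, written as an added example (mine, not the author's and not part of any Windows tool). On Windows, `netstat -ano` lists every open connection and listening port together with the owning process ID, and `tasklist` maps process IDs to program names. The code below parses that output and reports two things a bot gives away: ports it listens on that other machines can reach, and connections it holds to addresses outside your own network, grouped by process. The sample output, the PID-to-program map and the process name `winhlp.exe` are all constructed to look like an infected machine: the fake process listens on 6881 (the default BitTorrent port) and is connected to two outside hosts on 6667, the IRC port that older botnets used for command and control.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of Windows `netstat -ano` output (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    127.0.0.1:5939         0.0.0.0:0              LISTENING       2210
  TCP    0.0.0.0:6881           0.0.0.0:0              LISTENING       5120
  TCP    192.168.1.23:49712     93.184.216.34:443      ESTABLISHED     4312
  TCP    192.168.1.23:49801     198.51.100.17:6667     ESTABLISHED     5120
  TCP    192.168.1.23:49802     203.0.113.9:6667       ESTABLISHED     5120
  TCP    192.168.1.23:49810     192.168.1.40:9100      ESTABLISHED     3104
  TCP    [::]:135               [::]:0                 LISTENING       880
  UDP    0.0.0.0:6881           *:*                                    5120
"""

# Hypothetical PID -> program map, as you would build it from `tasklist`.
PID_IMAGES = {880: "svchost.exe", 2210: "updater.exe", 3104: "spoolsv.exe",
              4312: "chrome.exe", 5120: "winhlp.exe"}

# Programs you expect to use the network on this machine. A starting point only:
# malware frequently borrows these names, so also check where each .exe lives.
EXPECTED = {"svchost.exe", "spoolsv.exe", "chrome.exe"}

# Address ranges that are "inside": your LAN, loopback and link-local.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

# proto, local, foreign, optional state (UDP rows have none), pid
NETSTAT_ROW = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$", re.MULTILINE)


def split_endpoint(endpoint):
    """'192.168.1.23:49712' -> ('192.168.1.23', '49712'); handles '[::]:135' and '*:*'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def is_remote(host):
    """True for an address that is outside every LAN/loopback range above."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:          # '*' or a hostname
        return False
    return not any(addr in net for net in LAN_NETS)


def triage(netstat_text, pid_images, expected):
    """Return (listeners, outbound) owned by processes you did not expect.

    listeners: (program, pid, proto, port) reachable from other machines
    outbound:  {(program, pid): [remote hosts it is talking to]}
    """
    listeners, outbound = [], defaultdict(set)
    for proto, local, foreign, state, pid in NETSTAT_ROW.findall(netstat_text):
        pid = int(pid)
        image = pid_images.get(pid, "<unknown pid>")
        if image.lower() in expected:
            continue
        lhost, lport = split_endpoint(local)
        fhost, _ = split_endpoint(foreign)
        if state == "LISTENING" or (proto == "UDP" and fhost == "*"):
            if lhost not in ("127.0.0.1", "::1"):   # loopback-only listeners are not exposed
                listeners.append((image, pid, proto, int(lport)))
        elif is_remote(fhost):
            outbound[(image, pid)].add(fhost)
    return listeners, {k: sorted(v) for k, v in outbound.items()}


if __name__ == "__main__":
    listeners, outbound = triage(SAMPLE_NETSTAT, PID_IMAGES, EXPECTED)
    for image, pid, proto, port in listeners:
        print(f"LISTENING  {image} (pid {pid}) on {proto} port {port}")
    for (image, pid), hosts in outbound.items():
        print(f"OUTBOUND   {image} (pid {pid}) -> {', '.join(hosts)}")
```

Two caveats belong with this. First, `netstat` asks the operating system for its own connection table, so a rootkit that has compromised the kernel can hide entries from it; the router's or firewall's view of the same machine (the reports described above) is the cross-check. Second, the `EXPECTED` set is about names, and names are cheap: a process called `svchost.exe` that runs from a user's profile folder instead of `C:\Windows\System32` is as suspicious as any stranger. Treat the script as a way to shorten the list you look at by hand, not as a verdict.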
A Few Less Common Signs of Network Hacking
We Actually Experienced all of These!!!!
Some of the more bizarre things that happened while we were in the throes of figuring out what was going on with our network were:
1. Programs would show up on our Windows Start Menus that we hadn't initiated.
2. A few times when we approached one of our Windows desktops to sit down and begin working on something, it showed a 'Syncing' icon as active, but we had never set up or utilized the Windows Sync functions.
3. There were a few instances of actually losing control of a desktop while someone was working on it: i.e. someone else was controlling the cursor, as in a Remote Desktop application.
4. On a few occasions when someone walked by a laptop that was just sitting unattended, there were sounds emanating from it that sounded like televisions shows.
5. Occasionally when we were viewing a television show on one of our TiVos, some weird lines of computer code would be displayed on the television screen.
6. Our network reports, after we installed a hardware firewall, showed individual TiVos were utilizing a large percentage of our network resources. This occurred one at a time, and rotated from one device to another, and our discussion with TiVo technicians revealed that there was no possible reason for this to occur, nor, in their experience, any way for this to occur.
In most of the instances, when we would try to discover the source of the 'disturbance' or try to save evidence of what was happening by recording it with our cell phone's video camera, the weird behavior would abruptly stop, as though someone, somewhere, had knowledge of having been discovered.
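The sixth symptom, one device after another eating most of the link, is the kind of thing a per-client bandwidth report makes visible only if you look at it the right way. As an added example (my code, not the author's, and not tied to any particular router or firewall's export format, which is assumed here to be a simple CSV of hour, MAC address and bytes), the script below flags hours in which a single device both dominates the link and is far above its own normal volume, then lists the distinct devices that took turns doing so. The usage rows and device names are constructed to reproduce the rotating-TiVo pattern: two set-top boxes each saturate the link for an hour, while the laptop's steady streaming is correctly ignored.

```python
import csv
import io
import statistics
from collections import defaultdict

# Constructed per-client usage export: one row per (hour, device), bytes in that hour.
# The column layout is hypothetical; real routers and firewalls each export differently.
SAMPLE_USAGE = """\
bucket,mac,bytes
2011-11-03T20:00,00:11:d9:aa:aa:01,812000000
2011-11-03T20:00,00:11:d9:bb:bb:02,8000000
2011-11-03T20:00,00:1e:06:aa:bb:cc,40000
2011-11-03T20:00,3c:07:54:10:20:30,95000000
2011-11-03T21:00,00:11:d9:aa:aa:01,12000000
2011-11-03T21:00,00:11:d9:bb:bb:02,790000000
2011-11-03T21:00,3c:07:54:10:20:30,110000000
2011-11-03T22:00,00:11:d9:aa:aa:01,9000000
2011-11-03T22:00,00:11:d9:bb:bb:02,11000000
2011-11-03T22:00,3c:07:54:10:20:30,120000000
"""

# Hypothetical names for the sample MACs (from the inventory you keep by hand).
NAMES = {"00:11:d9:aa:aa:01": "TiVo (living room)", "00:11:d9:bb:bb:02": "TiVo (bedroom)",
         "00:1e:06:aa:bb:cc": "printer", "3c:07:54:10:20:30": "laptop"}


def load_usage(text):
    """Parse rows into {bucket: {mac: bytes}}, summing duplicate rows."""
    usage = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(text)):
        usage[row["bucket"]][row["mac"]] += int(row["bytes"])
    return usage


def baselines(usage):
    """Each device's typical hourly volume: the median over all hours it appears in."""
    per_device = defaultdict(list)
    for counts in usage.values():
        for mac, volume in counts.items():
            per_device[mac].append(volume)
    return {mac: statistics.median(v) for mac, v in per_device.items()}


def find_hogs(usage, share_threshold=0.5, burst_factor=5.0):
    """Hours in which one device both dominates the link (>= share_threshold of
    all bytes) and is far above its own normal (>= burst_factor x its median).
    Returns (bucket, mac, share) tuples in time order."""
    typical = baselines(usage)
    flagged = []
    for bucket in sorted(usage):
        counts = usage[bucket]
        total = sum(counts.values())
        if total == 0:
            continue
        mac, volume = max(counts.items(), key=lambda kv: kv[1])
        share = volume / total
        if share >= share_threshold and volume >= burst_factor * max(typical[mac], 1):
            flagged.append((bucket, mac, round(share, 3)))
    return flagged


def rotating_hogs(flagged):
    """Distinct devices that took turns saturating the link."""
    return sorted({mac for _bucket, mac, _share in flagged})


if __name__ == "__main__":
    hits = find_hogs(load_usage(SAMPLE_USAGE))
    for bucket, mac, share in hits:
        print(f"{bucket}  {NAMES.get(mac, mac):22s} {share:.0%} of all traffic")
    print("devices that took turns:", [NAMES.get(m, m) for m in rotating_hogs(hits)])
```

The second condition, comparing a device with its own median, is what keeps an honest heavy user such as a laptop streaming video from being flagged alongside a set-top box that normally moves a few megabytes an hour and suddenly moves hundreds. A device that appears in only one or two hours has no useful baseline yet, so give the export at least a day of data before trusting the result, and treat more than one device on the rotating list as the stronger signal: a single hog can be a firmware update, several taking turns is hard to explain innocently.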
The Actions We Took to Ultimately Regain Control of our Network
And What Didn't Work
Over the course of the year and a half that we knew for sure that we had serious network issues, we attempted to resolve them in a piecemeal fashion. This was both time consuming and expensive. In the long run we replaced every operating system, in most cases upgrading from Windows XP to Windows 7, and we replaced a good deal of our hardware as well. We went through routers like crazy and finally settled on a SonicWall firewall that was also a router. Early on we weren't familiar with how prevalent hardware firewalls have become in the home network environment. We wiped and reinstalled Windows 7 many times, eliminated all of the TiVos, and even replaced a few cell phones and wireless printers along the way. But nothing we did ever prevented the problems from returning.
Eventually we came to grips with the concept that the only real solution would be to do a complete wipe and reinstall of every single device in our home, or that could connect to our network 'inside' the firewall, at the same time. We accomplished this during a Christmas break when our boys were home, so that they could have their devices wiped and reinstalled too. And we made certain that we never reused a hard drive, or even a USB flash drive or CD, that had been used in one of our 'infected' computers during the problem period of time. It seems like years ago, but the wipe and reinstall was actually only done at the beginning of 2012. We utilized a network consultant who single-handedly managed to coordinate and accomplish everything that needed to be done in just one day, and the end result has been extremely gratifying.
The reality of the situation was that while we realized what needed to be done to address the issues sooner, the logistics were daunting, and I don't know that anything could have been accomplished any faster given the boys' school schedules. But we did kind of resist the notion of completely wiping everything simultaneously for a bit too, and in retrospect I'm not sure why that was. So my advice to you, if you are experiencing similar issues, is to learn from our experience, and attack the problem head on, and with full force, at the outset, and save yourself both time and money in the long run.
Firewall Appliances are the Best way to Keep your Network Secure - The ingredient that led to our ultimate success in regaining control of our network was the a
While we were slightly familiar with the type of hardware called firewall appliances, we weren't really aware that they were increasingly being used in home networks. These devices sit between your modem and your network and inspect every packet that goes in or out (vendors call this deep packet inspection), so they can block traffic to known-bad addresses or on ports you never use, and they can show you which device is generating it. Because they work at the edge of the network, they see every device, including ones that can't run antivirus software (set-top boxes, printers, phones), but they don't replace antivirus on the computers themselves, so you still need that as well.
Some additional providers of traditional firewall appliances are: Cisco, Netgear, Juniper, Check Point, WatchGuard, and Barracuda.
There's also a newer, much less expensive type of firewall that's just entering the market now (in 2018), designed to protect homes that have computers, mobile devices and IoT devices too. I'm currently testing out one called Fingbox.
Firewall Advice is Forthcoming
I'm in the process of learning more about the new breed of firewalls that are just starting to come onto the market now. The firewall we installed, made by SonicWall, is intended for businesses and is too expensive for most people to consider using in their homes. But after our experience...the expense is warranted.
When I learn enough to give some good recommendations I'll update this to offer some alternatives to Readers.