'Botnet' is a
jargon term for a collection of
software robots, or
bots, which run autonomously. This can also refer to the network of computers using
distributed computing software.
While the term "botnet" can be used to refer to any group of bots, such as
IRC bots, the word is generally used to refer to a collection of compromised computers (called
zombie computers) running programs, usually referred to as
worms,
Trojan horses, or
backdoors, under a common
command and control infrastructure. A botnet's originator (aka "bot herder") can control the group remotely, usually through a means such as
IRC, and usually for nefarious purposes. Individual programs manifest as IRC "bots". Often the command and control takes place via an
IRC server or a specific channel on a public IRC network. A bot typically runs hidden, and complies with the RFC 1459 (IRC) standard. Generally, the perpetrator of the botnet has compromised a series of systems using various tools (exploits, buffer overflows, as well as others; see also
RPC). Newer bots can automatically scan their environment and propagate themselves using vulnerabilities and weak passwords. Generally, the more vulnerabilities a bot can scan and propagate through, the more valuable it becomes to a botnet controller community.
Botnets have become a significant part of the
Internet, albeit increasingly hidden. Due to most conventional IRC networks taking measures and blocking access to previously-hosted botnets, controllers must now find their own servers. Often, a botnet will include a variety of connections, ranging from
dial-up,
ADSL and
cable, and a variety of network types, including educational, corporate, government and even military networks. Sometimes, a controller will hide an IRC server installation on an educational or corporate site, where high-speed connections can support a large number of other bots. Exploitation of this method of using a bot to host other bots has proliferated only recently, as most
script kiddies do not have the knowledge to take advantage of it.
Several botnets have been found and removed from the Internet. The
Dutch police found a 1.5 million node botnet
[1] and the Norwegian ISP
Telenor disbanded a 10,000 node botnet.
[2] Large coordinated international efforts to shutdown botnets have also been initiated.
[3] It has been estimated that up to one quarter of all personal computers connected to the internet are part of a botnet.
[4]
Organization
Botnet servers will often liaise with other botnet servers, such that a group may contain 20 or more individual cracked high-speed connected machines as servers, linked together for purposes of greater redundancy. Actual botnet communities usually consist of one or several controllers who consider themselves as having legitimate access to a group of bots. Such controllers rarely have highly-developed command hierarchies between themselves; they rely on individual friend-to-friend relationships. Often conflicts will occur between the controllers as to who gets the individual rights to which machines, and what sorts of actions they may or may not permit. There have been several famous botnet collections, known as VastGsm, OG, Rob-, and many others. They have infected millions of computers via the latest exploits.
Formation and exploitation
Using a botnet to send spam
This example illustrates how a botnet is created and used to send
email spam.
# A botnet operator sends out
viruses or
worms, infecting ordinary users' computers, whose payload is a trojan application -- the ''bot''.
# The ''bot'' on the infected PC logs into a particular IRC server (or in some cases a web server). That server is known as the command-and-control server (C&C).
# A spammer purchases access to the botnet from the operator.
# The spammer sends instructions via the IRC server to the infected PCs, causing them to send out spam messages to mail servers.
Botnets are exploited for various purposes, including
denial-of-service attacks, creation or misuse of
SMTP mail relays for
spam (see
Spambot),
click fraud, and the theft of application serial numbers, login IDs, and financial information such as credit card numbers.
The botnet controller community features a constant and continuous struggle over who has the most bots, the highest overall bandwidth, and the largest amount of "high-quality" infected machines, like university, corporate, and even government machines.
Botnet lifecycle
★ Bot-herder configures initial bot parameters such as
infection vectors, payload, stealth, C&C details
★ Register DDNS
★ Bot-herder launches or seeds new bot(s)
★ Bots spreading -- growing
★ Losing bots to other botnets
★ Stasis -- not growing
★ Abandon botnet and sever traces
★ Unregister DDNS
★ Single bot's lifecycle
★
★ Establish C&C
★
★ Scanning for vulnerable targets to install bots
★
★ Take-down
★
★ Recovery from take-down
★
★ Upgrade with new bot code
★
★ Idle
Types of attacks
Main articles: Denial-of-service attack
Main articles: Adware
Main articles: Spyware
Main articles: E-mail spam
Main articles: Click fraud
Preventive measures
If a machine receives a
denial-of-service attack from a botnet, few choices exist. Given the general geographic dispersal of botnets, it becomes difficult to identify a pattern of offending machines, and the sheer volume of
IP addresses does not lend itself to the
filtering of individual cases.
Passive OS Fingerprinting can identify attacks originating from a botnet: network administrators can configure newer firewall equipment to take action on a botnet attack by using information obtained from Passive OS Fingerprinting. The most serious preventative measures utilize rate-based
intrusion prevention systems implemented with specialized hardware.
Botnets typically use free
DNS hosting services such as
DynDns.org,
No-IP.com, &
Afraid.org to point a
subdomain towards an IRC server that will harbor the bots. While these free DNS services do not themselves host attacks, they provide reference points, often hard-coded into the botnet executable. Removing such services can cripple an entire botnet. Recently, these companies have undertaken efforts to purge their domains of these subdomains. The botnet community refers to such efforts as "
nullrouting", because the DNS hosting services usually direct the offending subdomains to an inaccessible IP address.
The botnet server structure mentioned above has inherent vulnerabilities and problems. For example, if one was to find one server with one botnet channel, often all other servers, as well as other bots themselves, will be revealed. If a botnet server structure lacks
redundancy, the disconnection of one server will cause the entire botnet to collapse, at least until the controller(s) decides on a new hosting space. However, more recent
IRC server software includes features to mask other connected servers and bots, so that a discovery of one channel will not lead to disruption of the botnet.
Security vendor, Symantec, has recently released a product named "Norton AntiBot" specifically designed to combat the "botnet pandemic". The tool is available here:
[1]. Free trialware of Norton AntiBot is also available.
See also
★
Storm botnet
★
Buffer overflow
★
Computer worms
★
Denial of Service attacks
★
Dosnet
★
Bot
★
Malbot
★
★
Clickbot.A
★
Script kiddie
★
E-mail spam
★
Spambot
★
Timeline of notable computer viruses and worms
★
Trojan horse
★
Zombie computer
References
1. Dutch Botnet Suspects Ran 1.5 Million Machines by Gregg Keizer, TechWeb Technology News.
2. Telenor takes down 'massive' botnet by John Leyden, The Register.
3. ISPs urged to throttle spam zombies by John Leyden, The Register.
4. Criminals 'may overwhelm the web', ''BBC'', 25 January 2007.
External links
★
SwatIt - Bots, Drones, Zombies, Worms - A gallery of botnet structure
★
The Shadowserver Foundation - An all volunteer security watchdog group that gathers, tracks, and reports on malware, botnet activity, and electronic fraud.
★
NANOG Abstract: Botnets - John Kristoff's NANOG32 Botnets presentation
★
Mobile botnets - An economic and technological assessment of mobile botnets
★
Lowkeysoft - Intrusive analysis of a web-based proxy botnet (including administration screenshots)
★
Honeynet - Know Your Enemy: Tracking Botnets - German research paper
★
WhiteStar - Botnets discussion mailing list
★
EWeek.com - Is the Botnet Battle Already Lost?
★
Wired Magazine - Attack of the Bots - How one company fought the new Internet mafia – and lost
★
Dark Reading - Botnets Battle Over Turf
العربية
中国
Français
Deutsch
Ελληνική
हिन्दी
Italiano
日本語
Português
Русский
Español
