A botnet is a collection of Internet-connected programs communicating with other similar programs in order to perform tasks. This can be as mundane as keeping control of anInternet Relay Chat (IRC) channel, or it could be used to send spam email or participate in distributed denial-of-service attacks. The word botnet is a combination of the wordsrobot and network.
A quick introduction to botnets – what they are, how they work and the potential consequences of being unwittingly press-ganged into a botnet array.
What is a Botnet?
To understand botnets, we first need to know more about ‘bots’. The term ‘bot’ or ‘robot’ program refers to a program that:
• Performs repetitive tasks OR
• Acts as an ‘agent’ or user interface for controlling other programs
Bots can be very beneficial programs when they are designed to assist a human user, either by automating a simple task, or by simplifying a user’s control over various programs or systems.
Unfortunately, bots can also be created to perform malicious tasks that compromise the system or any information stored on the machine. The ‘bot’ in botnets definitely refers to the second type, as these bots are used by an attacker to ‘hijack’ and control a computer system.
These malicious bots can arrive on a victim machine in many ways. The most common method involves dropping the bot in the payload of a Trojan or a similar malware. Other methods include infecting the computer via a drive-by download, or distributing the bot via spam e-mail messages with infected attachments.
Once installed, the bot can take control of the sytem. A remote attacker can then give commands to the infected computer via the bot and force it to perform malicious actions. In this context, a bot is very similar to a backdoorprogram, which is also forcibly planted on a computer and used by a remote attacker to direct the infected machine.
When more than one computer has the same bot installed on it, the multiple infected machines form a network, which is under the direct control of the attacker. This network is a botnet – a network of ‘enslaved’ computer systems infected with malicious bot programs. A single machine in a botnet can be referred to as a ‘bot’, a ‘zombie’ or a ‘zombie computer’.
How A Botnet Is Controlled
The attacker giving directions to the botnet is usually referred to as the botherder or controller. Botnets used to be run by individuals, but in recent years, botnets have become more ‘commercialized’, and it is thought that many botnets nowadays are in the hands of criminal syndicates.
To control the botnet, the botherder uses an application known as a client program to issues commands to the bot programs installed on zombies. This is very similar to how a backdoor is controlled and allows the botherder to operate very efficiently, as they can easily give instructions to a single zombie, or multiple zombies, or even the entire botnet – all via a single client program.
Using the client, the botherder can direct a single zombieto perform a certain action. For example, it can be ordered to send all the e-mail addresses stored on its hard drive to a remote website, where it can be added to a spammer’s mailing list. Alternatively, all the zombies in the botnet can be commanded to perform the same routine, such as sending requests to a specific website (basically, a Denial of Service or DoS attack).
The relationship between the zombies and the client controlling them is known as a command-and-control (C&C)infrastructure. The zombie or website or server that hosts the client is known as the C&C server. The following image is a simplified view of this infrastructure:
Of course, in real life, a botnet’s organization can be far more complicated. Some botnets will use multiple C&C servers, using the redundancy as a type of protection; others will have only one C&C server, but will continually change the machine the client application is saved on, also for better security.
Botherders put in all these security measures for one simple reason: the C&C server is the nerve center of the entire botnet, and also its Achilles heel.
Botnet Take-Downs
To ‘kill’ a botnet, one of the most effective methods is to find and take down the C&C server. This action will usually be done by legal authorities such as national Computer Emergency Response Teams (CERTs), and effectively prevents the botherders from sending commands to their botnet. The zombies would still be infected, but because no new directions are coming in, they do not actively engage in malicious activities. This also makes it easier for administrators to take control of and disinfect their zombies, and implement more protective measures.
One noteworthy botnet takedown of recent years involved the rogue McColo Internet Service Provider (ISP), a US-based web hosting firm which many security experts believed hosted the C&C servers for a number of botnets (as well as malicious websites and other unsavory offerings). Following the takedown, the level of spam send globally over the Internet was estimated to have dropped by as much as 60 to 75 percent, depending on sources cited.
As botnets have become more sophisticated however, botherders have developed a number of techniques that made tracking down the C&C server almost impossible, forcing security researchers and CERTs to develop improved or new techniques to deal with the changing botnet threat.
Why are Botnets a Threat?
Botnets are considering a menace for three simple reasons:
• To build them, attackers have to ‘steal’ a computer from its legitimate user
• Botnet operations can directly impact large numbers of real-world organizations and individuals
• Botnets appear to be increasing in size and capability
When a computer is harnessed into a botnet, the effects of the ‘theft’ can be direct, immediate and far-reaching. While ‘in use’ by the botherder, the machine may not perform its normal tasks effectively, or at all. If the compromised computer belongs to a major corporate, government, military or healthcare organization, a business or critical social service may be affected. Possible consequences may range from the relatively benign to significant.
For example, some of the machines pulled into the Conficker botnet were personal home computers; others were military resources in the United States, the United Kingdom and France. Many home users noticed no repercussions; others experienced major connection issues. Meanwhile, the various militaries concerned were forced to take significant disinfection actions due to security concerns.
Widespread Repercussions
Once created, a botnet can be used to commit more malicious acts, such as stealing data, sending out spam and launching attacks. Even then, a botnet might be considered only a nuisance if its impact were limited to a few dozen, or even hundreds of infected machines. Unfortunately, botnets can perform actions that directly affect hundreds of thousands, or even millions of people.
For example, one botnet known as Srizbi is thought to be responsible for up to 60 percent of all spam e-mails sent out globally in 2008 (approximately 60 billion messages per day), a major nuisance to the ISPs, businesses and home users who had to deal with the unwanted messages.
Another example involves the Conficker botnet, which some analysts believe has caused a disproportionately large effect on the Internet infrastructure of entire developing countries, in many cases severely impacting businesses and home users in the affected countries.
These examples show the impact botnets can have. These real-life cases involve the botnets of today, which can have zombies numbering in the hundreds of thousands, and even millions. What happens in the future, if the botnet becomes even larger?
With Greater Size Comes Greater Power
Generally, a botnet’s potential threat increases with its size, as the increased resources gives the controllers more power or capacity for their activities. For example, a DoS attack from a massive botnet is even harder to defend against than a similar attack from a smaller one, simply because a bigger botnet can generate more attack code.
There was a time – even as late as 2006 – when a big botnet comprised of hundreds, or at most, thousands of infected machines. Those days are long gone however, as contemporary botnets dwarf their predecessors. The Srizi botnet is thought to have about 250,000 infected computers, while the later Conficker botnet is estimated to have anywhere from 9 million to 15 million computers, depending on the source cited.
Unfortunately, current trends show that more and more users are connecting to the Internet, especially from developing countries. This translates to an increasing number of computers vulnerable to infection – and potentially far larger botnets emerging in the near future.
What Attackers Can Do With A Botnet
An attacker who controls a botnet can do a wide range of actions, both TO individual machines in the botnet and WITH the entire resources of the botnet.
Data Harvesting
Most people store highly sensitive personal information on their computers – personal identification, work-related materials, e-mail addresses of all contacts and so on. If all these details are stored on a computer in a botnet, then the bot herder is almost guaranteed access to it. Such information can be sold, often to criminals intent on perpetrating or facilitating fraud.
Botnets also actively harvest information related to banking accounts. For example, during research into the activities of the Torpig botnet in 2007, researchers observed the theft of credentials for thousands of accounts belonging to hundreds of financial institutions – all in a period of 10 days.
Stolen Resources
Rather than purchase all the hardware and bandwidth necessary for their operations, botnet controllers can siphon the physical resources they need (processing power, storage space, bandwidth, etc) from their zombies. These resources can be put to various uses, such as:
- Cyber attacks
A botnet can be used to launch a Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack against a target. The target can be any resource linked to the Internet, be it a major corporate website or a military database. - Spam Generators
Probably the most common way a botnet is used is to send out massive quantities of spam e-mails. Botnets known to perform this activity include Srizi and Storm. To give an idea of the size of this activity, in 2008 about 153 billion spam messages were sent out every day – an estimated 60 percent of which is botnet-generated. - Malware Distributors
Another “product” being distributed by botnets is malware – trojans, viruses, worms and other things of that ilk. These offerings may be attached to spam e-mails or sent out via vulnerability exploits, or other methods. - Storage Space
Zombies in a botnet may also be used is as an illicit warehouse to store all the malicious or objectionable “merchandise” the botnet operators handle. The stored data may be everything from harvested personal details to pornographic images.
Rental
Last but not least, botnet ‘owners’ can rent use of the botnet to other users, almost always for malicious purposes. This is an increasingly lucrative activity for the botnet herders. According to Yuval Ben-Itzhak, Chief Technology Officer of computer security company Finjan, the botnet controllers can “make as much as $190,000 in one day” renting out “their” computers.
Network and CyberSecurity Professional 