Botnets

A botnet is a group of computers controlled without their owners’ knowledge and used to send spam or mount denial-of-service attacks. Malware is used to hijack the individual computers, also known as “zombies,” and to relay the controller’s instructions through them. Botnets are best known in connection with large spam networks, frequently based in the former Soviet Union.

It may

An increasing number of home users have high-speed connections for computers that may be inadequately protected. A zombie or bot is often created through an Internet port that has been left open and through which a small Trojan horse program can be planted for future activation. At a chosen time, the zombie army’s “controller” can unleash the army by sending a single command, possibly from an Internet Relay Chat (IRC) channel.

The computers that form a botnet can be programmed to redirect transmissions to a specific computer, such as a Web site that can be closed down by having to handle too much traffic – a distributed denial-of-service (DDoS) attack – or, in the case of spam distribution, to many computers. The motivation for a zombie master who creates a DDoS attack may be to cripple a competitor. The motivation for a zombie master sending spam is in the money to be made. Both of them rely on unprotected computers that can be turned into zombies.

Types of Botnets

Botnets are increasingly rented out by cyber criminals as commodities for a variety of purposes, including denial-of-service attacks, creation or misuse of SMTP mail relays for spam, click fraud, mining bitcoins, spamdexing, and the theft of application serial numbers, login IDs, and financial information such as credit card numbers.

Computers can be co-opted into a botnet when they execute malicious software. This can be accomplished by luring users into making a drive-by download, exploiting web browser vulnerabilities, or by tricking the user into running a Trojan horse program, which may come from an email attachment. This malware will typically install modules that allow the computer to be commanded and controlled by the botnet’s operator. After the software is downloaded, it will call home (send a reconnection packet) to the host computer. When the re-connection is made, depending on how it is written, a Trojan may then delete itself, or may remain present to update and maintain the modules. Many computer users are unaware that their computer is infected with bots.

The first botnet was acknowledged and exposed by Earthlink in 2001, during a lawsuit against the notorious spammer Khan C. Smith; it was used for bulk spam and accounted for nearly 25% of all spam at the time.

Structure and Working

A botnet’s originator (known as a “bot herder” or “bot master”) controls the group remotely, usually through IRC, and often for criminal purposes. The server from which commands are issued is known as the command-and-control (C&C) server. Though rare, more experienced botnet operators program command protocols from scratch. Such a protocol comprises a server program, a client program that carries out the operations, and a program that embeds the client on the victim’s machine. These components communicate over a network, using a unique encryption scheme for stealth and for protection against detection of, or intrusion into, the botnet.

A bot typically runs hidden and uses a covert channel (e.g. the RFC 1459 (IRC) standard, Twitter, or IM) to communicate with its C&C server. Generally, the perpetrator has compromised multiple systems using various tools (exploits, buffer overflows, and others; see also RPC). Newer bots can automatically scan their environment and propagate themselves using vulnerabilities and weak passwords. Generally, the more vulnerabilities a bot can scan for and propagate through, the more valuable it becomes to the botnet controller community. The process of stealing computing resources by joining a system to a “botnet” is sometimes referred to as “scrumping.”

Botnet servers are typically redundant and linked to one another, so that taking down any one of them does not disable the botnet. Actual botnet communities usually consist of one or several controllers that rarely have highly developed command hierarchies; they rely on individual peer-to-peer relationships.

Botnet architecture evolved over time, and not all botnets exhibit the same topology for command and control. Advanced topology is more resilient to shutdown, enumeration or discovery. However, some topologies limit the marketability of the botnet to third parties. Typical botnet topologies are star, multi-server, hierarchical and random.
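The resilience claim above can be made concrete by modelling each named topology as a small graph and counting how many bots the herder can still reach after a single node is taken down. This is an added illustration, not part of the tutorial: the graphs, node names (`herder`, `c2`, `proxy0`, `bot0`, …) and sizes are constructed toy models, and the “random” topology is represented here as a peer-to-peer ring with random chords.

```python
"""Takedown resilience of the four C&C topologies named in the text.

Added example, not part of the tutorial: each topology is a constructed toy
graph (an edge means "can relay commands to"); we count how many bots the
herder can still reach after a given node has been taken down."""
import random
from collections import deque


def reachable_bots(graph, bots, removed=frozenset(), herder="herder"):
    """BFS from the herder, skipping taken-down nodes; returns the number of
    bots that can still receive commands."""
    seen = {herder}
    queue = deque([herder])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in removed and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sum(1 for b in bots if b in seen)


def _bots(n):
    return [f"bot{i}" for i in range(n)]


def star(n):
    """Star: one C&C server, every bot talks only to it."""
    bots = _bots(n)
    return {"herder": {"c2"}, "c2": set(bots)}, bots


def multi_server(n, servers=3):
    """Multi-server: several equivalent C&C servers, every bot knows all of them."""
    bots = _bots(n)
    names = [f"c2-{j}" for j in range(servers)]
    graph = {"herder": set(names)}
    for s in names:
        graph[s] = set(bots)
    return graph, bots


def hierarchical(n, proxies=3):
    """Hierarchical: C&C server -> proxy layer -> bots; a bot knows only its proxy."""
    bots = _bots(n)
    names = [f"proxy{j}" for j in range(proxies)]
    graph = {"herder": {"c2"}, "c2": set(names)}
    for j, p in enumerate(names):
        graph[p] = {b for i, b in enumerate(bots) if i % proxies == j}
    return graph, bots


def random_p2p(n, seed=7, chords=1):
    """Random/P2P (constructed model): bots form a ring plus random chords and
    the herder injects commands through two seed peers, so there is no single
    server to take down."""
    rng = random.Random(seed)
    bots = _bots(n)
    graph = {b: set() for b in bots}
    for i, b in enumerate(bots):
        peers = [bots[(i + 1) % n]] + rng.sample(bots, chords)
        for p in peers:
            if p != b:
                graph[b].add(p)
                graph[p].add(b)
    graph["herder"] = {bots[0], bots[1]}
    return graph, bots


def takedown_report(n=12):
    """Bots still controllable after taking down the most obvious single target
    in each topology: the only server, one of the servers, one proxy, or one
    seed peer."""
    results = {}
    for name, (graph, bots), target in [
        ("star", star(n), "c2"),
        ("multi-server", multi_server(n), "c2-0"),
        ("hierarchical", hierarchical(n), "proxy0"),
        ("random", random_p2p(n), "bot0"),
    ]:
        results[name] = reachable_bots(graph, bots, {target})
    return results


if __name__ == "__main__":
    for topology, still_controlled in takedown_report().items():
        print(f"{topology:13s} bots still reachable after takedown: {still_controlled}/12")
```

With twelve bots, removing the single server empties the star botnet, while the multi-server, hierarchical and peer-to-peer layouts keep all, two thirds and all but the removed peer respectively; this is the trade-off the paragraph describes, since the more resilient layouts are also the ones that are harder to hand over cleanly to a renter.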

This example illustrates how a botnet is created and used to send email spam.

  1. A botnet operator sends out viruses or worms whose payload is a malicious application, the bot, infecting ordinary users’ computers.
  2. The bot on the infected PC logs into a particular C&C server.
  3. A spammer purchases the services of the botnet from the operator.
  4. The spammer provides the spam messages to the operator, who instructs the compromised machines via the control panel on the web server, causing them to send out spam messages.
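Step 2 above, together with the earlier description of bots calling home over a covert channel, is what a defender can look for on the network: many internal hosts logging into the same external server, each at a regular interval. The following is an added example, not the tutorial’s own material, of that detection logic run over constructed connection-log lines; the addresses (RFC 5737 documentation ranges and a private 10.0.0.0/8 network), timestamps and thresholds are all assumptions.

```python
"""Beacon and fan-in detection over constructed connection logs.

Added example, not from the tutorial: flags (a) hosts that contact one server
at a near-constant interval ("calling home") and (b) servers contacted by many
distinct internal hosts (many zombies, one C&C server)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log, one connection per line: "epoch_seconds src dst dst_port".
# Hosts 10.0.0.5/.6/.7 beacon every 300 s to 203.0.113.10 on 6667 (the IRC port);
# 10.0.0.9 is ordinary browsing: irregular timing, several destinations.
SAMPLE_LOG = """\
1000 10.0.0.5 203.0.113.10 6667
1300 10.0.0.5 203.0.113.10 6667
1600 10.0.0.5 203.0.113.10 6667
1900 10.0.0.5 203.0.113.10 6667
1010 10.0.0.6 203.0.113.10 6667
1310 10.0.0.6 203.0.113.10 6667
1610 10.0.0.6 203.0.113.10 6667
1910 10.0.0.6 203.0.113.10 6667
1020 10.0.0.7 203.0.113.10 6667
1320 10.0.0.7 203.0.113.10 6667
1620 10.0.0.7 203.0.113.10 6667
1920 10.0.0.7 203.0.113.10 6667
1005 10.0.0.9 198.51.100.20 443
1047 10.0.0.9 198.51.100.21 443
1400 10.0.0.9 198.51.100.22 443
1433 10.0.0.9 198.51.100.20 443
1890 10.0.0.9 198.51.100.23 80
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, port) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, port = parts
        events.append((int(ts), src, dst, int(port)))
    return events


def find_beacons(events, min_connections=4, max_jitter=0.2):
    """Return {(src, dst, port): mean_interval} for flows whose inter-connection
    gaps are nearly constant (standard deviation / mean <= max_jitter)."""
    flows = defaultdict(list)
    for ts, src, dst, port in events:
        flows[(src, dst, port)].append(ts)
    beacons = {}
    for key, times in flows.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = avg
    return beacons


def find_fan_in(events, min_sources=3):
    """Return {(dst, port): [src, ...]} for servers contacted by at least
    min_sources distinct internal hosts."""
    sources = defaultdict(set)
    for _, src, dst, port in events:
        sources[(dst, port)].add(src)
    return {k: sorted(v) for k, v in sources.items() if len(v) >= min_sources}


def suspected_c2(events):
    """Servers that both receive regular beacons and show fan-in from several
    hosts; the value is the list of hosts worth investigating."""
    fan_in = find_fan_in(events)
    suspects = defaultdict(list)
    for (src, dst, port), _interval in find_beacons(events).items():
        if (dst, port) in fan_in:
            suspects[(dst, port)].append(src)
    return {k: sorted(v) for k, v in suspects.items()}


if __name__ == "__main__":
    for (server, port), hosts in suspected_c2(parse_log(SAMPLE_LOG)).items():
        print(f"possible C&C {server}:{port}, beaconing hosts: {', '.join(hosts)}")
```

On the constructed log the three beaconing hosts and their shared IRC-port server are reported while the browsing host is not; on real traffic the thresholds need tuning, since legitimate software (update checks, monitoring agents) also beacons, so the fan-in condition and the destination’s reputation are what turn a beacon into a lead.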
