A botnet or robot network is a group of computers running a computer application controlled and manipulated only by the owner or the software source. The botnet may refer to a legitimate network of several computers that share program processing amongst them.
Usually though, when people talk about botnets, they are talking about a group of computers infected with the malicious kind of robot software, the bots, which present a security threat to the computer owner. Once the robot software (also known as malicious software or malware) has been successfully installed in a computer, this computer becomes a zombie or a drone, unable to resist the commands of the bot commander.
A botnet may be small or large depending on the complexity and sophistication of the bots used. A large botnet may be composed of ten thousand individual zombies. A small botnet, on the other hand may be composed of only a thousand drones. Usually, the owners of the zombie computers do not know that their computers and their computers' resources are being remotely controlled and exploited by an individual or a group of malware runners through Internet Relay Chat (IRC).
There are various types of malicious bots that have already infected and are continuing to infect the Internet. Some bots have their own spreaders - the script that lets them infect other computers (this is the reason why some people dub botnets as computer viruses) - while some smaller types of bots do not have such capabilities.
Malicious Uses of Botnets
A botnet can have a lot of malicious applications. Among the most popular uses of botnets are the following:
Denial of Service Attacks
A botnet can be used as a distributed denial of service weapon. A botnet attacks a network or a computer system for the purpose of disrupting service through the loss of connectivity or consumption of the victim network's bandwidth and overloading of the resources of the victim's computer system. Botnet attacks are also used to damage or take down a competitor's website.
Any Internet service can be a target by botnets. This can be done through flooding the website with recursive HTTP or bulletin-board search queries. This mode of attack in which higher level protocols are utilized to increase the effects of an attack is also termed as spidering.
Spamming and Traffic Monitoring
A botnet can also be used to take advantage of an infected computer's TCP/IP's SOCKS proxy protocol for networking applications. After compromising a computer, the botnet commander can use the infected unit (a zombie) in conjunction with other zombies in his botnet (robot network) to harvest email addresses or to send massive amounts of spam or phishing mails.
Moreover, a bot can also function as a packet sniffer to find and intercept sensitive data passing through an infected machine. Typical data that these bots look out for are usernames and passwords which the botnet commander can use for his personal gain. Data about a competitor botnet installed in the same unit is also mined so the botnet commander can hijack this other botnet.
Keylogging and Mass Identity Theft
An encryption software within the victims' units can deter most bots from harvesting any real information. Unfortunately, some bots have adapted to this by installing a keylogger program in the infected machines. With a keylogger program, the bot owner can use a filtering program to gather only the key sequence typed before or after interesting keywords like PayPal or Yahoo Mail. This is one of the reasons behind the massive PayPal accounts theft for the past several years.
Bots can also be used as agents for mass identity theft. It does this through phishing or pretending to be a legitimate company in order to convince the user to submit personal information and passwords. A link in these phishing mails can also lead to fake PayPal, eBay or other websites to trick the user into typing in the username and password. Botnet Spread
Botnets can also be used to spread other botnets in the network. It does this by convincing the user to download after which the program is executed through FTP, HTTP or email.
Pay-Per-Click Systems Abuse
Botnets can be used for financial gain by automating clicks on a pay-per-click system. Compromised units can be used to click automatically on a site upon activation of a browser. For this reason, botnets are also used to earn money from Google's Adsense and other affiliate programs by using zombies to artificially increase the click counter of an advertisement.
- What is a Botnet? TechFAQ.com]
- Wired.com How-to: Build your own botnet with open source software
- The Honeynet Project & Research Alliance, "Know your Enemy: Tracking Botnets".
- SwatIt - Bots, Drones, Zombies, Worms - A gallery of botnet structure.
- The Shadowserver Foundation - An all volunteer security watchdog group that gathers, tracks, and reports on malware, botnet activity, and electronic fraud.
- NANOG Abstract: Botnets - John Kristoff's NANOG32 Botnets presentation.
- Mobile botnets - An economic and technological assessment of mobile botnets.
- Lowkeysoft - Intrusive analysis of a web-based proxy botnet (including administration screenshots).
- EWeek.com - Is the Botnet Battle Already Lost?.
- Wired Magazine - Attack of the Bots - How one company fought the new Internet mafia – and lost.
- Dark Reading - Botnets Battle Over Turf.
- List of dynamic (dsl, cable, modem, etc) addresses - Filter SMTP mail for hosts likely to be in botnets.
- VX CHAOS File Server - Bots and Botnets - Bot and Botnet Source Codes and Snippets for IT Security and Anti-Virus Researchers.
- ATLAS Global Botnets Summary Report - Real-time database of malicious botnet command and control servers.
- FBI LAX Press Release DOJ - FBI April 16, 2008