Botnet
Encyclopedia
A botnet is a collection of compromised computers connected to the Internet
. Termed "bots," they are generally used for malicious purposes. When a computer becomes compromised, it becomes a part of a botnet. Botnets are usually controlled via standards based network protocols such as IRC
and http.
individual that could sit in an IRC channel and perform tasks while the user was too occupied to do so. Soon after the release of the first IRC bot, a few worms which exploited vulnerabilities in IRC clients began to appear. Infected computers, or newly formed "bots", were then used to steal passwords, log keystrokes, and act as a proxy server to conceal the attackers identity.
Botnets were used for both recognition and financial gain -- indeed, the larger the botnet, the more ‘kudos’ the person ('bot herder') orchestrating the botnet could claim in underground online communities. The bot herder
can also ‘rent out’ the services of the botnet to third parties, usually for sending out spam messages or performing a denial of service attack against a remote target. Due to the large numbers of compromised machines within the botnet, huge volumes of traffic (either email or denial of service) can be generated. However, in recent times, the volume of spam originating from a single compromised host has dropped in order to thwart anti-spam detection algorithms – a larger number of compromised hosts send a smaller number of messages in order to evade detection by anti-spam techniques.
Botnets have become a significant part of the Internet
, albeit increasingly hidden. Due to most conventional IRC networks taking measures and blocking access to previously-hosted botnets, controllers must now find their own servers. Often, a botnet will include a variety of connections and network types. Sometimes a controller will hide an IRC server installation on an educational or corporate site where high-speed connections can support a large number of other bots. Exploitation of this method of using a bot to host other bots has proliferated only recently.
Several botnets have been found and removed from the Internet. The Dutch police found a 1.5 million node botnet and the Norwegian ISP Telenor
disbanded a 10,000-node botnet. In July 2010, the FBI arrested a 23-year old Slovenian said to have integrated an estimated 12 million computers into a botnet. Large coordinated international efforts to shut down botnets have also been initiated. It has been estimated that botnets control up to 15% of computers worldwide that are connected to the internet. Conficker
is one of the largest known botnets, with an estimated 1 million to 10 million infected machines. It attempts to sell fake antivirus software to its victims.
exploiting web browser vulnerabilities, or by tricking the user into running a Trojan horse
program, possibly in an email attachment. As with any malware, there is no general rule; the software controls the computer and can do anything. It will typically install modules which allow the computer to be commanded and controlled by the botnet's owner. The Trojan may delete itself, or may remain present to update and maintain the modules.
The public warez scene is used to spread malicious software for the recruitment of new bots. Some websites have the malicious software embedded in all their available downloads. There is a false belief among some users, who think that infected keygens are flagged as malicious software by anti-virus programs for only the illegal aspect of the software.
While the term "botnet" can be used to refer to any group of bots, such as IRC bot
s, this word is generally used to refer to a collection of computers (called zombie computer
s) which have been recruited by running malicious software.
A botnet's originator (aka "bot herder
" or "bot master") can control the group remotely, usually through a means such as IRC, and usually for nefarious purposes. Individual programs manifest as IRC "bots". Often the command-and-control takes place via an IRC server or a specific channel on a public IRC network. This server is known as the command-and-control server ("C&C"). Though rare, more experienced botnet operators program their own command protocols from scratch. The constituents of these protocols include a server program, a client program for operation, and the program that embeds itself on the victim's machine (bot). All three of these usually communicate with each other over a network using a unique encryption scheme for stealth and protection against detection or intrusion into the botnet network.
A bot typically runs hidden and uses a covert channel (e.g. the RFC 1459 (IRC) standard, Twitter, or IM) to communicate with its C&C server. Generally, the perpetrator of the botnet has compromised a series of systems using various tools (exploits, buffer overflows, as well as others; see also RPC
). Newer bots can automatically scan their environment and propagate themselves using vulnerabilities and weak passwords. Generally, the more vulnerabilities a bot can scan and propagate through, the more valuable it becomes to a botnet controller community. The process of stealing computing resources as a result of a system being joined to a "botnet" is sometimes referred to as "scrumping."
Botnet servers will often liaise with other botnet servers, such that a group may contain 20 or more individual cracked high-speed connected machines as servers, linked together for purposes of greater redundancy. Actual botnet communities usually consist of one or several controllers that rarely have highly-developed command hierarchies between themselves; they rely on individual friend-to-friend relationships.
The architecture of botnets has evolved over time, and not all botnets exhibit the same topology for command and control. Depending upon the topology implemented by the botnet, it may make it more resilient to shutdown, enumeration, or command and control location discovery. However, some of these topologies limit the saleability and rental potential of the botnet to other third-party operators. Typical botnet topologies are:
To thwart detection, some botnets are scaling back in size. As of 2006, the average size of a network was estimated at 20,000 computers, although larger networks continued to operate.
Botnets are exploited for various purposes, including denial-of-service attack
s, creation or misuse of SMTP mail relays for spam (see Spambot
), click fraud
, spamdexing
and the theft of application serial numbers, login IDs
, and financial information such as credit card numbers
.
The botnet controller community features a constant and continuous struggle over who has the most bots, the highest overall bandwidth, and the most "high-quality" infected machines, like university, corporate, and even government machines.
does not lend itself to the filtering of individual cases. Passive OS fingerprinting can identify attacks originating from a botnet: network administrators can configure newer firewall equipment to take action on a botnet attack by using information obtained from passive OS fingerprinting. The most serious preventive measures utilize rate-based intrusion prevention systems implemented with specialized hardware. A network based intrusion detection system (NIDS) will be an effective approach when detecting any activities approaching botnet attacks. NIDS monitors a network, it sees protected hosts in terms of the external interfaces to the rest of the network, rather than as a single system, and get most of its results by network packet analysis.
Some botnets use free DNS
hosting services such as DynDns.org, No-IP.com, and Afraid.org to point a subdomain
towards an IRC server that will harbor the bots. While these free DNS services do not themselves host attacks, they provide reference points (often hard-coded into the botnet executable). Removing such services can cripple an entire botnet. Recently, these companies have undertaken efforts to purge their domains of these subdomains. The botnet community refers to such efforts as "nullrouting", because the DNS hosting services usually re-direct the offending subdomains to an inaccessible IP address. Similarly, some botnets implement custom versions of well-known protocols. The implementation differences can be used for fingerprint-based detection of botnets. For example, Mega-D features a slightly modified SMTP protocol implementation for testing the spam capability. Bringing down the Mega-D's SMTP server disables the entire pool of bots that rely upon the same SMTP server.
The botnet server structure mentioned above has inherent vulnerabilities and problems. For example, if one was to find one server with one botnet channel, often all other servers, as well as other bots themselves, will be revealed. If a botnet server structure lacks redundancy
, the disconnection of one server will cause the entire botnet to collapse, at least until the controller(s) decide on a new hosting space. However, more recent IRC server software includes features to mask other connected servers and bots, so that a discovery of one channel will not lead to disruption of the botnet.
Several security companies such as Afferent Security Labs, Symantec
, Trend Micro
, FireEye
, Umbra Data and Damballa
have announced offerings to stop botnets. While some, like Norton AntiBot
(discontinued), are aimed at consumers, most are aimed to protect enterprises and/or ISPs. The host-based techniques use heuristics to try to identify bot behavior that has bypassed conventional anti-virus software. Network-based approaches tend to use the techniques described above; shutting down C&C servers, nullrouting DNS entries, or completely shutting down IRC servers.
Newer botnets are almost entirely P2P
, with command-and-control embedded into the botnet itself. By being dynamically updateable and variable they can evade having any single point of failure. Commanders can be identified solely through secure keys and all data except the binary itself can be encrypted. For example a spyware program may encrypt all suspected passwords with a public key hard coded or distributed into the bot software. Only with the private key, which only the commander has, can the data that the bot has captured be read.
Newer botnets have even been capable of detecting and reacting to attempts to figure out how they work. A large botnet that can detect that it is being studied can even DDoS those studying it off the internet.
There is an effort by researchers at Sandia National Laboratories
to analyze the behavior of these botnets by simultaneously running one million Linux kernels as virtual machines on a 4,480-node Dell high-performance computer cluster.
Internet
The Internet is a global system of interconnected computer networks that use the standard Internet protocol suite to serve billions of users worldwide...
. Termed "bots," they are generally used for malicious purposes. When a computer becomes compromised, it becomes a part of a botnet. Botnets are usually controlled via standards based network protocols such as IRC
Internet Relay Chat
Internet Relay Chat is a protocol for real-time Internet text messaging or synchronous conferencing. It is mainly designed for group communication in discussion forums, called channels, but also allows one-to-one communication via private message as well as chat and data transfer, including file...
and http.
Background
Bots originated as a useful tool without any significant malicious overtone; they were originally developed as a virtualVirtual
The term virtual is a concept applied in many fields with somewhat differing connotations, and also, differing denotations.The term has been defined in philosophy as "that which is not real" but may display the salient qualities of the real....
individual that could sit in an IRC channel and perform tasks while the user was too occupied to do so. Soon after the release of the first IRC bot, a few worms which exploited vulnerabilities in IRC clients began to appear. Infected computers, or newly formed "bots", were then used to steal passwords, log keystrokes, and act as a proxy server to conceal the attackers identity.
Botnets were used for both recognition and financial gain -- indeed, the larger the botnet, the more ‘kudos’ the person ('bot herder') orchestrating the botnet could claim in underground online communities. The bot herder
Bot herder
Bot herders are hackers who use automated techniques to scan specific network ranges and find vulnerable systems, such as machines without current security patches, on which to install their bot program...
can also ‘rent out’ the services of the botnet to third parties, usually for sending out spam messages or performing a denial of service attack against a remote target. Due to the large numbers of compromised machines within the botnet, huge volumes of traffic (either email or denial of service) can be generated. However, in recent times, the volume of spam originating from a single compromised host has dropped in order to thwart anti-spam detection algorithms – a larger number of compromised hosts send a smaller number of messages in order to evade detection by anti-spam techniques.
Botnets have become a significant part of the Internet
Internet
The Internet is a global system of interconnected computer networks that use the standard Internet protocol suite to serve billions of users worldwide...
, albeit increasingly hidden. Due to most conventional IRC networks taking measures and blocking access to previously-hosted botnets, controllers must now find their own servers. Often, a botnet will include a variety of connections and network types. Sometimes a controller will hide an IRC server installation on an educational or corporate site where high-speed connections can support a large number of other bots. Exploitation of this method of using a bot to host other bots has proliferated only recently.
Several botnets have been found and removed from the Internet. The Dutch police found a 1.5 million node botnet and the Norwegian ISP Telenor
Telenor
Telenor Group is the incumbent telecommunications company in Norway, with headquarters located at Fornebu, close to Oslo. Today, Telenor Group is mostly an international wireless carrier with operations in Scandinavia, Eastern Europe and Asia, working predominantly under the Telenor brand...
disbanded a 10,000-node botnet. In July 2010, the FBI arrested a 23-year old Slovenian said to have integrated an estimated 12 million computers into a botnet. Large coordinated international efforts to shut down botnets have also been initiated. It has been estimated that botnets control up to 15% of computers worldwide that are connected to the internet. Conficker
Conficker
Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008...
is one of the largest known botnets, with an estimated 1 million to 10 million infected machines. It attempts to sell fake antivirus software to its victims.
Recruitment
Computers are recruited into a botnet by running malicious software. This may be achieved by a drive-by downloadDrive-by download
Drive-by download means three things, each concerning the unintended download of computer software from the Internet:# Downloads which a person authorized but without understanding the consequences Drive-by download means three things, each concerning the unintended download of computer software...
exploiting web browser vulnerabilities, or by tricking the user into running a Trojan horse
Trojan horse (computing)
A Trojan horse, or Trojan, is software that appears to perform a desirable function for the user prior to run or install, but steals information or harms the system. The term is derived from the Trojan Horse story in Greek mythology.-Malware:A destructive program that masquerades as a benign...
program, possibly in an email attachment. As with any malware, there is no general rule; the software controls the computer and can do anything. It will typically install modules which allow the computer to be commanded and controlled by the botnet's owner. The Trojan may delete itself, or may remain present to update and maintain the modules.
The public warez scene is used to spread malicious software for the recruitment of new bots. Some websites have the malicious software embedded in all their available downloads. There is a false belief among some users, who think that infected keygens are flagged as malicious software by anti-virus programs for only the illegal aspect of the software.
Organization
While botnets are often named after their malicious software name, there are typically multiple botnets in operation using the same malicious software families, but operated by different criminal entities.While the term "botnet" can be used to refer to any group of bots, such as IRC bot
IRC bot
thumb|409px|right|An IRC bot performing a simple task.An IRC bot is a set of scripts or an independent program that connects to Internet Relay Chat as a client, and so appears to other IRC users as another user...
s, this word is generally used to refer to a collection of computers (called zombie computer
Zombie computer
In computer science, a zombie is a computer connected to the Internet that has been compromised by a cracker, computer virus or trojan horse and can be used to perform malicious tasks of one sort or another under remote direction. Botnets of zombie computers are often used to spread e-mail spam...
s) which have been recruited by running malicious software.
A botnet's originator (aka "bot herder
Bot herder
Bot herders are hackers who use automated techniques to scan specific network ranges and find vulnerable systems, such as machines without current security patches, on which to install their bot program...
" or "bot master") can control the group remotely, usually through a means such as IRC, and usually for nefarious purposes. Individual programs manifest as IRC "bots". Often the command-and-control takes place via an IRC server or a specific channel on a public IRC network. This server is known as the command-and-control server ("C&C"). Though rare, more experienced botnet operators program their own command protocols from scratch. The constituents of these protocols include a server program, a client program for operation, and the program that embeds itself on the victim's machine (bot). All three of these usually communicate with each other over a network using a unique encryption scheme for stealth and protection against detection or intrusion into the botnet network.
A bot typically runs hidden and uses a covert channel (e.g. the RFC 1459 (IRC) standard, Twitter, or IM) to communicate with its C&C server. Generally, the perpetrator of the botnet has compromised a series of systems using various tools (exploits, buffer overflows, as well as others; see also RPC
Remote procedure call
In computer science, a remote procedure call is an inter-process communication that allows a computer program to cause a subroutine or procedure to execute in another address space without the programmer explicitly coding the details for this remote interaction...
). Newer bots can automatically scan their environment and propagate themselves using vulnerabilities and weak passwords. Generally, the more vulnerabilities a bot can scan and propagate through, the more valuable it becomes to a botnet controller community. The process of stealing computing resources as a result of a system being joined to a "botnet" is sometimes referred to as "scrumping."
Botnet servers will often liaise with other botnet servers, such that a group may contain 20 or more individual cracked high-speed connected machines as servers, linked together for purposes of greater redundancy. Actual botnet communities usually consist of one or several controllers that rarely have highly-developed command hierarchies between themselves; they rely on individual friend-to-friend relationships.
The architecture of botnets has evolved over time, and not all botnets exhibit the same topology for command and control. Depending upon the topology implemented by the botnet, it may make it more resilient to shutdown, enumeration, or command and control location discovery. However, some of these topologies limit the saleability and rental potential of the botnet to other third-party operators. Typical botnet topologies are:
- Star
- Multi-server
- Hierarchical
- Random
To thwart detection, some botnets are scaling back in size. As of 2006, the average size of a network was estimated at 20,000 computers, although larger networks continued to operate.
Formation and exploitation
This example illustrates how a botnet is created and used to send email spam.- A botnet operator sends out virusesComputer virusA computer virus is a computer program that can replicate itself and spread from one computer to another. The term "virus" is also commonly but erroneously used to refer to other types of malware, including but not limited to adware and spyware programs that do not have the reproductive ability...
or wormsComputer wormA computer worm is a self-replicating malware computer program, which uses a computer network to send copies of itself to other nodes and it may do so without any user intervention. This is due to security shortcomings on the target computer. Unlike a computer virus, it does not need to attach...
, infecting ordinary users' computers, whose payload is a malicious application—the bot. - The bot on the infected PC logs into a particular C&C server (often an IRC server, but, in some cases a web server).
- A spammer purchases the services of the botnet from the operator.
- The spammer provides the spam messages to the operator, who instructs the compromised machines via the IRC server, causing them to send out spam messages.
Botnets are exploited for various purposes, including denial-of-service attack
Denial-of-service attack
A denial-of-service attack or distributed denial-of-service attack is an attempt to make a computer resource unavailable to its intended users...
s, creation or misuse of SMTP mail relays for spam (see Spambot
Spambot
A spambot is an automated computer program designed to assist in the sending of spam. Spambots usually create fake accounts and send spam using them, although it would be obvious that a spambot is sending it...
), click fraud
Click fraud
Click fraud is a type of Internet crime that occurs in pay per click online advertising when a person, automated script or computer program imitates a legitimate user of a web browser clicking on an ad, for the purpose of generating a charge per click without having actual interest in the target...
, spamdexing
Spamdexing
In computing, spamdexing is the deliberate manipulation of search engine indexes...
and the theft of application serial numbers, login IDs
Login
Login is the method whereby a user obtains access to a computer system.Login may also refer to:*Magazines:** LOGiN, published by Enterbrain** ;login:, published by USENIX* Login, Carmarthenshire, an hamlet in Carmarthenshire...
, and financial information such as credit card numbers
Bank card number
A bank card number is the primary account number found on credit cards and bank cards. It has a certain amount of internal structure and shares a common numbering scheme. Credit card numbers are a special case of ISO/IEC 7812 bank card numbers....
.
The botnet controller community features a constant and continuous struggle over who has the most bots, the highest overall bandwidth, and the most "high-quality" infected machines, like university, corporate, and even government machines.
Types of attacks
- Denial-of-service attackDenial-of-service attackA denial-of-service attack or distributed denial-of-service attack is an attempt to make a computer resource unavailable to its intended users...
s where multiple systems autonomously access a single Internet system or service in a way that appears legitimate, but much more frequently than normal use and cause the system to become busy. - AdwareAdwareAdware, or advertising-supported software, is any software package which automatically plays, displays, or downloads advertisements to a computer. These advertisements can be in the form of a pop-up. They may also be in the user interface of the software or on a screen presented to the user during...
exists to advertise some commercial entity actively and without the user's permission or awareness, for example by replacing banner ads on web pages with those of another content provider. - SpywareSpywareSpyware is a type of malware that can be installed on computers, and which collects small pieces of information about users without their knowledge. The presence of spyware is typically hidden from the user, and can be difficult to detect. Typically, spyware is secretly installed on the user's...
is software which sends information to its creators about a user's activities – typically passwords, credit card numbers and other information that can be sold on the black market. Compromised machines that are located within a corporate network can be worth more to the bot herder, as they can often gain access to confidential information held within that company. There have been several targeted attacks on large corporations with the aim of stealing sensitive information, one such example is the Aurora botnet. - E-mail spamE-mail spamEmail spam, also known as junk email or unsolicited bulk email , is a subset of spam that involves nearly identical messages sent to numerous recipients by email. Definitions of spam usually include the aspects that email is unsolicited and sent in bulk. One subset of UBE is UCE...
are e-mail messages disguised as messages from people, but are either advertising, annoying, or malicious in nature. - Click fraudClick fraudClick fraud is a type of Internet crime that occurs in pay per click online advertising when a person, automated script or computer program imitates a legitimate user of a web browser clicking on an ad, for the purpose of generating a charge per click without having actual interest in the target...
is the user's computer visiting websites without the user's awareness to create false web traffic for the purpose of personal or commercial gain. - Access number replacements are where the botnet operator replaces the access numbers of a group of dial-up bots to that of a victim's phone number. Given enough bots partake in this attack, the victim is consistently bombarded with phone calls attempting to connect to the internet. Having very little to defend against this attack, most are forced into changing their phone numbers (land line, cell phone, etc.).
- Fast fluxFast fluxFast flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies. It can also refer to the combination of peer-to-peer networking, distributed command and control, web-based load balancing and proxy...
is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies. - Brute-forcing remote machines services such as FTP, SMTP and SSHSSH- In science and technology :* Saffir–Simpson Hurricane Scale* Sea surface height, the topography of the ocean surface* Secure Shell, a network protocol for remote administration of Unix computers* Social sciences and humanities, a broad field of research...
. - The worm behavior. Some botnet are designed to infect other hosts automatically.
- ScarewareScarewareScareware comprises several classes of scam software with malicious payloads, or of limited or no benefit, that are sold to consumers via certain unethical marketing practices. The selling approach uses social engineering to cause shock, anxiety, or the perception of a threat, generally directed at...
can install the virus or the virus can install a scareware. For example users can be forced to buy a rogue anti-virus to regain access to their computer. - Exploiting systems by using multiple identities such as multiple player at the same poker table and voting system such as music clip and contest.
Preventive measures
If a machine receives a denial-of-service attack from a botnet, few choices exist. Given the general geographic dispersal of botnets, it becomes difficult to identify a pattern of offending machines, and the sheer volume of IP addressesIP address
An Internet Protocol address is a numerical label assigned to each device participating in a computer network that uses the Internet Protocol for communication. An IP address serves two principal functions: host or network interface identification and location addressing...
does not lend itself to the filtering of individual cases. Passive OS fingerprinting can identify attacks originating from a botnet: network administrators can configure newer firewall equipment to take action on a botnet attack by using information obtained from passive OS fingerprinting. The most serious preventive measures utilize rate-based intrusion prevention systems implemented with specialized hardware. A network based intrusion detection system (NIDS) will be an effective approach when detecting any activities approaching botnet attacks. NIDS monitors a network, it sees protected hosts in terms of the external interfaces to the rest of the network, rather than as a single system, and get most of its results by network packet analysis.
Some botnets use free DNS
Domain name system
The Domain Name System is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities...
hosting services such as DynDns.org, No-IP.com, and Afraid.org to point a subdomain
Subdomain
In the Domain Name System hierarchy, a subdomain is a domain that is part of a larger domain.- Overview :The Domain Name System has a tree structure or hierarchy, with each node on the tree being a domain name. A subdomain is a domain that is part of a larger domain, the only domain that is not...
towards an IRC server that will harbor the bots. While these free DNS services do not themselves host attacks, they provide reference points (often hard-coded into the botnet executable). Removing such services can cripple an entire botnet. Recently, these companies have undertaken efforts to purge their domains of these subdomains. The botnet community refers to such efforts as "nullrouting", because the DNS hosting services usually re-direct the offending subdomains to an inaccessible IP address. Similarly, some botnets implement custom versions of well-known protocols. The implementation differences can be used for fingerprint-based detection of botnets. For example, Mega-D features a slightly modified SMTP protocol implementation for testing the spam capability. Bringing down the Mega-D's SMTP server disables the entire pool of bots that rely upon the same SMTP server.
The botnet server structure mentioned above has inherent vulnerabilities and problems. For example, if one was to find one server with one botnet channel, often all other servers, as well as other bots themselves, will be revealed. If a botnet server structure lacks redundancy
Redundancy (engineering)
In engineering, redundancy is the duplication of critical components or functions of a system with the intention of increasing reliability of the system, usually in the case of a backup or fail-safe....
, the disconnection of one server will cause the entire botnet to collapse, at least until the controller(s) decide on a new hosting space. However, more recent IRC server software includes features to mask other connected servers and bots, so that a discovery of one channel will not lead to disruption of the botnet.
Several security companies such as Afferent Security Labs, Symantec
Symantec
Symantec Corporation is the largest maker of security software for computers. The company is headquartered in Mountain View, California, and is a Fortune 500 company and a member of the S&P 500 stock market index.-History:...
, Trend Micro
Trend Micro
Trend Micro Inc. is a computer security company. It is headquartered in Tokyo, Japan and markets Trend Micro Internet Security, Trend Micro Worry-Free Business Security, OfficeScan, and other related security products and services...
, FireEye
FireEye, Inc.
FireEye is a Milpitas, California-based network security company that provides dynamic malware protection and automated threat forensics. Its main product line is the Malware Protection System with versions for Web security, Email security, and Malware Analysis researchers.-History:FireEye was...
, Umbra Data and Damballa
Damballa (company)
Damballa is a computer security company focused on advanced cyber threats such as modern malware, advanced persistent threats and botnets. Damballa was founded in Atlanta, Georgia by Merrick Furst, an associate dean in the Georgia Institute of Technology College of Computing; he was joined by two...
have announced offerings to stop botnets. While some, like Norton AntiBot
Norton AntiBot
Norton AntiBot, developed by Symantec, monitors applications for damaging behavior. The application was designed to prevent computers from being hijacked and controlled by hackers. According to Symantec, over 6 million computers have been hijacked, and the majority of users are unaware of their...
(discontinued), are aimed at consumers, most are aimed to protect enterprises and/or ISPs. The host-based techniques use heuristics to try to identify bot behavior that has bypassed conventional anti-virus software. Network-based approaches tend to use the techniques described above; shutting down C&C servers, nullrouting DNS entries, or completely shutting down IRC servers.
Newer botnets are almost entirely P2P
Peer-to-peer
Peer-to-peer computing or networking is a distributed application architecture that partitions tasks or workloads among peers. Peers are equally privileged, equipotent participants in the application...
, with command-and-control embedded into the botnet itself. By being dynamically updateable and variable they can evade having any single point of failure. Commanders can be identified solely through secure keys and all data except the binary itself can be encrypted. For example a spyware program may encrypt all suspected passwords with a public key hard coded or distributed into the bot software. Only with the private key, which only the commander has, can the data that the bot has captured be read.
Newer botnets have even been capable of detecting and reacting to attempts to figure out how they work. A large botnet that can detect that it is being studied can even DDoS those studying it off the internet.
There is an effort by researchers at Sandia National Laboratories
Sandia National Laboratories
The Sandia National Laboratories, managed and operated by the Sandia Corporation , are two major United States Department of Energy research and development national laboratories....
to analyze the behavior of these botnets by simultaneously running one million Linux kernels as virtual machines on a 4,480-node Dell high-performance computer cluster.
Historical list of botnets
| Date created | Date dismantled | Name | Estimated no. of bots | Spam capacity | Aliases |
|---|---|---|---|---|---|
| 2009 (May) | BredoLab | 30,000,000 | 3.6 billion/day | Oficla | |
| 2008 (around) | Mariposa Mariposa botnet The Mariposa botnet, discovered December 2008, is a botnet mainly involved in cyberscamming and denial of service attacks. Before the botnet itself was dismantled on December 23, 2009, it consisted of 8 to 12 million individual zombie computers infected with the "Butterfly Bot", making it one... |
12,000,000 | ? | ||
| ? | Conficker Conficker Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008... |
10,500,000+ | 10 billion/day | DownUp, DownAndUp, DownAdUp, Kido | |
| 2010 (around) | TDL4 | 4,500,000 | ? | TDSS, Alureon | |
| ? | Zeus Zeus (trojan horse) Zeus is a Trojan horse that steals banking information by keystroke logging and Form Grabbing. Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation, it became... |
3,600,000 (US Only) | n/a | Zbot, PRG, Wsnpoem, Gorhax, Kneber | |
| 2007 (Around) | Cutwail | 1,500,000 | 74 billion/day | Pandex, Mutant (related to: Wigon, Pushdo) | |
| ? | Grum Grum botnet The Grum botnet, also known by its alias Tedroo, is a botnet mostly involved in sending pharmaceutical spam e-mails. The Grum botnet consists of an estimated 560,000-840,000 computers infected with the Grum rootkit... |
560,000 | 39.9 billion/day | Tedroo | |
| ? | Mega-D Mega-D botnet The Mega-D, also known by its alias of Ozdok, is a botnet that at its peak was responsible for sending between 30% and 35% of spam worldwide.... |
509,000 | 10 billion/day | Ozdok | |
| ? | Kraken Kraken botnet The Kraken botnet was the world's largest botnet . Researchers say that Kraken infected machines in at least 50 of the Fortune 500 companies and grew to over 400,000 bots. It was estimated to send 9 billion spam messages per day... |
495,000 | 9 billion/day | Kracken | |
| 2007 (March) | Srizbi Srizbi botnet The Srizbi botnet, also known by its aliases of Cbeplay and Exchanger, is the world's largest or second-largest botnet depending on expert reports, and is responsible for sending out more than half of all the spam being sent by all the major botnets combined. The botnets consist of computers... |
450,000 | 60 billion/day | Cbeplay, Exchanger | |
| ? | Lethic Lethic botnet The Lethic Botnet is a botnet consisting of an estimated 210 000 - 310 000 individual machines which are mainly involved in pharmaceutical and replica spam. . At the peak of its existence the botnet was responsible for 8-10% of all the spam sent worldwide... |
260,000 | 2 billion/day | none | |
| 2004 (Early) | Bagle | 230,000 | 5.7 billion/day | Beagle, Mitglieder, Lodeight | |
| ? | Bobax | 185,000 | 9 billion/day | Bobic, Oderoor, Cotmonger, Hacktool.Spammer, Kraken | |
| ? | Torpig Torpig Torpig, also known as Sinowal or Anserin , is a type of botnet spread by a variety of trojan horses which can affect computers that use Microsoft Windows... |
180,000 | n/a | Sinowal, Anserin | |
| ? | Storm Storm botnet The Storm botnet or Storm worm botnet is a remotely controlled network of "zombie" computers that have been linked by the Storm Worm, a Trojan horse spread through e-mail spam... |
160,000 | 3 billion/day | Nuwar, Peacomm, Zhelatin | |
| 2006 (Around) | Rustock Rustock botnet The Rustock botnet was a botnet that operated from around 2006 until March 2011.It consisted of computers running Microsoft Windows, and was capable of sending up to 25,000 spam messages per hour from an infected PC. At the height of its activities, it sent an average of 192 spam messages per... |
150,000 | 30 billion/day | RKRustok, Costrat | |
| ? | Donbot Donbot botnet Donbot, also known by its aliases Buzus and Bachsoy, is a botnet mostly involved in sending pharmaceutical and stock-based e-mail spam.... |
125,000 | 0.8 billion/day | Buzus, Bachsoy | |
| 2008 (November) | Waledac Waledac botnet Waledac, also known by its aliases Waled and Waledpak, was a botnet mostly involved in e-mail spam. In March 2010 the botnet was taken down by Microsoft.- Operations :... |
80,000 | 1.5 billion/day | Waled, Waledpak | |
| ? | Maazben | 50,000 | 0.5 billion/day | None | |
| ? | Onewordsub | 40,000 | 1.8 billion/day | ? | |
| ? | Gheg | 30,000 | 0.24 billion/day | Tofsee, Mondera | |
| ? | ?? | 20,000 | 5 billion/day | Loosky, Locksky | |
| ? | Wopla | 20,000 | 0.6 billion/day | Pokier, Slogger, Cryptic | |
| 2008 (Around) | Asprox Asprox botnet The Asprox botnet , also known by its aliases Badsrc and Aseljo, is a botnet mostly involved in phishing scams and performing SQL Injections into websites in order to spread Malware.- Operations :... |
15,000 | ? | Danmec, Hydraflux | |
| Spamthru | 12,000 | 0.35 billion/day | Spam-DComServ, Covesmer, Xmiler | ||
| ? | Xarvester | 10,000 | 0.15 billion/day | Rlsloup, Pixoliz | |
| 2009 (August) | Festi | ? | 2.25 billion/day | none | |
| 2008 (Around) | Gumblar Gumblar Known as Gumblar by ScanSafe and Troj/JSRedir-R by Sophos, this botnet first appeared in 2009. It is characterized by re-directing user's Google searches and installing rogue security software.-Windows Personal Computers:... |
? | ? | None | |
| 2007 | Akbot Akbot Akbot is the name of a computer virus that added about 1.3 million computers to a botnet network.-Infection:Akbot is an IRC controlled backdoor program. It allows an outside user to take control of the infected computer. Akbot operates by joining IRC servers and the waiting for further instructions... |
1,300,000 | ? | None | |
| z! |
- Researcher of University of California, Santa Barbara, took control of a botnet and the size was six times smaller than expected. In some countries, it is common that users change their IP address a few times in one day. Estimating the size of the botnet by the number of IP addresses is often used by researchers.
See also
- Anti-spam techniques (e-mail)
- BotInternet botInternet bots, also known as web robots, WWW robots or simply bots, are software applications that run automated tasks over the Internet. Typically, bots perform tasks that are both simple and structurally repetitive, at a much higher rate than would be possible for a human alone...
- Computer wormComputer wormA computer worm is a self-replicating malware computer program, which uses a computer network to send copies of itself to other nodes and it may do so without any user intervention. This is due to security shortcomings on the target computer. Unlike a computer virus, it does not need to attach...
- DosnetDosnetA DoSnet is a type of botnet/malware and mostly used as a term for malicious botnets while benevolent botnets often simply are referred to as botnets...
- E-mail address harvestingE-mail address harvestingEmail harvesting is the process of obtaining lists of email addresses using various methods for use in bulk email or other purposes usually grouped as spam.-Methods:...
- E-mail spamE-mail spamEmail spam, also known as junk email or unsolicited bulk email , is a subset of spam that involves nearly identical messages sent to numerous recipients by email. Definitions of spam usually include the aspects that email is unsolicited and sent in bulk. One subset of UBE is UCE...
- List poisoning
- SpambotSpambotA spambot is an automated computer program designed to assist in the sending of spam. Spambots usually create fake accounts and send spam using them, although it would be obvious that a spambot is sending it...
- SpamtrapSpamtrapA spamtrap is a honeypot used to collect spam.Spamtraps are usually e-mail addresses that are created not for communication, but rather to lure spam...
- Timeline of notable computer viruses and wormsTimeline of notable computer viruses and wormsThis is a timeline of noteworthy computer viruses, worms and Trojan horses.- 1966 :* The work of John von Neumann on the "Theory of self-reproducing automata" is published...
- Zombie computerZombie computerIn computer science, a zombie is a computer connected to the Internet that has been compromised by a cracker, computer virus or trojan horse and can be used to perform malicious tasks of one sort or another under remote direction. Botnets of zombie computers are often used to spread e-mail spam...
External links
- Wired.com How-to: Build your own botnet with open source software
- The Honeynet Project & Research Alliance, "Know your Enemy: Tracking Botnets".
- The Shadowserver Foundation - An all volunteer security watchdog group that gathers, tracks, and reports on malware, botnet activity, and electronic fraud.
- NANOG Abstract: Botnets - John Kristoff's NANOG32 Botnets presentation.
- Mobile botnets - An economic and technological assessment of mobile botnets.
- Lowkeysoft - Intrusive analysis of a web-based proxy botnet (including administration screenshots).
- EWeek.com - Is the Botnet Battle Already Lost?.
- Attack of the Bots at WiredWired (magazine)Wired is a full-color monthly American magazine and on-line periodical, published since January 1993, that reports on how new and developing technology affects culture, the economy, and politics...
- Dark Reading - Botnets Battle Over Turf.
- List of dynamic (dsl, cable, modem, etc) addresses - Filter SMTP mail for hosts likely to be in botnets.
- ATLAS Global Botnets Summary Report - Real-time database of malicious botnet command and control servers.
- FBI LAX Press Release DOJ - FBI April 16, 2008
- Milcord Botnet Defense - DHS-sponsored R&D project that uses machine learning to adaptively detect botnet behavior at the network-level
- A Botnet by Any Other Name - SecurityFocus column by Gunter Ollmann on botnet naming.