The following appeared in Samuel R. McQuade, editor, The Encyclopedia of Cybercrime (Greenwood Press, 2008), pp. 12-14.

I wrote and spoke a lot about botnets in 2004 and 2005, including giving this presentation at Arizona State University. Others can be found at my publications web page.

Creative Commons License
This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.

Botnets, Zombies and Remote Control Attacks

"Bot networks," or botnets, are collections of computers under the control of a single entity, usually without the knowledge or consent of the owners of those computers. The individual infected computers are running software known as a "bot" (from "robot"), and the computers themselves are often referred to as "bots" or "zombies."

Botnets are used by the controlling entity, sometimes known as a "botherd" or "botherder," to perform some function, which may involve distributing tasks across the individual bots (such as cracking passwords) or having them work in concert (e.g., engaging in a denial of service attack).

Botnets have become one of the primary tools of criminal activity used on the Internet today, and botnet activity is driven by economic considerations--to make money for those using them. Botnets provide a technology infrastructure which, in conjunction with a creative division of labor, disperses the risks faced by online criminals, allowing them to grow their operations to a larger scale without fear of being captured and prosecuted (Abad, 2005; Berinato, 2007).

Botnet life cycle

A system can be compromised with bot software by any mechanism used for distributing malware, such through email that contains a compromised attachment or entices the user into visiting a web page that exploits vulnerabilities in a web browser, malicious code installed on compromised popular servers, peer-to-peer delivered content, or by a worm exploiting vulnerabilities in software that is accessible through the network.

When a system is compromised with bot software, it will usually perform a number of initial actions, such as download a more up-to-date version of the software, test the bandwidth of its connection, and "phone home" to a server to register itself with a "botnet controller" or command and control server (C&C). It may also install spyware or adware in order to generate advertising revenue through an affiliate program, to the benefit of the botnet owner. If a bandwidth test is performed and shows that the bot is installed on a machine with a low bandwidth connection such as a telephone dialup connection, the bot may be programmed not to connect to the botnet controller.

A bot's connection to a botnet controller, most commonly using the Internet Relay Chat (IRC) protocol, is used by the controller to issue commands to the bot and receive data in response. These commands may cause a bot to send out spam or phishing emails, disseminate worms or viruses, spread the bot software itself, launch denial of service attacks against websites for extortion, start services such as proxies or remote access ability (a backdoor) on the computer, search the computer for private information such as passwords and financial information, intercept communications and log keystrokes to find such information, or to cooperate in parallel computing efforts with other bots on tasks such as cracking passwords, manipulating online polls, or engaging in "click fraud" against online advertising programs (Bächer, Holz, Kötter, Wicherski 2005).

The bot will continue to monitor for and execute the commands it is given via the botnet controller until either the owner of the computer identifies and removes the malware or the botnet controller itself is shut down, usually by its upstream Internet Service Provider (ISP). When a botnet controller is shut down, the bot may attempt to contact a secondary server or be modified to do so via a backdoor connection used by the owner of the botnet, in which case the cycle starts over again.

Evolution of botnets

In the early 1990s, bots were created by IRC users to provide automated responses while they were away from their computers, attack and defend control of IRC channels, and other tasks. By 1999, various tools such as Trinoo, Tribal Flood Network, Stacheldraht, and Shaft were developed to engage in distributed denial of service (DDoS) attacks, often against IRC servers. In 2000, these DDoS tools were merged with worms and rootkits in order to automate the rapid compromise of systems used to launch attacks. By 2002, the IRC control functionality of the original bots was merged with these tools, and bots became a general purpose platform for compromising systems, taking control of them, and using them for a variety of tasks beyond DDoS (Dittrich, 2005; Bächer et al., 2005). The DDoS capability became less common as bots began to be used by criminals for economic gain (Abad, 2005; Berinato, 2007). Some botnets have begun to use other communications mechanisms besides IRC, including peer-to-peer protocols that eliminate dependence upon a botnet controller at the expense of losing the ability to send commands simultaneously to all bots (Grizzard, Sharma, Nunnery, Kang, Dagon 2007; Menezes 2007).

Botnets and the division of criminal labor

The criminal activity using botnets has been split into multiple roles, where different individuals and groups can participate in separate tasks. This allows both specialization in particular activities and for the dispersal of risk. Some of the common roles include writing the malware used to compromise systems; compromising popular web servers and using them to deploy that malware; collecting bots into botnets (the "botherder" role); using botnet-provided services to distribute data (such as spam or malware), collect data (such as financial account information and passwords), or process information (such as password cracking); selling captured account information; using captured account information for credit card fraud or to create forged ATM cards; using forged ATM cards to empty bank accounts; and laundering the proceeds of credit card fraud by reselling purchased items.

Botnets and the division of criminal activity into these distinct roles provide a mechanism for putting distance between the criminal and the crime. The individuals who perform the riskiest tasks, such as laundering the proceeds of credit card fraud or collecting cash from ATMs with forged cards, may be recruited over the Internet and deceived into participating by claims that they are performing a legitimate service. Those who capture financial account information and provide botnet services, on the other hand, need not come in personal contact with their victims or the customers who purchase from them (Abad, 2005; Berinato, 2007; Menezes 2007).

Defending against botnets

The main defense against botnets is proactive defense against system compromise by keeping systems patched against vulnerabilities and using layered defenses such as firewalls, intrusion prevention, and antivirus software. Most bots are installed on the Windows systems of home users rather than businesses, because home users are more likely to have unpatched and unprotected systems.

Once a system has been compromised with a bot, it or its botnet controller may be detected by network security monitoring by ISPs. ISPs often shut down botnet controllers by filtering or "blackholing" their traffic, which prevents commands from being sent to the individual bots. They may also quarantine or shut down service for customers who are infected with bots, as indicated by behavior such as the generation of spam or hosting of "phishing" websites.

One of the most effective means of tracking botnets is by allowing honeypots or systems on honeynets to become infected with malware, then reverse engineering that malware to determine how it works, and using client software that simulates a bot-infected system to collect information from a botnet controller (Bächer et al., 2005; Krebs, 2006). Some bot software tests whether it is running in a virtualized environment and includes obfuscated and encrypted code in order to make reverse engineering more difficult.

Criminal prosecutions of users of botnets have been relatively rare, but the FBI's public announcement of "Operation Bot Roast" on June 13, 2007 included the names of three individuals arrested and charged with crimes involving botnets (Federal Bureau of Investigation, 2007).

References

Jim Lippard is Director of Information Security Architecture & Engineering and was previously Director of Information Security Operations at Global Crossing, a global telecommunications provider and tier 1 Internet backbone provider. He has written and spoken about botnets to audiences of technology and law enforcement professionals in the U.S. and Europe.