||This article needs attention from an expert in computer science. (May 2011)|
A botnet is a number of Internet-connected devices, each of which is running one or more bots. Botnets can be used to perform Distributed Denial Of Service Attack, steal data, send spam, and allow the attacker access to the device and its connection. The owner can control the botnet using command and control (C&C) software. The word botnet is a combination of the words robot and network. The term is usually used with a negative or malicious connotation.
Botnets sometimes compromise computers whose security defenses have been breached and control ceded to a third party. Each such compromised device, known as a "bot", is created when a computer is penetrated by software from a malware (malicious software) distribution. The controller of a botnet is able to direct the activities of these compromised computers through communication channels formed by standards-based network protocols such as IRC and Hypertext Transfer Protocol (HTTP).
Botnet architecture has evolved over time in an effort to evade detection and disruption. Traditionally, bot programs are constructed as clients which communicate via existing servers. This allows the bot herder (the person controlling the botnet) to perform all control from a remote location, which obfuscates their traffic. Many recent botnets now rely on existing peer-to-peer networks to communicate. These P2P bot programs perform the same actions as the client-server model, but they do not require a central server to communicate.
The first botnets on the internet used a client-server model to accomplish their tasks. Typically, these botnets operate through Internet Relay Chat networks, domains, or websites. Infected clients access a predetermined location and await incoming commands from the server. The bot herder sends commands to the server, which relays them to the clients. Clients execute the commands and report their results back to the bot herder.
In the case of IRC botnets, infected clients connect to an infected IRC server and join a channel pre-designated for C&C by the bot herder. The bot herder sends commands to the channel via the IRC server. Each client retrieves the commands and executes them. Clients send messages back to the IRC channel with the results of their actions.
IRC is a historically favored means of C&C because of its communication protocol. A bot herder creates an IRC channel for infected clients to join. Messages sent to the channel are broadcast to all channel members. The bot herder may set the channel's topic to command the botnet. E.g. the message
:email@example.com TOPIC #channel ddos www.victim.com from the bot herder alerts all infected clients belonging to #channel to begin a DDoS attack on the website www.victim.com. An example response
:firstname.lastname@example.org PRIVMSG #channel I am ddosing www.victim.com by a bot client alerts the bot herder that it has begun the attack.
One problem with using IRC is that each bot client must know the IRC server, port, and channel to be of any use to the botnet. Anti-malware organizations can detect and shut down these servers and channels, effectively halting the botnet attack. If this happens, clients are still infected, but they typically lie dormant since they have no way of receiving instructions. To mitigate this problem, a botnet can consist of several servers or channels. If one of the servers or channels becomes disabled, the botnet simply switches to another. It is still possible to detect and disrupt additional botnet servers or channels by sniffing IRC traffic. A botnet adversary can even potentially gain knowledge of the control scheme and imitate the bot herder by issuing commands correctly.
In response to efforts to detect and decapitate IRC botnets, bot herders have begun deploying malware on peer-to-peer networks. These bots may use digital signatures so that only someone with access to the private key can control the botnet. See e.g. Gameover ZeuS and ZeroAccess botnet.
Newer botnets fully operate over P2P networks. Rather than communicate with a centralized server, P2P bots perform as both a command distribution server and a client which receives commands. This avoids having any single point of failure, which is an issue for centralized botnets.
In order to find other infected machines, the bot discreetly probes random IP addresses until it contacts another infected machine. The contacted bot replies with information such as its software version and list of known bots. If one of the bots' version is lower than the other, they will initiate a file transfer to update. This way, each bot grows its list of infected machines and updates itself by periodically communicating to all known bots.
There are several core components in a botnet which have been used. The main ones are listed below
In the field of computer security, command and control (C&C) infrastructure consists of servers and other technical infrastructure used to control malware in general, and, in particular, botnets. Command and control servers may be either directly controlled by the malware operators, or themselves run on hardware compromised by malware. Fast-flux DNS can be used as a way to make it difficult to track down the control servers, which may change from day to day. Control servers may also hop from DNS domain to DNS domain, with domain generation algorithms being used to create new DNS names for controller servers.
In some cases, computer security experts have succeeded in destroying or subverting malware command and control networks, by, among other means, seizing servers or getting them cut off from the Internet, denying access to domains that were due to be used by malware to contact its C&C infrastructure, and, in some cases, breaking into the C&C network itself. In response to this, C&C operators have resorted to using techniques such as overlaying their C&C networks on other existing benign infrastructure such as IRC or Tor, using peer-to-peer networking systems that are not dependent on any fixed servers, and using public key encryption to defeat attempts to break into or spoof the network.
In computer science, a zombie computer is a computer connected to the Internet that has been compromised by a hacker, computer virus or trojan horse and can be used to perform malicious tasks of one sort or another under remote direction. Botnets of zombie computers are often used to spread e-mail spam and launch denial-of-service attacks. Most owners of zombie computers are unaware that their system is being used in this way. Because the owner tends to be unaware, these computers are metaphorically compared to zombies. A coordinated DDoS attack by multiple botnet machines also resembles a zombie horde attack.
This example illustrates how a botnet is created and used for malicious gain.
The botnet controller community features a constant and continuous struggle over who has the most bots, the highest overall bandwidth, and the most "high-quality" infected machines, like university, corporate, and even government machines.
While botnets are often named after the malware that created them, multiple botnets typically use the same malware, but are operated by different entities.
A botnet's originator (known as a "bot herder" or "bot master") can control the group remotely, usually through IRC or Domains, and often for criminal purposes. This is known as the command-and-control (C&C). Though rare, more experienced botnet operators program command protocols from scratch. These protocols include a server program, a client program for operation, and the program that embeds the client on the victim's machine. These communicate over a network, using a unique encryption scheme for stealth and protection against detection or intrusion into the botnet.
A bot typically runs hidden and uses a covert channel (e.g. the RFC 1459 (IRC) standard, Twitter, or IM) to communicate with its C&C server. Generally, the perpetrator has compromised multiple systems using various tools (exploits, buffer overflows, as well as others; see also RPC). Newer bots can automatically scan their environment and propagate themselves using vulnerabilities and weak passwords. Generally, the more vulnerabilities a bot can scan and propagate through, the more valuable it becomes to a botnet controller community. The process of stealing computing resources as a result of a system being joined to a "botnet" is sometimes referred to as "scrumping."
To thwart detection, some botnets are scaling back in size. As of 2006, the average size of a network was estimated at 20,000 computers.
Computers can be co-opted into a botnet when they execute malicious software. This can be accomplished by luring users into making a drive-by download, exploiting web browser vulnerabilities, or by tricking the user into running a Trojan horse program, which may come from an email attachment. This malware will typically install modules that allow the computer to be commanded and controlled by the botnet's operator. After the software is downloaded, it will call home (send a reconnection packet) to the host computer. When the re-connection is made, depending on how it is written, a Trojan may then delete itself, or may remain present to update and maintain the modules. Many computer users are unaware that their computer is infected with bots.
The first botnet was first acknowledged and exposed by Earthlink during a lawsuit with notorious spammer Khan C. Smith in 2001 for the purpose of bulk spam accounting for nearly 25% of all spam at the time.
The geographic dispersal of botnets means that each recruit must be individually identified/corralled/repaired and limits the benefits of filtering. Some botnets use free DNS hosting services such as DynDns.org, No-IP.com, and Afraid.org to point a subdomain towards an IRC server that harbors the bots. While these free DNS services do not themselves host attacks, they provide reference points (often hard-coded into the botnet executable). Removing such services can cripple an entire botnet. Some botnets implement custom versions of well-known protocols. The implementation differences can be used for detection of botnets. For example, Mega-D features a slightly modified SMTP protocol implementation for testing spam capability. Bringing down the Mega-D's SMTP server disables the entire pool of bots that rely upon the same SMTP server.
Computer and network security companies have released software to counter botnets. Norton AntiBot was aimed at consumers, but most target enterprises and/or ISPs. Host-based techniques use heuristics to identify bot behavior that has bypassed conventional anti-virus software. Network-based approaches tend to use the techniques described above; shutting down C&C servers, nullrouting DNS entries, or completely shutting down IRC servers. BotHunter is software, developed with support from the U.S. Army Research Office, that detects botnet activity within a network by analysing network traffic and comparing it to patterns characteristic of malicious processes.
Some botnets are capable of detecting and reacting to attempts to investigate them, reacting perhaps with a DDoS attack on the IP address of the investigator.
Researchers at Sandia National Laboratories are analyzing botnets' behavior by simultaneously running one million Linux kernels--a similar scale to a botnet--as virtual machines on a 4,480-node high-performance computer cluster to emulate a very large network, allowing them to watch how botnets work and experiment with ways to stop them.
|Date created||Date dismantled||Name||Estimated no. of bots||Spam capacity (bn/day)||Aliases|
|2004 (Early)||Bagle||230,000||5.7||Beagle, Mitglieder, Lodeight|
|Marina Botnet||6,215,000||92||Damon Briant, BOB.dc, Cotmonger, Hacktool.Spammer, Kraken|
|Storm||160,000||3||Nuwar, Peacomm, Zhelatin|
|2006 (around)||2011 (March)||Rustock||150,000||30||RKRustok, Costrat|
|2007 (around)||Cutwail||1,500,000||74||Pandex, Mutant (related to: Wigon, Pushdo)|
|2007 (March)||2008 (November)||Srizbi||450,000||60||Cbeplay, Exchanger|
|2008 (around)||Sality||1,000,000||Sector, Kuku|
|2008 (November)||Conficker||10,500,000+||10||DownUp, DownAndUp, DownAdUp, Kido|
|2008 (November)||2010 (March)||Waledac||80,000||1.5||Waled, Waledpak|
|Wopla||20,000||0.6||Pokier, Slogger, Cryptic|
|2008 (around)||Asprox||15,000||Danmec, Hydraflux|
|Spamthru||12,000||0.35||Spam-DComServ, Covesmer, Xmiler|
|2009 (May)||November 2010 (not complete)||BredoLab||30,000,000||3.6||Oficla|
|2010 (January)||LowSec||11,000+||0.5||LowSecurity, FreeMoney, Ring0.Tools|
|2010 (around)||TDL4||4,500,000||TDSS, Alureon|
|Zeus||3,600,000 (US only)||Zbot, PRG, Wsnpoem, Gorhax, Kneber|
|2010||(Several: 2011, 2012)||Kelihos||300,000+||4||Hlux|
|2011 or earlier||2015-02||Ramnit||3,000,000|
|2016 (August)||Mirai (malware)||380,000||None|
The size of bot networks peaked in mid-2004, with many using more than 100,000 infected machines, according to Mark Sunner, chief technology officer at MessageLabs.The average botnet size is now about 20,000 computers, he said.
Manage research, learning and skills at defaultLogic. Create an account using LinkedIn or facebook to manage and organize your IT knowledge. defaultLogic works like a shopping cart for information -- helping you to save, discuss and share.