The botnet menace

Botnets – they’re dangerous, deceptive, and very difficult to detect and deal with.

What’s more, according to recent surveys, the botnet threat is growing…rapidly.

Experts say it’s imperative that enterprises and consumers become aware of the acute and growing dangers posed by botnets, and take decisive and effective steps to counter them before it’s too late. But that’s easier said than done as botnets are insidious, and use stealth as a key weapon.

So what’s a bot?

Botnets are networks of “bots” – short for robots. But these aren’t the mechanical humanoids of science fiction; they’re computers – large networks of captured and compromised computers.

After being commandeered, these machines may be used for a range of nefarious purposes, including scanning networks for other vulnerable systems, launching denial of service (DoS) attacks against a specified target, sending spam e-mails, and keystroke logging as a prelude to ID or password theft.

Botnets are generally created through spam e-mails or adware that leaves behind a software agent, also sometimes called a ‘bot’.

When unsuspecting users click on a link, or open the delinquent e-mail, it downloads a software agent that turns their computers into botnet clients.

Read more

Don’t miss part II of our coverage on the botnet menace: Seven smart strategies to battle botnets

Captured – or “botted” – machines can be controlled remotely by the malware creator – referred to as the bot master or bot herder.

If additional software has to be downloaded to complete the capture process, the bot would first do that, explains Jim Lippard director of information security operations at Florham Park, N.J.–based network services provider Global Crossing, in a podcast. “It may use any mechanism – FTP, TFTP, HTTP – to install the software.”

Global Crossing’s customers include more than 35 percent of the Fortune 500, as well as 700 carriers, mobile operators and ISPs.

The next thing the bot does is call home.

It would “usually do a domain name server (DNS) lookup on a particular name used by the miscreant for that botnet. Then it will find the host for that name, and connect to it using standard Internet Relay Chat (IRC) protocol,” Lippard says.

The larger a botnet, the more formidable the attack it can launch.

For instance, when a botnet containing tens of thousands of captured machines is used to launch a denial of service attack, the consequences can be serious and irreparable.

There’s the well publicized case of the botnet created by Christopher Maxwell that installed adware on vulnerable machines.

It was estimated his botnet attacked more than 400,000 computers in a two-week period. Maxwell’s attack, it was reported, crippled the network at Seattle’s Northwest Hospital in January 2005, shutting down an intensive care unit and disabling doctors pagers.

The botnet also shut down computers at the US Department of Justice, which suffered damage to hundreds of computers worldwide in 2004 and 2005.

Maxwell pleaded guilty and was sentenced to three years in jail, three years of probation and a fine of $250,000.

Big bucks from bots

The motivation of most bot herders is usually financial, say experts who follow this “market” closely. Botnets are sometimes rented out to spammers, scam artists or other criminal elements.

Lippard dubs bot software “the Swiss army knife of crime on the Internet.”

There are multiple functional roles in the botnet economy, he says.

For instance, there’s the bot herder – the person who controls the bot. Lippard talks about two common ways bot herders make money.

The first is by installing ad ware or clickware on to the systems they control.

“They then use [those programs] to show ads to the owners of the systems, or to click through advertisements for which they get credit under some sort of affiliate program.”

He said a second way bot herders profit is by renting out use of the bots to spammers. “They aren’t advertised as bots, but as proxies available for spammers to use. And the bot herder will charge a fee based on the number of proxies available in a rotating list on a daily, or even an hourly, basis.”

Lippard said he’s heard of individual bot herders making “as much as $10,000 a month between adware and clickware fraud and the selling of proxies.”

Using botnets to launch denial of service attacks is also on the rise, Lippard says.

The initial targets for these attacks used to be offshore gambling Web sites, and the credit card processors for those sites. “But it’s been tried to a lesser extent against other businesses that depend on their Web sites for their operations to run.”

Another common use of botnets is to scan captured machines for user names and passwords, software license information, contents of vital documents.

Often key stroke loggers are loaded on these machines to retrieve user names and passwords, ID information, and anything that can potentially be used to make a profit.

Some variations of a botnet known as Rinbot may be used to steal registration keys for video games.

Beguiling bots

While Christopher Maxwell’s case was widely publicized, experts estimate there are scores of botnets that go undetected.

As stealth is their stock in trade, it’s difficult to get precise statistics on the growth of this menace.

Some rather alarming numbers have been provided by the latest Symantec semi-annual Internet Threat Report (published in March 2007).

According to that report, botnet activity is up around 10 per cent over the previous period with the U.S. hosting about 40 per cent of the command and control nodes.

As the motivation of most bot herders is financial, they are keen that compromised systems stay infected and are not detected or repaired by the owners.

As many experts point out, bot nets take their time spreading in order to remain undetected, as their creators – unlike some other malicious coders – aren’t necessarily trying to take over thousands of computers in the shortest time possible.

The only way they could be detected relatively quickly is if the bot herder went overboard and installed so much malware that the system became extremely slow – to the point of being nearly unusable.

Lippard’s colleague Bob Hagen notes in his blog that methods and mechanisms used today to detect and eradicate botnet controllers are being rendered obsolete.

“Historically, most botnets utilized Internet Relay Chat (IRC) as the communications mechanism between bots and their controlle