Botnets
Computers have been a part of my life for around 30 years now, going all the
way back to the late 1970s, when very few people had access to them. As
such, I have had to deal with a lot of computer problems over the years, from
For the most part my focus has always been on computer support, doing
everything from working with home users and small businesses to setting up large
security.
It seemed like the natural thing for me to do. Computer security has become
a major focus in the industry, and I have always enjoyed tracking down and
solving problems. Plus, I had already spent a lot of time dealing with viruses,
worms, and the occasional hacker getting into a system, so how hard could it
be? Heck, I even wrote a Trojan of my very own, designed to destroy the work
I did for a past employer who refused to pay me for my work. By the way, it
worked.
However, for the first time after making this switch, and maybe even the first
really scares me. In fact, while working on a group project on the subject, I realized
that it scared me so much that I tossed aside the case study I had already
Torbeck 2
started, because I needed to write more on the subject than I was going to be
The goal of this paper is to try to educate the reader not only on what
Botnets are, but on what they are used for, how they work, and how you can
protect yourself from them. After all, the only way to protect yourself from the
So what is a botnet?
and control system by a few or even just a single user. While there are
and creation of the databases used by search engines like Google and
owner.
normally used for illegal purposes by the Botnet's creator, known as a "Bot
The Bot Herder uses a form of malware known as a Bot Client to take control
1 The term node can also refer to a group of Zombies.
vulnerability that has a patch available, but the patch has not yet been
installed on the vulnerable computers. This Bot Client is not a virus, Trojan,
After he has control, the Bot Herder uses a Command and Control Center
zombie computers. This C&C can use one of many, or even multiple, forms of
Zombies. I go into more detail on the types of C&C systems later in this paper.
In the past the creators of Botnets (Bot Herders) created the network to gain
headlines and to prove to others that they could do it. It was more about
bragging rights than anything else. Today, however, Botnets are created
for financial gain, both for the Bot Herder and for the people they rent or sell
computing power or Internet bandwidth. In many ways its use depends only
on the skills and motivation of the Bot Herder. However, based on research
network with the goal of denying the use of, or access to, a specific service
or system. While this can be done with a single computer if it has enough
Distributed Denial-of-Service
Botnet's Zombies are ordered to attack the target at a set date and time.
Because the Zombies can be located all over the world, this form of attack is
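The difference between a single attacker and a Botnet shows up clearly in a connection log: one attacker is one very noisy source that can simply be blocked, while a Botnet is many sources sending a little each, all inside the same short window. The following is an added example, not code from the original paper, that labels the two cases over constructed log lines (all addresses, times and thresholds are made up for the example):

```python
"""
Added example, not from the original paper: telling a Botnet DDoS apart from a
single-host flood in a connection log. The log lines are constructed and the
addresses are made up; the thresholds are illustrative, not tuned values.
"""
from collections import Counter, defaultdict
from datetime import datetime

EPOCH = datetime(1970, 1, 1)
WINDOW_SECONDS = 10        # size of the time bucket connections are counted in
MIN_CONNS = 8              # a bucket below this is not a flood of any kind
MIN_SOURCES = 6            # distinct sources that make a flood "distributed"
SINGLE_SOURCE_SHARE = 0.5  # one source carrying half a bucket is a single-host flood


def build_sample_log():
    """Constructed log lines: '<ISO time> <src> -> <dst>:<port>'."""
    lines = [
        "2009-06-14T09:59:40 192.0.2.10 -> 198.51.100.5:80",
        "2009-06-14T09:59:45 192.0.2.11 -> 198.51.100.5:80",
    ]
    # Ten Zombies, one connection each, ordered to hit the target at 10:00:00.
    for i in range(10):
        lines.append(f"2009-06-14T10:00:0{i % 5} 203.0.113.{i + 1} -> 198.51.100.5:80")
    # One host hammering the same target on its own five minutes later.
    for i in range(9):
        lines.append(f"2009-06-14T10:05:0{i % 5} 192.0.2.10 -> 198.51.100.5:80")
    # Unrelated, quiet traffic to another server.
    lines.append("2009-06-14T10:05:03 192.0.2.12 -> 198.51.100.9:443")
    return lines


def parse_line(line):
    ts, src, _, dst_port = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port)


def classify_floods(lines):
    """Bucket connections per (dst, port, window) and label the noisy buckets.
    Returns {(dst, port, window_start_seconds): (kind, detail, total)}."""
    buckets = defaultdict(Counter)  # key -> Counter of source addresses
    for line in lines:
        ts, src, dst, port = parse_line(line)
        seconds = int((ts - EPOCH).total_seconds())
        window = seconds // WINDOW_SECONDS * WINDOW_SECONDS
        buckets[(dst, port, window)][src] += 1

    findings = {}
    for key, sources in buckets.items():
        total = sum(sources.values())
        if total < MIN_CONNS:
            continue
        top_src, top_count = sources.most_common(1)[0]
        if top_count / total >= SINGLE_SOURCE_SHARE:
            # One address dominates: blocking it stops the flood.
            findings[key] = ("single-source flood", top_src, total)
        elif len(sources) >= MIN_SOURCES:
            # No single address to block: this is the Botnet case.
            findings[key] = ("distributed flood", len(sources), total)
    return findings


def flood_kinds(lines):
    """Report view: sorted list of (kind, dst, port) for every flagged bucket."""
    return sorted((v[0], k[0], k[1]) for k, v in classify_floods(lines).items())


if __name__ == "__main__":
    for kind, dst, port in flood_kinds(build_sample_log()):
        print(f"{kind}: {dst}:{port}")
```

The windows are short on purpose: a Botnet attack is ordered for a set time, so the tell is many sources arriving together, and a ten-second bucket separates that from ordinary daytime load to the same server. A real deployment would read NetFlow or firewall logs instead of the constructed lines and raise the thresholds to match the site's normal traffic.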
Sending Spam
SPAM is unsolicited commercial email. We all get it, and if you are like me
you have noticed that you're getting a great deal more SPAM now than ever
before. In fact, according to Symantec, SPAM now accounts for 90.4 percent of
Botnets are a major factor in this increase. Over the last few years SPAM had
actually gone down. This was because new filtering technologies had been
spammers use their (the ISPs') networks to send SPAM. However, with the
growth of Botnets the spammers don't need to deal with the ISPs.
In many ways Botnets are an ideal medium for spammers. As with a
DDoS attack, they offer a larger target that is hard to block. Because the
spammer is using the bandwidth of the Zombies, they not only don't have
ISP complaints to deal with, but they don't have a large bandwidth bill either.
In fact, Botnets can not only be used to send SPAM, but they can also be
Phishing Scams
this email is disguised to look like it is coming from a legitimate source like
the user's bank. This Phishing email normally informs the user that there is a
problem that they need to take care of right away and that if they click on the
links in the email it will take them where they need to go to fix the problem.
While the links may look like they go to a legitimate source, they actually
go to a Phishing website that, like the email, is made to look like a
legitimate source.
Botnets are used in Phishing Scams in multiple ways. The first is for
sending the Phishing emails, just as they are used for
Spamming. The second is that one or more of the Zombies are turned into
Identity Theft
Phishing Scams are not the only way that Botnets are used for identity
theft. They are also used to collect personal information from the victims'
computers. This can be done in multiple ways. The Bot Herder can simply
order the Bot Client to send back files retrieved from the victim's
computer, or they can have the client itself monitor all traffic going in and out
of the computer and send back that data. Many clients even have built-in
keylogging software. Some of the newer Bot Clients in use can not
only make a screen capture (picture or video) of the victim's computer, but
can turn on a user's webcam and send back pictures of the victim's home
or office.
In many ways Identity Theft is what scares me the most about Botnets. A
great example of why it scares me is the recent story (May 2009) in which
the University of California, Santa Barbara hijacked the "Torpig" Botnet. In the
ten days the school had control of this relatively small Botnet (around
Pay-Per-Click Abuse
Many internet sites, including Google, provide a way for other websites to
Google and its affiliates make money based on the number of times that the
Botnet to, sets up a fake website. They then join an affiliate program like
AdSense, place ads on the fake website, and order the Zombies to start
clicking on the advertisements. Some Zombies will even intercept the web
code that identifies the affiliate on every site a user visits and replace it
While this is one of the newest forms of Botnet attack, Google claims it is
growing and expects to lose millions to this form of attack over the next
few years.
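The affiliate-swapping trick described above is easy to model and, from the site owner's side, easy to check for. The following is an added example, not code from the original paper or from any ad network: it models the Zombie's rewrite of the publisher ID in a page as a plain substitution, and gives the check a site owner can run against a copy of their own page fetched through a machine they suspect. The publisher IDs, the page fragment and the `pub-` plus sixteen digits ID shape used here are assumptions made for the example.

```python
"""
Added example, not from the original paper: how a Zombie's affiliate-ID rewrite
looks and how a site owner can detect it. The IDs and the HTML are made up;
the "pub-" + 16 digits shape is an assumption for the example.
"""
import re
from collections import Counter

PUBLISHER_ID_RE = re.compile(r"pub-\d{16}")

SITE_PUBLISHER_ID = "pub-1111111111111111"    # the site owner's own ID (made up)
HERDER_PUBLISHER_ID = "pub-9999999999999999"  # the Bot Herder's ID (made up)

# Constructed page fragment in the style of a classic script-tag ad embed.
ORIGINAL_PAGE = """<html><body>
<script type="text/javascript">
google_ad_client = "pub-1111111111111111";
google_ad_slot = "1234567890";
</script>
<a href="http://ads.example.test/click?affiliate=pub-1111111111111111">sponsor</a>
</body></html>
"""


def zombie_rewrite(html, herder_id):
    """Model of the behaviour the paper describes: every publisher ID in the
    page the victim is viewing is replaced with the Herder's, so the ad network
    credits the Herder for the impressions and clicks that follow."""
    return PUBLISHER_ID_RE.sub(herder_id, html)


def publisher_id_counts(html):
    """How many times each publisher ID appears in a page."""
    return dict(Counter(PUBLISHER_ID_RE.findall(html)))


def foreign_publisher_ids(html, expected_ids):
    """Site-owner check: publisher IDs in the page that are not yours.
    Run it on a copy of your page fetched through a suspect machine, because
    the rewrite happens on the Zombie, not on your server."""
    seen = set(PUBLISHER_ID_RE.findall(html))
    return sorted(seen - set(expected_ids))


if __name__ == "__main__":
    tampered = zombie_rewrite(ORIGINAL_PAGE, HERDER_PUBLISHER_ID)
    print("clean page:", foreign_publisher_ids(ORIGINAL_PAGE, [SITE_PUBLISHER_ID]))
    print("through a Zombie:", foreign_publisher_ids(tampered, [SITE_PUBLISHER_ID]))
    print("ID counts:", publisher_id_counts(tampered))
```

The important detail for a defender is where the check runs: the server keeps serving the correct ID, so comparing the page on disk proves nothing. The comparison has to be made against what a client actually rendered, which is why ad networks look for this from the click side (clicks credited to a publisher arriving from pages that publisher does not own) rather than from the publisher's server.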
ability to connect to a network from a remote location and interact with the
network as if the remote computer were the host computer. Many Bot
Clients have Rlogin built into them, giving the Bot Herder the ability to bypass
much of the victim's network security and gain access to the network
undetected.
Competition can be a good thing, right? Not in the world of Bot Herders.
According to the FBI there is currently a major turf war going on between the
major Botnets. Using their Zombies, the Bot Herders are not only performing
DDoS attacks on each other's Command & Control computers, but they are
Online polls are getting more and more attention nowadays. In fact, many of
the most popular reality shows use them as an option for users who don't
want to make repeated attempts to phone in to vote for their
let voters vote only a set number of times. This is normally done by
monitoring the IP address of the computer the vote is coming from. Botnets
make it rather easy to beat this because they can send votes in from tens of
happened in the most recent season of the reality show Dancing with the Stars.
Reports are that one of the contestants, Steve Wozniak, cofounder of Apple
Computer Corp., received a much larger percentage of web votes than he did
phone votes. In fact, reports say millions more, making him and his partner the
receiver of the most votes in total. This continued for several weeks until the
producers of the show reduced the value of the points that could be earned
Stealing Software
Not only can many of the Bot Clients download files from a victim's
computer, they can also retrieve serial numbers and activation codes for
the applications found on the victim's computer. Botnets are also used in the
The final common use for Botnets is to infect more Zombies. This normally
starts right after a Zombie comes under the control of the Bot
Herder, who orders it to search for and infect more vulnerable computers. I will go
the most part the answer to this question is financial gain, for both the Bot
Herders and the Botnet renters. Together, Botnets have enormous amounts
of both computing power and bandwidth. In fact, the larger networks can
Another reason for using a Botnet is that it makes it very difficult to track
the users of the Botnet. This is because not only are the attacks coming
from multiple locations around the world, but it is also a moving target because the
Botnet is expanding.
Before going into details on how to build and use a Botnet I need to spend
a little time introducing the cast of characters involved, each of which plays
○ C&C: Command and Control Center, used for two-way communication
with Zombies
The first stage in building a Botnet is the setup stage. During this stage
the Bot Herder needs to both set up the Command and Control Center
(C&C) and create the malware "Bot Client" that is going to be used to
The C&C is the Bot Herder's way of communicating with the Zombies. Not
responses back from them. The responses can be everything from "Hello, I
infected a new computer" to files and data retrieved from the infected
computers. Sometimes the Herder will set up the C&C on a rented server
There are a lot of options for how the C&C will communicate with the Zombies.
each other using any available TCP/IP port. Direct Connection was used a
○ Internet Relay Chat (IRC): IRC is a chat protocol which allows servers
worldwide to link and lets users access them with special software
and chat (via text) in real time. This is the most common way of handling
the communication between the Zombies and the C&C because it is both
easy to set up and allows for real-time communications. However, the
and ISPs has forced Herders to start looking for other options.
instructs the Herder to send an email. That email goes to only a few of the
Zombies, who in turn forward the email to more of the Zombies. While this
option may sound a little strange, it kind of makes sense. After all, many of
the Zombies are already set up as mail servers so they can send SPAM.
However, the biggest problem with this option is that it is a lot slower.
to a Web or FTP server that has been pre-programmed into the Zombies.
At a set time and day the Zombie checks the server for its orders. While
Attacks.
Web/FTP Retrieval, except that the encrypted orders are placed on a peer-
to-peer network (like Kazaa). The one advantage of this option over
is quickly on its way to catching up with IRC, but it is still not real time.
Bot Client which has the Zombie just sit and wait for a set time and date
to activate the orders. Preset is normally only used for DDoS attacks.
○ Social Networks: I could not find anything that directly talked about the
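Two of the C&C styles above leave a recognisable trace on the victim's network: IRC traffic carries plaintext commands such as NICK, JOIN and PRIVMSG, and Web/FTP or peer-to-peer retrieval means the Zombie contacts the same server on a clock, because it has been told when to check for orders. The following is an added example, not code from the original paper or from any bot or IDS product, that runs both checks over constructed connection-log lines. The hosts, ports, payloads, interval and jitter threshold are all made up for the example.

```python
"""
Added example, not from the original paper: two defender-side checks over a
connection log for the C&C styles described in the text. The log lines are
constructed; hosts, ports and payloads are made up for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Plaintext IRC client commands. Matching the payload instead of port 6667
# also catches a Herder who runs the IRC server on an unusual port.
IRC_COMMAND_RE = re.compile(r"^(NICK|USER|JOIN|PRIVMSG|TOPIC|PONG)\b")
MIN_CHECKINS = 4   # contacts needed before judging regularity
MAX_JITTER = 0.1   # pstdev/mean of the gaps between contacts; 0 is a perfect clock


def build_sample_log():
    """Constructed log, one contact per line: '<time> <src> <dst>:<port> <payload>'."""
    t0 = datetime(2009, 6, 14, 10, 0, 0)
    lines = []
    # Zombie A: Web retrieval, fetches its orders every 600 s exactly.
    for k in range(6):
        t = t0 + timedelta(seconds=600 * k)
        lines.append(f"{t.isoformat()} 10.0.0.5 198.51.100.7:80 GET /orders.txt")
    # Zombie B: FTP retrieval with a little jitter added to look less regular.
    for offset in [0, 600, 1210, 1800, 2405]:
        t = t0 + timedelta(seconds=offset)
        lines.append(f"{t.isoformat()} 10.0.0.6 198.51.100.8:21 RETR orders.bin")
    # Zombie C: IRC C&C on a non-standard port, only three contacts.
    for k, payload in enumerate(["NICK zombie-0042", "JOIN #orders",
                                 "PRIVMSG #orders :checking in"]):
        t = t0 + timedelta(seconds=3 + k)
        lines.append(f"{t.isoformat()} 10.0.0.9 203.0.113.20:65000 {payload}")
    # A person browsing: irregular gaps to the same web server Zombie A uses.
    for offset in [0, 5, 95, 107, 507, 510]:
        t = t0 + timedelta(seconds=offset)
        lines.append(f"{t.isoformat()} 10.0.0.20 198.51.100.7:80 GET /news")
    return lines


def parse_line(line):
    ts, src, dst_port, payload = line.split(" ", 3)
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port), payload


def find_beacons(lines):
    """Return (src, dst, port, mean_gap_seconds) for hosts that contact the same
    service at machine-regular intervals: the signature of a Zombie polling a
    Web, FTP or peer-to-peer drop for its orders."""
    contacts = defaultdict(list)
    for line in lines:
        ts, src, dst, port, _ = parse_line(line)
        contacts[(src, dst, port)].append(ts)

    beacons = []
    for (src, dst, port), times in contacts.items():
        if len(times) < MIN_CHECKINS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Coefficient of variation: a person's gaps vary a lot, a timer's do not.
        if avg > 0 and pstdev(gaps) / avg <= MAX_JITTER:
            beacons.append((src, dst, port, round(avg)))
    return sorted(beacons)


def find_irc_commands(lines):
    """Return (src, dst, port, command) for every payload that looks like IRC."""
    hits = []
    for line in lines:
        _, src, dst, port, payload = parse_line(line)
        m = IRC_COMMAND_RE.match(payload)
        if m:
            hits.append((src, dst, port, m.group(1)))
    return hits


if __name__ == "__main__":
    log = build_sample_log()
    for beacon in find_beacons(log):
        print("regular check-in:", beacon)
    for hit in find_irc_commands(log):
        print("irc command:", hit)
```

Two caveats a practitioner would want: the regularity check needs enough contacts to judge, so a Zombie that checks in once a day takes days to show up, and a Herder who adds large random delays to the schedule raises the jitter above the threshold. The IRC check is the cheaper of the two and is exactly why the text says IRC is being abandoned: plaintext commands on the wire are easy for ISPs and intrusion detection systems to match.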
Now that the Bot Herder has the C&C online, they need to turn their
turning a computer into a Zombie. The Bot Herder really has two options
The first is to write a Bot Client from scratch. This option takes a real
expert, because they need to not only write the client to handle the control
of the Zombie, but also understand and know how to take
many Bot Clients available on the internet. This option is really the better
option for most Bot Herders because they are already designed to take
Herder and have modules for the features they want to include.
Infection Stage
Now that the Setup Stage is done, it is time to start creating Zombies. The
first thing the Bot Herder does is create the first Zombie by infecting a
single computer on the internet with the Bot Client. Once infected, the
Zombie reports back to the C&C, telling it that it has infected a computer
and asking what it should do next. The Bot Herder monitors the C&C,
looking for the new Zombie to report back; once it has, he orders the
Zombie (using the C&C) to look for and infect additional computers. As
each new Zombie reports back it receives the same order to search and
the Herder can start using the Botnet and making money from it.
The first step in using the Botnet is to divide it into two groups. The details
of how they divide up the network really depend on what they plan on doing
with the Botnet. Are they going to keep the network and use it themselves, rent
out its use, or sell it outright? However, most of the time the network is
broken up into two groups: the Zombies with the fastest connections are
reserved for attacks (sending SPAM, Phishing, etc.) while the Zombies with
slower connections are used to continue to build the network or for DDoS
attacks.
Once the Botnet is divided, it is time to start using the network. To do so the
up the orders.
you already should be following to protect yourself from viruses, worms, and
Trojans, and using a little common sense. Below is a list of steps that both
○ Install a Firewall
resources.
Conclusion
While I do fear them, I am not the type to sit back and hide from my fears. So
Botnets, and I am even going to try to write my own so I can gain even more
I hope that by reading my paper you have gained a little insight into the
danger of Botnets and maybe understand why I have a general fear of what
they can do. It is not the DDoS attacks or even the SPAM that I fear, but the
Works Cited
Botnets - Wikipedia. (n.d.). Retrieved June 15, 2009, from Wikipedia:
http://en.wikipedia.org/wiki/Botnet
Dunham, K., & Melnick, J. (2008). Malicious Bots: An Inside Look into the Cyber-
Criminal Underground of the Internet. Auerbach Publications.
Gage, D., & Nash, K. S. (2006, April 6). Security Alert: When Bots Attack. Baseline
Magazine.
Roddel, V. (2009, April 13). Computer Infectors and Spam. Retrieved June 14, 2009,
from Bright Hub: http://www.brighthub.com/internet/security-privacy/articles/4276.aspx
Schiller, C., & Binkley, J. (2007). Botnets: The Killer Web App. Syngress.
Whitney, L. (2009, May 26). Report: Spam now 90 percent of all e-mail. Retrieved
June 14, 2009, from CNET: http://news.cnet.com/8301-1009_3-10249172-83.html