May
12
The Anatomy of a Botnet
May 12, 2008 | 2 Comments
There’s been a lot of news lately about botnets. But what exactly is one?
A botnet is a collection of computers that are under remote control. These compromised computers are typically called “zombies.” Zombie computers connect to a command-and-control system created by the owner of the botnet, and listen for commands. These commands can direct them to scan the zombie computer for personal information (such as bank account numbers, credit card numbers and passwords), search for other computers that have known security vulnerabilities that haven’t been patched and infect them as well, or to perform pretty much any action the botnet creator wants. In fact, many botnets have the ability to update the botnet software itself at the direction of the controller, adding new functions as needed. The largest botnets can have hundreds of thousands or even millions of computers under the control of a single individual or group.
Botnets have been used to extort money from internet gambling sites, by establishing so many connections from computers scattered across the internet that real, legitimate users can’t get through. Experts estimate that about 80% of the unsolicited commercial email, or spam, that you receive in your email box comes from 6 botnets.
But how does a computer become a zombie?
It can happen in a number of ways. As I already mentioned, if you don’t keep your computer up to date with patches, another zombie can find your computer and infect it. Another way your computer can become a zombie is if you visit a web site that installs software on your computer without your knowledge. Don’t think that only pornography or “warez” sites are dangerous: malicious software has been discovered on prominent companies web sites as well, as a result of a hacker compromising their security.
Programs such as Yahoo messenger and AOL instant messenger can also be used to compromise your computer. In fact any flaw in a program could potentially infect your computer causing it to become a zombie.
Wouldn’t you notice if your computer was doing things without you telling it to? Not at all. Botnet zombie programs are carefully designed to avoid detection, and anti-virus and anti-spyware programs are typically only as good as their signature creators can make them. They come with no user interface, so it’s likely you wouldn’t notice them.
So what can you do? You should always run your computers behind a firewall, particularly if you’re a home user. Internet sites are available to help you determine how secure your firewall makes you, but don’t rely on just one: try as many as you can find.
The same applies to anti-virus and anti-spyware programs: don’t rely on just one. If you suspect that your computer has been compromised, such as unexplained crashes and strange files, get your hands on three or four of these programs and run them in turn. That way you stand a better chance of finding and fixing the problem.
What are the authorities doing about botnets? Unfortunately, usually precious little. Internet crime is hard to investigate, and since it’s frequently trans-national, even harder to prosecute. There have been some successes.
Ironically enough, sometimes the botnet owner’s worst enemy is another botnet owner. Since these networks can download new programs, it’s possible for one botnet owner to steal another’s network by compromising his or her command-and-control servers, and directing the network to download different software, adding the new network to their existing one.
There has been some research in the last couple of years working on understanding, detecting and fighting botnets, but as of now, the fight is long from over. Be careful out there.
Blogroll
- Ars Technica
- Dark Reading - IT Security
- Help Net Security
- InformIT
- SANS Internet Storm Center
- Schneier on Security - Dr. Bruce Schieier’s blog
- Security Info Watch
- What to Fix - Daniel Markham, fellow consultant
- Wired Gadget Lab
- Wordpress Documentation
- WordPress Planet
- Wordpress Support Forum