The Anatomy of a Botnet

Posted by Keith McMillan

May 12, 2008 | 2 Comments

There’s been a lot of news lately about botnets. But what exactly is one?

A botnet is a collection of computers that are under remote control. These compromised computers are typically called “zombies.” Zombie computers connect to a command-and-control system created by the owner of the botnet, and listen for commands. These commands can direct them to scan the zombie computer for personal information (such as bank account numbers, credit card numbers and passwords), search for other computers that have known security vulnerabilities that haven’t been patched and infect them as well, or to perform pretty much any action the botnet creator wants. In fact, many botnets have the ability to update the botnet software itself at the direction of the controller, adding new functions as needed. The largest botnets can have hundreds of thousands or even millions of computers under the control of a single individual or group.

Botnets have been used to extort money from internet gambling sites, by establishing so many connections from computers scattered across the internet that real, legitimate users can’t get through. Experts estimate that about 80% of the unsolicited commercial email, or spam, that you receive in your email box comes from 6 botnets.

But how does a computer become a zombie?

It can happen in a number of ways. As I already mentioned, if you don’t keep your computer up to date with patches, another zombie can find your computer and infect it. Another way your computer can become a zombie is if you visit a web site that installs software on your computer without your knowledge. Don’t think that only pornography or “warez” sites are dangerous: malicious software has been discovered on prominent companies’ web sites as well, as a result of a hacker compromising their security.

Programs such as Yahoo Messenger and AOL Instant Messenger can also be used to compromise your computer. In fact, a flaw in almost any program could potentially be used to infect your computer and turn it into a zombie.

Wouldn’t you notice if your computer was doing things without you telling it to? Not at all. Botnet zombie programs are carefully designed to avoid detection, and anti-virus and anti-spyware programs are typically only as good as their signature creators can make them. They come with no user interface, so it’s likely you wouldn’t notice them.

So what can you do? You should always run your computers behind a firewall, particularly if you’re a home user. Internet sites are available to help you determine how secure your firewall makes you, but don’t rely on just one: try as many as you can find.

The same applies to anti-virus and anti-spyware programs: don’t rely on just one. If you see signs that your computer may have been compromised, such as unexplained crashes or strange files, get your hands on three or four of these programs and run them in turn. That way you stand a better chance of finding and fixing the problem.
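One more thing a home or small-office user can do with the firewall they are already running is look at its outbound-connection log. A zombie has to connect to its command-and-control system and check in for orders, and that check-in tends to be regular, so a host that keeps reconnecting to the same address on a fixed schedule stands out from ordinary browsing. The script below is an added example, not code from the original post: it parses a few constructed log lines in a hypothetical firewall format, groups outbound connections by source, destination and port, and flags flows whose connection intervals are nearly constant. The log format, addresses and timestamps are all made up for the example; port 6667 is the standard IRC port, used here only because the constructed sample imitates an IRC-style check-in.

```python
"""Flag hosts that 'beacon' to one destination at regular intervals (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log in a hypothetical firewall format:
#   "<ISO timestamp> OUT <src_ip> -> <dst_ip>:<dst_port>"
# Host 192.168.1.20 checks in with 198.51.100.7:6667 every five minutes;
# host 192.168.1.31 just browses a web site at irregular times.
SAMPLE_LOG = """\
2008-05-12T10:00:00 OUT 192.168.1.20 -> 198.51.100.7:6667
2008-05-12T10:00:03 OUT 192.168.1.20 -> 203.0.113.5:80
2008-05-12T10:05:00 OUT 192.168.1.20 -> 198.51.100.7:6667
2008-05-12T10:07:41 OUT 192.168.1.20 -> 203.0.113.9:443
2008-05-12T10:10:00 OUT 192.168.1.20 -> 198.51.100.7:6667
2008-05-12T10:15:01 OUT 192.168.1.20 -> 198.51.100.7:6667
2008-05-12T10:20:00 OUT 192.168.1.20 -> 198.51.100.7:6667
2008-05-12T10:01:10 OUT 192.168.1.31 -> 203.0.113.5:80
2008-05-12T10:33:52 OUT 192.168.1.31 -> 203.0.113.5:80
2008-05-12T10:34:05 OUT 192.168.1.31 -> 203.0.113.5:80
2008-05-12T11:12:19 OUT 192.168.1.31 -> 203.0.113.5:80
"""


def parse_line(line):
    """Split one log line into (timestamp, src_ip, dst_ip, dst_port)."""
    ts_str, _direction, src, _arrow, dst = line.split()
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%S")
    dst_ip, dst_port = dst.rsplit(":", 1)
    return ts, src, dst_ip, int(dst_port)


def find_beacons(log_text, min_connections=4, max_jitter=0.1):
    """Return flows whose inter-connection gaps are almost identical.

    max_jitter is the allowed ratio of standard deviation to mean gap;
    0.1 means the gaps vary by no more than about 10 percent.
    """
    flows = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst_ip, dst_port = parse_line(line)
            flows[(src, dst_ip, dst_port)].append(ts)

    findings = []
    for (src, dst_ip, dst_port), stamps in flows.items():
        if len(stamps) < min_connections:
            continue  # too few connections to judge a rhythm
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # all connections in the same second; not a schedule
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            findings.append({
                "src": src,
                "dst": dst_ip,
                "port": dst_port,
                "count": len(stamps),
                "period_s": round(avg),
                "jitter": round(jitter, 3),
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['src']} -> {hit['dst']}:{hit['port']} "
              f"every ~{hit['period_s']}s ({hit['count']} connections)")
```

A regular rhythm is a lead, not a verdict: software update checks and mail clients poll on schedules too, so the point of the script is to give you a short list of flows worth looking up, rather than to declare a host a zombie. Lowering max_jitter or raising min_connections tightens the filter at the cost of missing bots that randomize their check-in interval.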

What are the authorities doing about botnets? Unfortunately, usually precious little. Internet crime is hard to investigate, and since it’s frequently trans-national, even harder to prosecute. There have been some successes.

Ironically enough, sometimes the botnet owner’s worst enemy is another botnet owner. Since these networks can download new programs, it’s possible for one botnet owner to steal another’s network by compromising his or her command-and-control servers, and directing the network to download different software, adding the new network to their existing one.

There has been some research in the last couple of years on understanding, detecting and fighting botnets, but as of now, the fight is far from over. Be careful out there.




Comment by Andy Kailhofer
2008-05-13 08:53:18

What about going after the heads? Just like with zombies, getting rid of the controllers should do the trick. I’m supposing that they’re mostly set up in places like NoLawsHereIstan?

Comment by Keith McMillan
2008-05-13 20:07:25

Hi Andy,

It’s a good idea, and this is the way that some of the researchers have gone about identifying the size of the Storm botnet, for instance.

Botnet controllers do go to lengths to prevent this sort of thing, for the obvious reasons. I know a number of them use IRC as a control channel, but I don’t really know too much about the actual infrastructure of an IRC network, what kind of survivability they have. Botnets do typically have redundant command and control, though. The Storm researchers actually registered a machine with the IP address of one of the failover controllers to assume control and measure the size of the network.

Eventually, I think that attacking the command and control is the way to go, but clearly there are some technical challenges that need to be overcome first.
