A botnet is a collection of software agents, or robots, that run autonomously and automatically. The term is most commonly associated with malicious software, but it can also refer to a network of computers using distributed computing.
Background
The main drivers for botnets are recognition and financial gain. The larger the botnet, the more ‘kudos’ the herder can claim to have among the underground community. The bot herder will also ‘rent’ the services of the botnet out to third parties, usually for sending out spam messages, or for performing a denial of service attack against a remote target. Due to the large numbers of compromised machines within the botnet, huge volumes of traffic (either email or denial of service) can be generated. However, in recent times the volumes of spam originating from a single compromised host have dropped in order to thwart anti-spam detection algorithms: a larger number of compromised hosts each send a smaller number of messages in order to evade detection by anti-spam techniques.
Botnets have become a significant part of the Internet, albeit increasingly hidden. Due to most conventional IRC networks taking measures and blocking access to previously-hosted botnets, controllers must now find their own servers. Often, a botnet will include a variety of connections and network types. Sometimes a controller will hide an IRC server installation on an educational or corporate site where high-speed connections can support a large number of other bots. Exploitation of this method of using a bot to host other bots has proliferated only recently as most script kiddies do not have the knowledge to take advantage of it.
Several botnets have been found and removed from the Internet. The Dutch police found a 1.5 million node botnet[1] and the Norwegian ISP Telenor disbanded a 10,000-node botnet.[2] In July 2010, the FBI arrested a 23-year-old Slovenian held responsible for the malicious software that integrated an estimated 12 million computers into a botnet.[3] Large coordinated international efforts to shut down botnets have also been initiated.[4] It has been estimated that up to one quarter of all personal computers connected to the internet may be part of a botnet.[5]
Organization
While botnets are often named after their malicious software name, there are typically multiple botnets in operation using the same malicious software families, but operated by different criminal entities.[6]
While the term "botnet" can be used to refer to any group of bots, such as IRC bots, this word is generally used to refer to a collection of compromised computers (called zombie computers) running software, usually installed via drive-by downloads exploiting web browser vulnerabilities, worms, Trojan horses, or backdoors, under a common command-and-control infrastructure.
A botnet's originator (aka "bot herder" or "bot master") can control the group remotely, usually through a means such as IRC, and usually for nefarious purposes. Individual programs manifest as IRC "bots". Often the command-and-control takes place via an IRC server or a specific channel on a public IRC network. This server is known as the command-and-control server ("C&C"). Though rare, more experienced botnet operators program their own commanding protocols from scratch. The constituents of these protocols include a server program, client program for operation, and the program that embeds itself on the victim's machine (bot). All three of these usually communicate with each other over a network using a unique encryption scheme for stealth and protection against detection or intrusion into the botnet network.
A bot typically runs hidden and uses a covert channel (e.g. the RFC 1459 (IRC) standard, Twitter or IM) to communicate with its C&C server. Generally, the perpetrator of the botnet has compromised a series of systems using various tools (exploits, buffer overflows, as well as others; see also RPC). Newer bots can automatically scan their environment and propagate themselves using vulnerabilities and weak passwords. Generally, the more vulnerabilities a bot can scan and propagate through, the more valuable it becomes to a botnet controller community. The process of stealing computing resources as a result of a system being joined to a "botnet" is sometimes referred to as "scrumping."
Botnet servers will often liaise with other botnet servers, such that a group may contain 20 or more individual cracked high-speed connected machines as servers, linked together for purposes of greater redundancy. Actual botnet communities usually consist of one or several controllers that rarely have highly-developed command hierarchies between themselves; they rely on individual friend-to-friend relationships.[citation needed]
The architecture of botnets has evolved over time, and not all botnets exhibit the same topology for command and control. Depending on the topology implemented, a botnet may be more resilient to shutdown, enumeration, or command and control location discovery. However, some of these topologies limit the saleability and rental potential of the botnet to other third-party operators.[7] Typical botnet topologies are:
- Star
- Multi-server
- Hierarchical
- Random
To thwart detection, some botnets were scaling back in size. As of 2006, the average size of a network was estimated at 20,000 computers, although larger networks continued to operate.[8]
Formation and exploitation
This example illustrates how a botnet is created and used to send email spam.
- A botnet operator sends out viruses or worms, infecting ordinary users' computers, whose payload is a malicious application, the bot.
- The bot on the infected PC logs into a particular C&C server (often an IRC server, but, in some cases a web server).
- A spammer purchases the services of the botnet from the operator.
- The spammer provides the spam messages to the operator, who instructs the compromised machines via the IRC server, causing them to send out spam messages.
Botnets are exploited for various purposes, including denial-of-service attacks, creation or misuse of SMTP mail relays for spam (see Spambot), click fraud, spamdexing and the theft of application serial numbers, login IDs, and financial information such as credit card numbers.
The botnet controller community features a constant and continuous struggle over who has the most bots, the highest overall bandwidth, and the most "high-quality" infected machines, like university, corporate, and even government machines.[citation needed]
Botnet lifecycle
- Bot-herder configures initial bot parameters such as infection vectors, payload, stealth, C&C details
- Register a DDNS
- Register a static IP
- Bot-herder launches or seeds new bot(s)
- Bots spread
- Causes an increase of DDoS being sent to the victim
- Losing bots to rival botnets
Types of attacks
- Denial-of-service attacks where multiple systems autonomously access a single Internet system or service in a way that appears legitimate, but much more frequently than normal use and cause the system to become busy.
- Adware exists to advertise some commercial entity actively and without the user's permission or awareness, for example by replacing banner ads on web pages with those of another content provider.
- Spyware is software which sends information to its creators about a user's activities, typically passwords, credit card numbers and other information that can be sold on the black market. Compromised machines that are located within a corporate network can be worth more to the bot herder, as they can often gain access to confidential information held within that company. There have been several targeted attacks on large corporations with the aim of stealing sensitive information; one such example is the Aurora botnet.[9]
- E-mail spam are e-mail messages disguised as messages from people, but are either advertising, annoying, or malicious in nature.
- Click fraud is the user's computer visiting websites without the user's awareness to create false web traffic for the purpose of personal or commercial gain.
- Access number replacements are where the botnet operator replaces the access numbers of a group of dial-up bots to that of a victim's phone number. Given enough bots partake in this attack, the victim is consistently bombarded with phone calls attempting to connect to the internet. Having very little to defend against this attack, most are forced into changing their phone numbers (land line, cell phone, etc).
- Fast flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies.
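The fast-flux item above describes names whose answers keep moving across many compromised hosts. The following added example (not from the original article) scores domains in passive-DNS data for that pattern; the thresholds, the TTL criterion, the /16 bucketing and the sample observations are assumptions made for illustration.

```python
"""Flag fast-flux candidates in passive-DNS data (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import median

# Illustrative thresholds (assumptions; tune against your own resolver data).
MIN_DISTINCT_IPS = 5     # addresses seen for one name
MIN_DISTINCT_NETS = 3    # distinct /16 (IPv4) or /32 (IPv6) networks
MAX_MEDIAN_TTL = 300     # seconds
MIN_TURNOVER = 0.5       # share of late-window addresses never seen earlier

# Constructed observations: (unix_time, name, answer, ttl_seconds).
# Private 10.x addresses stand in for public ones.
OBSERVATIONS = [
    (1000, "login.flux-example.test", "10.1.4.20", 120),
    (1000, "login.flux-example.test", "10.7.9.3", 120),
    (1300, "login.flux-example.test", "10.22.1.8", 150),
    (1300, "login.flux-example.test", "10.7.9.3", 150),
    (1600, "login.flux-example.test", "10.35.2.2", 120),
    (1600, "login.flux-example.test", "10.41.8.9", 180),
    (1900, "login.flux-example.test", "10.52.3.3", 120),
    (1900, "login.flux-example.test", "10.22.1.8", 120),
    # Many addresses and a short TTL, but one network and a stable pool.
    (1000, "static.cdn-example.test", "10.200.0.1", 60),
    (1000, "static.cdn-example.test", "10.200.0.2", 60),
    (1300, "static.cdn-example.test", "10.200.0.3", 60),
    (1300, "static.cdn-example.test", "10.200.0.4", 60),
    (1600, "static.cdn-example.test", "10.200.0.5", 60),
    (1600, "static.cdn-example.test", "10.200.0.6", 60),
    (1900, "static.cdn-example.test", "10.200.0.1", 60),
    # Ordinary single-address site.
    (1000, "www.shop-example.test", "10.90.1.1", 3600),
    (1900, "www.shop-example.test.", "10.90.1.1", 3600),
]


@dataclass
class FluxReport:
    distinct_ips: int
    distinct_nets: int
    median_ttl: float
    turnover: float
    suspicious: bool


def covering_net(ip):
    """Coarse network bucket, used as an offline stand-in for an ASN lookup."""
    prefix = 16 if ip.version == 4 else 32
    return ip_network(f"{ip}/{prefix}", strict=False)


def score_domains(observations):
    """Return {name: FluxReport} for every name in the observations."""
    by_name = defaultdict(list)
    for ts, name, answer, ttl in observations:
        # Normalise case and the trailing root dot so one name is one key.
        by_name[name.lower().rstrip(".")].append((ts, ip_address(answer), ttl))

    reports = {}
    for name, rows in by_name.items():
        rows.sort(key=lambda r: r[0])
        ips = {ip for _, ip, _ in rows}
        nets = {covering_net(ip) for ip in ips}
        ttl_med = median(ttl for _, _, ttl in rows)
        # Turnover: split the observation window in half and measure how many
        # late answers were never handed out in the early half.
        midpoint = (rows[0][0] + rows[-1][0]) / 2
        early = {ip for ts, ip, _ in rows if ts <= midpoint}
        late = {ip for ts, ip, _ in rows if ts > midpoint}
        turnover = len(late - early) / len(late) if late else 0.0
        suspicious = (
            len(ips) >= MIN_DISTINCT_IPS
            and len(nets) >= MIN_DISTINCT_NETS
            and ttl_med <= MAX_MEDIAN_TTL
            and turnover >= MIN_TURNOVER
        )
        reports[name] = FluxReport(len(ips), len(nets), ttl_med, turnover, suspicious)
    return reports


if __name__ == "__main__":
    for name, report in sorted(score_domains(OBSERVATIONS).items()):
        print(name, report)
```

The CDN-like name shows why address count and short TTL alone are weak signals: it only clears the check because its answers stay inside one network.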
Preventive measures
If a machine receives a denial-of-service attack from a botnet, few choices exist. Given the general geographic dispersal of botnets, it becomes difficult to identify a pattern of offending machines, and the sheer volume of IP addresses does not lend itself to the filtering of individual cases. Passive OS fingerprinting can identify attacks originating from a botnet: network administrators can configure newer firewall equipment to take action on a botnet attack by using information obtained from passive OS fingerprinting. The most serious preventive measures utilize rate-based intrusion prevention systems implemented with specialized hardware.
Some botnets use free DNS hosting services such as DynDns.org, No-IP.com, and Afraid.org to point a subdomain towards an IRC server that will harbor the bots. While these free DNS services do not themselves host attacks, they provide reference points (often hard-coded into the botnet executable). Removing such services can cripple an entire botnet. Recently, these companies have undertaken efforts to purge their domains of these subdomains. The botnet community refers to such efforts as "nullrouting", because the DNS hosting services usually re-direct the offending subdomains to an inaccessible IP address.
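Because a bot with a hard-coded subdomain keeps looking it up after the provider has nullrouted it, resolver logs can point to infected internal hosts. The following is an added example, not part of the original article: the log format, hostnames, sink address ranges and hit threshold are constructed assumptions, and the watched zones are simply the three providers named above.

```python
"""Find internal hosts still looking up nullrouted dynamic-DNS names (added example)."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Provider zones named in the article; a production list would be longer.
WATCHED_ZONES = ("dyndns.org", "no-ip.com", "afraid.org")

# Answers treated as "inaccessible" (assumption). Listed explicitly so the
# result does not depend on a Python version's is_private semantics.
SINK_NETS = [ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "240.0.0.0/4",
)]

# Hypothetical resolver log format: "<timestamp> client=<ip> query=<name> answer=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<name>\S+) answer=(?P<answer>\S+)$"
)

# Constructed log lines; hostnames are invented for the example.
SAMPLE_LOG = """
2010-07-28T10:00:01Z client=10.0.5.23 query=sample-a.dyndns.org. answer=0.0.0.0
2010-07-28T10:00:31Z client=10.0.5.23 query=sample-a.dyndns.org. answer=0.0.0.0
2010-07-28T10:01:01Z client=10.0.5.23 query=SAMPLE-A.DynDNS.org answer=0.0.0.0
2010-07-28T10:01:05Z client=10.0.5.40 query=sample-cam.no-ip.com answer=198.51.100.7
2010-07-28T10:01:09Z client=10.0.5.41 query=www.notdyndns.org answer=127.0.0.1
2010-07-28T10:02:00Z client=10.0.5.42 query=sample-b.afraid.org answer=127.0.0.1
garbage line
2010-07-28T10:03:00Z client=10.0.5.23 query=sample-c.afraid.org answer=10.255.255.1
"""


def in_watched_zone(name, zones=WATCHED_ZONES):
    """True for subdomains of a watched zone, matched on a label boundary."""
    name = name.lower().rstrip(".")
    return any(name.endswith("." + zone) for zone in zones)


def is_sink(answer):
    """True when the answer is an IPv4 address inside one of SINK_NETS."""
    try:
        ip = ip_address(answer)
    except ValueError:
        return False  # NXDOMAIN markers, CNAME text, malformed fields
    return ip.version == 4 and any(ip in net for net in SINK_NETS)


def find_nullrouted_lookups(lines, min_hits=3):
    """Return {client: {"hits": n, "names": [...]}} for clients at or above min_hits."""
    seen = defaultdict(lambda: {"hits": 0, "names": set()})
    for line in lines:
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip blank or malformed lines instead of failing the run
        name = match["name"].lower().rstrip(".")
        if in_watched_zone(name) and is_sink(match["answer"]):
            record = seen[match["client"]]
            record["hits"] += 1
            record["names"].add(name)
    return {
        client: {"hits": rec["hits"], "names": sorted(rec["names"])}
        for client, rec in seen.items()
        if rec["hits"] >= min_hits
    }


if __name__ == "__main__":
    for client, info in find_nullrouted_lookups(SAMPLE_LOG.splitlines()).items():
        print(client, info["hits"], ", ".join(info["names"]))
```

Repeated lookups from one client are the signal; a single hit, like the one from 10.0.5.42 in the sample, stays below the default threshold and is only reported with `min_hits=1`.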
The botnet server structure mentioned above has inherent vulnerabilities and problems. For example, if one was to find one server with one botnet channel, often all other servers, as well as other bots themselves, will be revealed. If a botnet server structure lacks redundancy, the disconnection of one server will cause the entire botnet to collapse, at least until the controller(s) decides on a new hosting space. However, more recent IRC server software includes features to mask other connected servers and bots, so that a discovery of one channel will not lead to disruption of the botnet.
Several security companies such as Afferent Security Labs, Symantec, Trend Micro, FireEye, Simplicita and Damballa have announced offerings to stop botnets. While some, like Norton AntiBot, are aimed at consumers, most are aimed to protect enterprises and/or ISPs. The host-based techniques use heuristics to try to identify bot behavior that has bypassed conventional anti-virus software. Network-based approaches tend to use the techniques described above; shutting down C&C servers, nullrouting DNS entries, or completely shutting down IRC servers.
Newer botnets are almost entirely P2P, with command-and-control embedded into the botnet itself. By being dynamically updateable and variable they can evade having any single point of failure. Commanders can be identified solely through secure keys and all data except the binary itself can be encrypted. For example a spyware program may encrypt all suspected passwords with a public key hard coded or distributed into the bot software. Only with the private key, which only the commander has, can the data that the bot has captured be read.
Newer botnets have even been capable of detecting and reacting to attempts to figure out how they work. A large botnet that can detect that it is being studied can even DDoS those studying it off the internet.
There is an effort by researchers at Sandia National Laboratories to analyze the behavior of these botnets by simultaneously running one million Linux kernels as virtual machines on a 4,480-node Dell high-performance computer cluster.[10]
Historical list of botnets
| Date created | Name | Estimated no. of bots | Spam capacity | Aliases |
|---|---|---|---|---|
| ? | Conficker | 10,000,000+[11] | 10 billion/day | DownUp, DownAndUp, DownAdUp, Kido |
| ? | Kraken | 495,000 | 9 billion/day | Kracken |
| 31 March 2007 | Srizbi | 450,000[12] | 60 billion/day | Cbeplay, Exchanger |
| ? | Bobax | 185,000 | 9 billion/day | Bobic, Oderoor, Cotmonger, Hacktool.Spammer, Kraken[citation needed] |
| Around 2006 | Rustock | 150,000 | 30 billion/day | RKRustok, Costrat |
| Around 2007 | Cutwail | 125,000 | 16 billion/day | Pandex, Mutant (related to: Wigon, Pushdo) |
| ? | Storm | 85,000 (only 35,000 send email) | 3 billion/day | Nuwar, Peacomm, Zhelatin |
| ? | Donbot | 80,000 | 500 million/day | |
| ? | Grum | 50,000 | 2 billion/day | Tedroo |
| ? | Onewordsub | 40,000 | 1.8 billion/day | ? |
| ? | Mega-D | 35,000 | 10 billion/day | Ozdok |
| ? | Nucrypt | 20,000 | 5 billion/day | Loosky, Locksky |
| ? | Wopla | 20,000 | 600 million/day | Pokier, Slogger, Cryptic |
| ? | Spamthru | 12,000 | 350 million/day | Spam-DComServ, Covesmer, Xmiler |
| ? | Attack Team | 10,000 | 250 million/day | Elite[B0tN3t] |
| August 14, 1996 | SilverNet | Unknown | Unknown | DataStreem, doomNET |
See also
- Anti-spam techniques (e-mail)
- Bot
- Buffer overflow
- Clickbot.A
- Computer worm
- Denial-of-service attack
- Dosnet
- E-mail address harvesting
- E-mail spam
- Kraken botnet
- List poisoning
- Spambot
- Spamtrap
- Srizbi botnet
- Storm botnet
- Timeline of notable computer viruses and worms
- Trojan horse (computing)
- Zombie computer
References
- Botnet operation controlled 1.5m PCs by Tom Sanders, vnunet.com.
- Telenor takes down 'massive' botnet by John Leyden, The Register.
- http://news.yahoo.com/s/ap/20100728/ap_on_go_ca_st_pe/us_cyber_bust
- ISPs urged to throttle spam zombies by John Leyden, The Register.
- Criminals 'may overwhelm the web', BBC, 25 January 2007.
- Many-to-Many Botnet Relationships, Damballa, 8 June 2009.
- Botnet Communication Topologies, Damballa, 10 June 2009.
- http://csdl2.computer.org/comp/mags/co/2006/04/r4017.pdf
- http://www.damballa.com/research/aurora/
- http://www.eweek.com/c/a/Security/Researchers-Boot-Million-Linux-Kernels-to-Help-Botnet-Research-550216/?kc=EWKNLLIN08182009STR2
- "Calculating the Size of the Downadup Outbreak - F-Secure Weblog : News from the Lab". F-secure.com. 2009-01-16. http://www.f-secure.com/weblog/archives/00001584.html. Retrieved 2010-04-24.
- "Technology | Spam on rise after brief reprieve". BBC News. 2008-11-26. http://news.bbc.co.uk/2/hi/technology/7749835.stm. Retrieved 2010-04-24.
External links
- Wired.com How-to: Build your own botnet with open source software
- The Honeynet Project & Research Alliance, "Know your Enemy: Tracking Botnets".
- The Shadowserver Foundation - An all volunteer security watchdog group that gathers, tracks, and reports on malware, botnet activity, and electronic fraud.
- NANOG Abstract: Botnets - John Kristoff's NANOG32 Botnets presentation.
- Mobile botnets - An economic and technological assessment of mobile botnets.
- Lowkeysoft - Intrusive analysis of a web-based proxy botnet (including administration screenshots).
- EWeek.com - Is the Botnet Battle Already Lost?.
- Wired Magazine - Attack of the Bots - How one company fought the new Internet mafia – and lost.
- Dark Reading - Botnets Battle Over Turf.
- List of dynamic (dsl, cable, modem, etc) addresses - Filter SMTP mail for hosts likely to be in botnets.
- ATLAS Global Botnets Summary Report - Real-time database of malicious botnet command and control servers.
- FBI LAX Press Release DOJ - FBI April 16, 2008
- Milcord Botnet Defense - DHS-sponsored R&D project that uses machine learning to adaptively detect botnet behavior at the network-level
- A Botnet by Any Other Name - SecurityFocus column by Gunter Ollmann on botnet naming.
Q. I was in an MSN conversation not long ago and someone was invited in and then claimed they had sent us all botnets. Now I'm not sure if it's true or not, though I'm not experiencing any symptoms from what I can see, but I want to know if, if I do have a botnet, does this mean the person controlling my computer see what websites I go on and what I search on Google etc? In response to the first answer, nope, haven't clicked any links. The guy just got invited into MSN, then after a few minutes told us to "enjoy our botnets" and signed off. I haven't actually had any contact at all with the guy past this joint MSN conversation in which he isn't one of my contacts and vice versa.
Asked by kthentulu - Sun Apr 19 14:51:51 2009 - - 1 Answers - 0 Comments
A. Did that person send a link or a file to you? If so did you click on it? If you did, you could be in trouble. You should never click on links unless you know the person who sends them and you should always check downloads with an anti-virus. If you didn't click on any link, then you're probably safe.
Answered by Zlatin - Sun Apr 19 14:59:59 2009


