
Digital Crime | Botnets

Introduction

Botnets have the potential to become the most damaging form of Internet attack. A botnet is a form of distributed computing: a network of many compromised systems that an attacker can direct against a target. Each member runs a small program (the bot) that sits unnoticed on the victim's computer, either actively collecting information from the machine or lying dormant until it receives a command. One infected system poses little threat on its own; the botnet gets its strength from numbers. A collection of computers, sometimes numbering in the millions, gives its controller, the bot herder, a great deal of computing power and bandwidth. Because the infected machines are spread over a wide geographic area, it can be very difficult, or even impossible, to pinpoint the origin of an attack and shut the botnet down.
Internet Relay Chat (IRC) bots, which first appeared in the late 1990s, were the first form of botnet. They were developed in underground chat rooms by skilled coders. Bot herders target IP ranges containing systems that are known to be vulnerable and to have little monitoring or security. Educational institutions are especially attractive targets because of their bandwidth, always-on connectivity and large storage capacity.
Bots are usually "herded", that is, controlled, over hidden IRC channels.

How Botnets Spread

Botnets usually spread via e-mail. Unsolicited mail arrives either from an unknown party or from someone whose messages you would normally trust but whose system is already infected. Systems are usually compromised through an attachment or by directing the user to click a link. The links are dressed up as pop-up ads or fake windows urging the user to download a program, such as a bogus utility, to repair a problem that may not even exist.
There is also internal rivalry among bot herders, who are known to "hijack" one another's botnets: most botnet control channels are unencrypted and use protocols the herders all know well, so a competitor who finds the channel can take it over. Botnets are traded as a criminal commodity in the underground spammer and hacker community. In 2004, rates ranged from $0.04 to $0.10 per compromised system; the going rate for a "good" botnet is believed to have risen since.

Functions of Botnets

Bots include functionality for transferring files to the victim's system and installing them, which is used to plant spyware, adware or viruses, or to expand or modify the attack. Botnets are generally controlled from secret IRC channels; some newer bots are controlled through a web-based interface, literally a website the bot herder logs on to in order to select exactly what the botnet should do.
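One network-side signal of IRC herding is many internal hosts joining the same channel on the same external server, often on a port other than the usual IRC ports. The script below is an added example, not code from the original page or from any botnet or tool it mentions. It assumes a feed of connection records in the form (source IP, destination IP, destination port, first JOIN command seen on the connection); the addresses, port numbers and channel name are constructed for the example.

```python
"""Added example: spot IRC-herded bots in connection records.

Groups IRC JOINs by (server, port, channel) and flags any channel that
several internal hosts joined on the same external server.  The records
below are constructed for this example; the record format (the first
JOIN seen on each connection is already extracted) is an assumption.
"""
import re
from collections import defaultdict

# Constructed sample records: (src_ip, dst_ip, dst_port, first JOIN seen).
SAMPLE_RECORDS = [
    ("10.0.0.11", "198.51.100.7", 8080, "JOIN #upd4te"),
    ("10.0.0.12", "198.51.100.7", 8080, "JOIN #upd4te"),
    ("10.0.0.13", "198.51.100.7", 8080, "JOIN #upd4te"),
    ("10.0.0.14", "198.51.100.7", 8080, "JOIN #upd4te"),
    ("10.0.0.21", "192.0.2.50", 6667, "JOIN #linux"),     # ordinary IRC use
    ("10.0.0.22", "192.0.2.50", 6667, "JOIN #python"),
    ("10.0.0.31", "203.0.113.9", 443, "GET / HTTP/1.1"),  # not IRC at all
]

IRC_STANDARD_PORTS = {6667, 6697}
JOIN_RE = re.compile(r"^JOIN\s+(#\S+)", re.IGNORECASE)


def irc_channel(first_line):
    """Return the channel name if the line is an IRC JOIN, else None."""
    m = JOIN_RE.match(first_line.strip())
    return m.group(1).lower() if m else None


def find_herded_channels(records, min_clients=3):
    """Return channels joined by at least min_clients distinct internal hosts
    on the same external server, noting whether the port is non-standard."""
    members = defaultdict(set)
    for src, dst, port, line in records:
        chan = irc_channel(line)
        if chan:
            members[(dst, port, chan)].add(src)
    findings = []
    for (dst, port, chan), srcs in sorted(members.items()):
        if len(srcs) >= min_clients:
            findings.append({
                "server": dst,
                "port": port,
                "channel": chan,
                "clients": sorted(srcs),
                "nonstandard_port": port not in IRC_STANDARD_PORTS,
            })
    return findings


if __name__ == "__main__":
    for f in find_herded_channels(SAMPLE_RECORDS):
        note = " (non-standard port)" if f["nonstandard_port"] else ""
        print(f"{len(f['clients'])} hosts joined {f['channel']} "
              f"on {f['server']}:{f['port']}{note}")
```

The threshold `min_clients` is the knob to tune: two colleagues in a public channel on port 6667 are not a finding, but four workstations joining the same channel on an unusual port of a server nobody recognises are worth a look. The same grouping works on NetFlow-style records if you tag IRC by payload rather than by port, since herders rarely use the default port.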

Crimes Using Botnets

Distributed Denial of Service Attacks

(DDoS) – Attacks that make Internet resources inaccessible for normal use.
Example: the 2002 attack on the DNS root servers, in which 7 of the 13 servers failed to respond to queries during the attack and two failed completely under the load. The attack made the Internet inaccessible for some users.

Denial of Service Extortion

The bot master runs a "sample attack" to show the victim what the botnet can do. This demonstration is generally understood to be much smaller than the botnet's full capacity, but only the bot master knows what the botnet can actually do. The attack is followed by some form of communication demanding money.

Flooding attacks

Infected machines send bogus requests to a server or website until the server, its routers or its Internet connectivity fail. Legitimate traffic is then blocked because the routers or server are overwhelmed.
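A flood of the kind described above shows up in the web server's own access log as a sudden jump in requests per second, spread over many sources. The script below is an added example, not code from the original page; it parses Apache common-log lines, compares each second's request count with the median of the rest, and reports how many distinct sources were involved and how busy the single busiest source was. The log lines are constructed inline, and the multiplier and minimum count are assumptions to be tuned against real traffic.

```python
"""Added example: detecting a flood in web-server access logs.

Buckets requests per second and flags seconds whose count exceeds a
multiple of the median per-second rate.  It also reports the number of
distinct sources and the busiest single source for each flagged second,
because a distributed flood can stay under any per-source threshold.
The log is constructed below; the factor/min_requests values are
assumptions for the example.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Apache common log format; assumes the request line is double-quoted.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, epoch_second, request_line), or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), int(ts.timestamp()), m.group("req")


def build_sample_log():
    """Constructed log: ten quiet seconds of 3 req/s from three clients,
    then one second in which 60 different hosts each send one request."""
    lines = []
    stamp = "[01/Mar/2009:12:00:%02d +0000]"
    quiet_clients = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    for sec in range(10):
        for ip in quiet_clients:
            lines.append(f'{ip} - - {stamp % sec} "GET /index.html HTTP/1.1" 200 2326')
    for i in range(60):
        lines.append(f'203.0.113.{i + 1} - - {stamp % 10} "GET /search?q=x HTTP/1.1" 200 512')
    return lines


def detect_flood(lines, factor=5, min_requests=20):
    """Flag seconds whose request count exceeds
    max(min_requests, factor * median per-second count)."""
    per_sec = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, sec, _ = parsed
            per_sec[sec].append(ip)
    if not per_sec:
        return []
    baseline = median(len(v) for v in per_sec.values())
    threshold = max(min_requests, factor * baseline)
    alerts = []
    for sec in sorted(per_sec):
        ips = per_sec[sec]
        if len(ips) > threshold:
            busiest_ip, busiest_count = Counter(ips).most_common(1)[0]
            alerts.append({
                "second": sec,
                "requests": len(ips),
                "threshold": threshold,
                "distinct_sources": len(set(ips)),
                "busiest_source": busiest_ip,
                "busiest_count": busiest_count,
            })
    return alerts


if __name__ == "__main__":
    for a in detect_flood(build_sample_log()):
        print(f"second {a['second']}: {a['requests']} requests "
              f"(threshold {a['threshold']}), {a['distinct_sources']} sources, "
              f"busiest {a['busiest_source']} sent {a['busiest_count']}")
```

In the constructed data the flagged second has 60 requests from 60 sources, and the busiest source sent exactly one request, which is the point: a rate limit per client IP would never fire here, so the aggregate rate and the source count have to be watched together.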

Click Fraud

Infected systems are used to exploit pay-per-click advertising. The bot herder instructs the bots to make fake requests that look like clicks on advertisements on specified websites. The advertisers are legitimate and pay for every click on their banners, so the owners of the websites carrying the ads collect per-click payments for traffic that never came from a real visitor.

Spam

Bots can send out massive amounts of spam, sometimes carrying the bot itself to new victims. Other botnets are rented out to spammers who pay to use the "network" to deliver their e-mail. The spam may carry viruses or other malicious software, or simply unsolicited advertising.

Investigations

Motivation

Money. Following the flow of funds leads investigators back to the kingpins behind the botnets.

Operation Bot Roast

Operation Bot Roast was an FBI investigation into botnets; by June 2007 it had identified 1 million victim computers. It was regarded as a good first step, but security professionals compared it to nabbing street-level drug dealers rather than the kingpin distributor.

John Schiefer

In March 2009 John Schiefer, a professional security consultant, was sentenced to four years in prison; he had been the first defendant in the US charged with wiretapping by means of a botnet. Schiefer infected over 250,000 computers and mined the compromised machines for bank account and credit card numbers.

Notable Botnets

Zeus

3.6 million computers. Steals sensitive data such as usernames and passwords, account numbers and credit card numbers through key-loggers.

Koobface

2.9 million computers. Spreads through fake messages on social networking sites that actually install malware.

Prevention

Keeping your system up to date and running reputable anti-virus/anti-spyware software is the best protection against becoming part of a botnet. Understanding how botnets spread and work will help you reduce your risk, as will not clicking links or opening e-mails that seem suspicious. OnGuard Online, the US government's consumer security site, even recommends disconnecting your PC from the Internet when it is not in use as a preventive measure.