What is botnet and
what is it’s future
By: Serafin Sanchez 1/23/08
Botnet is a collection of software robots, which run autonomously and automatically. They run on groups of computers and network controlled remotely.
While the term botnet can be used to refer to any group of bots, such as IRC bots, the word is generally used to refer to a collection of compromised computers (called zombie computers) running programs, usually referred to as worms, Trojan horses, malware, or backdoors, under a common command and control infrastructure. A botnet's originator can control the group remotely, usually through a means such as IRC, and usually for nefarious purposes. Individual programs manifest as IRC bots. Often the command and control takes place via an IRC server or a specific channel on a public IRC network. A bot typically runs hidden, and complies with the RFC 1459 (IRC) standard. Generally, the bad guys (I use bad guys for lack of a better word) of the botnet has compromised a series of systems using various tools (exploits, buffer overflows, as well as others). Newer bots can automatically scan their environment and propagate themselves using vulnerabilities and weak passwords. Generally, the more vulnerability a machine the better a bot can scan and propagate through, the more valuable it becomes to a botnet controller community.
Due to most conventional IRC networks taking measures and blocking access to previously-hosted botnets, controllers must now find their own servers. Often, a botnet will include a variety of connections, ranging from dial-up, ADSL and cable, and a variety of network types, including educational, corporate, government and even military networks. Sometimes, a controller will hide an IRC server installation on an educational or corporate site, where high-speed connections can support a large number of other bots.
Several botnets have been found and removed from the Internet. The Dutch police found a 1.5 million node botnet and the Norwegian ISP Telenor disbanded a 10,000-node botnet. Large coordinated international efforts to shut down botnets have also been initiated. It has been estimated that up to one quarter of all personal computers connected to the internet are part of a botnet.
The bad guy uses a botnet to send spam. This example illustrates how a botnet is created and used to send email spam.
A botnet operator sends out viruses or worms, infecting ordinary users' computers, whose payload is a trojan application -- the bot.
The bot on the infected PC logs into a particular IRC server (or in some cases a web server). That server is known as the command-and-control server (C&C).
A spammer purchases access to the botnet from the operator.
The spammer sends instructions via the IRC server to the infected PCs, causing them to send out spam messages to mail servers.
Botnets are exploited for various purposes, including denial-of-service attacks, creation or misuse of SMTP mail relays for spam (see Spambot), click fraud, and the theft of application serial numbers, login IDs, and financial information such as credit card numbers.
Newer botnets are almost entirely P2P, with command and control embedded into the botnet itself, and the single point of failure being a domain name - often registered with obscure registrars that may lack policies, and with stolen credit cards and fake identities.
The types of attacks the bad guys use are listed below:
Denial-of-service attack where multiple systems autonomously access a single Internet system or service in a way that appears legit, but much more frequently than normal use and cause the system to become busy.
Adware exists to advertise some commercial entity actively and without the user's permission or awareness.
Spyware is software which sends information to its creators about a user's activities.
E-mail spam are e-mail messages disguised as messages from people, but are either advertising, annoying, or malicious in nature.
Click fraud is the user's computer visiting websites without the user's awareness to create false web traffic for the purpose of personal or commercial gain.
Some preventive measures are if a machine receives a denial-of-service attack from a botnet, few choices exist. Given the general geographic dispersal of botnets, it becomes difficult to identify a pattern of offending machines, and the sheer volume of IP addresses does not lend itself to the filtering of individual cases. Passive OS Fingerprinting can identify attacks originating from a botnet: network administrators can configure newer firewall equipment to take action on a botnet attack by using information obtained from Passive OS Fingerprinting. The most serious preventive measures utilize rate-based intrusion prevention systems implemented with specialized hardware.
Some botnets use free DNS hosting services such as DynDns.org, No-IP.com, & Afraid.org to point a subdomain towards an IRC server that will harbor the bots. While these free DNS services do not themselves host attacks, they provide reference points, often hard-coded into the botnet executable. Removing such services can cripple an entire botnet. Recently, these companies have undertaken efforts to purge their domains of these sub domains. The botnet community refers to such efforts as "nullrouting", because the DNS hosting services usually direct the offending sub domains to an inaccessible IP address.
Several security companies such as Symantec, Trend Micro, FireEye, Simplicita and Damballa have announced offerings to stop botnets. While some, like Norton Anti-Bot (aka Sana Security), are aimed at consumers, most are aimed to protect enterprises and/or ISPs. The host-based techniques use heuristics to try to identify bot behavior that has bypassed conventional antivirus. Network-based approaches tend to use the techniques described above; shutting down C&C servers, null-routing (re-directing) DNS entries, or completely shutting down IRC servers.
In conclusion, botnet need to be stop because it is bad for it is bad for the internet and its users both business and personal, botnet is harmful to equipment, and our information. There are not many was to fight botnet at this time but we are working on it. In the future I will be posting more blog on botnet and welcome your feedback.