Bots & Botnets

From Computing and Software Wiki


Each era of our world has had its own form of wealth; over the last centuries it has been gold, commerce, industry and others. In the 21st century the main wealth has been information and its spread. This information has become the key structure of our world's society, economy, health, development and more. This vast sea of information is spread through the Internet, which in recent years has evolved into a magnificent tool of knowledge and power. Unfortunately, people with malicious intentions have been using this same tool to spread threats such as viruses, worms, Trojan horses and others, again in order to obtain confidential and valuable information such as bank account user names and passwords, confidential or military information, or even CPU power to accelerate the spread of these threats. One powerful vehicle for this spread has been Bots that make up Botnets, which are the main focus of this research. This security breach has been one of the newest and most powerful threats to computer security within the last 5 years.



Bot? What is it?? How does it work???

A Bot is a type of malicious software that, after successfully invading a machine (which then becomes a zombie computer), usually arriving via worms, Trojan horses or back doors, places that machine under a common command-and-control (C&C) infrastructure. This newly installed malicious software (most likely found on machines running Windows, the most used OS in the world, which lacks the safe file/user execution model of computers running Linux or Mac OS) behaves like a "worm" process, capable of spreading through the infected machine. The Bot camouflages itself and keeps a low profile (for example, using as few system resources as possible until it is ordered to attack); only then does it connect to a communication channel (an IRC server, a web server or a P2P server), giving the attacker (the Bot Herder) full control of the machine through that remote channel.
At this point the infected machine is simply a tool that the Bot Herder can use as they please. Some of these malicious people use the Bot-controlled machine to obtain valuable information from the infected user's PC, or they enlist these Bot clients in a much greater threat: a Botnet. An individual Bot by itself has limited power; however, an exponential number of Bots working together in a Botnet can be far more catastrophic.

Botnet? What is it?? How does it work???

A Botnet consists of a Bot server connected to one or more Bot clients. This set of zombie machines (infected PCs) is used as a network to create a more powerful and sophisticated invasion technique than those known before.
Each Bot can relay orders and commands from the Bot Herder to other PCs that come into contact with it in some way. This is what gives Botnets their exponential growth characteristic.

Life cycle of a Botnet

Schematic time line of a Botnet
  • Initial setup of the Bot's configuration parameters, such as infection vectors, payload, stealth and C&C details
  • Register a dynamic DNS (DDNS) name
  • Register a static IP address
  • The Bot Herder infects PCs with the Bot(s)
    • The Bot propagates the infection according to its configuration settings
    • The Bot scans for vulnerabilities that it may encounter
    • Idle
    • The Bot performs the actions it receives from Bots above it in the chain of command
    • The Bot dies:
      • The Bot may be taken over by another Botnet
      • The owner of the infected PC realizes that it is a zombie and kills the Bot
      • The chain of command may be compromised at a level above the Bot

This invasion technique has evolved not only into an illegal way of making profit, but also into a way of violating people's right to information privacy. What have Botnets been used for? Is the whole concept of a Botnet evil? What actions are being taken to control this terrible plague? In the following sections, this article will discuss how this threat has been used (mainly as an effective malicious way of breaking the integrity, availability and confidentiality of a computer network's data) and ways to contain it.

Hard to exterminate...why?

A Botnet is adaptive; it can be designed to download different modules to exploit the specific things it finds on a victim. New exploits can be added as they are discovered. This makes the job of anti-virus systems far more complex. Finding one component of a Botnet says nothing about the nature of the other components, because the first component can choose to download any number of modules to perform the functionality of each phase in the Botnet's life cycle.
Some Botnets add a layer of complexity by sending the IRC commands through hidden proxies, or through a series of "hops". These layers help the crackers hide evidence that could lead to the discovery of the Botnet.
A file such as a .bat script that executes network commands can be modified to deactivate applications such as anti-virus systems or to kill the processes associated with any security application. Other Bots run processes that replace the normal program files of the anti-virus product with others that make the program look normal, or even modify the references used to download patches, so that corrupted patches are downloaded and executed on the compromised machine.
All of this casts doubt on the ability of anti-virus software to claim that a system is actually clean when it encounters and cleans one component of a multi-component Bot. Because each component is downloaded when it is needed after the initial infection, the potential for a system to receive a zero-day exploit is higher. We also have to consider that one of the Bot client modules is usually set up to make the anti-virus tool ineffective and to prevent the user from contacting the anti-virus vendor's web site for updates or removal tools. Botnets are powerful because they try to build not only a perfect attack, but also a perfect defense system.

History of Botnets

Like many things on the Internet today, Bots began as a useful tool without malicious purposes. They were originally developed to keep an IRC channel open and prevent malicious users from taking over the channel while the operator was busy doing other things. In order to assist these IRC operators, Bots needed to be able to act as the channel operator. This led Bot applications to evolve from code that helped a single user into code that manages and runs IRC channels as well. Around this time, some IRC servers and Bots began offering OS shell accounts to their users. The shell account permitted users to run commands on the IRC host. At this point the Bots' purpose was twisted into a malicious way of commanding a machine remotely.
The table below shows this evolution, and how a human-machine assistance application went from being simple and helpful code to a complex distributed network threat:

Timeline of Bot technology

Year  Bot technology
1988  Invention of IRC by Jarkko "WiZ" Oikarinen of the University of Oulu, Finland
1989  Greg Lindahl invents GM, the first Bot; GM plays "Hunt the Wumpus" with IRC users
1999  Pretty Park discovered. First worm to use an IRC server as a means of remote control
1999  SubSeven Trojan/Bot. A remote control Trojan that added control via IRC
2000  GT Bot, mIRC based. Runs scripts in response to IRC server events; supports raw TCP and UDP socket connections
2002  SDBot. Written in C++; its source code is available to the hacker community as a small single binary
2002  AgoBot, Gaobot. Introduced modular design: the 1st module breaks in and downloads, the 2nd module turns off anti-virus and hides from detection before downloading the 3rd module, and module 3 holds the attack engines/payload
2003  SpyBot. Spyware capabilities (key logging, data mining for e-mail addresses, lists of URLs, etc.)
2003  RBot. Most prevalent Bot today. Spreads through weak passwords, is easily modifiable and uses packaging software
2004  PolyBot. A derivative of AgoBot with polymorphic ability; changes the look of its code on every infection
2005  MYTOB. MyDoom mass-mailing worm with IRC Bot C&C

How big is this problem anyway? Why should I worry?? Who's out there for us???


In September 2006 Symantec released an Internet threat report which stated that during the six-month period from January to June 2006, Symantec observed 57,717 active Bot network computers per day. Symantec also stated that it observed more than 4.5 million distinct, active Bot network computers. They also discovered that many Bots were usually not detected until the Bot Herder had abandoned the computer, which leads us to conclude that the actual number is much larger than what Symantec can report.


In March of 2006, McAfee was called to literally reclaim an unnamed Central American country’s telecommunications infrastructure from a massive Botnet. In the first week of the engagement McAfee documented 6.9 million attacks of which 95 percent were Internet Relay Chat (IRC) Bot related. The national telecommunication company reported the following resulting problems:

  • Numerous network outages of up to six hours
  • Customer threats of lawsuits
  • Customer business disruptions
  • Lengthy outages of bank ATM service

Consider the distributed denial-of-service (DDoS) attack power of one Botnet: a small Botnet of 10,000 Bot clients with, conservatively, 128 Kbps of broadband upload speed each can produce approximately 1.3 gigabits of data per second. With this kind of power, two or three large (one million plus) Botnets could, according to McAfee, "threaten the national infrastructure of most countries."


Since January 2005, Microsoft has been delivering the Windows Malicious Software Removal Tool to its customers. After 15 months, Microsoft announced that it had removed 16 million instances of malicious software from almost six million unique computers. Use of the tool is voluntary; that is to say, the vast majority of Microsoft users are not running it.


Denial-of-service attacks are growing faster than bandwidth is being added to the Internet, according to VeriSign, the company that administers the .com domain. The company claimed that a successful denial-of-service (DoS) attack against VeriSign could bring down the Internet. "There are attacks attempting to shut down our servers," said Ken Silva, VeriSign's chief security officer. "This would effectively shut down the Internet."

Sun Microsystems' Grid

Sun Microsystems' Grid, a publicly available computing service, was hit by a denial-of-service attack on its inaugural day. To let people try out the Sun Grid, the company made a text-to-speech translation service publicly accessible, for example for turning blog entries into podcasts. "It became the focus of a denial of service attack," Aisling MacRunnels, Sun's senior director of utility computing, said in an interview in March 2006.

International Botnet Task Force

More than a million PCs under the control of spammers are threatening the US national security, its economy and its information infrastructure, according to the FBI. The discovery was made by Operation Bot Roast, which is an initiative aimed at revealing the scale of the Botnet problem and prosecuting those responsible. It is being carried out in conjunction with Carnegie Mellon University, Microsoft and the International Botnet Task Force since May 2006.

Vint Cerf

In September 2007, the "father of the Internet", Vint Cerf, warned attendees of the World Economic Forum in Davos, Switzerland, that the Internet is at serious risk from Botnets. Vast networks of compromised PCs, used by criminals for sending spam and spyware and for launching denial of service attacks, are reported to be growing at an alarming rate, and Cerf warned that they could undermine the future of the Internet, comparing the threat to a pandemic disease.


Researchers have created a proof-of-concept application for Facebook that turned the machines of people who added the app to their Facebook page into elements of a Botnet that in a demonstration launched denial-of-service attacks on a victim server. "Social Network websites have the ideal properties to become attack platforms," according to a paper entitled "Antisocial Networks: Turning a Social Network into a Botnet," that was authored by five researchers from the Institute of Computer Science in Greece and one from the Institute for Infocomm Research in Singapore. The demo application, called "Photo of the Day," displays a new photo from National Geographic every day. However, every time someone views the photo, the host computer is forced "to serve a request of 600 Kbytes," according to the paper. Such a Botnet could be used for other types of attacks, such as spreading Malware, scanning computers for open ports, and overriding authentication mechanisms that are based on cookies, the paper warned. The researchers suggested that Facebook and other social networks be careful in designing their platform and application programming interfaces (APIs) so that there are few interactions between the "social utilities they operate and the rest of the Internet." However, Facebook representatives did not return e-mails seeking comment after the research was released in September 2008.

Types of attacks and profit


A Herder can sell his Botnet's services to a spammer. This hides the identity of the spammer, who gets anonymous distribution of his messages through the Bots in the Botnet. Another advantage is speed: a spammer can send far larger amounts of messages via the Bots than he normally could. The table below shows the flow of steps by which a Botnet is used to profit from spam:

Step    Action
First   A Botnet Herder sends out viruses or worms, infecting ordinary users' computers with the Bot application
Second  The Bot on the infected PC logs into a particular C&C server (often an IRC server, but in some cases a web server)
Third   A spammer purchases access to the Botnet from the Bot Herder
Fourth  The spammer sends command instructions via the IRC server to the infected PCs
Fifth   When the commands are acknowledged, the infected zombie machines send out spam messages to mail servers


This method works like spamming. However, instead of selling a service to spammers, the Phisher sends masses of e-mail trying to obtain valuable credit card information by masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake web site whose look and feel are almost identical to the legitimate one.

Game and software keys

Game and software keys can cost hundreds or thousands of dollars. Botnets have been put to work getting those keys through "brute-force social engineering". Many lay users today still store their keys in files with names like "word-key.txt", "photoshop_key.doc", etc. Through files with such simple names, Bot Herders have managed to obtain keys for many software applications, which is a copyright crime against the software and a theft from whichever user bought the original key.

Id, password and information theft

As mentioned before, information is the most valuable resource of our century. Bots are also able to work as key loggers that record keystrokes, or even as screen loggers that view the infected PC's monitor. By stealing an ID and password from someone in the FBI, the military or a special service, anyone can obtain sensitive information that can be used, made public in the news, or maybe even sold for malicious military strategy purposes. Let us also not forget the theft of credit card numbers and passwords, which can be widely used to steal the user's money (this method is not Phishing).

Distributed denial of Service attack (DDoS)

The Botnet floods a web server with ICMP requests, causing the server to crash. This can be used as a method of extortion against various web sites. The herder demonstrates the power of his Botnet by taking down the web site's server, then contacts the web site administrator in question and extorts them for money; we can actually think of this as a kind of "kidnapping".


A Bot steals CPU cycles from the host computer to perform calculations. This can be used for positive ends if the Botnet is configured not to propagate automatically into systems that do not want it. Sun's Grid system is a distributed calculation system for the search for extra-terrestrial life that runs with the user's consent and understanding. There are other distributed applications, but usually they do not have inoffensive purposes like the Grid system.

How to Fight Botnets

The detection of Bots is a really difficult task. The great variety of malicious code in this kind of application makes its detection challenging. Some tools have been used against this threat, some open source and others commercial. Unfortunately, none of them has been generic enough to detect all varieties of the most common Bots. In the meantime we should use some techniques and tools to detect and/or prevent the infection.

Some signs of infection by Bots

  • High ratio of invisible to visible users
  • High ratio of users to channels
  • Server display name does not match the IP address
  • Suspicious nicks, topics and channel names
  • Suspicious DNS name used to find the server(s)
  • Suspicious A RR(s) (address records) associated with the DNS name
  • Connected hosts exhibiting suspicious behavior
  • TCP port 6667 open when an IRC client is not running
  • IRC port 113 usually suggests Bots. This port has mainly been used as a data port from the Bot to the Bot Herder.

Enrolling in the Botnet War

Monitoring the network traffic may, at first, look useless; however, it can be a key and effective action when executed efficiently. For example, by knowing the ports most used for the Bot Herder's communication with the Bots, we can change the flow of data through these ports, or verify whether they are open when they should be closed.


A way to make this monitoring more reliable is to integrate these functions with log analysis of the host(s). A really good open source sniffer is tcpdump. This application makes it possible to capture packets from a whole network, or even from only one individual host through a specific port by using a filtering option. This is really important, because many sniffers capture "noise packets" from other hosts, which makes analysis harder.
With this capability, from the moment we identify a host that could be used as a zombie computer in a Botnet, we use the following command to capture its traffic, for example the traffic on its port 6667 (a common port for communication with Bot Herders); replace <zombie-ip> with the address of the suspected host:

  • # tcpdump -X -s 1500 host <zombie-ip> and tcp port 6667


The combat against Botnets has been really intense in recent years. Today there are groups dedicated solely to searching the Internet for these "zombie" networks. Some networks run exclusively as a trap to catch these Botnets; they are called Darknets. The term Darknet refers to a range of IP addresses that should not be used by any host in the network, so any traffic to these IP addresses is considered illegitimate.
Darknets can be used by organizations that wish to verify whether their network has any irregularity. Although they are becoming more popular in the fight against Botnets, some Botnets are getting smarter and using tools to monitor traffic so as not to fall easily into these traps.
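As an added example (not from the original article or the book it draws on), the following Python script applies three of the checks discussed above to constructed flow records: connections to TCP port 6667 from a process that is not a known IRC client, hosts that send anything into a Darknet range, and an IRC server contacted by many distinct hosts. The record format, the process names and the 10.9.0.0/24 Darknet range are assumptions made for this example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not from the original page), one per line:
# "src_ip dst_ip proto dst_port process", as a host sensor or flow export might log them.
SAMPLE_FLOWS = """\
10.0.0.5 203.0.113.7 tcp 6667 svchost.exe
10.0.0.5 203.0.113.7 tcp 6667 svchost.exe
10.0.0.9 203.0.113.7 tcp 6667 mirc.exe
10.0.0.12 203.0.113.7 tcp 6667 update.exe
10.0.0.12 10.9.0.44 tcp 445 update.exe
10.0.0.12 10.9.0.45 tcp 445 update.exe
10.0.0.20 198.51.100.3 tcp 443 firefox.exe
malformed line that should be skipped
"""

IRC_PORT = 6667
# Processes legitimately expected to use the IRC port (an assumed list; adjust per site).
KNOWN_IRC_CLIENTS = {"mirc.exe", "hexchat.exe", "xchat.exe", "irssi"}
# Darknet: an internal range that no real host uses (constructed for this example).
DARKNET = ipaddress.ip_network("10.9.0.0/24")


def parse_flows(text):
    """Parse the five-field records and drop lines that are not well formed."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue
        try:
            src, dst = ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[1])
        except ValueError:
            continue
        flows.append({"src": src, "dst": dst, "proto": parts[2].lower(),
                      "dport": int(parts[3]), "proc": parts[4]})
    return flows


def find_irc_without_client(flows):
    """Hosts talking to TCP 6667 from a process that is not a known IRC client."""
    return {str(f["src"]) for f in flows
            if f["proto"] == "tcp" and f["dport"] == IRC_PORT
            and f["proc"].lower() not in KNOWN_IRC_CLIENTS}


def find_darknet_scanners(flows, darknet=DARKNET):
    """Hosts that sent anything into the darknet; no legitimate host should."""
    return {str(f["src"]) for f in flows if f["dst"] in darknet}


def find_shared_cc(flows, min_hosts=3):
    """Servers on the IRC port contacted by many distinct hosts: C&C candidates."""
    clients = defaultdict(set)
    for f in flows:
        if f["proto"] == "tcp" and f["dport"] == IRC_PORT:
            clients[str(f["dst"])].add(str(f["src"]))
    return {srv for srv, hosts in clients.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("IRC port, no IRC client:", sorted(find_irc_without_client(flows)))
    print("Darknet touchers:", sorted(find_darknet_scanners(flows)))
    print("Shared C&C candidates:", sorted(find_shared_cc(flows)))
```

The same functions can be fed records exported from a real flow collector or from host connection logs, as long as they are reduced to the five fields the parser expects.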

A common weak point from a Botnet

Once infection has been confirmed through packet analysis, it is possible to detect which type of C&C is being used for communication between the Bot client and the Bot Herder and even to deactivate the Botnet by shutting down the communication channel. One of the biggest weaknesses of a Botnet is that, because of its hierarchical C&C structure, once the higher-level Bots are compromised the effectiveness of the Botnet can be severely reduced. If the main Bot Herder server is taken down, the entire Botnet fails.

Norton Anti-Bot


Norton Anti-Bot is commercial software that scans your system to see whether it has become a zombie. Unfortunately, its design only takes action if the Bot software actually does something; otherwise Norton will simply leave it alone in its idle mode. Since it is commercial software, it comes with benefits such as support and update patches as new Bot definitions are found.


The fight is not over yet! We cannot let this terrible security threat take over our Internet bandwidth for illicit traffic. There are techniques that can be used for prevention, but they have not proved generic enough to recognize and exterminate the most common Bots and their derivatives.
Another "advantage" is that when a Bot Herder tries to infect a machine that has already been compromised by another Bot, it first closes that Bot's processes, deactivates them, and finally destroys the Bot; this has widely been called the Botnet War. Once this Bot-exterminating procedure can be brought out of the shadows, a tool could be implemented to exterminate these Botnets efficiently.
In conclusion, there are still many aspects to be researched, discussed and studied to find ways to exterminate Botnets. We should join forces against this threat that is out there compromising our Internet day by day, or better phrased, byte by byte...


  • Craig A. Schiller, Jim Binkley, David Harley, Gadi Evron, Tony Bradley, Carsten Willems, Michael Cross (2007). Botnets: The Killer App. Syngress. ISBN-10: 1-59749-135-7, ISBN-13: 978-1-59749-135-8


--SJakubowski 23:17, 13 April 2008 (EDT)
--Rosard 19:49, 12 April 2009 (EDT)
