Bots & Botnets
From Computing and Software Wiki
Every era of our world has had its own form of wealth; in past centuries it was gold, commerce, industry and others. In the 21st century, the main form of wealth has been information and its spread. This information has become the key structure of our world's society, economy, health, development and more, and this vast sea of information is spread through the Internet, which in recent years has evolved into a magnificent tool of knowledge and power. Unfortunately, malicious people have been using this same tool to spread threats such as viruses, worms, Trojan horses and others, again in order to obtain confidential and powerful information such as bank account user names and passwords, confidential or military information, or even CPU power to further the spread of these threats. One powerful vehicle for this spread has been Bots that form Botnets, which are the main focus of this article. This security threat has been one of the newest and most powerful threats to computer security within the last 5 years.
Bot? What is it? How does it work?
A Bot is a type of malicious software that, after successfully invading a machine through its running processes (most likely a machine running Windows, the most used OS in the world, which does not have the file and user protections on execution that computers running Linux or Mac OS have), behaves like a "worm" process capable of spreading through the infected machine and able to connect to a communication channel (an IRC server, a web server or a P2P server), giving the attacker (the Bot Herder) full control of the machine over a remote connection.
At this point, these infected machines are nothing more than tools that the Bot Herders use as they please. Some of these malicious people use the Bot-commanded machines to obtain information from users, or go further and join these Bot clients into a much greater threat and risk: a Botnet.
Botnet? What is it? How does it work?
A Botnet consists of a Bot server connected to one or more Bot clients. This set of Bots, which is used to invade the clients, is also protected by its Bot Herders, and this turns the invasion technique into a more powerful and sophisticated means of mass invasion of a network.
This invasion technique has evolved not only into an illegal way of making profit, but also into a way of violating people's privacy. In the next sections, this article will focus on what measures are being taken to control this plague, which is present in some SPNs (Simple Private Networks) throughout the Internet. We have to contain this threat, which has been widely used as an effective malicious way of breaking the integrity, availability and confidentiality of data on a network.
- Bot
- Bot Herder
- Zombie
- Scrumping
Bot
Bot is short for robot. In the context of this wiki page a bot is a malicious program that installs itself unbeknownst to the owner of the PC, sets up an IRC or HTTP server and is ready to perform illegal activities.
Herder
A person who controls all the bots in the botnet.
Zombie
An infected computer.
Scrumping
A bot stealing CPU cycles from the host computer. This can be put to positive use if the botnet is configured not to propagate automatically into systems that do not want it, but this is not commonly the case. This could be done on a school's network.
How it works
A Botnet basically uses a command and control scheme, the same as a military. Each bot is part of a chain of command: it passes orders down the line that it receives from above. This is beneficial in that the botnet can grow exponentially. This is the opposite of the cell scheme that some malware uses, in which the malware splits apart and never communicates again once it has become big enough.
A bot installs itself onto a PC. It has various vectors to enter that PC, which the Herder can set. It does this autonomously. It receives orders from a server that tell it what to do. An individual bot by itself is not that powerful; however, an exponential number of bots performing the same action has a much more profound effect.
Once installed, the bot camouflages itself from the system's view. It installs a hidden IRC client. It tries to mask itself by maintaining a low profile, using as few system resources as possible until it receives orders.
Due to the inherent weakness of a command and control scheme, once the higher-level bots are compromised the effectiveness of the botnet can be severely reduced. If the main server is taken down, the entire botnet fails.
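The takedown argument above, as an added illustration that is not part of the original wiki page: the chain of command is modelled as a tree rooted at a single control server (constructed topology, hypothetical node names), and the function counts how many bots still have an intact path to the top after a given node is removed.

```python
# Added example (not from the wiki page): models the hierarchical command-and-control
# structure described above as a tree and measures how many bots still receive orders
# after a node is taken down. Constructed data only; no network code.

def build_hierarchy(depth, fanout):
    """Return {node: parent} for a tree rooted at 'c2' with the given depth and fanout.
    Nodes are named 'bot-<level>-<index>' (hypothetical names for illustration)."""
    parent = {"c2": None}
    level = ["c2"]
    for d in range(1, depth + 1):
        nxt = []
        for p in level:
            for _ in range(fanout):
                name = f"bot-{d}-{len(nxt)}"
                parent[name] = p
                nxt.append(name)
        level = nxt
    return parent

def reachable_after_takedown(parent, removed):
    """Count bots (every node except the root) whose chain of command up to the
    root is still intact after all nodes in 'removed' are taken down."""
    removed = set(removed)
    intact_count = 0
    for node in parent:
        if node == "c2":
            continue
        cur = node
        intact = True
        while cur is not None:            # walk up towards the root
            if cur in removed:
                intact = False            # an ancestor (or the bot itself) is gone
                break
            cur = parent[cur]
        if intact:
            intact_count += 1
    return intact_count

def takedown_impact(depth, fanout, removed):
    """Return (total bots, bots still receiving orders) for the given takedown."""
    parent = build_hierarchy(depth, fanout)
    total = len(parent) - 1               # exclude the root server itself
    return total, reachable_after_takedown(parent, removed)

if __name__ == "__main__":
    # Removing the root server silences every bot; removing one first-level bot
    # silences only its own subtree; removing a leaf silences a single bot.
    for removed in ([], ["c2"], ["bot-1-0"], ["bot-3-0"]):
        print(removed, takedown_impact(3, 3, removed))
```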
Attacks
- DDoS
- Spamming
- Phishing
DDoS
A Distributed Denial of Service attack. The bots flood a web server with ICMP requests, causing the server to crash. This can be used as a method of extorting various websites: the herder demonstrates the power of his botnet by taking down the website, then he/she contacts the site in question and extorts them for money.
Spamming
A Herder can sell his botnet as a service to a spammer. This is beneficial to the spammer as he gets anonymous distribution of his messages.
Due to the size of some botnets, a spammer will also be able to send many more messages via the bots than he normally could. This is another example of the exponential power of a botnet.
Phishing
Works the same way as the spamming method. However, instead of trying to sell a service such as "P3N15 3NLARGEMENT PILLS", the phisher is trying to con you out of your PayPal or bank account.
Life Cycle
- Initial setup of configuration settings of the bot
- Register a Dynamic DNS
- Infect a PC with a bot
- Bot propagates according to the configuration settings
- Scans for vulnerabilities
- Idle
- Performs actions as ordered by the bots above it in the chain of command
- Bot dies:
  - Bot may be taken over by another botnet
  - The PC's owner realizes the PC is a zombie and kills the bot
  - The chain of command may be compromised above the bot's level
Bot Management
Bots commonly have hidden removal commands that completely clean the host computer. On the larger IRC networks such as EFnet, channel activity is logged in order to learn these commands; automated systems are then set up to prevent the owner of the botnet from accessing the channel and, at the same time, to issue the removal command when a bot comes online to its control channel.
How to Fight Botnets
Norton Anti-Bot
Norton Anti-Bot is commercial software that scans your system to see if it has become a zombie. It is behavior-based rather than the usual signature-based approach, which means that unless the bot software actually does something, Norton will leave it alone. It has all the benefits of commercial software, meaning it will be updated constantly as new bot definitions are found.
General Tips
Use common malware prevention techniques. On Windows XP this includes monitoring the process manager and the registry for unknown applications.
A more advanced user can also monitor network traffic and see which ports are in use. A good indication of infection is an open TCP connection on port 6667 when no IRC client is running.
See Also
"Alternative Technologies for Ethernet"
"Phishing"
External Links
"Norton AntiBot"
"Dutch Botnet Suspects Ran 1.5 Million Machines"
--SJakubowski 23:17, 13 April 2008 (EDT)