WOTD: Botnet


Do you know how hackers gather large amounts of computing power to deploy DoS (Denial-of-Service) or DDoS (Distributed Denial-of-Service) attacks?  One word: botnet.

A botnet is a collection of compromised computers connected to the Internet — each compromised computer is known as a “bot”. When a computer is compromised by a malware attack, there is often code within the malware that commands it to become part of a botnet.

Computers are “recruited” (more accurately, tricked) into a botnet by running malicious software.  The most common scenario is a user being tricked into running a Trojan horse program, for example by opening a malicious email attachment.  The Trojan then installs additional modules, and from that point the computer can be commanded and controlled by the botnet’s owner.

Even if you are careful with email attachments, you could still be vulnerable to drive-by downloads that exploit web browser vulnerabilities.  And you don’t have to be surfing for porn to catch one of these viruses.  Even a simple search for your local happy hour hotspots could get you infected, if the legitimate site you visit has been compromised by hackers and is being used to distribute viruses.  That is not to mention bogus websites created solely for the purpose of distributing malware.

As with any malware, there is no general rule about the extent of damage a botnet Trojan might cause; the software controls the computer and can do anything.  The Trojan may delete itself after the computer is “recruited” into the botnet, or it may remain on the computer to update and maintain the modules.

Besides DoS/DDoS, a botnet can also be used for these attacks:

  • Distribution of adware, spyware or scareware.
  • Email spamming.
  • Click fraud.
  • Brute-force attacks on other networks or systems.
  • Access number replacements — the botnet operator replaces the access numbers of a group of dial-up bots with a victim’s phone number. Given enough bots taking part in this attack, the victim is consistently bombarded with phone calls attempting to connect to the Internet. Having very little to defend against this attack, most victims are forced into changing their phone numbers (land line, cell phone, etc.).
  • Fast flux.
  • Recruiting other computers into the botnet.
  • Exploiting systems by using multiple identities, such as seating several players at the same online poker table, or casting many votes in music-clip rankings and contests.

Preventive Measures – Avoid Becoming a Bot

Make sure you have a good antivirus program or two (or even three) to defend your computer from getting recruited into a botnet.  All major AV makers offer good protection, and installing more than one creates layers of protection (as long as the AV products do not conflict with each other).

Pay attention to what you’re downloading.  Do your research before downloading any software that you’re not familiar with.  Scareware scares you into downloading malicious software by claiming your computer is infected.  Instead of freaking out and clicking the obvious buttons, stay calm and quickly assess the screen to find the real “close” control (usually in the upper right corner of the screen).  Then immediately run a complete system scan to find and remove any malware.

Use common sense while surfing the web.  Avoid visiting suspicious-looking websites.  Install an Internet security suite that includes URL screening — a browser add-on that checks the safety of URLs and warns you if the website you’re about to visit is unsafe.

Preventive Measures – Avoid Attacks From Botnets

Given the general geographic dispersal of botnets, it is rather difficult to identify a pattern of offending machines, and the sheer volume of IP addresses does not lend itself to the filtering of individual cases.  Newer botnets have even been capable of detecting and reacting to attempts to figure out how they work. A large botnet that can detect that it is being studied can even DDoS those studying it off the internet.

Passive OS fingerprinting can help identify attacks originating from a botnet: network administrators can configure newer firewall equipment to act on a botnet attack using the information that passive OS fingerprinting yields about the attacking hosts.

Removing free DNS hosting services can cripple an entire botnet, because some botnets use such services to point a subdomain at an IRC server that harbors the bots. While these free DNS services do not themselves host attacks, they provide the reference points (often hard-coded into the botnet executable) through which the bots find their controller.
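That DNS dependency is also something a defender can watch for on the resolver side. As an added example (not part of the original post), the Python script below scans constructed resolver-log lines for two patterns: a hostname under a free or dynamic DNS parent zone that many internal hosts resolve (the shared rendezvous point described above), and a hostname whose A records rotate through many unrelated address blocks with a very short TTL (the fast-flux pattern from the list of botnet uses). The parent-zone list, hostnames, addresses and thresholds are all made up for the example.

```python
"""Botnet rendezvous-point heuristics over DNS resolver logs (added example).

Two signals from the post, applied to constructed log lines:
  1. A hostname under a free/dynamic DNS parent zone that many internal
     hosts resolve, as you would expect from a C2 name hard-coded into bots.
  2. Fast flux: a hostname whose A records rotate through many unrelated
     address blocks with a very short TTL.
Zone names, hostnames, addresses and thresholds are all constructed.
"""
from collections import defaultdict
from ipaddress import ip_address

# Constructed parent zones standing in for free/dynamic DNS providers.
FREE_DNS_ZONES = {"dyn-example.invalid"}

# Constructed resolver log, one answer per line: "epoch client qname ttl answer".
SAMPLE_LOG = """\
1000 10.0.0.11 www.example.com 3600 93.184.216.34
1002 10.0.0.12 www.example.com 3600 93.184.216.34
1004 10.0.0.13 cdn.example.net 30 192.0.2.10
1006 10.0.0.14 cdn.example.net 30 192.0.2.11
1008 10.0.0.15 cdn.example.net 30 192.0.2.12
1010 10.0.0.11 irc.bots.dyn-example.invalid 60 203.0.113.7
1012 10.0.0.12 irc.bots.dyn-example.invalid 60 203.0.113.7
1014 10.0.0.13 irc.bots.dyn-example.invalid 60 203.0.113.7
1016 10.0.0.14 irc.bots.dyn-example.invalid 60 203.0.113.7
1020 10.0.0.15 flux.example-shop.invalid 60 198.51.100.4
1025 10.0.0.15 flux.example-shop.invalid 60 203.0.113.90
1030 10.0.0.15 flux.example-shop.invalid 60 192.0.2.200
1035 10.0.0.15 flux.example-shop.invalid 60 198.51.100.77
1040 10.0.0.15 flux.example-shop.invalid 60 203.0.113.150
"""


def parse_log(text):
    """Turn log text into (epoch, client, qname, ttl, answer) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, client, qname, ttl, answer = line.split()
        records.append((int(ts), client, qname.lower().rstrip("."), int(ttl), answer))
    return records


def in_zone(qname, zone):
    """True if qname is the zone apex or any name beneath it."""
    return qname == zone or qname.endswith("." + zone)


def shared_rendezvous(records, free_zones=FREE_DNS_ZONES, min_clients=3):
    """Hostnames under a free DNS zone resolved by at least min_clients hosts."""
    clients = defaultdict(set)
    for _, client, qname, _, _ in records:
        if any(in_zone(qname, z) for z in free_zones):
            clients[qname].add(client)
    return {q: len(c) for q, c in clients.items() if len(c) >= min_clients}


def fast_flux_candidates(records, max_ttl=300, min_ips=5, min_blocks=3):
    """Hostnames with short TTLs whose answers span many distinct /16 blocks.

    A CDN also uses short TTLs and several addresses, but they usually sit
    in one or two blocks; requiring unrelated blocks keeps cdn.example.net
    in the sample from being flagged.
    """
    answers = defaultdict(set)
    min_ttl = {}
    for _, _, qname, ttl, answer in records:
        answers[qname].add(answer)
        min_ttl[qname] = min(ttl, min_ttl.get(qname, ttl))
    flagged = {}
    for qname, addrs in answers.items():
        blocks = {ip_address(a).packed[:2] for a in addrs}  # first two octets
        if min_ttl[qname] <= max_ttl and len(addrs) >= min_ips and len(blocks) >= min_blocks:
            flagged[qname] = sorted(addrs)
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("shared rendezvous points:", shared_rendezvous(recs))
    print("fast-flux candidates:", fast_flux_candidates(recs))
```

Both heuristics are deliberately coarse: the rendezvous check only fires for names under zones you have chosen to treat as suspect, and the fast-flux check requires the answers to spread across unrelated address blocks so that an ordinary CDN with a short TTL is not flagged. Either hit is a lead for investigation, not proof of compromise.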

A network-based intrusion detection system (NIDS) is an effective approach to detecting activity that looks like a botnet attack. A NIDS monitors a network segment rather than a single system: it sees the protected hosts in terms of their external interfaces to the rest of the network, and it gets most of its results from network packet analysis.
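As an added example (not from the original post), the following Python script shows the kind of packet-level analysis a NIDS performs, combining two ideas from the preceding paragraphs: it scans constructed TCP SYN observations for a single destination being hit by many distinct sources within a short window (the many-address pattern that defeats per-address filtering), and it applies a simplified passive OS fingerprint (initial-TTL guess plus TCP window size) to the sources involved, so a defender can see whether the attacking population shares one profile. The three-entry signature table is a toy, not p0f's database, and every address, timestamp and header value is constructed.

```python
"""NIDS-style detection of a many-source flood plus passive OS fingerprinting
(added example, not from the original post).

Input is a constructed list of TCP SYN observations as a packet sniffer
might summarise them: (epoch seconds, src, dst, dst port, IP TTL, TCP window).
The fingerprint table is a three-entry toy, not a real signature database.
"""
from collections import Counter, defaultdict

# Toy passive-fingerprint table keyed by (guessed initial TTL, TCP window).
# Real tools (p0f and friends) use many more header fields; these pairings
# are illustrative only.
SIGNATURES = {
    (128, 8192): "windows-like",
    (64, 29200): "linux-like",
    (64, 65535): "bsd/macos-like",
}

# Constructed SYN observations: seven sources hammer 192.0.2.10:80 within
# 1.4 seconds; two ordinary connections go to 192.0.2.20:443.
SYN_SAMPLE = [
    (2000.0, "198.51.100.10", "192.0.2.10", 80, 116, 8192),
    (2000.2, "198.51.100.23", "192.0.2.10", 80, 113, 8192),
    (2000.4, "203.0.113.8", "192.0.2.10", 80, 119, 8192),
    (2000.6, "203.0.113.77", "192.0.2.10", 80, 54, 29200),
    (2000.8, "198.51.100.91", "192.0.2.10", 80, 117, 8192),
    (2001.0, "203.0.113.140", "192.0.2.10", 80, 110, 8192),
    (2001.4, "198.51.100.5", "192.0.2.10", 80, 57, 29200),
    (2000.5, "10.0.0.20", "192.0.2.20", 443, 63, 29200),
    (2003.0, "10.0.0.21", "192.0.2.20", 443, 127, 8192),
]


def guess_initial_ttl(observed_ttl):
    """Round an observed TTL up to the nearest common OS default."""
    for initial in (32, 64, 128, 255):
        if observed_ttl <= initial:
            return initial
    return 255


def fingerprint(ttl, window):
    """Look the (initial TTL, window) pair up in the toy signature table."""
    return SIGNATURES.get((guess_initial_ttl(ttl), window), "unknown")


def flood_targets(observations, window_s=2.0, min_sources=5):
    """Destinations that receive SYNs from >= min_sources distinct sources
    within any window_s-second span. Returns {(dst, port): set(sources)}."""
    by_dst = defaultdict(list)
    for ts, src, dst, dport, _, _ in observations:
        by_dst[(dst, dport)].append((ts, src))
    flagged = {}
    for key, events in by_dst.items():
        events.sort()
        start = 0
        best = set()
        for end, (ts, _) in enumerate(events):
            # Slide the window start forward until it covers only the last window_s seconds.
            while events[start][0] < ts - window_s:
                start += 1
            sources = {s for _, s in events[start:end + 1]}
            if len(sources) > len(best):
                best = sources
        if len(best) >= min_sources:
            flagged[key] = best
    return flagged


def attacker_profile(observations, flagged):
    """Fingerprint distribution of the sources behind each flagged target,
    the sort of attribute a firewall with passive fingerprinting could act on."""
    profile = {}
    for key, sources in flagged.items():
        counts = Counter()
        seen = set()
        for _, src, dst, dport, ttl, window in observations:
            if (dst, dport) == key and src in sources and src not in seen:
                seen.add(src)
                counts[fingerprint(ttl, window)] += 1
        profile[key] = counts
    return profile


if __name__ == "__main__":
    hits = flood_targets(SYN_SAMPLE)
    for target, sources in hits.items():
        print(f"{target[0]}:{target[1]} hit by {len(sources)} distinct sources")
    print(attacker_profile(SYN_SAMPLE, hits))
```

In the sample, five of the seven attacking sources share one fingerprint and two share another, which is the kind of population-level attribute the post says newer firewalls can act on: rather than trying to list every attacking address, a rule can be scoped to traffic matching the dominant profile while the flood is under way. With real traffic the window, threshold and signature table would all need tuning against a baseline of the site's normal connection rates.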

Further Reading

For more information on botnets, check out this wiki page (it’s where this post took its sources from).

Is Your PC Part of a Botnet? (a ReadWriteWeb article)

What is a Botnet? (Microsoft resources)

Bots and Botnets — A Growing Threat (Norton resources)

Source: Wikipedia