Command-and-control Server
   HOME

TheInfoList



OR:

A botnet is a group of
Internet The Internet (or internet) is the global system of interconnected computer networks that uses the Internet protocol suite (TCP/IP) to communicate between networks and devices. It is a '' network of networks'' that consists of private, pub ...
-connected devices, each of which runs one or more
bots The British Overseas Territories (BOTs), also known as the United Kingdom Overseas Territories (UKOTs), are fourteen territories with a constitutional and historical link with the United Kingdom. They are the last remnants of the former Bri ...
. Botnets can be used to perform Distributed Denial-of-Service (DDoS) attacks, steal data, send
spam Spam may refer to: * Spam (food), a canned pork meat product * Spamming, unsolicited or undesired electronic messages ** Email spam, unsolicited, undesired, or illegal email messages ** Messaging spam, spam targeting users of instant messaging ( ...
, and allow the attacker to access the device and its connection. The owner can control the botnet using command and control (C&C) software. The word "botnet" is a
portmanteau A portmanteau word, or portmanteau (, ) is a blend of wordsrobot A robot is a machine—especially one programmable by a computer—capable of carrying out a complex series of actions automatically. A robot can be guided by an external control device, or the control may be embedded within. Robots may be c ...
" and "
network Network, networking and networked may refer to: Science and technology * Network theory, the study of graphs as a representation of relations between discrete objects * Network science, an academic field that studies complex networks Mathematics ...
". The term is usually used with a negative or malicious connotation.


Overview

A botnet is a logical collection of
Internet The Internet (or internet) is the global system of interconnected computer networks that uses the Internet protocol suite (TCP/IP) to communicate between networks and devices. It is a '' network of networks'' that consists of private, pub ...
-connected devices, such as computers,
smartphone A smartphone is a portable computer device that combines mobile telephone and computing functions into one unit. They are distinguished from feature phones by their stronger hardware capabilities and extensive mobile operating systems, whic ...
s or
Internet of things The Internet of things (IoT) describes physical objects (or groups of such objects) with sensors, processing ability, software and other technologies that connect and exchange data with other devices and systems over the Internet or other comm ...
(IoT) devices whose
security Security is protection from, or resilience against, potential harm (or other unwanted coercive change) caused by others, by restraining the freedom of others to act. Beneficiaries (technically referents) of security may be of persons and social ...
have been breached and control ceded to a third party. Each compromised device, known as a "bot," is created when a device is penetrated by software from a ''
malware Malware (a portmanteau for ''malicious software'') is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, depri ...
'' (malicious software) distribution. The controller of a botnet is able to direct the activities of these compromised computers through communication channels formed by standards-based
network protocol A communication protocol is a system of rules that allows two or more entities of a communications system to transmit information via any kind of variation of a physical quantity. The protocol defines the rules, syntax, semantics and synchroniza ...
s, such as
IRC Internet Relay Chat (IRC) is a text-based chat system for instant messaging. IRC is designed for group communication in discussion forums, called ''channels'', but also allows one-on-one communication via private messages as well as chat and ...
and
Hypertext Transfer Protocol The Hypertext Transfer Protocol (HTTP) is an application layer protocol in the Internet protocol suite model for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web, ...
(HTTP). Botnets are increasingly rented out by
cyber criminals A cybercrime is a crime that involves a computer or a computer network.Moore, R. (2005) "Cyber crime: Investigating High-Technology Computer Crime," Cleveland, Mississippi: Anderson Publishing. The computer may have been used in committing the ...
as commodities for a variety of purposes.


Architecture

Botnet architecture has evolved over time in an effort to evade detection and disruption. Traditionally, bot programs are constructed as clients which communicate via existing servers. This allows the bot herder (the controller of the botnet) to perform all control from a remote location, which obfuscates the traffic. Many recent botnets now rely on existing
peer-to-peer networks Peer-to-peer (P2P) computing or networking is a distributed application architecture that partitions tasks or workloads between peers. Peers are equally privileged, equipotent participants in the network. They are said to form a peer-to-peer n ...
to communicate. These P2P bot programs perform the same actions as the client–server model, but they do not require a central server to communicate.


Client–server model

The first botnets on the Internet used a client–server model to accomplish their tasks. Typically, these botnets operate through
Internet Relay Chat Internet Relay Chat (IRC) is a text-based chat system for instant messaging. IRC is designed for group communication in discussion forums, called ''channels'', but also allows one-on-one communication via private messages as well as chat and ...
networks, domains, or
website A website (also written as a web site) is a collection of web pages and related content that is identified by a common domain name and published on at least one web server. Examples of notable websites are Google Search, Google, Facebook, Amaz ...
s. Infected clients access a predetermined location and await incoming commands from the server. The bot herder sends commands to the server, which relays them to the clients. Clients execute the commands and report their results back to the bot herder. In the case of IRC botnets, infected clients connect to an infected IRC server and join a channel pre-designated for C&C by the bot herder. The bot herder sends commands to the channel via the IRC server. Each client retrieves the commands and executes them. Clients send messages back to the IRC channel with the results of their actions.


Peer-to-peer

In response to efforts to detect and decapitate IRC botnets, bot herders have begun deploying malware on
peer-to-peer Peer-to-peer (P2P) computing or networking is a distributed application architecture that partitions tasks or workloads between peers. Peers are equally privileged, equipotent participants in the network. They are said to form a peer-to-peer n ...
networks. These bots may use
digital signature A digital signature is a mathematical scheme for verifying the authenticity of digital messages or documents. A valid digital signature, where the prerequisites are satisfied, gives a recipient very high confidence that the message was created b ...
s so that only someone with access to the private key can control the botnet, such as in
Gameover ZeuS GameOverZeus is a peer-to-peer botnet based on components from the earlier ZeuS trojan. The malware was created by Russian hacker Evgeniy Mikhailovich Bogachev. It is believed to have been spread through use of the Cutwail botnet. Unlike its pr ...
and the
ZeroAccess botnet ZeroAccess is a Trojan horse computer malware that affects Microsoft Windows operating systems. It is used to download other malware on an infected machine from a botnet while remaining hidden using rootkit techniques. History and propagation Th ...
. Newer botnets fully operate over P2P networks. Rather than communicate with a centralized server, P2P bots perform as both a command distribution server and a client which receives commands. This avoids having any single point of failure, which is an issue for centralized botnets. In order to find other infected machines, P2P bots discreetly probe random
IP address An Internet Protocol address (IP address) is a numerical label such as that is connected to a computer network that uses the Internet Protocol for communication.. Updated by . An IP address serves two main functions: network interface ident ...
es until they identify another infected machine. The contacted bot replies with information such as its software version and list of known bots. If one of the bots' version is lower than the other, they will initiate a file transfer to update. This way, each bot grows its list of infected machines and updates itself by periodically communicating to all known bots.


Core components

A botnet's originator (known as a "
bot herder Bot herders are hackers who use automated techniques to scan specific network ranges and find vulnerable systems, such as machines without current security patches, on which to install their bot program. The infected machine then has become one of ...
" or "bot master") controls the botnet remotely. This is known as the command-and-control (C&C). The program for the operation must communicate via a
covert channel In computer security, a covert channel is a type of attack that creates a capability to transfer information objects between processes that are not supposed to be allowed to communicate by the computer security policy. The term, originated in 197 ...
to the client on the victim's machine (zombie computer).


Control protocols

IRC is a historically favored means of C&C because of its
communication protocol A communication protocol is a system of rules that allows two or more entities of a communications system to transmit information via any kind of variation of a physical quantity. The protocol defines the rules, syntax, semantics (computer scien ...
. A bot herder creates an IRC channel for infected clients to join. Messages sent to the channel are broadcast to all channel members. The bot herder may set the channel's topic to command the botnet. For example, the message :herder!herder@example.com TOPIC #channel DDoS www.victim.com from the bot herder alerts all infected clients belonging to #channel to begin a DDoS attack on the website www.victim.com. An example response :bot1!bot1@compromised.net PRIVMSG #channel I am DDoSing www.victim.com by a bot client alerts the bot herder that it has begun the attack. Some botnets implement custom versions of well-known protocols. The implementation differences can be used for detection of botnets. For example,
Mega-D The Mega-D, also known by its alias of Ozdok, is a botnet that at its peak was responsible for sending 32% of spam worldwide. On October 14, 2008, the U.S Federal Trade Commission, in cooperation with Marshal Software, tracked down the owners of ...
features a slightly modified
Simple Mail Transfer Protocol The Simple Mail Transfer Protocol (SMTP) is an Internet standard communication protocol for electronic mail transmission. Mail servers and other message transfer agents use SMTP to send and receive mail messages. User-level email clients typica ...
(SMTP) implementation for testing spam capability. Bringing down the
Mega-D The Mega-D, also known by its alias of Ozdok, is a botnet that at its peak was responsible for sending 32% of spam worldwide. On October 14, 2008, the U.S Federal Trade Commission, in cooperation with Marshal Software, tracked down the owners of ...
's SMTP server disables the entire pool of bots that rely upon the same SMTP server.


Zombie computer

In
computer science Computer science is the study of computation, automation, and information. Computer science spans theoretical disciplines (such as algorithms, theory of computation, information theory, and automation) to Applied science, practical discipli ...
, a
zombie computer In computing, a zombie is a computer connected to the Internet that has been compromised by a hacker via a computer virus, computer worm, or trojan horse program and can be used to perform malicious tasks under the remote direction of the hac ...
is a computer connected to the Internet that has been compromised by a
hacker A hacker is a person skilled in information technology who uses their technical knowledge to achieve a goal or overcome an obstacle, within a computerized system by non-standard means. Though the term ''hacker'' has become associated in popu ...
,
computer virus A computer virus is a type of computer program that, when executed, replicates itself by modifying other computer programs and inserting its own code. If this replication succeeds, the affected areas are then said to be "infected" with a compu ...
or
trojan horse The Trojan Horse was a wooden horse said to have been used by the Greeks during the Trojan War to enter the city of Troy and win the war. The Trojan Horse is not mentioned in Homer's ''Iliad'', with the poem ending before the war is concluded, ...
and can be used to perform malicious tasks under remote direction. Botnets of zombie computers are often used to spread
e-mail spam Email spam, also referred to as junk email, spam mail, or simply spam, is unsolicited messages sent in bulk by email (spamming). The name comes from a Monty Python sketch in which the name of the canned pork product Spam is ubiquitous, unavoida ...
and launch
denial-of-service attack In computing, a denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connect ...
s (DDoS). Most owners of zombie computers are unaware that their system is being used in this way. Because the owner tends to be unaware, these computers are metaphorically compared to
zombie A zombie (Haitian French: , ht, zonbi) is a mythological undead corporeal revenant created through the reanimation of a corpse. Zombies are most commonly found in horror and fantasy genre works. The term comes from Haitian folklore, in whic ...
s. A coordinated DDoS attack by multiple botnet machines also resembles a zombie horde attack. The process of stealing computing resources as a result of a system being joined to a "botnet" is sometimes referred to as "scrumping".


Command and control

Botnet command and control (C&C) protocols have been implemented in a number of ways, from traditional IRC approaches to more sophisticated versions.


Telnet

Telnet Telnet is an application protocol used on the Internet or local area network to provide a bidirectional interactive text-oriented communication facility using a virtual terminal connection. User data is interspersed in-band with Telnet control i ...
botnets use a simple C&C botnet protocol in which bots connect to the main command server to host the botnet. Bots are added to the botnet by using a scanning
script Script may refer to: Writing systems * Script, a distinctive writing system, based on a repertoire of specific elements or symbols, or that repertoire * Script (styles of handwriting) ** Script typeface, a typeface with characteristics of handw ...
, which runs on an external server and scans IP ranges for telnet and
SSH The Secure Shell Protocol (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. Its most notable applications are remote login and command-line execution. SSH applications are based on a ...
server default logins. Once a login is found, the scanning server can infect it through SSH with malware, which pings the control server.


IRC

IRC networks use simple, low bandwidth communication methods, making them widely used to host botnets. They tend to be relatively simple in construction and have been used with moderate success for coordinating DDoS attacks and spam campaigns while being able to continually switch channels to avoid being taken down. However, in some cases, merely blocking of certain keywords has proven effective in stopping IRC-based botnets. The RFC 1459 (
IRC Internet Relay Chat (IRC) is a text-based chat system for instant messaging. IRC is designed for group communication in discussion forums, called ''channels'', but also allows one-on-one communication via private messages as well as chat and ...
) standard is popular with botnets. The first known popular botnet controller script, "MaXiTE Bot" was using IRC XDCC protocol for private control commands. One problem with using IRC is that each bot client must know the IRC server, port, and channel to be of any use to the botnet. Anti-malware organizations can detect and shut down these servers and channels, effectively halting the botnet attack. If this happens, clients are still infected, but they typically lie dormant since they have no way of receiving instructions. To mitigate this problem, a botnet can consist of several servers or channels. If one of the servers or channels becomes disabled, the botnet simply switches to another. It is still possible to detect and disrupt additional botnet servers or channels by sniffing IRC traffic. A botnet adversary can even potentially gain knowledge of the control scheme and imitate the bot herder by issuing commands correctly.


P2P

Since most botnets using IRC networks and domains can be taken down with time, hackers have moved to P2P botnets with C&C to make the botnet more resilient and resistant to termination. Some have also used
encryption In cryptography, encryption is the process of encoding information. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Ideally, only authorized parties can decip ...
as a way to secure or lock down the botnet from others, most of the time when they use encryption it is
public-key cryptography Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic alg ...
and has presented challenges in both implementing it and breaking it.


Domains

Many large botnets tend to use domains rather than IRC in their construction (see
Rustock botnet The Rustock botnet was a botnet that operated from around 2006 until March 2011. It consisted of computers running Microsoft Windows, and was capable of sending up to 25,000 spam messages per hour from an infected PC. At the height of its activiti ...
and
Srizbi botnet Srizbi BotNet is considered one of the world's largest botnets, and responsible for sending out more than half of all the spam being sent by all the major botnets combined. The botnets consist of computers infected by the Srizbi trojan, which sen ...
). They are usually hosted with
bulletproof hosting Bulletproof hosting (BPH) is technical infrastructure service provided by an Internet hosting service that is resilient to complaints of illicit activities, which serves criminal actors as a basic building block for streamlining various cybera ...
services. This is one of the earliest types of C&C. A zombie computer accesses a specially-designed webpage or domain(s) which serves the list of controlling commands. The advantages of using web pages or domains as C&C is that a large botnet can be effectively controlled and maintained with very simple code that can be readily updated. Disadvantages of using this method are that it uses a considerable amount of bandwidth at large scale, and domains can be quickly seized by government agencies with little effort. If the domains controlling the botnets are not seized, they are also easy targets to compromise with
denial-of-service attack In computing, a denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connect ...
s.
Fast-flux DNS Fast flux is a domain name system (DNS) based evasion technique used by cyber criminals to hide phishing and malware delivery websites behind an ever-changing network of compromised hosts acting as reverse proxies to the backend botnet mas ...
can be used to make it difficult to track down the control servers, which may change from day to day. Control servers may also hop from DNS domain to DNS domain, with
domain generation algorithm Domain generation algorithms (DGA) are algorithms seen in various families of malware that are used to periodically generate a large number of domain names that can be used as rendezvous points with their command and control servers. The large numb ...
s being used to create new DNS names for controller servers. Some botnets use free
DNS The Domain Name System (DNS) is a hierarchical and distributed naming system for computers, services, and other resources in the Internet or other Internet Protocol (IP) networks. It associates various information with domain names assigned to ...
hosting services such as DynDns.org, No-IP.com, and Afraid.org to point a
subdomain In the Domain Name System (DNS) hierarchy, a subdomain is a domain that is a part of another (main) domain. For example, if a domain offered an online store as part of their website example.com, it might use the subdomain shop.example.com . Ov ...
towards an IRC server that harbors the bots. While these free DNS services do not themselves host attacks, they provide reference points (often hard-coded into the botnet executable). Removing such services can cripple an entire botnet.


Others

Calling back to large social media sites such as
GitHub GitHub, Inc. () is an Internet hosting service for software development and version control using Git. It provides the distributed version control of Git plus access control, bug tracking, software feature requests, task management, continuous ...
,
Twitter Twitter is an online social media and social networking service owned and operated by American company Twitter, Inc., on which users post and interact with 280-character-long messages known as "tweets". Registered users can post, like, and ...
,
Reddit Reddit (; stylized in all lowercase as reddit) is an American social news aggregation, content rating, and discussion website. Registered users (commonly referred to as "Redditors") submit content to the site such as links, text posts, images ...
,
Instagram Instagram is a photo and video sharing social networking service owned by American company Meta Platforms. The app allows users to upload media that can be edited with filters and organized by hashtags and geographical tagging. Posts can ...
, the
XMPP Extensible Messaging and Presence Protocol (XMPP, originally named Jabber) is an open communication protocol designed for instant messaging (IM), presence information, and contact list maintenance. Based on XML (Extensible Markup Language), it ...
open source instant message protocol and
Tor Tor, TOR or ToR may refer to: Places * Tor, Pallars, a village in Spain * Tor, former name of Sloviansk, Ukraine, a city * Mount Tor, Tasmania, Australia, an extinct volcano * Tor Bay, Devon, England * Tor River, Western New Guinea, Indonesia Sc ...
hidden services are popular ways of avoiding
egress filtering In computer networking, egress filtering is the practice of monitoring and potentially restricting the flow of information outbound from one network to another. Typically, it is information from a private TCP/IP computer network to the Internet tha ...
to communicate with a C&C server.


Construction


Traditional

This example illustrates how a botnet is created and used for malicious gain. # A hacker purchases or builds a Trojan and/or exploit kit and uses it to start infecting users' computers, whose payload is a malicious application—the ''bot''. # The ''bot'' instructs the infected PC to connect to a particular command-and-control (C&C) server. (This allows the botmaster to keep logs of how many bots are active and online.) # The botmaster may then use the bots to gather keystrokes or use form grabbing to steal online credentials and may rent out the botnet as DDoS and/or spam as a service or sell the credentials online for a profit. # Depending on the quality and capability of the bots, the value is increased or decreased. Newer bots can automatically scan their environment and propagate themselves using vulnerabilities and weak passwords. Generally, the more vulnerabilities a bot can scan and propagate through, the more valuable it becomes to a botnet controller community. Computers can be co-opted into a botnet when they execute malicious software. This can be accomplished by luring users into making a
drive-by download Drive-by download is of two types, each concerning the unintended download of computer software from the Internet: # Authorized drive-by downloads are downloads which a person has authorized but without understanding the consequences (e.g. down ...
, exploiting web browser vulnerabilities, or by tricking the user into running a
Trojan horse The Trojan Horse was a wooden horse said to have been used by the Greeks during the Trojan War to enter the city of Troy and win the war. The Trojan Horse is not mentioned in Homer's ''Iliad'', with the poem ending before the war is concluded, ...
program, which may come from an email attachment. This malware will typically install modules that allow the computer to be commanded and controlled by the botnet's operator. After the software is downloaded, it will call home (send a reconnection
packet Packet may refer to: * A small container or pouch ** Packet (container), a small single use container ** Cigarette packet ** Sugar packet * Network packet, a formatted unit of data carried by a packet-mode computer network * Packet radio, a form ...
) to the host computer. When the re-connection is made, depending on how it is written, a Trojan may then delete itself or may remain present to update and maintain the modules.


Others

In some cases, a botnet may be temporarily created by volunteer
hacktivist In Internet activism, hacktivism, or hactivism (a portmanteau of '' hack'' and '' activism''), is the use of computer-based techniques such as hacking as a form of civil disobedience to promote a political agenda or social change. With roots in h ...
s, such as with implementations of the
Low Orbit Ion Cannon Low Orbit Ion Cannon (LOIC) is an open-source network stress testing and denial-of-service attack application written in C#. LOIC was initially developed by Praetox Technologies, however it was later released into the public domain and is cur ...
as used by
4chan 4chan is an anonymous English-language imageboard website. Launched by Christopher "moot" Poole in October 2003, the site hosts boards dedicated to a wide variety of topics, from anime and manga to video games, cooking, weapons, television, ...
members during
Project Chanology Project Chanology (also called Operation Chanology) was a protest movement against the practices of the Church of Scientology by members of Anonymous, a leaderless Internet-based group. "Chanology" is a combination of "4chan" and "Scientology" ...
in 2010. China's
Great Cannon of China The Great Cannon of China is an Internet attack tool that is used by the Chinese government to launch distributed denial-of-service attacks on websites by performing a man-in-the-middle attack on large amounts of web traffic and injecting code ...
allows the modification of legitimate web browsing traffic at
internet backbone The Internet backbone may be defined by the principal data routes between large, strategically interconnected computer networks and core routers of the Internet. These data routes are hosted by commercial, government, academic and other high-ca ...
s into China to create a large ephemeral botnet to attack large targets such as
GitHub GitHub, Inc. () is an Internet hosting service for software development and version control using Git. It provides the distributed version control of Git plus access control, bug tracking, software feature requests, task management, continuous ...
in 2015.


Common uses

* Distributed denial-of-service attacks are one of the most common uses for botnets, in which multiple systems submit as many requests as possible to a single Internet computer or service, overloading it and preventing it from servicing legitimate requests. An example is an attack on a victim's server. The victim's server is bombarded with requests by the bots, attempting to connect to the server, therefore, overloading it.
Google Google LLC () is an American multinational technology company focusing on search engine technology, online advertising, cloud computing, computer software, quantum computing, e-commerce, artificial intelligence, and consumer electronics. ...
fraud czar
Shuman Ghosemajumder Shuman Ghosemajumder (born 1974) is a Canadian technologist, entrepreneur, and author. He is the former click fraud czar at Google, the author of works on technology and business including the Open Music Model, and co-founder of TeachAids. He was ...
has said that these types of attacks causing outages on major websites will continue to occur regularly due the use of botnets as a service. *
Spyware Spyware (a portmanteau for spying software) is software with malicious behaviour that aims to gather information about a person or organization and send it to another entity in a way that harms the user—for example, by violating their privac ...
is software which sends information to its creators about a user's activities – typically passwords, credit card numbers and other information that can be sold on the black market. Compromised machines that are located within a corporate network can be worth more to the bot herder, as they can often gain access to confidential corporate information. Several targeted attacks on large corporations aimed to steal sensitive information, such as the Aurora botnet. *
E-mail spam Email spam, also referred to as junk email, spam mail, or simply spam, is unsolicited messages sent in bulk by email (spamming). The name comes from a Monty Python sketch in which the name of the canned pork product Spam is ubiquitous, unavoida ...
are e-mail messages disguised as messages from people, but are either advertising, annoying, or malicious. *
Click fraud Click, Klick and Klik may refer to: Airlines * Click Airways, a UAE airline * Clickair, a Spanish airline * MexicanaClick, a Mexican airline Art, entertainment, and media Fictional characters * Klick (fictional species), an alien race in the g ...
occurs when the user's computer visits websites without the user's awareness to create false web traffic for personal or commercial gain. *
Ad fraud Ad fraud (also referred to as ''Click Fraud or PPC Fraud)'' is concerned with the practice of fraudulently representing online advertisement impressions, clicks, conversion or data events in order to generate revenue. Ad-frauds are particularly po ...
is often a consequence of malicious bot activity, according to CHEQ, Ad Fraud 2019, The Economic Cost of Bad Actors on the Internet. Commercial purposes of bots include influencers using them to boost their supposed popularity, and online publishers using bots to increase the number of clicks an ad receives, allowing sites to earn more commission from advertisers. *
Credential stuffing Credential stuffing is a type of cyberattack in which the attacker collects stolen account credentials, typically consisting of lists of usernames and/or email addresses and the corresponding passwords (often from a data breach), and then uses t ...
attacks use botnets to log in to many user accounts with stolen passwords, such as in the attack against General Motors in 2022. *
Bitcoin Bitcoin ( abbreviation: BTC; sign: ₿) is a decentralized digital currency that can be transferred on the peer-to-peer bitcoin network. Bitcoin transactions are verified by network nodes through cryptography and recorded in a public distr ...
mining was used in some of the more recent botnets have which include bitcoin mining as a feature in order to generate profits for the operator of the botnet. * Self-spreading functionality, to seek for pre-configured command-and-control (CNC) pushed instruction contains targeted devices or network, to aim for more infection, is also spotted in several botnets. Some of the botnets are utilizing this function to automate their infections.


Market

The botnet controller community constantly competes over who has the most bots, the highest overall bandwidth, and the most "high-quality" infected machines, like university, corporate, and even government machines. While botnets are often named after the malware that created them, multiple botnets typically use the same malware but are operated by different entities.


Phishing

Botnets can be used for many electronic scams. These botnets can be used to distribute malware such as viruses to take control of a regular users computer/software By taking control of someone's personal computer they have unlimited access to their personal information, including passwords and login information to accounts. This is called
phishing Phishing is a type of social engineering where an attacker sends a fraudulent (e.g., spoofed, fake, or otherwise deceptive) message designed to trick a person into revealing sensitive information to the attacker or to deploy malicious softwar ...
. Phishing is the acquiring of login information to the "victim's" accounts with a link the "victim" clicks on that is sent through an email or text. A survey by
Verizon Verizon Communications Inc., commonly known as Verizon, is an American multinational telecommunications conglomerate and a corporate component of the Dow Jones Industrial Average. The company is headquartered at 1095 Avenue of the Americas in ...
found that around two-thirds of electronic "espionage" cases come from phishing.


Countermeasures

The geographic dispersal of botnets means that each recruit must be individually identified/corralled/repaired and limits the benefits of
filtering Filter, filtering or filters may refer to: Science and technology Computing * Filter (higher-order function), in functional programming * Filter (software), a computer program to process a data stream * Filter (video), a software component tha ...
. Computer security experts have succeeded in destroying or subverting malware command and control networks, by, among other means, seizing servers or getting them cut off from the Internet, denying access to domains that were due to be used by malware to contact its C&C infrastructure, and, in some cases, breaking into the C&C network itself. In response to this, C&C operators have resorted to using techniques such as overlaying their C&C networks on other existing benign infrastructure such as
IRC Internet Relay Chat (IRC) is a text-based chat system for instant messaging. IRC is designed for group communication in discussion forums, called ''channels'', but also allows one-on-one communication via private messages as well as chat and ...
or
Tor Tor, TOR or ToR may refer to: Places * Tor, Pallars, a village in Spain * Tor, former name of Sloviansk, Ukraine, a city * Mount Tor, Tasmania, Australia, an extinct volcano * Tor Bay, Devon, England * Tor River, Western New Guinea, Indonesia Sc ...
, using
peer-to-peer networking Peer-to-peer (P2P) computing or networking is a distributed application architecture that partitions tasks or workloads between peers. Peers are equally privileged, equipotent participants in the network. They are said to form a peer-to-peer n ...
systems that are not dependent on any fixed servers, and using
public key encryption Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic al ...
to defeat attempts to break into or spoof the network.
Norton AntiBot Norton AntiBot, developed by Symantec, monitored applications for damaging behavior. The application was designed to prevent computers from being hijacked and controlled by hackers. According to Symantec, over 6 million computers have been hijac ...
was aimed at consumers, but most target enterprises and/or ISPs. Host-based techniques use heuristics to identify bot behavior that has bypassed conventional
anti-virus software Antivirus software (abbreviated to AV software), also known as anti-malware, is a computer program used to prevent, detect, and remove malware. Antivirus software was originally developed to detect and remove computer viruses, hence the name. ...
. Network-based approaches tend to use the techniques described above; shutting down C&C servers, null-routing DNS entries, or completely shutting down IRC servers.
BotHunter BotHunter is a free utility for Unix, which aims at detecting botnet activity within a network. It does so by analyzing network traffic and comparing it to patterns characteristic of malicious processes. Version 1.7.2 was current . An earlier vers ...
is software, developed with support from the
U.S. Army Research Office The U.S. Army Combat Capabilities Development Command Army Research Laboratory (DEVCOM ARL) is the U.S. Army's foundational research laboratory. ARL is headquartered at the Adelphi Laboratory Center (ALC) in Adelphi, Maryland. Its largest singl ...
, that detects botnet activity within a network by analyzing network traffic and comparing it to patterns characteristic of malicious processes. Researchers at
Sandia National Laboratories Sandia National Laboratories (SNL), also known as Sandia, is one of three research and development laboratories of the United States Department of Energy's National Nuclear Security Administration (NNSA). Headquartered in Kirtland Air Force Ba ...
are analyzing botnets' behavior by simultaneously running one million Linux kernels—a similar scale to a botnet—as
virtual machines In computing, a virtual machine (VM) is the virtualization/emulation of a computer system. Virtual machines are based on computer architectures and provide functionality of a physical computer. Their implementations may involve specialized hardw ...
on a 4,480-node high-performance
computer cluster A computer cluster is a set of computers that work together so that they can be viewed as a single system. Unlike grid computers, computer clusters have each node set to perform the same task, controlled and scheduled by software. The comp ...
to emulate a very large network, allowing them to watch how botnets work and experiment with ways to stop them. Detecting automated bot attacks is becoming more difficult each day as newer and more sophisticated generations of bots are getting launched by attackers. For example, an automated attack can deploy a large bot army and apply brute-force methods with highly accurate username and password lists to hack into accounts. The idea is to overwhelm sites with tens of thousands of requests from different IPs all over the world, but with each bot only submitting a single request every 10 minutes or so, which can result in more than 5 million attempts per day. In these cases, many tools try to leverage volumetric detection, but automated bot attacks now have ways of circumventing triggers of volumetric detection. One of the techniques for detecting these bot attacks is what's known as "signature-based systems" in which the software will attempt to detect patterns in the request packet. However, attacks are constantly evolving, so this may not be a viable option when patterns cannot be discerned from thousands of requests. There is also the behavioral approach to thwarting bots, which ultimately tries to distinguish bots from humans. By identifying non-human behavior and recognizing known bot behavior, this process can be applied at the user, browser, and network levels. The most capable method of using software to combat against a virus has been to utilize honeypot software in order to convince the malware that a system is vulnerable. The malicious files are then analyzed using forensic software. On 15 July 2014, the Subcommittee on Crime and Terrorism of the Committee on the Judiciary,
United States Senate The United States Senate is the upper chamber of the United States Congress, with the House of Representatives being the lower chamber. Together they compose the national bicameral legislature of the United States. The composition and pow ...
, held a hearing on the threats posed by botnets and the public and private efforts to disrupt and dismantle them.


Non-malicious use

Non-malicious botnets, also known as
volunteer computing Volunteer computing is a type of distributed computing in which people donate their computers' unused resources to a research-oriented project, and sometimes in exchange for credit points. The fundamental idea behind it is that a modern desktop co ...
, such as the ones part of
BOINC The Berkeley Open Infrastructure for Network Computing (BOINC, pronounced – rhymes with "oink") is an open-source middleware system for volunteer computing (a type of distributed computing). Developed originally to support SETI@home, it beca ...
are often used for scientific purposes. For example, there is
Rosetta@home Rosetta@home is a volunteer computing project researching protein structure prediction on the Berkeley Open Infrastructure for Network Computing (BOINC) platform, run by the Baker laboratory at the University of Washington. Rosetta@home aims to ...
, which aims to predict protein–protein docking and design new proteins;
LHC@home LHC@home is a volunteer computing project researching particle physics that uses the Berkeley Open Infrastructure for Network Computing (BOINC) platform. The project's computing power is utilized by physicists at CERN in support of the Large Ha ...
, which aims to simulate various different experiments relating to the
Large Hadron Collider The Large Hadron Collider (LHC) is the world's largest and highest-energy particle collider. It was built by the European Organization for Nuclear Research (CERN) between 1998 and 2008 in collaboration with over 10,000 scientists and hundred ...
; SETI@home, which helps analyzing data related to search for
extraterrestrial intelligence Extraterrestrial intelligence (often abbreviated ETI) refers to hypothetical intelligent extraterrestrial life. The question of whether other inhabited worlds might exist has been debated since ancient times. The modern form of the concept emerged ...
and
Einstein@Home Einstein@Home is a volunteer computing project that searches for signals from spinning neutron stars in data from gravitational-wave detectors, from large radio telescopes, and from a gamma-ray telescope. Neutron stars are detected by their pulse ...
, which searches for signals from spinning neutron stars. These botnets are voluntary, requiring user consent to add a computer (and therefore having no self-spreading capability) and allowing much simpler removal from the botnet than a malicious one. Because of the user being aware, lack of self-spreading capability, and less risk of harm, computers in these botnets are often just referred to as "nodes" rather than "zombies". These botnets provides large computational capabilities to researchers at near zero cost. The risk of an unintentional DDoS attack on a website remains a possibility, as a poorly-"teamed" botnet could delegate too many, if not all, of its computers to a website, for example to collect data. However, because the nodes send as ''few'' requests as possible, the botnet will often cease access to a website when work in that website is done, like the completed collection of data in this case. No new nodes will attempt to connect to the website, causing the "attack" to dissolve just as suddenly as it started. The limitation of requests by the botnet itself further weakens the "attack".


Historical list of botnets

The first botnet was first acknowledged and exposed by
EarthLink EarthLink is an American Internet service provider. It went public on NASDAQ in January 1997. Much of the company's growth was via acquisition; by 2000, ''The New York Times'' described Earthlink as the "second largest Internet service provider ...
during a lawsuit with notorious spammer Khan C. Smith in 2001. The botnet was constructed for the purpose of bulk spam, and accounted for nearly 25% of all spam at the time. Around 2006, to thwart detection, some botnets were scaling back in size. *Researchers at the University of California, Santa Barbara took control of a botnet that was six times smaller than expected. In some countries, it is common that users change their IP address a few times in one day. Estimating the size of the botnet by the number of IP addresses is often used by researchers, possibly leading to inaccurate assessments.


See also

*
Computer worm A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. It often uses a computer network to spread itself, relying on security failures on the target computer to access it. It wil ...
*
Spambot A spambot is a computer program designed to assist in the sending of spam. Spambots usually create accounts and send spam messages with them. Web hosts and website operators have responded by banning spammers, leading to an ongoing struggle betwe ...
*
Timeline of computer viruses and worms A timeline is a display of a list of events in chronological order. It is typically a graphic design showing a long bar labelled with dates paralleling it, and usually contemporaneous events. Timelines can use any suitable scale representin ...
*
Advanced Persistent Threat An advanced persistent threat (APT) is a stealthy threat actor, typically a nation state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. In recent times, the term may ...


References


External links


The Honeynet Project & Research Alliance
– "Know your Enemy: Tracking Botnets"
The Shadowserver Foundation
– an all-volunteer security watchdog group that gathers, tracks, and reports on malware, botnet activity, and electronic fraud
EWeek.com – "Is the Botnet Battle Already Lost?"

Botnet Bust – "SpyEye Malware Mastermind Pleads Guilty"
FBI The Federal Bureau of Investigation (FBI) is the domestic Intelligence agency, intelligence and Security agency, security service of the United States and its principal Federal law enforcement in the United States, federal law enforcement age ...
{{malware Command and control Internet security Spamming Multi-agent systems Distributed computing Cyberwarfare Security breaches Internet bots