A botnet is a network of computers infected with malware that places them under common remote control, used for illegal or unethical purposes. A computer that belongs to a botnet is sometimes called a bot or a zombie. Botnets are run by a bot herder, who uses them to conduct attacks, send spam, steal data, or distribute other malware. Very large botnets command vast aggregate computing capability and bandwidth.
Malicious botnets can be traced back to the late 1990s, but they did not really take off until the mid-2000s. Many worms of the mid and late 2000s facilitated the creation of botnets, either accepting commands themselves or dropping a trojan for that purpose.
Botnet Components
- A Bot herder is the human operator of a botnet; the terms botnet controller and botmaster are also used.
- A Command and Control Server (often abbreviated as C&C server) is a central computer from which the bot herder issues commands to the bots. Most botnets have at least one C&C server, unless it's a peer-to-peer botnet, which by nature does not require one.
- A Bot is a program that runs automated tasks over the Internet. In the case of a malicious botnet, it is the software that is installed on the victim computer and accepts commands from the C&C server. The term is sometimes also used to describe the compromised computer.
- A Zombie is a compromised system. Multiple zombies can be used to create a "zombie army" for the purpose of sending massive amounts of spam or performing a DDoS attack on a server.
- A Control protocol that carries communication between the components of the botnet. Historically this was IRC; HTTP(S) and custom peer-to-peer protocols are now at least as common.
Architecture and Topologies
Botnets can be organized around one or more centralized command and control servers, or they can use a peer-to-peer architecture. The botmaster controls the botnet either through the command and control servers or, in a peer-to-peer network, by injecting commands directly into the bots.
Command and Control
A command and control infrastructure is the original botnet configuration. In such a configuration, the botmaster connects to one or more command and control servers, typically IRC servers, which in turn control the bots on zombie machines. The major disadvantage of this configuration is that the servers are a single point of failure: once they are taken down, the botnet is effectively neutered. C&C botnets can use one of a few different topologies, each of which trades off speed against resilience.
Star
The star topology is the simplest. A botnet using a star topology has a single C&C server, to which every bot connects and from which it receives commands directly. This configuration has the advantage of speed, since there is nothing between the server and the bot. However, the C&C server in this topology is a single point of failure, so if it is seized or taken down, the whole botnet is effectively neutralized.
Multiserver
This topology improves on the star by adding one or more additional servers that the bots know about. It removes the single point of failure: if one server is discovered and neutralized, at least one more is still running and the bots fall back to it. Strategic placement of C&C servers can also have the added benefit of speeding up communication within the botnet. The disadvantage is that it requires more effort to set up and maintain.
Hierarchical
A hierarchical topology has one or more C&C servers at the center of the botnet, with bots that connect to other bots rather than to the server. Bots closer to the C&C server proxy instructions from the server to bots further down the line. This topology has some very big advantages over the others. No single bot agent is aware of the whole botnet, and only those connected directly to the C&C server can give it away. This type of botnet is also easy to part out and rent to other operators for their own purposes. Operating such a botnet can be difficult and slow, however, since commands have to pass through multiple branches of the botnet, meaning a high degree of latency.
Peer-to-Peer
Like other peer-to-peer networks, P2P botnets tolerate high churn: peers joining and leaving at a high rate has little effect on the ability of the botnet to function. Every bot acts as both client and server. A new bot joins either by contacting a few hard-coded peers, from which it learns about other members, or by fetching a peer list from a shared web cache hosted online, as Gnutella clients do. Lacking a central point of failure, such botnets are much more difficult to neutralize.
Peer-to-peer botnets share some of the disadvantages of hierarchical botnets, namely high latency and unpredictable command propagation, although the multiple communication links between bot agents make latency somewhat less of a problem than in hierarchical botnets. Passive monitoring of the communication of a single infected host can also give away other members of the botnet.
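The resilience differences between the four topologies above can be made concrete by simulating a takedown. The following is an added example, not part of the original article: it builds a small synthetic graph for each topology, removes the nodes a defender might seize (a C&C server, a proxy bot, or a batch of sinkholed peers), and reports the fraction of bots the botmaster can still reach. The bot counts, link counts and the "ring plus random links" P2P overlay are assumptions chosen for the illustration.

```python
"""Command-and-control takedown resilience for star, multiserver,
hierarchical and peer-to-peer botnets.

Added illustration, not from the original article.  Each topology is a
small synthetic graph; a set of nodes is removed to model a takedown and
the share of bots still reachable from the botmaster is computed.
"""
from collections import deque
import random


def _link(graph, a, b):
    """Undirected edge: we only care whether a command path exists."""
    graph.setdefault(a, set()).add(b)
    graph.setdefault(b, set()).add(a)


def star(n_bots):
    """One C&C server; every bot connects to it directly."""
    g = {}
    _link(g, "master", "c2-0")
    for i in range(n_bots):
        _link(g, "c2-0", f"bot-{i}")
    return g


def multiserver(n_bots, n_servers):
    """Several C&C servers; every bot knows all of them and can fall back."""
    g = {}
    for s in range(n_servers):
        _link(g, "master", f"c2-{s}")
        for i in range(n_bots):
            _link(g, f"c2-{s}", f"bot-{i}")
    return g


def hierarchical(n_proxies, leaves_per_proxy):
    """One C&C server; proxy bots relay commands to the leaf bots beneath them."""
    g = {}
    _link(g, "master", "c2-0")
    for p in range(n_proxies):
        proxy = f"bot-p{p}"
        _link(g, "c2-0", proxy)
        for i in range(leaves_per_proxy):
            _link(g, proxy, f"bot-p{p}-{i}")
    return g


def peer_to_peer(n_bots, links_per_bot, entry_peers, seed=1):
    """No server; the master injects commands via a few hard-coded entry peers.
    Assumed overlay: a ring for base connectivity plus random extra links."""
    rng = random.Random(seed)
    g = {}
    for i in range(n_bots):
        _link(g, f"bot-{i}", f"bot-{(i + 1) % n_bots}")
        for j in rng.sample(range(n_bots), links_per_bot):
            if j != i:
                _link(g, f"bot-{i}", f"bot-{j}")
    for i in range(entry_peers):
        _link(g, "master", f"bot-{i}")
    return g


def reachable_fraction(graph, taken_down):
    """Share of all bots still reachable from the master once the nodes in
    `taken_down` (servers or bots) are gone.  Removed bots count as lost."""
    bots = {n for n in graph if n.startswith("bot-")}
    seen, queue = {"master"}, deque(["master"])
    while queue:
        node = queue.popleft()
        for nxt in graph[node]:
            if nxt not in seen and nxt not in taken_down:
                seen.add(nxt)
                queue.append(nxt)
    return len(seen & bots) / len(bots)


def demo():
    """Takedown scenarios for each topology; values are fractions 0.0 to 1.0."""
    return {
        "star, C&C seized": reachable_fraction(star(100), {"c2-0"}),
        "multiserver, 1 of 3 seized": reachable_fraction(multiserver(100, 3), {"c2-0"}),
        "hierarchical, C&C seized": reachable_fraction(hierarchical(4, 10), {"c2-0"}),
        "hierarchical, 1 proxy seized": reachable_fraction(hierarchical(4, 10), {"bot-p0"}),
        "p2p, 20 of 200 bots sinkholed": reachable_fraction(
            peer_to_peer(200, 7, 10), {f"bot-{i}" for i in range(10, 30)}),
    }


if __name__ == "__main__":
    for label, frac in demo().items():
        print(f"{label:32s} {frac:.2f}")
```

The star and hierarchical cases drop to zero when the single server is seized, the multiserver case is unaffected by losing one of three servers, seizing one proxy in the hierarchical case loses only that proxy's branch (a quarter of the bots here), and the peer-to-peer case loses essentially only the nodes that were sinkholed.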
Communication Protocols
Traditionally IRC was the protocol of choice for most botnets, and IRC-based bots are still encountered, although newer botnets have largely moved to HTTP(S) and custom protocols. IRC technology is robust and has existed for a long time. Setting up an IRC server is easy, and one server can be used to control several botnets. IRC is also the Achilles' heel of the botnet, because it is centralized. However, multiple servers can be set up and interlinked for redundancy, making it difficult for bot hunters to destroy the entire botnet. Some bot herders add further resilience by pointing the bots at a domain name rather than a fixed address, so that if the IRC server is taken down the herder only has to update the DNS record to move the bots to a replacement server at another IP address.
Aside from IRC-based solutions, the bot herder has several other options for communication between the parts of the botnet. In a connect-and-forget configuration, the bot simply checks in with the server and disconnects, and the server keeps a record of these check-ins, usually in a log file, rather than holding a session open. A related method has the bot periodically download a file from the server containing its instructions.
Often the protocol is abstracted away from the operator in some way. A criminal without much technical skill may opt for a GUI-based control panel in order to run the botnet.
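Whatever the protocol, a bot that checks in with or polls its server on a schedule leaves a trail of near-equal inter-connection intervals, which human-driven traffic does not. The following is an added detection example, not part of the original article: it groups outbound connections by source, destination and port and flags flows whose interval spread (standard deviation divided by mean) is small. The log format and every line in it are constructed for the example; the thresholds are assumptions to be tuned per environment.

```python
"""Beacon detection over connection logs.

Added example, not from the original article.  Periodic check-ins to a
C&C server show up as a flow with many connections at near-constant
intervals.  The sample log is constructed; lines are
"<ISO time> <src> <dst> <dst port>".
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: one host polling an HTTP server every ~5 minutes,
# one host on IRC every minute, one host browsing irregularly.
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.0.5 203.0.113.10 80
2024-03-01T09:05:01 10.0.0.5 203.0.113.10 80
2024-03-01T09:09:59 10.0.0.5 203.0.113.10 80
2024-03-01T09:15:00 10.0.0.5 203.0.113.10 80
2024-03-01T09:20:02 10.0.0.5 203.0.113.10 80
2024-03-01T09:24:58 10.0.0.5 203.0.113.10 80
2024-03-01T09:00:10 10.0.0.7 198.51.100.4 6667
2024-03-01T09:01:10 10.0.0.7 198.51.100.4 6667
2024-03-01T09:02:10 10.0.0.7 198.51.100.4 6667
2024-03-01T09:03:10 10.0.0.7 198.51.100.4 6667
2024-03-01T09:04:10 10.0.0.7 198.51.100.4 6667
2024-03-01T09:00:03 10.0.0.9 192.0.2.20 443
2024-03-01T09:00:41 10.0.0.9 192.0.2.20 443
2024-03-01T09:07:15 10.0.0.9 192.0.2.20 443
2024-03-01T09:07:16 10.0.0.9 192.0.2.20 443
2024-03-01T09:31:02 10.0.0.9 192.0.2.20 443
2024-03-01T09:33:45 10.0.0.9 192.0.2.20 443
"""

MIN_CONNECTIONS = 5   # assumed: fewer samples give a meaningless spread
MAX_JITTER = 0.10     # assumed: flag if stdev(interval) / mean(interval) is below this


def parse_log(text):
    """Group connection timestamps by (src, dst, port)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows[(src, dst, int(port))].append(datetime.fromisoformat(ts))
    return flows


def beacon_score(timestamps):
    """Return (mean interval in seconds, coefficient of variation) or None
    when there are too few connections to judge."""
    if len(timestamps) < MIN_CONNECTIONS:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mu = mean(gaps)
    if mu <= 0:
        return None
    return mu, pstdev(gaps) / mu


def find_beacons(text, max_jitter=MAX_JITTER):
    """Flows whose connection intervals are suspiciously regular, as
    ((src, dst, port), rounded period, cv) sorted by flow."""
    hits = []
    for flow, stamps in parse_log(text).items():
        score = beacon_score(stamps)
        if score and score[1] < max_jitter:
            hits.append((flow, round(score[0]), round(score[1], 3)))
    return sorted(hits)


if __name__ == "__main__":
    for (src, dst, port), period, cv in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}:{port} every ~{period}s (jitter cv={cv})")
```

Legitimate software polls on fixed schedules too (update checkers, NTP, monitoring agents), so in practice the output is a candidate list to be checked against an allow-list of known destinations, not an alert on its own; bots that randomize their sleep interval also need a looser jitter threshold or a different feature.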
Botnet Construction
In order to construct a botnet, the bot agent must infect as many machines as possible across the Internet. Viruses and worms are very common methods of spreading botnet malware, with the self-replicating malware carrying a bot agent and dropping it on the victim computer. This has the advantage of spreading the botnet malware quickly without much extra effort on the part of the herder, but in recent years herders have moved toward more targeted approaches.
Other methods include trojans delivered by drive-by downloads that exploit vulnerable browsers, and more targeted attacks in which the bot herder directly attacks a specific IP address. Malware affiliate programs specialize in distributing bot agents, typically charging on the order of $250 for every 1,000 installs. They use tactics including malware-laden spam, malicious links posted to forums, and malicious websites, among others.
History
Bots were originally tools for legitimate purposes in IRC channels. Attackers soon began exploiting vulnerabilities and creating bots that stole passwords and logged keystrokes. By the mid-2000s, they had become the preferred tool of organized crime for identity theft, spam, and phishing, and an industry developed around building botnets and renting them out.
Worms were once a very popular method of spreading botnets. Prettypark, which appeared in May 1999, was the first self-replicating program to function as a bot. It opened security holes and listened for commands to report information on the victim such as email addresses, passwords, and software versions. Around the same time the Sub7 trojan appeared, but it was not self-replicating.
The Global Threat bot, or GTBot, appeared in 2000. It was built on mIRC and could therefore run custom scripts in response to IRC events. It also had direct access to TCP and UDP sockets, making it useful for denial of service attacks. It would even scan for Sub7 and "update" it with a copy of itself.
2002 saw the first commercialized bot when the creator of SDBot made his source code available. That same year, Agobot introduced the concept of modular, staged attacks with payloads delivered sequentially: the initial stage installed a back door, the next attempted to disable antivirus software, and the final stage blocked access to security vendors' websites.
By 2003, botnets had become tools for distributing spam and other malware. Years later, after Bitcoin's launch in 2009, they were also put to work mining cryptocurrency, with the ever-growing power of CPUs and GPUs making the extra load easier to hide from the victim. Peer-to-peer architecture, which appeared in 2003 with Sinit and in Agobot variants, made it possible to control a botnet without a command and control server.
Botnet Impact
In 2016, as in the few years before it, bots accounted for a majority of all web traffic. This includes both legitimate bots, such as commercial web crawlers and search engine bots, and malicious bots, such as hacking tools, spammers, and impersonators. Impersonators, commonly used in DDoS attacks, accounted for 24.3% of all web traffic, and the same report claimed that 94.2% of the sites surveyed had suffered a bot attack.
As with many viruses and worms, the impact is often exaggerated. Differences in counting methods can yield radically different estimates of the number of infected machines, with the higher number often touted for media attention or funding. The Torpig botnet, for example, was estimated at as many as 1,200,000 hosts when counted by distinct IP addresses, but only about 180,000 when counted by unique bot identifiers, because a single bot on a dynamically addressed connection shows up under many addresses over time. ENISA's Giles Hogben has argued that the raw size of a botnet matters less than other characteristics in determining how damaging it is.
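The Torpig discrepancy above comes down to what a sinkhole or C&C log actually records. The following added example, not part of the original article, counts a constructed sinkhole log both ways and shows the two effects that pull the IP count away from the real population: DHCP churn (one bot seen from several addresses) inflates it, while NAT (several bots behind one gateway address) deflates it. The log format, the addresses and the bot identifiers are all made up for the illustration.

```python
"""Sizing a sinkholed botnet by IP address versus by bot identifier.

Added example, not from the original article.  The log is constructed:
each line is "<day> <source IP> <bot id>", the kind of check-in a sinkhole
records when a bot carries a persistent identifier in its beacon.
"""
from collections import defaultdict

SINKHOLE_LOG = """\
day1 198.51.100.11 bot-a
day2 198.51.100.23 bot-a
day3 198.51.100.40 bot-a
day4 198.51.100.61 bot-a
day1 198.51.100.12 bot-b
day2 198.51.100.12 bot-b
day3 198.51.100.57 bot-b
day4 198.51.100.88 bot-b
day1 203.0.113.9 bot-c
day1 203.0.113.9 bot-d
day2 203.0.113.9 bot-e
day3 203.0.113.9 bot-c
day1 192.0.2.5 bot-f
day4 192.0.2.5 bot-f
"""


def census(text):
    """Count the population by IP and by identifier and explain the gap."""
    ips_by_bot = defaultdict(set)   # bot id -> addresses it was seen from
    bots_by_ip = defaultdict(set)   # address -> bot ids seen behind it
    for line in text.splitlines():
        if not line.strip():
            continue
        _day, ip, bot_id = line.split()
        ips_by_bot[bot_id].add(ip)
        bots_by_ip[ip].add(bot_id)
    distinct_ips = len(bots_by_ip)
    distinct_ids = len(ips_by_bot)
    return {
        "distinct_ips": distinct_ips,
        "distinct_bot_ids": distinct_ids,
        # bots that moved between addresses (DHCP churn inflates IP counts)
        "ip_churned_bots": sum(1 for s in ips_by_bot.values() if len(s) > 1),
        # addresses shared by several bots (NAT deflates IP counts)
        "nat_shared_ips": sum(1 for s in bots_by_ip.values() if len(s) > 1),
        "ip_over_id_ratio": round(distinct_ips / distinct_ids, 2),
    }


if __name__ == "__main__":
    for key, value in census(SINKHOLE_LOG).items():
        print(f"{key:18s} {value}")
```

Even this tiny log gives an IP count 50% higher than the identifier count. Over the ten days of sinkholing that produced the Torpig figures the same effect compounds, which is how 180,000 bots become 1,200,000 "infected hosts" in a headline. The identifier count is only as good as the identifier, though: if a bot family derives its ID from something that changes across reboots, identifiers over-count instead.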
Viruses and Worms Acting as/Dropping Bots
This list is far from exhaustive; bots that are not self-replicating are currently beyond the scope of this wiki and are not listed here.
- Prettypark
- Beagle
- Fizzer
- Spybot
- Zhelatin (the Storm botnet)
- Nuwar (also the Storm botnet)
- Conficker
- Sality
Legitimate Bots and Botnets
Search engines use bots to crawl the web and find and index websites. Entire botnets have legitimate uses too, the difference being that participants install the client knowingly. Stanford University's Folding@Home allows users to "donate" bandwidth and idle processor time to simulate protein folding, which has applications in the fight against several diseases. UC Berkeley's SETI@home uses the same model to assist in the search for extraterrestrial life. The Universitat Pompeu Fabra in Barcelona runs a program called GPUGRID, which uses the graphics cards of host systems for biomolecular simulations.
Other Uses of the Term
The term botnet can be (mis)applied to software that a user perceives as a potential privacy issue. Such software is almost always proprietary and connected to the Internet. It may come bundled with questionable software, communicate with something while online, log the user's actions, or use system resources in a way the user does not intend or for purposes different from the reason the software is used. In some cases, someone will describe a particular service or piece of software as a botnet simply because they dislike it or are trolling for an argument.
In most cases these claims have not proven to be more than FUD (fear, uncertainty, doubt), but there have been many cases, such as the alleged NSA backdoor key found in some versions of Windows or uTorrent bundling the Epic Scale bitcoin miner with its installer, where objectionable behavior on the part of software developers did exist. In addition to being violations of user privacy, such actions have been shown to create other security risks as well as degrade system performance.
Sources
Techopedia, What is a Botnet.
Cyren, Botnet Anatomy.
Tamer Sameeh. Deep Dot Web, An Overview of Peer-to-peer (P2P) Botnets. 2017.06.16
Gunter Ollmann. Damballa Inc., Botnet Communication Topologies. 2009
Trend Micro. CounterMeasures, The history of the botnet – Part I.
Trend Micro. SimplySecurity, The state of botnets in late 2015 and early 2016. 2015.12.17
Andy O'Donnell. Lifewire, What is a Bot Net? 2018.01.23
Igal Zeifman. Imperva Incapsula, Bot Traffic Report 2016. 2017.01.24
Ofer Gayer. -, What is an Internet Bot. 2016.02.02
M. K. Low. Symantec Official Blog, Botnets: not just for spamming anymore. 2007.09.20
Botnet Wiki, Good Uses for Botnets.
Jeff Stone. IBTimes, Slow Computer? uTorrent 'Epic Scale' Bitcoin Mining Software Is Slowing Down Computers Everywhere. 2015.03.09
Craig A. Schiller, Jim Binkley, David Harley, Gadi Evron, Tony Bradley, Carsten Willems, Michael Cross. Botnets: The Killer Web App. pp. 78-85. Syngress Media, 2007. ISBN-13: 978-1-59749-135-8
Andrew Fernandes. Cryptonym Corporation Press Release, Microsoft, the NSA, and You. 1999.08.31
Tom Espiner. ZDNet, Botnet size may be exaggerated, says Enisa. 2011.03.08
Thomas C. Greene. The Register, Fizzer worm more interesting than harmful. 2003.05.20