Botnet

Definition

A botnet (a contraction of the term “RoBOT NETwork”) is a computer network made up of a vast number of compromised computers that have been infected with malicious code and can be remotely controlled through commands sent via the Internet. Typically, users whose computers have been conscripted into a botnet are unaware that their computers have been compromised.

Hundreds or thousands of these infected computers can operate in concert to disrupt or block Internet traffic for targeted victims, harvest information, or to distribute spam, viruses, or other malicious code (called collectively "Botnet code"). The attack value of a botnet arises from the sheer number of computers that an attacker can control.

Botnets are becoming a major tool for cybercrime, partly because they can be designed to very effectively disrupt targeted computer systems in different ways, and because a malicious user, without possessing strong technical skills, can initiate these disruptive effects in cyberspace by simply renting botnet services from a cybercriminal. Botnets have been described as the “Swiss Army knives of the underground economy” because they are so versatile.

How they work
Traditionally, botnets organized themselves in a hierarchical manner, with a central command and control (C&C) location (sometimes dynamic) for the botmaster. Upon being compromised by malicious code, infected computers are instructed to communicate with the command and control server and follow whatever instructions are received. By relaying commands through the C&C, the bot herder is able to remotely control a vast network of compromised computers and use those computers for a variety of nefarious purposes, including the sending of spam, the distribution of malicious software, click fraud, and denial of service attacks.

However, security experts believe that in the near future attackers may use new botnet architectures that are more sophisticated and more difficult to detect and trace. One class of botnet architecture that is beginning to emerge uses a peer-to-peer protocol, which, because of its decentralized control design, is expected to be more resistant to strategies for countering its disruptive effects. A well-designed peer-to-peer botnet may be nearly impossible to shut down as a whole because it may provide anonymity to the controller, who can appear as just another node in the bot network.
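As an added defender's illustration (not part of the original article), the following Python sketch looks for the hierarchical pattern just described in constructed flow records: several internal hosts contacting the same external endpoint on a fixed timer. It assumes timestamps in seconds and sample addresses from documentation ranges; a peer-to-peer design, which spreads contacts across many nodes, would not trip the shared-destination test, which is precisely why it is harder to detect.

```python
"""Flag candidate C&C rendezvous points in flow records (constructed sample)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flows: (timestamp_seconds, src_ip, dst_ip, dst_port).
# Three hosts check in with 203.0.113.7:6667 roughly every 300 s;
# one host also browses 198.51.100.20:443 at irregular intervals.
FLOWS = [
    (0, "10.0.0.5", "203.0.113.7", 6667), (300, "10.0.0.5", "203.0.113.7", 6667),
    (600, "10.0.0.5", "203.0.113.7", 6667), (900, "10.0.0.5", "203.0.113.7", 6667),
    (10, "10.0.0.8", "203.0.113.7", 6667), (310, "10.0.0.8", "203.0.113.7", 6667),
    (610, "10.0.0.8", "203.0.113.7", 6667), (905, "10.0.0.8", "203.0.113.7", 6667),
    (5, "10.0.0.9", "203.0.113.7", 6667), (305, "10.0.0.9", "203.0.113.7", 6667),
    (610, "10.0.0.9", "203.0.113.7", 6667), (915, "10.0.0.9", "203.0.113.7", 6667),
    (12, "10.0.0.5", "198.51.100.20", 443), (40, "10.0.0.5", "198.51.100.20", 443),
    (700, "10.0.0.5", "198.51.100.20", 443), (1400, "10.0.0.5", "198.51.100.20", 443),
]


def beacon_score(times):
    """Coefficient of variation of the gaps between contacts.

    A value near 0 means the contacts follow a fixed timer, as a bot polling
    its C&C does; human-driven traffic has widely varying gaps.
    Returns None when there are too few contacts to judge.
    """
    ts = sorted(times)
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)


def find_candidate_c2(flows, min_hosts=3, max_cv=0.2, min_contacts=4):
    """Return destinations that several hosts beacon to on a regular schedule."""
    by_dst = defaultdict(lambda: defaultdict(list))
    for ts, src, dst, port in flows:
        by_dst[(dst, port)][src].append(ts)
    findings = []
    for (dst, port), hosts in by_dst.items():
        regular = []
        for src, times in hosts.items():
            cv = beacon_score(times) if len(times) >= min_contacts else None
            if cv is not None and cv <= max_cv:
                regular.append(src)
        # Many hosts sharing one rendezvous point is the hierarchical C&C signature.
        if len(regular) >= min_hosts:
            findings.append({"dst": dst, "port": port, "hosts": sorted(regular)})
    return findings


if __name__ == "__main__":
    for hit in find_candidate_c2(FLOWS):
        print(f"candidate C&C {hit['dst']}:{hit['port']} beaconed by {hit['hosts']}")
```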

Some botnet owners reportedly rent their huge networks for US$200 to $300 an hour, and botnets are becoming the weapon of choice for fraud and extortion. Newer methods are evolving for distributing “bot” software that may make it even more difficult in the future for law enforcement to identify and locate the originating “botmaster.” Some studies show that authors of software for botnets are increasingly using modern, open-source techniques for software development, including the collaboration of multiple authors for the initial design, new releases to fix bugs in the malicious code, and development of software modules that make portions of the code reusable for newer versions of malicious software designed for different purposes. This increase in collaboration among hackers mirrors the professional code development techniques now used to create commercial software products, and is expected to make future botnets even more robust and reliable. This, in turn, is expected to help increase the demand for malware services in future years.

Criminal conduct
The rise of botnets has been recognized as the most serious security threat facing the Internet. Among other harms, experts estimate that botnets are responsible for approximately 85% of spam sent worldwide. Operating a botnet is illegal, and in many cases, punishable as a felony.

Click fraud is one of the many illegal uses for a botnet. Click fraud is a crime in many jurisdictions, including California, where it is a felony.

An OECD report identified the following as typical criminal uses of a botnet:

 * 1) Locate and infect other information systems with bot programmes (and other malware). This functionality in particular allows attackers to maintain and build their supply of new bots to enable them to undertake the functions below, inter alia.
 * 2) Conduct distributed denial of service attacks (DDoS).
 * 3) As a service that can be bought, sold or rented out.
 * 4) Rotate IP addresses under one or more domain names for the purpose of increasing the longevity of fraudulent web sites, which, for example, host phishing and/or malware sites.
 * 5) Send spam which in turn can distribute more malware.
 * 6) Steal sensitive information from each compromised computer that belongs to the botnet.
 * 7) Hosting the malicious phishing site itself, often in conjunction with other members of the botnet to provide redundancy.
 * 8) Many botnet clients allow the attacker to run any additional code of their choosing, making the botnet client very flexible in adding new attacks.