Editing Botnet

== Definitions ==

A '''botnet''' (a contraction of the term "Ro'''BOT''' '''NET'''work") is 

{{Quote|[a] [[network]] of [[remote control|remotely controlled]] [[system]]s used to coordinate [[attack]]s and distribute [[malware]], [[spam]], and [[phishing]] scams.<ref>[[Defense Department Cyber Efforts: DOD Faces Challenges In Its Cyber Activities]], at 14.</ref>}}

{{Quote|[a] [[network]][] of [[Internet]]-connected [[end-user]] [[computing device]]s [[infect]]ed with [[bot]] [[malware]], which are [[remotely controlled]] by [[third parties]] for nefarious purposes. A botnet is under the control of a given "[[botherder]]" or "[[botmaster]]." A botnet might have just a handful of botted hosts, or millions.<ref>[[U.S. Anti-Bot Code of Conduct (ABCs) for Internet Service Providers (ISPs)]], at 21.</ref>}}

{{Quote|[a] collection[] of [[computer]]s [[infect]]ed with [[malicious code]] that can be controlled remotely through a [[command and control]] [[infrastructure]].<ref>[[Botnets as a Vehicle for Online Crime]], at 2.</ref>}}

{{Quote|[a] network[] of [[compromised]] [[computer]]s that are [[remotely controlled]] by [[malicious agent]]s. They are used to send massive quantities of [[spam]] [[e-mail  message]]s, co-ordinate [[distributed denial-of-service attack]]s ([[DDOS]]) and facilitate financial and [[identity fraud]], among other economically and socially harmful activities. They therefore represent a major problem for [[security]] and [[trust]] in [[online]] environments.<ref>[[Proactive Policy Measures by Internet Service Providers against Botnets]], at 6.</ref>}}

== Overview ==

{{Quote|Botnets are not necessarily [[malicious]]. The [[computer code]] botnets use also enables desirable [[communication]] across the [[Internet]], such as the [[chat room]]s that were popular in the 1990s. However, [[programmer]]s have figured out how to [[exploit]] [[vulnerabilities]] in widely used Microsoft Windows operating platforms to degrade, destroy, and manipulate computer networks—often without the knowledge of the machine's owner or local operator. Because they are automated programs, when released, bots lurk on the Internet and take over computers, turning them into a network of 'zombies' that can be operated remotely. The majority of email spam is generated by botnets without the host computer's knowledge. In fact, owners are often not aware that their computers are part of a botnet, the only indication of which is sluggish response time.}}

A 2006 industry report indicated that nearly 12 million [[computer]]s around the world were [[compromise]]d by [[bot]]s.<ref>''See'' [http://www.mcafee.com/us/local_content/white_papers/threat_center/wp_virtual_criminology_report_2007.pdf McAfee Virtual Criminology Report: Organised Crime and the Internet] (Dec. 2006).</ref> Researchers suggest an average of about 4 million new botnet [[infection]]s occur every month.<ref>''See'' McAfee Quarterly Threat Report 2nd Quarter 2011 ([http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q2–2011.pdf full-text]).</ref> Typically, [[user]]s whose [[computer]]s have been conscripted into a botnet are unaware that their [[computer]]s have been [[compromise]]d.

Hundreds or thousands of these [[infect]]ed [[computer]]s can operate in concert to [[disrupt]] or [[block]] [[Internet traffic]] for targeted victims, [[harvest]] [[information]], or to [[distribute]] [[spam]], [[virus]]es, or other [[malicious code]] (called collectively "[[Botnet code]]"). The attack value of a botnet arises from the sheer number of [[computer]]s that an [[attacker]] can control.

Botnets are becoming a major tool for [[cybercrime]], partly because they can be designed to very effectively [[disrupt]] targeted [[computer system]]s in different ways, and because a [[malicious]] [[user]], without possessing strong technical skills, can initiate these [[disruptive]] effects in [[cyberspace]] by simply renting botnet services from a [[cybercriminal]]. Botnets have been described as the “Swiss Army knives of the underground economy” because they are so versatile.<ref>''See'' Joaquim P. Menezes, "Why We're Losing the Botnet Battle," ''NetworkWorld'' (July 26, 2007)[http://www.networkworld.com/news/2007/072507-why-were-losing-the-botnet.html]; Robert Lemos, “Breaking the Botnet Code,” Tech. Rev. (Nov. 11, 2009)[http://www.technologyreview.com/computing/23924/]; Gregg Keizer, "Botnets 'the Swiss Army knife of attack tools'", Computerworld  (Apr. 7, 2010)[http://www.computerworld.com/s/article/9174560/Botnets_the_Swiss_Army_knife_of_attack_tools_]; "Netherlands Home to Many Botnet Computers," dutchdailynews.com (Jan. 14, 2011)[http://www.dutchdailynews.com/botnet-computers/]; "'Botnets Are the Criminals' Swiss Army Knife'", eco, Association of the German Internet Industry (June 24, 2011) [http://en.eco.de/association/202_9230.htm].</ref>

"Key components of a large bot network includes, but not limited to:
* An [[address book]] of [[contact]]s or a collection of [[compromised]] [[server]]s (to act as [[watering hole]]s).
* An [[email]] or [[web]]‐based delivery mechanism.
* [[Socially engineered]] [[content]] for [[lure activation]].
* [[Redirection server]]s and [[redirection domain|domain]]s to mask destination.
* Hosted [[malicious]] [[content]] [[server]]s and [[domain]]s for [[exploit]]s and [[malware]].
* [[Command‐and‐control]] ([[C&C]]) [[server]]s and [[domain]]s for lateral movement within a [[targeted]] [[network]], and further [[penetration]].
* [[Data exfiltration]] [[repositories]]."<ref>[[Cybersecurity Risk Management and Best Practices (WG4): Final Report]], at 407.</ref>

== How they work ==

[[File:Linked-computers-angled.jpg|thumb]]

Traditionally, botnets organized themselves in an hierarchical manner, with a central [[command and control]] ([[C&C]]) location (sometimes [[dynamic]]) for the [[botmaster]]. [[Intruder]]s [[exploit]] [[security flaw]]s in the [[hardware]] and/or [[software]] used by individual [[consumer]]s, and they [[install]] [[malicious software]] that connects the [[consumer]]’s [[computer]] into a [[remotely controlled]] [[network]] of many [[computer]]s.

Once [[compromise]]d, the [[infected computer]]s are instructed to communicate with the [[command and control]] [[server]] and follow whatever instructions are received. By relaying commands through the [[C&C]], the [[bot herder]] is able to [[remotely control]] a vast [[network]] of [[compromise]]d [[computer]]s, and use those [[computer]]s for a variety of nefarious purposes, including the sending of [[spam]], the [[distribution]] of [[malicious software]], [[click fraud]], and [[denial of service attack]]s.<ref>''Id.''; CERT Coordination Center, Botnets as a Vehicle for Online 6 Crime, at 7-16.[http://www.cert.org/archive/pdfIBotnets.pdf]</ref> 

However, in the near future, security experts believe that [[attacker]]s may use new botnet architectures that are more sophisticated, and more difficult to [[detect]] and [[trace]]. One class of botnet architecture that is beginning to emerge uses [[peer-to-peer]] [[protocol]], which, because of its decentralized control design, is expected to be more resistant to strategies for countering its [[disruptive]] effects. A well-designed [[peer-to-peer]] botnet may be nearly impossible to shut down as a whole because it may provide [[anonymity]] to the controller, who can appear as just another [[node]] in the [[bot network]].

Some botnet owners reportedly rent their huge [[network]]s for US$200 to $300 an hour, and botnets are becoming the weapon of choice for [[fraud]] and [[extortion]].<ref>Susan MacLean, “Report warns of Organized Cyber Crime,” ItWorldCanada, Aug. 26, 2005.[http://www.itworldcanada.com/a/IT-Focus/39c78aa4-df47-4231-a083-ddd1ab8985fb.html]</ref> Newer methods are evolving for distributing “bot” [[software]] that may make it even more difficult in the future for law enforcement to identify and locate the originating [[botmaster]]. 

Some studies show that authors of [[software]] for botnets are increasingly using modern, [[open-source]] techniques for [[software development]], including the collaboration of  multiple authors for the initial design, new releases to fix [[bug]]s in the [[malicious code]], and development of [[software module]]s that make portions of the [[code]] reusable for newer versions of [[malicious software]] designed for different purposes. This increase in collaboration among [[hacker]]s mirrors the professional [[code development]] techniques now used to create commercial [[software]] products, and is expected to make future botnets even more robust and reliable. This, in turn, is expected to help increase the demand for [[malware]] services in future years.<ref>McAfee Virtual Criminology Report: Organized Crime and the Internet (Dec. 2006).[http://www.sigma.com.pl/pliki/albums/userpics/10007/Virtual_Criminology_Report_2006.pdf]</ref>

== Vulnerabilities ==

[[Computer]]s may be [[vulnerable]] to [[bot]]s for a variety of reasons, including:

{{Quote|un-[[patch]]ed [[operating system]]s, [[software]] [[vulnerabilities]] (which include so-called [[zero-day vulnerabilities]] where no [[patch]] yet exists), weak/non-existent [[password]]s, [[malicious]] [[website]]s, un-[[patch]]ed [[browser]]s, [[malware]], [[vulnerable]] [[helper application]]s, inherently [[insecure]] [[protocol]]s, [[protocol]]s [[implement]]ed without [[security]] features switched on and [[social engineering]] techniques to gain [[access]] to the [[user]]'s [[computer]]."<ref>[[Recommendations for the Remediation of Bots in ISP Networks]].</ref>}}

== Criminal conduct ==

The rise of botnets has been recognized as the most serious [[security threat]] facing the Internet.<ref>''See, e.g.,'' Tim Ferguson, Security Experts: Botnets Biggest Threat on Net, ZDNet UK, Apr. 11, 2008.[http://news.zdnet.co.uk/security/0,1000000189,39384066,00.htm]</ref> Among other harms, experts estimate that botnets are responsible for approximately 85% of [[spam]] sent worldwide.<ref>''See, e.g.,'' Marshall8e6, Are Bots About to Bring Down Your Business? at 2.[http://www.marshal8e6.com/documents/pdfs/white_papers/business/WP_BotsBringDownBusiness.pdf]</ref> Operating a botnet is illegal, and in many cases, punishable as a [[felony]].<ref>''See'' 18 U.S.C. §1030.</ref>

Once [[compromise]]d, the owners of these [[computer]]s are put at risk. Criminals have the ability to [[access]] [[personal information]] [[stored]] on the [[computer]] and [[communications]] made with the [[computer]]. Criminals can [[exploit]] this [[information]] for [[identity theft]], [[privacy]] violations, and other crimes, as well as utilize the impacted [[user]]s’ computing power and [[Internet access]]. Networks of these [[compromise]]d [[computer]]s can be used to [[store]] and [[transfer]] illegal [[content]], and [[attack]] the [[server]]s of government and private entities with [[distributed denial-of-service]] [[attack]]s.

[[Click fraud]] is another potential illegal use for a botnet.<ref>''See, e.g.,'' Stefanie Olsen, Exposing Click Fraud, CNET News.[http://news.cnet.comlExposing-click-fraud/2100-1024_3-5273078.html]</ref> [[Click fraud]] is a crime in many jurisdictions, including California, where it is a [[felony]].<ref>''See'' Cal. Penal Code §502.</ref>

An [[OECD]] report<ref>[[Malicious Software (Malware): A Security Threat to the Internet Economy]], at 23.</ref> identified the following as typical criminal uses of a botnet:

# Locate and [[infect]] other [[information system]]s with [[bot programme]]s (and other [[malware]]). This functionality in particular allows [[attacker]]s to maintain and build their supply of new [[bot]]s to enable them to undertake the functions below. . . .
# Conduct [[distributed denial of service]] [[attack]]s ([[DDoS]]).
# As a service that can be bought, sold or rented out.
# Rotate [[IP address]]es under one or more [[domain name]]s for the purpose of increasing the longevity of [[fraud]]ulent [[web site]]s, . . . for example [[host]] [[phishing]] and/or [[malware]] [[site]]s.
# Send [[spam]] which in turn can [[distribute]] more [[malware]].
# Steal [[sensitive information]] from each [[compromised]] [[computer]] that belongs to the botnet.
# [[Host]]ing the [[malicious]] [[phishing]] [[site]] itself, often in conjunction with other members of the botnet to provide [[redundancy]].
# Many [[botnet client]]s allow the [[attacker]] to run any additional [[code]] of their choosing, making the botnet client very flexible to adding new [[attack]]s.

== References ==
<references />

== Source ==

* [[Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress]].

== External resources ==

* Zheng Bu, Pedro Bueno, Rahul Kashyap, et al., "The New Era of Botnets" (McAfee 2010) ([http://www.mcafee.com/us/resources/white-papers/wp-new-era-of-botnets.pdf full-text]).
* [[CERT]] Coordination Center, "Botnets as a Vehicle for Online Crime," at 11, 20 ([http://www.cert.org/archive/pdf/Botnets.pdf full-text]).
* Tim Cranton, "Cracking Down on Botnets," Microsoft on the Issues Blog (Feb. 24, 2010) ([http://blogs.technet.com/b/microsoft_on_the_issues/archive/2010/02/24/cracking-down-on-botnets.aspx full-text]).
* Jaideep Chandrashekar, Carl Livadas, Steve Orrin & Eve Schooler, "The Dark Cloud: Understanding and Defending Against Botnets and Stealthy Malware" (Aug. 4, 2009) ([http://www.infoq.com/articles/intel-botnets-malware-security full-text]).
* [[Online Trust Alliance]], "Combatting Botnets Through User Notification Across the Ecosystem" ([http://www.otalliance.org/docs/OTA%20Botnet%20Notification%20Whitepaper2012.pdf full-text]).

== See also ==

<div style="{{column-count|3}}">

* [[A Road Map Toward Resilience Against Botnets]]
* [[Anti-Botnet Advisory Center]]
* [[Benign bot]]
* [[Bot]]
* [[Bot program]]
* [[Bot-herder]]
* [[Botmaster]]
* [[Botnets as a Vehicle for Online Crime]]
* [[Botnet code]]
* [[Botnet infiltration]]
* [[Botnet management]]
* [[Botnet operator]]
* [[Botnets as a Vehicle for Online Crime]]
* [[Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress]]
* [[Botnets: Measurement, Detection, Disinfection and Defence]]
* [[Butterfly botnet]]
* [[Guide on Policy and Technical Approaches Against Botnet]]
* [[Hackers, Fraudsters and Botnets: Tackling the Problem of Cyber Crime]]
* [[Industry Botnet Group]]
* [[ITU Botnet Mitigation Toolkit]]
* [[Malicious bot]]
* [[Malware & Botnet Initiative]]
* [[Models To Advance Voluntary Corporate Notification to Consumers Regarding the Illicit Use of Computer Equipment by Botnets and Related Malware]]
* [[Proactive Policy Measures by Internet Service Providers against Botnets]]
* [[Recommendations for the Remediation of Bots in ISP Networks]]
* [[The Fight Against the Threat from Botnets]]
* [[The Role of Internet Service Providers in Botnet Mitigation: An Empirical Analysis Bases on Spam Data]]
* [[Understanding Hidden Threats: Rootkits and Botnets]]
* [[U.S. Anti-Bot Code of Conduct (ABCs) for Internet Service Providers (ISPs)]]
* [[Working Group 7 Botnet Remediation]]

</div>
[[Category:Technology]]
[[Category:Computer crime]]
[[Category:Internet]]