A botnet is a number of Internet-connected devices, each of which is running one or more Internet bot. Botnets can be used to perform distributed denial-of-service attack (DDoS attack), steal data, send spam, and allows the attacker to access the device and its connection. The owner can control the botnet using command and control (C&C) software. The word "botnet" is a combination of the words "robot" and "Computer network". The term is usually used with a negative or malicious connotation.
Botnets are increasingly rented out by Cybercrime as commodities for a variety of purposes.
In the case of IRC botnets, infected clients connect to an infected IRC server and join a channel pre-designated for C&C by the bot herder. The bot herder sends commands to the channel via the IRC server. Each client retrieves the commands and executes them. Clients send messages back to the IRC channel with the results of their actions.
Newer botnets fully operate over P2P networks. Rather than communicate with a centralized server, P2P bots perform as both a command distribution server and a client which receives commands.
In order to find other infected machines, the bot discreetly probes random IP addresses until it contacts another infected machine. The contacted bot replies with information such as its software version and list of known bots. If one of the bots' version is lower than the other, they will initiate a file transfer to update. This way, each bot grows its list of infected machines and updates itself by periodically communicating to all known bots.
Some botnets implement custom versions of well-known protocols. The implementation differences can be used for detection of botnets. For example, Mega-D features a slightly modified SMTP implementation for testing spam capability. Bringing down the Mega-D's SMTP server disables the entire pool of bots that rely upon the same SMTP server.C.Y. Cho, D. Babic, R. Shin, and D. Song. Inference and Analysis of Formal Models of Botnet Command and Control Protocols, 2010 ACM Conference on Computer and Communications Security.
One problem with using IRC is that each bot client must know the IRC server, port, and channel to be of any use to the botnet. Anti-malware organizations can detect and shut down these servers and channels, effectively halting the botnet attack. If this happens, clients are still infected, but they typically lie dormant since they have no way of receiving instructions. To mitigate this problem, a botnet can consist of several servers or channels. If one of the servers or channels becomes disabled, the botnet simply switches to another. It is still possible to detect and disrupt additional botnet servers or channels by sniffing IRC traffic. A botnet adversary can even potentially gain knowledge of the control scheme and imitate the bot herder by issuing commands correctly.
Some have also used encryption as a way to secure or lock down the botnet from others, most of the time when they use encryption it is public-key cryptography and has presented challenges in both implementing it and breaking it.
Disadvantages of using this method are that it uses a considerable amount of bandwidth at large scale, and domains can be quickly seized by government agencies without much trouble or effort. If the domains controlling the botnets are not seized, they are also easy targets to compromise with denial-of-service attacks.
Fast flux can be used as a way to make it difficult to track down the control servers, which may change from day to day. Control servers may also hop from DNS domain to DNS domain, with domain generation algorithms being used to create new DNS names for controller servers.
Some botnets use free DNS hosting services such as DynDns.org, No-IP.com, and Afraid.org to point a subdomain towards an IRC server that harbors the bots. While these free DNS services do not themselves host attacks, they provide reference points (often hard-coded into the botnet executable). Removing such services can cripple an entire botnet.
Newer bots can automatically scan their environment and propagate themselves using vulnerabilities and weak passwords. Generally, the more vulnerabilities a bot can scan and propagate through, the more valuable it becomes to a botnet controller community. Attack of the Bots at Wired
Computers can be co-opted into a botnet when they execute malicious software. This can be accomplished by luring users into making a drive-by download, exploiting browser exploit, or by tricking the user into running a Trojan horse program, which may come from an email attachment. This malware will typically install modules that allow the computer to be commanded and controlled by the botnet's operator. After the software is downloaded, it will call home (send a reconnection Network packet) to the host computer. When the re-connection is made, depending on how it is written, a Trojan may then delete itself or may remain present to update and maintain the modules.
While botnets are often named after the malware that created them, multiple botnets typically use the same malware but are operated by different entities. Many-to-Many Botnet Relationships, Damballa, 8 June 2009.
Computer security experts have succeeded in destroying or subverting malware command and control networks, by, among other means, seizing servers or getting them cut off from the Internet, denying access to domains that were due to be used by malware to contact its C&C infrastructure, and, in some cases, breaking into the C&C network itself. In response to this, C&C operators have resorted to using techniques such as overlaying their C&C networks on other existing benign infrastructure such as IRC or Tor, using peer-to-peer networking systems that are not dependent on any fixed servers, and using public key encryption to defeat attempts to break into or spoof the network.
Norton AntiBot was aimed at consumers, but most target enterprises and/or ISPs. Host-based techniques use heuristics to identify bot behavior that has bypassed conventional anti-virus software. Network-based approaches tend to use the techniques described above; shutting down C&C servers, null-routing DNS entries, or completely shutting down IRC servers. BotHunter is software, developed with support from the U.S. Army Research Office, that detects botnet activity within a network by analyzing network traffic and comparing it to patterns characteristic of malicious processes.
Researchers at Sandia National Laboratories are analyzing botnets' behavior by simultaneously running one million Linux kernels—a similar scale to a botnet—as virtual machines on a 4,480-node high-performance computer cluster to emulate a very large network, allowing them to watch how botnets work and experiment with ways to stop them.
One thing that's becoming more apparent is the fact that detecting automated bot attacks is becoming more difficult each day as newer and more sophisticated generations of bots are getting launched by attackers. For example, an automated attack can deploy a large bot army and apply brute-force methods with highly accurate username and password lists to hack into accounts. The idea is to overwhelm sites with tens of thousands of requests from different IPs all over the world, but with each bot only submitting a single request every 10 minutes or so, which can result in more than 5 million attempts per day. In these cases, many tools try to leverage volumetric detection, but automated bot attacks now have ways of circumventing triggers of volumetric detection.
One of the techniques for detecting these bot attacks is what's known as "signature-based systems" in which the software will attempt to detect patterns in the request packet. But attacks are constantly evolving, so this may not be a viable option when patterns can't be discerned from thousands of requests. There's also the behavioral approach to thwarting bots, which ultimately is trying distinguish bots from humans. By identifying non-human behavior and recognizing known bot behavior, this process can be applied at the user, browser, and network levels.
|2003||MaXiTE||500-1000 servers||0||MaXiTE XDCC Bot, MaXiTE IRC TCL Script, MaxServ|
|2004 (Early)||Bagle botnet||230,000||5.7||Beagle, Mitglieder, Lodeight|
|Marina Botnet||6,215,000||92||Damon Briant, BOB.dc, Cotmonger, Hacktool.Spammer, Kraken|
|Storm botnet||160,000||3||Nuwar, Peacomm, Zhelatin|
|2006 (around)||2011 (March)||Rustock botnet||150,000||30||RKRustok, Costrat|
|Donbot botnet||125,000||0.8||Buzus, Bachsoy|
|2007 (around)||Cutwail botnet||1,500,000||74||Pandex, Mutant (related to: Wigon, Pushdo)|
|2007 (March)||2008 (November)||Srizbi botnet||450,000||60||Cbeplay, Exchanger|
|2008 (around)||Sality||1,000,000||Sector, Kuku|
|2008 (around)||2009-Dec||Mariposa botnet||12,000,000|
|2008 (November)||Conficker||10,500,000+||10||DownUp, DownAndUp, DownAdUp, Kido|
|2008 (November)||2010 (March)||Waledac botnet||80,000||1.5||Waled, Waledpak|
|Wopla||20,000||0.6||Pokier, Slogger, Cryptic|
|2008 (around)||Asprox botnet||15,000||Danmec, Hydraflux|
|Spamthru||12,000||0.35||Spam-DComServ, Covesmer, Xmiler|
|2009 (May)||November 2010 (not complete)||BredoLab botnet||30,000,000||3.6||Oficla|
|2009 (Around)||2012-07-19||Grum botnet||560,000||39.9||Tedroo|
|2009 (August)||Festi botnet||250,000||2.25||Spamnost|
|2010 (January)||LowSec||11,000+||0.5||LowSecurity, FreeMoney, Ring0.Tools|
|2010 (around)||TDL4||4,500,000||TDSS, Alureon|
|Zeus||3,600,000 (US only)||Zbot, PRG, Wsnpoem, Gorhax, Kneber|
|2010||(Several: 2011, 2012)||Kelihos botnet||300,000+||4||Hlux|
|2011 or earlier||2015-02||Ramnit||3,000,000|
|2013 (early)||2013||Zer0n3t||200+ server computers||4||Fib3rl0g1c, Zer0n3t, Zer0Log1x|
|2012 (Around)||Chameleon botnet||120,000||None|
|2016 (August)||Mirai (malware)||380,000||None|