Botnet

Botnet is a jargon term for a collection of software robots, or bots, which run autonomously and automatically. They run on groups of "zombie" computers controlled remotely by hackers. The term can also refer to a network of computers using distributed computing software.


While the term "botnet" can be used to refer to any group of bots, such as IRC bots, the word is generally used to refer to a collection of compromised computers (called zombie computers) running programs, usually referred to as worms, Trojan horses, or backdoors, under a common command and control infrastructure. A botnet's originator (aka "bot herder") can control the group remotely, usually through a means such as IRC, and usually for nefarious purposes. Individual programs manifest as IRC "bots". Often the command and control takes place via an IRC server or a specific channel on a public IRC network. A bot typically runs hidden, and complies with the RFC 1459 (IRC) standard. Generally, the perpetrator of the botnet has compromised a series of systems using various tools (exploits, buffer overflows, as well as others; see also RPC). Newer bots can automatically scan their environment and propagate themselves using vulnerabilities and weak passwords. Generally, the more vulnerabilities a bot can scan and propagate through, the more valuable it becomes to a botnet controller community. The process of stealing computing resources as a result of a system being joined to a "botnet" is sometimes referred to as "scrumping".


Botnets have become a significant part of the Internet, albeit increasingly hidden. Due to most conventional IRC networks taking measures and blocking access to previously-hosted botnets, controllers must now find their own servers. Often, a botnet will include a variety of connections, ranging from dial-up, ADSL and cable, and a variety of network types, including educational, corporate, government and even military networks. Sometimes, a controller will hide an IRC server installation on an educational or corporate site, where high-speed connections can support a large number of other bots. Exploitation of this method of using a bot to host other bots has proliferated only recently, as most script kiddies do not have the knowledge to take advantage of it.


Several botnets have been found and removed from the Internet. The Dutch police found a 1.5 million node botnet[1] and the Norwegian ISP Telenor disbanded a 10,000-node botnet.[2] Large coordinated international efforts to shut down botnets have also been initiated.[3] It has been estimated that up to one quarter of all personal computers connected to the internet are part of a botnet.[4]

Organization

Botnet servers will often liaise with other botnet servers, such that a group may contain 20 or more individual cracked high-speed connected machines as servers, linked together for purposes of greater redundancy. Actual botnet communities usually consist of one or several controllers who consider themselves as having legitimate access to a group of bots. Such controllers rarely have highly-developed command hierarchies between themselves; they rely on individual friend-to-friend relationships. Often conflicts will occur between the controllers as to who gets the individual rights to which machines, and what sorts of actions they may or may not permit.[citation needed] There have been several famous botnet collections, known as VastGsm, OG (can be found on irc.bluehell.org - #bottalk), Rob-, and many others. They have infected millions of computers via the latest exploits.[citation needed] Botnets are a part of social engineering hacks.


Formation and exploitation

Using a botnet to send spam

This example illustrates how a botnet is created and used to send email spam.

  1. A botnet operator sends out viruses or worms, infecting ordinary users' computers, whose payload is a trojan application -- the bot.
  2. The bot on the infected PC logs into a particular IRC server (or in some cases a web server). That server is known as the command-and-control server (C&C).
  3. A spammer purchases access to the botnet from the operator.
  4. The spammer sends instructions via the IRC server to the infected PCs, causing them to (5) send out spam messages to mail servers.

Botnets are exploited for various purposes, including denial-of-service attacks, creation or misuse of SMTP mail relays for spam (see Spambot), click fraud, and the theft of application serial numbers, login IDs, and financial information such as credit card numbers.


The botnet controller community features a constant and continuous struggle over who has the most bots, the highest overall bandwidth, and the largest number of "high-quality" infected machines, such as university, corporate, and even government machines.[citation needed]


Botnet lifecycle

  • Bot-herder configures initial bot parameters such as infection vectors, payload, stealth, C&C details
  • Register DDNS
  • Bot-herder launches or seeds new bot(s)
  • Bots spreading -- growing
  • Losing bots to other botnets
  • Stasis -- not growing
  • Abandon botnet and sever traces
  • Unregister DDNS
  • Single bot's lifecycle
    • Establish C&C
    • Scanning for vulnerable targets to install bots
    • Take-down
    • Recovery from take-down
    • Upgrade with new bot code
    • Idle


Types of attacks

  • Denial-of-service attack, where multiple systems autonomously access a single Internet system or service in a way that appears legitimate, but much more frequently than normal use, causing the system to become overloaded.
  • Adware exists to advertise some commercial entity actively and without the user's permission or awareness.
  • Spyware is software which sends information to its creators about a user's activities.
  • E-mail spam consists of e-mail messages disguised as messages from people, but which are either advertising, annoying, or malicious in nature.
  • Click fraud is the user's computer visiting websites without the user's awareness to create false web traffic for the purpose of personal or commercial gain.


Preventive measures

If a machine receives a denial-of-service attack from a botnet, few choices exist. Given the general geographic dispersal of botnets, it becomes difficult to identify a pattern of offending machines, and the sheer volume of IP addresses does not lend itself to the filtering of individual cases. Passive OS Fingerprinting can identify attacks originating from a botnet: network administrators can configure newer firewall equipment to take action on a botnet attack by using information obtained from Passive OS Fingerprinting. The most serious preventive measures utilize rate-based intrusion prevention systems implemented with specialized hardware.


Botnets typically use free DNS hosting services such as DynDns.org, No-IP.com, and Afraid.org to point a subdomain towards an IRC server that will harbor the bots. While these free DNS services do not themselves host attacks, they provide reference points, often hard-coded into the botnet executable. Removing such services can cripple an entire botnet. Recently, these companies have undertaken efforts to purge their domains of these subdomains. The botnet community refers to such efforts as "nullrouting", because the DNS hosting services usually direct the offending subdomains to an inaccessible IP address.


The botnet server structure mentioned above has inherent vulnerabilities and problems. For example, if one server hosting a botnet channel is found, often all other servers, as well as the bots themselves, are revealed. If a botnet server structure lacks redundancy, the disconnection of one server will cause the entire botnet to collapse, at least until the controller(s) decide on a new hosting space. However, more recent IRC server software includes features to mask other connected servers and bots, so that the discovery of one channel will not lead to disruption of the botnet.


Several security companies such as Symantec, Trend Micro, FireEye, Simplicita and Damballa have announced offerings to stop botnets. While some, like Norton Anti-Bot (aka Sana Security), are aimed at consumers, most are aimed at protecting enterprises and/or ISPs. The host-based techniques use heuristics to try to identify bot behavior that has bypassed conventional antivirus. Network-based approaches tend to use the techniques described above: shutting down C&C servers, null-routing (re-directing) DNS entries, or completely shutting down IRC servers.
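The two network-side indicators this article describes, many zombies logging into one IRC command-and-control server and a single host relaying spam to many mail servers, can be checked against connection logs. The following is an added example, not code from the original article or any vendor named above; the flow record format, the monitored address range, the list of IRC ports and the thresholds are all assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")      # assumed monitored address space
IRC_PORTS = set(range(6660, 6670)) | {7000}   # assumed: common IRC listener ports
SMTP_PORT = 25

# Constructed sample flow records: "ts src_ip dst_ip dst_port" (not real traffic)
SAMPLE_FLOWS = """
1180000000 10.0.0.5  203.0.113.10 6667
1180000001 10.0.0.7  203.0.113.10 6667
1180000002 10.0.0.9  203.0.113.10 6667
1180000003 10.0.0.11 203.0.113.20 6667
1180000010 10.0.0.5  198.51.100.1 25
1180000012 10.0.0.5  198.51.100.2 25
1180000014 10.0.0.5  198.51.100.3 25
1180000016 10.0.0.5  198.51.100.4 25
1180000030 10.0.0.20 198.51.100.1 25
1180000031 10.0.0.20 198.51.100.2 25
1180000100 10.0.0.7  198.51.100.1 25
1180000200 10.0.0.7  198.51.100.2 25
1180000300 10.0.0.7  198.51.100.3 25
1180000400 10.0.0.7  198.51.100.4 25
"""

def parse_flows(text):
    """Parse one record per line into (ts, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport = line.split()
            flows.append((int(ts), src, dst, int(dport)))
    return flows

def smtp_relay_suspects(flows, window=60, max_servers=3):
    """Internal hosts that contact more than max_servers distinct mail servers on
    port 25 within any window-second span (spam relay indicator).
    Returns {src_ip: peak number of distinct servers seen in one window}."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == SMTP_PORT and ip_address(src) in INTERNAL_NET:
            by_src[src].append((ts, dst))
    suspects = {}
    for src, hits in by_src.items():
        hits.sort()  # sliding window over this host's SMTP connections
        for i, (start, _) in enumerate(hits):
            servers = {d for t, d in hits[i:] if t - start <= window}
            if len(servers) > max_servers:
                suspects[src] = max(suspects.get(src, 0), len(servers))
    return suspects

def irc_rendezvous(flows, min_hosts=3):
    """External (ip, port) IRC endpoints that at least min_hosts distinct internal
    hosts connect to: a shared C&C rendezvous point worth investigating."""
    hosts = defaultdict(set)
    for _, src, dst, dport in flows:
        if (dport in IRC_PORTS and ip_address(src) in INTERNAL_NET
                and ip_address(dst) not in INTERNAL_NET):
            hosts[(dst, dport)].add(src)
    return {k: sorted(v) for k, v in hosts.items() if len(v) >= min_hosts}

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("SMTP relay suspects:", smtp_relay_suspects(flows))
    print("Shared IRC endpoints:", irc_rendezvous(flows))
```

Host 10.0.0.7 contacts as many mail servers as 10.0.0.5 but spread over several minutes, so only the burst from 10.0.0.5 is flagged; the window size is what separates a mail client from a relay.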



References

  1. Dutch Botnet Suspects Ran 1.5 Million Machines by Gregg Keizer, TechWeb Technology News.
  2. Telenor takes down 'massive' botnet by John Leyden, The Register.
  3. ISPs urged to throttle spam zombies by John Leyden, The Register.
  4. Criminals 'may overwhelm the web', BBC, 25 January 2007.

External links

  • The Honeynet Project & Research Alliance, "Know your Enemy: Tracking Botnets".
  • SwatIt - Bots, Drones, Zombies, Worms - A gallery of botnet structure.
  • The Shadowserver Foundation - An all volunteer security watchdog group that gathers, tracks, and reports on malware, botnet activity, and electronic fraud.
  • NANOG Abstract: Botnets - John Kristoff's NANOG32 Botnets presentation.
  • Mobile botnets - An economic and technological assessment of mobile botnets.
  • Lowkeysoft - Intrusive analysis of a web-based proxy botnet (including administration screenshots).
  • Honeynet - Know Your Enemy: Tracking Botnets - German research paper.
  • WhiteStar - Botnets discussion mailing list.
  • EWeek.com - Is the Botnet Battle Already Lost?.
  • Wired Magazine - Attack of the Bots - How one company fought the new Internet mafia – and lost.
  • Dark Reading - Botnets Battle Over Turf.
  • List of dynamic (dsl, cable, modem, etc) addresses - Filter SMTP mail for hosts likely to be in botnets.

The Wikipedia article included on this page is licensed under the GFDL.