Botnets


Botnet is a jargon term for a collection of software robots, or bots, which run autonomously and can be remotely controlled as a group, usually through a means such as IRC, and usually for nefarious purposes.


A botnet can be a collection of cracked machines running programs (usually referred to as worms, Trojan horses, or backdoors) under a common command and control infrastructure. The individual programs manifest themselves as IRC "bots". Often the command and control is via an IRC server or a specific channel on a public IRC network. A bot typically runs hidden and speaks the protocol defined in RFC 1459. Generally, botnets are made up of systems compromised using various tools (exploits, buffer overflows, and others; see also RPC). Newer bots are able to automatically scan for and propagate through vulnerabilities and weak passwords. Generally, the more vulnerabilities a bot is able to scan for and propagate through, the more valuable it is to the botnet owner community.
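Because the bots speak plain RFC 1459, a defender who captures the IRC traffic can parse it and look for a channel being joined by many machine-named clients. The following is an added example, not code from the original article: the log lines are constructed, and the nick shape it looks for (three capital letters, a pipe, digits) is an assumption chosen for the example rather than a documented bot family.

```python
"""Parse RFC 1459 IRC lines and flag channels that look like a bot rendezvous."""
import re
from collections import defaultdict

# RFC 1459 line: [':' <prefix> ' '] <command> {' ' <param>} [' :' <trailing>]
IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+) )?"           # optional sender prefix (nick!user@host)
    r"(?P<command>[A-Za-z]+|\d{3})"      # word command or 3-digit numeric reply
    r"(?P<params>(?: [^:\s]\S*)*)"       # middle params (a param may not start with ':')
    r"(?: :(?P<trailing>.*))?$"          # trailing param, may contain spaces
)

def parse_irc(line):
    """Return (nick, COMMAND, params) or None for a malformed line."""
    m = IRC_LINE.match(line.rstrip("\r\n"))
    if not m:
        return None
    params = m.group("params").split()
    if m.group("trailing") is not None:
        params.append(m.group("trailing"))
    prefix = m.group("prefix")
    nick = prefix.split("!")[0] if prefix else None   # nick!user@host -> nick
    return nick, m.group("command").upper(), params

# Assumed (constructed) machine-generated nick shape, e.g. "USA|48213".
BOT_NICK = re.compile(r"^[A-Z]{3}\|\d{4,}$")

def find_c2_channels(lines, min_joins=5, bot_ratio=0.8):
    """Channels where >= min_joins distinct nicks joined and most nicks look machine-made."""
    joiners = defaultdict(set)
    for line in lines:
        parsed = parse_irc(line)
        if parsed is None:
            continue
        nick, cmd, params = parsed
        if cmd == "JOIN" and nick and params:
            for chan in params[0].split(","):   # JOIN accepts a comma-separated list
                joiners[chan].add(nick)
    flagged = []
    for chan, nicks in joiners.items():
        botlike = sum(1 for n in nicks if BOT_NICK.match(n))
        if len(nicks) >= min_joins and botlike / len(nicks) >= bot_ratio:
            flagged.append(chan)
    return sorted(flagged)

# Constructed capture: five bot-style joins to #ops, two humans in #linux.
SAMPLE = """:irc.example.test 001 USA|48213 :Welcome
:USA|48213!x@10.0.0.5 JOIN :#ops
:DEU|10077!x@10.0.0.6 JOIN :#ops
:GBR|55912!x@10.0.0.7 JOIN :#ops
:FRA|30041!x@10.0.0.8 JOIN :#ops
:CAN|77120!x@10.0.0.9 JOIN :#ops
:alice!a@10.0.1.2 JOIN :#linux
:bob!b@10.0.1.3 JOIN :#linux
:alice!a@10.0.1.2 PRIVMSG #linux :anyone around?
PING :irc.example.test"""

if __name__ == "__main__":
    print(find_c2_channels(SAMPLE.splitlines()))
```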


Botnets have become a significant part of the Internet, albeit increasingly hidden. Due to most conventional IRC networks taking measures and blocking access to previously-hosted botnets, owners must now find their own servers. Oftentimes, a botnet will include a variety of connections, ranging from dial-up, DSL, cable, educational, and corporate. Sometimes, a hidden IRC server will be installed on the latter two, as the high-speed connections can support a large number of other bots. This method of using a bot to host other bots has only recently been taken advantage of, as most script kiddies are not knowledgeable enough to do so.


Purpose

Botnets are used for various reasons, including Denial of Service attacks, creation or misuse of SMTP mail relays for spam, click fraud, and the theft of application serial numbers, login IDs, and financial information such as credit card numbers. In the botnet owner community, there is a constant and continuous struggle over who has the most bots, the highest overall bandwidth, and the largest amount of "high-quality" infected machines (commonly university, corporate, and even government machines).


Server & Command Structure

Botnet servers will often be linked, and may contain 20 or more individual cracked high-speed connected machines as servers, linked together, for purposes of greater redundancy. Actual botnet communities usually consist of one or several owners that consider themselves as having legitimate access (note the irony) to a group of bots. Command hierarchies between the owners are rarely highly developed, and rely on individual friend-to-friend relationships. Oftentimes conflicts will occur between the owners as to who owns the individual rights to which machines, and what sorts of actions may or may not be done to them.


Types of Attacks

Main article: Denial of Service Attacks


Preventive Measures

If a machine receives a Denial of Service attack from a botnet, there are not many choices as to what can be done. Because botnets are so geographically widespread, there is rarely an identifiable pattern among the offending machines, and the sheer volume of individual IP addresses is not susceptible to individual filtering. Attacks originating from a botnet can be identified by Passive OS Fingerprinting. Newer firewall equipment can be configured to take action on a botnet attack by using information obtained from Passive OS Fingerprinting.
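The idea behind acting on a passive fingerprint rather than on individual addresses is that the infected hosts running one bot binary tend to share one TCP/IP stack signature, while a genuine user population does not. The code below is an added example, not from the original article or from any fingerprinting tool: the SYN records are constructed, and the (initial TTL, window size, DF bit) tuple is a deliberately simplified stand-in for the richer signatures tools such as p0f use.

```python
"""Cluster flood sources by a coarse passive OS fingerprint instead of by IP."""
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Syn:
    src: str        # source address as seen at the edge
    ttl: int        # IP TTL as observed (initial value minus hops)
    window: int     # TCP window size advertised in the SYN
    df: bool        # IP don't-fragment bit

def initial_ttl(observed):
    """Round the observed TTL up to the nearest common initial value (32/64/128/255)."""
    for base in (32, 64, 128, 255):
        if observed <= base:
            return base
    return 255

def fingerprint(syn):
    """Simplified passive fingerprint: (initial TTL, window, DF).
    Assumption: hosts infected by one bot binary share one OS family, hence one tuple."""
    return (initial_ttl(syn.ttl), syn.window, syn.df)

def dominant_fingerprint(syns, share=0.6):
    """Return the fingerprint behind at least `share` of the SYNs, or None.
    A normal client mix is diverse; a flood from one bot family is not."""
    if not syns:
        return None
    fp, n = Counter(fingerprint(s) for s in syns).most_common(1)[0]
    return fp if n / len(syns) >= share else None

def build_filter(syns, share=0.6):
    """One fingerprint rule covering many sources, instead of thousands of IP rules."""
    fp = dominant_fingerprint(syns, share)
    if fp is None:
        return None
    hits = [s for s in syns if fingerprint(s) == fp]
    return {"initial_ttl": fp[0], "window": fp[1], "df": fp[2],
            "matches": len(hits), "distinct_sources": len({s.src for s in hits})}

# Constructed records: eight flood sources sharing one stack signature at
# varying hop counts, and three ordinary clients with differing stacks.
FLOOD = [Syn(f"203.0.113.{i}", 128 - i, 65535, True) for i in range(1, 9)]
LEGIT = [Syn("198.51.100.7", 52, 5840, True),
         Syn("198.51.100.8", 118, 8192, True),
         Syn("198.51.100.9", 243, 16384, False)]

if __name__ == "__main__":
    print(build_filter(FLOOD + LEGIT))   # one rule matching all eight flood sources
    print(build_filter(LEGIT))           # None: no dominant fingerprint in normal traffic
```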


Botnets typically use free DNS hosting services such as DynDns.Org, No-IP.Com, and Afraid.Org to point a subdomain towards an IRC server that will harbor the bots. While these free DNS services are not the servers that host the botnet, they are references that are often hard-coded into the botnet executable. If they are removed, the entire botnet will be severed. Recently, these companies have undergone an effort to purge their domains of these subdomains. This is collectively referred to in the botnet community as "nullrouting", because offending subdomains will usually be pointed to an inaccessible IP address.


The botnet server structure mentioned above has inherent vulnerabilities and problems. For example, if one were to find one server with one botnet channel, often all other servers, as well as the other bots themselves, will be revealed. If a botnet server structure is not redundant, the disconnection of one server will cause the entire botnet to collapse (at least until the owner(s) decide on a new hosting space). However, more recent IRC server software includes features to mask other connected servers and bots, so that the discovery of one channel will not lead to much harm.



The Wikipedia article included on this page is licensed under the GFDL.
All other elements are (c) copyright NationMaster.com 2003-5. All Rights Reserved.