Bots the Armoured Warriors

Issue: June-July 2011 By Lt General (Retd) P.C. Katoch

Botnets have turned malicious and become big business. In simple terms, a botnet is a network of infected end-hosts (bots) under the command of a botmaster.

Whether we will ever be invaded by Martians or other life forms from outer space is speculative, but we are already being invaded by bots and botnets at an alarming rate. As if Sobig, Rbot, SDBot, Phatbot and Agobot, with more than 500 variants between them, were not enough, 2010 saw massive constellations such as 'Rustock' controlling over a million bots, and 'Cutwail' and 'Grum' each controlling hundreds of thousands; the common factor is a mesmerising rate of growth. To spread their bots further and faster, attackers have started using bots as the payloads of worms. As the worms scan the Internet and infect vulnerable machines, each newly infected machine joins the botnet, exponentially increasing the number of bots under the attacker's control.

2010 also saw the unleashing of the 'Stuxnet' worm, spearheading heightened malicious activity that affected over 6,000 computers in India, reportedly caused a malfunction in INSAT-4B, and affected some 73,000 computers in the countries of South East Asia. We are also witnessing the relentless expansion of China's bot armies in line with her strategic ambitions. Globally, data breaches are costing individual organisations enormous amounts, and the cumulative cost to a country may run to lakhs of crores. In this war in cyberspace the stakes are so high that, national policy formulation for cyber security notwithstanding, there is no short cut: every organisation must individually focus on adequate security measures to prevent breaches.

The Botnet Phenomenon

According to Wikipedia, a botnet is a collection of bots (short for robots) under a common command and control structure that run autonomously, typically controlled by one person or a group of people. Bots are programmes installed on different computers that perform actions for the controller (the botmaster). Bots originated purely from the need for automation, were used mainly within Internet Relay Chat (IRC) and instant messaging (IM), and were not malicious in nature: they were conceived for tasks like protecting a channel or deflecting a user away from a channel, and for providing entertainment in the process. Cyber attackers eventually discovered their value for automating attacks and controlling scores of infected computers. Today's botnets are essentially malicious and have turned into big business; such a botnet, in simple terms, is a network of infected end-hosts (bots) under the command of a botmaster. 1999 saw the first publicly discovered malicious botnets, the distributed denial of service (DDoS) tools 'trinoo', Tribe Flood Network (TFN) and 'stacheldraht'. Using proprietary command and control structures, these zombie networks launched DDoS attacks against Yahoo, Microsoft, eBay and others.

As cyber attackers looked for more and more targets and refined the speed of their attacks, they moved away from the methods used by the early DDoS tools and onto public IRC networks. This became the attacker's paradise: a password-protected chat room could be used to control the bots while keeping them out of sight of the general public. In an IRC-based botnet, the attacker first infects a computer with his bot using any of numerous available methods. The bot then connects back and logs into a chat room (channel) on the IRC command and control (C&C) server, typically a public IRC server on a network such as EFnet or Undernet. The botmaster, having connected to the same channel, can then send commands to the bot on the infected computer and have it perform any number of tasks. Through the IRC server, the attacker keeps increasing his army of bots at incredible speed. Over time, other command and control channels for malicious botnets were added: HTTP, and P2P networks such as KaZaA. Beyond the exploitation of known vulnerabilities, social engineering became the main attack vector, using spam and phishing e-mail, website downloads, instant messaging and so on. Bots became synonymous with worms, being malicious code that spreads in much the same way as worms or spyware. A botmaster usually uses the bots already in his botnet to spread further in a number of ways: scanning other computers for known vulnerabilities and exploiting them to install the bot, or sending out spam or phishing e-mails or IM messages to socially engineer a victim into downloading the bot software from a website.
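As an added example (not code from the original article), the following Python script looks at the exchange just described from the defender's side: it parses a handful of constructed IRC lines, as a network sensor or proxy might log them, and scores each client for the classic indicators of an IRC bot: a machine-generated nick, a JOIN to a keyed channel, dot-prefixed commands issued to the channel by a single 'master' nick, and the status replies the bot posts back. The channel name, nicks, command vocabulary and IP addresses are all made up for illustration, and a real sensor would need a far larger command list.

```python
"""Score IRC sessions for classic bot command-and-control indicators.

Added example run over constructed IRC traffic lines; every name, channel,
command and address below is invented for illustration.
"""
import re
from collections import defaultdict

# Constructed sensor log: "client_ip> raw IRC line" as a proxy or IDS might record it.
SAMPLE_LOG = """\
10.0.0.7> NICK USA|38411
10.0.0.7> USER a 0 * :a
10.0.0.7> JOIN #c0ntr0l s3cret
10.0.0.7> :m4ster!~x@evil.example PRIVMSG #c0ntr0l :.login p4ss
10.0.0.7> :m4ster!~x@evil.example PRIVMSG #c0ntr0l :.advscan lsass 100 5 0 -r -s
10.0.0.7> PRIVMSG #c0ntr0l :[SCAN]: Random Port Scan started on 10.0.x.x:445
10.0.0.9> NICK alice
10.0.0.9> USER alice 0 * :Alice
10.0.0.9> JOIN #linux
10.0.0.9> PRIVMSG #linux :anyone know a good irc client?
"""

# Indicator patterns (assumed, modelled on the COUNTRY|digits nicks and dot-commands
# of the Agobot/SDBot family; tune to what your own sensors see).
BOT_NICK = re.compile(r"^[A-Z]{2,3}\|\d{3,}$")
BOT_CMD = re.compile(r"^[.!](login|advscan|scan|ddos|syn|udp|download|update|keylog)\b")
BOT_REPLY = re.compile(r"^\[(SCAN|DDoS|DOWNLOAD|KEYLOG|MAIN)\]")


def parse_line(raw):
    """Split 'src> [:prefix] CMD args [:trailing]' into its IRC components."""
    src, _, line = raw.partition("> ")
    prefix = None
    if line.startswith(":"):                      # server/user prefix on relayed messages
        prefix, _, line = line[1:].partition(" ")
    head, _, trailing = line.partition(" :")      # trailing parameter may contain spaces
    parts = head.split()
    if not parts:
        return src, prefix, "", [], trailing
    return src, prefix, parts[0], parts[1:], trailing


def score_sessions(log):
    """Return {client_ip: [indicator, ...]} for clients with at least two indicators."""
    findings = defaultdict(list)
    for raw in log.splitlines():
        src, prefix, cmd, args, trailing = parse_line(raw)
        if cmd == "NICK" and args and BOT_NICK.match(args[0]):
            findings[src].append("bot-style nick %s" % args[0])
        elif cmd == "JOIN" and len(args) >= 2:   # second argument is the channel key
            findings[src].append("joined keyed channel %s" % args[0])
        elif cmd == "PRIVMSG":
            if prefix and BOT_CMD.match(trailing):
                master = prefix.split("!", 1)[0]  # the nick the bot takes orders from
                findings[src].append("command %r from %s" % (trailing.split()[0], master))
            elif not prefix and BOT_REPLY.match(trailing):
                findings[src].append("bot status reply %r" % trailing.split(":")[0])
    return {src: hits for src, hits in findings.items() if len(hits) >= 2}


if __name__ == "__main__":
    for src, hits in score_sessions(SAMPLE_LOG).items():
        print(src)
        for hit in hits:
            print("  " + hit)
```

Requiring two independent indicators keeps a lone unusual nick or a keyed channel from raising an alert on its own; the recorded master nick is what lets an analyst see which user the bots are written to obey.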

Command and Control

The preferred command and control method for botnets is IRC, its disadvantages being that it is usually unencrypted and easy to get into, take over or shut down. Botnets can use either public or private IRC networks, each with its own advantages and disadvantages. Dynamic DNS services are used frequently: the bots are programmed to connect to a specific IRC or HTTP server by name, the botmaster points that dynamic DNS name at the command and control server, and he can then move the server simply by updating the name. However, since the bots still rendezvous on a fixed name (or IP address), the ISP or the network administrator can just as easily change what that name resolves to, or block it, and prevent the bots from connecting at all.
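The dynamic DNS rendezvous described above can be spotted at the resolver, because every bot has to look up the same name and the answer changes whenever the botmaster moves the server. The Python below is an added example, not from the article: it reads constructed passive DNS log lines, flags names under assumed dynamic DNS parent zones that several internal hosts resolve and whose answer has changed within the window, and emits BIND response policy zone (RPZ) records that make those names return NXDOMAIN. Hostnames, the parent zones, client and server addresses and the thresholds are all invented for illustration.

```python
"""Find a dynamic-DNS rendezvous name in resolver logs and emit a block rule.

Added example with constructed data: the hostnames, zones, clients and answers
are made up; DYNDNS_ZONES would hold the real dynamic DNS provider zones.
"""
from collections import defaultdict

# Constructed resolver log: "epoch_seconds client_ip qname answer_ip"
DNS_LOG = """\
1000 10.0.0.7 c2.no-ip.example 198.51.100.10
1005 10.0.0.12 c2.no-ip.example 198.51.100.10
1010 10.0.0.31 c2.no-ip.example 198.51.100.10
4600 10.0.0.7 c2.no-ip.example 203.0.113.77
4605 10.0.0.12 c2.no-ip.example 203.0.113.77
4700 10.0.0.55 c2.no-ip.example 203.0.113.77
1200 10.0.0.7 www.example.org 192.0.2.1
1300 10.0.0.12 www.example.org 192.0.2.1
2000 10.0.0.12 cam.no-ip.example 198.51.100.200
"""

DYNDNS_ZONES = ("no-ip.example", "dyndns.example")  # assumed parent zones for illustration
MIN_CLIENTS = 3   # distinct internal hosts resolving the same name
MIN_ANSWERS = 2   # the answer changed at least once (server was moved)


def parse_log(log):
    """Return [(ts, client, qname, answer)] with qnames normalised."""
    rows = []
    for line in log.splitlines():
        ts, client, qname, answer = line.split()
        rows.append((int(ts), client, qname.lower().rstrip("."), answer))
    return rows


def in_dyndns_zone(qname):
    return any(qname == z or qname.endswith("." + z) for z in DYNDNS_ZONES)


def find_rendezvous_names(rows):
    """Names under a dynamic DNS zone that many hosts resolve and that have moved."""
    clients = defaultdict(set)
    answers = defaultdict(dict)            # qname -> {answer_ip: first_seen_ts}
    for ts, client, qname, answer in rows:
        clients[qname].add(client)
        answers[qname].setdefault(answer, ts)
    hits = {}
    for qname in clients:
        if not in_dyndns_zone(qname):
            continue
        if len(clients[qname]) >= MIN_CLIENTS and len(answers[qname]) >= MIN_ANSWERS:
            hits[qname] = {
                "clients": sorted(clients[qname]),
                # answers ordered by when each was first seen
                "answers": sorted(answers[qname], key=answers[qname].get),
            }
    return hits


def rpz_records(hits):
    """BIND RPZ policy lines: 'name CNAME .' answers NXDOMAIN for the flagged name."""
    return ["%s CNAME ." % qname for qname in sorted(hits)]


if __name__ == "__main__":
    found = find_rendezvous_names(parse_log(DNS_LOG))
    for qname, info in found.items():
        print(qname, "clients:", info["clients"], "answers:", info["answers"])
    print("\n".join(rpz_records(found)))
```

The client threshold matters because dynamic DNS has plenty of legitimate users (home cameras, hobby servers): in the constructed log, cam.no-ip.example is resolved by one host and is left alone, while c2.no-ip.example is resolved by four hosts and has moved once, which is exactly the rendezvous pattern a botmaster relies on and an administrator can sinkhole.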

There are a number of different ways to control bots:

  • Dynamic DNS services are often used
  • The most common method is IRC (public or private)
  • Bots log into a specific IRC channel
  • Bots are written to accept specific commands and execute them (sometimes only from specific users)
  • Disadvantages with IRC