Botnets

The legality of botnets is very difficult to establish since each country has its own laws and botnets perform a large number of actions. Moreover, there are still a large number of benign botnets that do have the authorization to control remote computers but do not perform attacks. Some examples of these benign botnets are the network of IRC bots, the SETI@HOME initiative, and the Folding@Home initiative. In contrast, a malicious botnet obtains new computers (bots) without authorization and performs attacks for the gain of its owner (the botmaster). Since 1999, the term botnet has been mainly applied to malicious botnets.

This entry focuses on malicious botnets that pose security issues. It describes the structure and operation of botnets, discusses protecting against botnets, and presents information on several of the most well-known botnets.

Structure and Operation

It is very difficult to classify malicious botnets into categories because their infrastructures are a complex, layered, and interwoven mixture of components. Botnets are usually composed of bots (victim computers that were attacked to be part of the botnet), command-and-control (C&C) servers (computers that control the bots), intermediate servers (computers that hide the owners), C&C channels (communication channels using different protocols), encryption algorithms, and the people controlling the botnet. These components are highly interrelated and interdependent. There are three common classification criteria. The first one is based on their main protocol for communication: hypertext transfer protocol (http), https (secured http), peer-to-peer (P2P) protocol, IRC protocol, or custom protocol. The second is based on their topology: hierarchical, centralized, or P2P. The third is based on the attacks performed: sending spam emails, doing click fraud, or stealing users and passwords, among others. Most of the work done by a botnet relies on malicious actions to operate. This is why the software used by botnets is called malware (from “malicious software”). Botnets typically use different malware to perform each of their actions.

Botnets are highly dynamic, resilient, and adaptive structures. Depending on the importance and size of the botnet, botmasters continually add new bots and C&C servers, change how bots are obtained, and change the protocols, the attacks, and the encryption algorithms. All these changes have two main goals: to avoid disruption and to increase profit. Disruption is avoided because it is more difficult to detect something that is changing. The profit is increased because the botnet is adapted to have more bots. The operation life cycle of a botnet depends on many factors, and it can be summarized in the following five phases: (1) set up a support infrastructure, (2) obtain new bots, (3) control the bots using a C&C channel, (4) use the bots to attack, and (5) profit from the information and resources stolen. Each phase is highly complex and can have several variants.

Depending on the type of botnet, the first phase (setting up the infrastructure) starts with the design of the botnet to decide the topology and protocols to be used. Then a group of servers is obtained for the C&C channel (perhaps buying them from another botmaster), and some domain names are registered for the C&C servers (although it is possible not to use domain names). This first phase can involve more complex tasks such as designing a DGA (domain generation algorithm) for creating domain names or implementing a DNS (domain name system) fast-flux infrastructure. However, the most important part of the first phase is obtaining the new malware to be used by the botnet. Depending on the complexity of the botnet, this may involve buying a malware variant from other attackers, modifying the source code of a known malware, or developing a new type of malware.

Once the bots are infected with the malware, the third phase involves the control of the bots using C&C channels and servers. A C&C channel is any way to remotely control and coordinate the actions of a group of bots. It is usually implemented as a network connection. The most common C&C channels use http protocols (even social networks such as Twitter and Facebook), unknown custom protocols, P2P protocols, or IRC protocols. The goal of any C&C channel is to keep the bots connected and to transmit orders and data. A C&C channel shared by all the bots makes it easier to send orders to all of them at the same time.

To keep the bots connected for a longer time, it is better if the C&C channel is not easily detected. Therefore, C&C protocols have been changing and adapting to mimic the network traffic of normal users. Since the normal traffic of users is mostly http traffic due to the restrictions imposed by most organizations, in 2003 botnets started to migrate their C&C channels to the http protocol.

The C&C channel connects the bot with the C&C server. C&C servers are usually computers that had been attacked and forcefully converted into part of the botnet infrastructure. Usually, C&C servers are not the computers of normal users but unattended computers. They are the computers used by botmasters to control the botnet and therefore are an important part of the botnet. To maximize the chances of survival, C&C servers are usually arranged in a layered structure that hides the botmaster from the defenders. In this way, every communication is routed through several intermediate C&C servers before reaching the botmaster.

The fourth phase is to use the bots to perform different attacks. Botnets have different attack goals and attack methods. Some of the goals are to attack computers and convert them into C&C servers, to attack computers to convert them into bots, to send spam emails to victims, to steal information from the victim computers (e.g., credit card information, cookies, credentials, emails, contacts), or to mimic actions from the victim user to forge access to advertising websites. These attacks can be done in different ways depending on the circumstances and are not exclusive to botnets. Typical attacks from bots are to brute force access credentials in other computers, exploit vulnerabilities in other computers, inject HTML (hypertext markup language) code into websites by attacking them using SQL (structured query language) injection attacks, find information on the victim computer, and abuse the resources of the victim computer to mine cryptocurrencies.

The fifth phase is to profit from the information and resources stolen. Among the ways of profiting, botnets are known for selling the stolen credentials on the black market, selling the bots to other botmasters, selling the access to different C&C servers, selling credit card information, selling victims’ identities, obtaining money from encrypting the hard disk of the victim, selling email addresses so others can send spam, and selling the processing capacity of the bots. However, the most profitable use of botnets seems to be the renting of a subset of bots to a client for a limited amount of time. The rent of bots usually works by giving the client access to a webpage where the bots can be ordered and controlled. In this way, the botmaster does not lose control of the bots, and the client has a very simple access interface to perform the attacks.

Protection Strategies

Protection from botnet actions is done by a distributed effort of many companies, organizations, individuals, researchers, and universities. The defending strategies include detecting the malware files on computers (e.g., by using antivirus tools); detecting the indicators of compromise used by the botnet, such as IP (Internet protocol) addresses and domain names; shutting down the domain names; and detecting the malicious behaviors of the botnet by using machine learning techniques. The vast amount of information to analyze, the number of botnets and malware to detect, the continuous updates of the malware, and the behavioral changes make the detection of botnets a very difficult task.
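Two of the strategies above, matching indicators of compromise and detecting botnet behavior, can be sketched over a proxy log. This is an added example, not part of the original entry: the log format, IP addresses, domains, and thresholds are constructed, and a simple timing-regularity heuristic stands in for the machine learning techniques the entry mentions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed IoC list (placeholder domain under the reserved .example TLD).
IOC_DOMAINS = {"cc-placeholder.example"}
# Constructed proxy log, one request per line: "timestamp client-ip host".
SAMPLE_LOG = """\
2024-01-01T10:00:02 10.0.0.7 beacon-placeholder.example
2024-01-01T10:00:10 10.0.0.5 news.example
2024-01-01T10:00:40 10.0.0.5 news.example
2024-01-01T10:05:01 10.0.0.7 beacon-placeholder.example
2024-01-01T10:07:15 10.0.0.5 news.example
2024-01-01T10:09:00 10.0.0.5 news.example
2024-01-01T10:10:03 10.0.0.7 beacon-placeholder.example
2024-01-01T10:12:30 10.0.0.9 cc-placeholder.example
2024-01-01T10:15:02 10.0.0.7 beacon-placeholder.example
2024-01-01T10:20:01 10.0.0.7 beacon-placeholder.example
2024-01-01T10:25:02 10.0.0.7 beacon-placeholder.example
2024-01-01T10:31:30 10.0.0.5 news.example
"""

def parse(log):
    """Group request times (in seconds) by (client, host) pair."""
    flows = defaultdict(list)
    for line in log.strip().splitlines():
        ts, client, host = line.split()
        flows[(client, host.lower())].append(datetime.fromisoformat(ts).timestamp())
    return flows

def detect(log, min_events=5, max_cv=0.1):
    """Return {(client, host): reason} for IoC hits and periodic flows."""
    alerts = {}
    for (client, host), times in parse(log).items():
        if host in IOC_DOMAINS:          # indicator-of-compromise match
            alerts[(client, host)] = "ioc-match"
            continue
        if len(times) < min_events:      # too few requests to judge timing
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # Coefficient of variation near 0 means machine-like regularity,
        # unlike the bursty request pattern of a person browsing.
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            alerts[(client, host)] = f"periodic-every-{round(mean)}s"
    return alerts

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

The timing check needs no prior knowledge of the destination, which matters because IoC lists lag behind the changes botmasters make to their domains and servers.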

Known Botnets

Since their appearance around the year 2000, a large number of botnets have emerged. The following is a nonexhaustive list of known botnets, with a short description of each:

Sebastian Garcia

See also Cookies; Cybertheft; Information Security; Machine Learning; Network Security
