Botnet
"Botnet" is a jargon term for a collection of software robots, or bots, that run autonomously.
While the term "botnet" can be used to refer to any group of bots, such as
IRC bots, the word is generally used to refer to a collection of compromised
machines running programs (usually referred to as worms, Trojan horses, or
backdoors) under a common command and control infrastructure. A botnet's
originator can control the group remotely, usually through a means such as IRC,
and usually for nefarious purposes. Individual programs manifest as IRC "bots".
Often the command and control takes place via an IRC server or a
specific channel on a public IRC network. A bot typically runs hidden, and
complies with the
RFC 1459 (IRC) standard. Generally, the perpetrator of the botnet has
compromised a series of systems using various tools (exploits, buffer overflows,
and others; see also RPC). Newer bots can automatically scan their environment and propagate
themselves using vulnerabilities and weak passwords. Generally, the more
vulnerabilities a bot can scan and propagate through, the more valuable it
becomes to a botnet owner community.
Botnets have become a significant part of the Internet, albeit an increasingly
hidden one. Because most conventional IRC networks now take measures to block
botnets previously hosted on them, owners must find their own servers.
Often, a botnet will include a variety of connections, spanning dial-up,
DSL, cable, educational, and corporate links. Sometimes, an owner will hide an IRC
server installation on an educational or corporate site, where high-speed
connections can support a large number of other bots. Exploitation of this
method of using a bot to host other bots has proliferated only recently, as most
script kiddies lack the knowledge to take advantage of it.
Several botnets have been found and removed from the Internet. The Dutch
police found and dismantled a
100,000 node botnet and the Norwegian ISP Telenor disbanded a
10,000 node botnet. Large
coordinated international efforts to shut down botnets have also been
initiated.
Purpose
Figure: using a botnet to send spam.
- A botnet operator sends out viruses or worms, infecting ordinary users'
Windows PCs.
- The PCs log into an IRC server or other communications medium.
- A spammer purchases access to the botnet from the operator.
- The spammer sends instructions via the IRC server to the infected PCs.
- The infected PCs send out spam messages to mail servers.
Botnets serve various purposes, including denial-of-service attacks, creation
or misuse of SMTP mail relays for spam,
click fraud, and the theft of application serial numbers, login IDs, and
financial information such as credit card numbers. The botnet owner community
features a constant and continuous struggle over who has the most bots, the
highest overall bandwidth, and the largest number of "high-quality" infected
machines (commonly university, corporate, and even government machines).
Organization
Botnet servers will often liaise with other botnet servers, such that a group
may contain 20 or more individual cracked high-speed connected machines as
servers, linked together for purposes of greater redundancy. Actual botnet
communities usually consist of one or several owners who consider themselves as
having legitimate access (note the irony) to a group of bots. Such owners rarely
have highly-developed command hierarchies between themselves; they rely on
individual friend-to-friend relationships. Often conflicts will occur between
the owners as to who owns the individual rights to which machines, and what
sorts of actions they may or may not permit.
Preventive measures
If a machine receives a Distributed Denial of Service attack from a botnet, few choices exist. Given the
general geographic dispersal of botnets, it becomes difficult to identify a
pattern of offending machines, and the sheer volume of IP addresses does not
lend itself to filtering individual cases. Passive OS fingerprinting can identify attacks originating from a botnet:
network administrators can configure newer firewall equipment to act on
a botnet attack using information obtained from passive OS fingerprinting.
Botnets typically use free DNS hosting services such as
DynDns.org, No-IP.com, and Afraid.org to point a
subdomain towards an IRC server that will harbor the bots. While these free DNS
services do not themselves host attacks, they provide reference points, often
hard-coded into the botnet executable. Removing such services can cripple an
entire botnet. Recently, these companies have undertaken efforts to purge their
domains of these subdomains. The botnet community refers to such efforts as "nullrouting", because the DNS hosting services usually direct the offending subdomains to an
inaccessible IP address.
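The IRC-based command and control described earlier, and the hard-coded free dynamic-DNS names described here, give a defender two signals to correlate. The following added example (not from the original article) shows a detection heuristic over constructed flow-log lines: it flags an external destination that several internal hosts contact on an IRC port or through one of the named dynamic-DNS providers. The log format, the sample flows and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Conventional IRC ports; 6667 is the default port RFC 1459 clients use.
IRC_PORTS = {6667, 6668, 6669, 6697}
# Free dynamic-DNS providers named in the text; a hostname under one of these
# is not proof of anything by itself, only a signal to combine with the port.
FREE_DNS_SUFFIXES = (".dyndns.org", ".no-ip.com", ".afraid.org")

# Constructed log format (assumption): "src -> dst:port host=<resolved name>"
FLOW_RE = re.compile(r"^(?P<src>\S+) -> (?P<dst>\S+):(?P<dport>\d+) host=(?P<host>\S+)$")

# Constructed sample flows from a fictional internal network (not real data).
SAMPLE_FLOWS = [
    "10.0.0.11 -> 203.0.113.5:6667 host=ctl.example.dyndns.org",
    "10.0.0.12 -> 203.0.113.5:6667 host=ctl.example.dyndns.org",
    "10.0.0.13 -> 203.0.113.5:6667 host=ctl.example.dyndns.org",
    "10.0.0.14 -> 198.51.100.7:443 host=mail.example.net",
    "10.0.0.15 -> 198.51.100.9:6667 host=irc.example.org",
    "not a flow line",
]


def parse_flow(line):
    """Parse one flow line into a dict, or return None for lines that do not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
            "host": m["host"].lower()}


def is_c2_like(flow):
    """True when the flow targets an IRC port or a free dynamic-DNS hostname."""
    return flow["dport"] in IRC_PORTS or flow["host"].endswith(FREE_DNS_SUFFIXES)


def find_candidate_c2(lines, min_sources=3):
    """Group C2-like flows by destination and keep destinations that several
    distinct internal hosts contact: one user on IRC is normal, a cluster of
    machines checking in to the same server is the bot pattern."""
    sources_by_dst = defaultdict(set)
    for line in lines:
        flow = parse_flow(line)
        if flow and is_c2_like(flow):
            sources_by_dst[flow["dst"]].add(flow["src"])
    return {dst: sorted(srcs) for dst, srcs in sources_by_dst.items()
            if len(srcs) >= min_sources}


if __name__ == "__main__":
    for dst, srcs in find_candidate_c2(SAMPLE_FLOWS).items():
        print(f"possible C&C server {dst}: contacted by {len(srcs)} hosts {srcs}")
```

On the sample data only 203.0.113.5 is reported; the single user on irc.example.org stays below the threshold.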
The botnet server structure mentioned above has inherent vulnerabilities and
problems. For example, if one were to find one server with one botnet channel,
often all other servers, as well as the bots themselves, would be revealed. If
a botnet server structure lacks redundancy, the disconnection of one server will
cause the entire botnet to collapse (at least until the owner(s) decide on a
new hosting space). However, more recent IRC server software includes features to mask other connected servers and bots, so that the discovery
of one channel will not lead to much harm.
Online Advertising, made by MultiMedia | Free content and software
This guide is licensed under the GNU
Free Documentation License. It uses material from the Wikipedia.