For those of you who are maybe living in a cave (and if so, what ISP services you?), of the millions of computers in the world, a good portion of them are not controlled completely by the person who is paying for their Internet service. These computers, hijacked by a successful hacking campaign, and controlled by another person, we call bots, or zombies. One bot is less useful than a collection of bots, called a botnet. A botnet could range in size from 10,000 to 1.5 million hijacked computers.
I've been observing, and writing about, botnets for some time.
- In November 2004, some bad guys very deviously hijacked a German advertising server, and 4 other servers, and delivered the Bofra / IFrame exploit to 5,000 - 10,000 computers. These computers became part of a botnet.
- In May 2005, we saw a practical application of a botnet, as the Sober worm was used to distribute spam relevant to a German political battle.
- Last year, we had botnets being used to hijack Blogger blogs, and create networks of blogs serving spam.
- This year, we can see a demonstration of a script used to manage a botnet, and in this case, to place spam posts on hundreds of online forums, simultaneously.
Most people don't realise that botnets are both the origination vehicle, the medium, and the payload of a successful attack. And the smarter botnet managers use botnets to manage the botnets used in an attack, using commercial and very shiny scripts.
Botnets are used to originate an attack. If any of you owns a server, and you review the server access logs (and if you do, and don't, you better remove your head from the place where the sun don't shine, and start), you'll notice anomalies.
- Password attempts
has to be observed - it's an obvious attack!
- Any persistent, but seemingly random series
Abracadabracoming from the same computer, is pretty obvious too.
- You probably won't notice
Abracadabra coming from a computer in Russiaas an attack. That might be one, but how can you tell? Botnets are distributed widely, and are perfect for distributed, throttled attacks.
MyDogHasFleas coming from a computer in Brazil
NowIsTheTime coming from a computer in USA
Botnets are used to transmit an attack. A lot of spam consists of links to websites, and the business of the spammer will be conducted from a website. This requires 3 highly specialised servers.
- An email distribution server. This will typically be a server running Simple Mail Transfer Protocol (aka SMTP).
- A website. This will typically be a server running HTTP (and if you use the web, you know about HTTP).
- A DNS server, providing the IP address of the HTTP server.
You can generally consider email validity, and filter your email, based upon the servers involved. Any time you get commercial email that includes a link to a product website, and that email / web site uses the same server for DNS, HTTP, and SMTP, it's possibly bogus. If 3 different servers are used, but they are on different subnets, or even in different countries, it's probably bogus.
Modern spammers, though, can easily use 3 separate computers. All the spammer has to do is find 3 computers (legally owned and operated by one, two, or three different individuals) on the same subnet. So open are many ISP address spaces (customers) to being botted, this is not at all difficult.
Botnets are the payload of an attack. A lot of websites linked from the spam (using components described above), which you have gotten used to as simply containing advertisements for products of varying legitimacy, may instead carry trojans. If you fall victim, and infect your computer, it becomes part of the botnet.
To understand botnet management, and how sophisticated it has become, let's look at the history of botnet use.
- Originally, the trojans distributed would contain the IP address of the attacker. Each botted computer would load the bot, contact the computer owned by the botnet master, and await instructions. That was a major exposure to the botnet managers. So, they cloaked their identity.
- Each botted computer would attach to the Internet, frequently into an IRC forum, and await instructions. The botnet manager would login to the same forum, and provide instructions. That was a slight amount of exposure to the botnet managers, so, they further cloaked their identity.
- With botnets being so easy to use, the botnet managers will now proxy their access to the IRC forums thru another botnet. That botnet is never used in an attack, it's only used to hide the identity of the botnet master.
- And now, we see commercial products designed and marketed explicitly to provide GUI controlled manipulation of botnets.
This is why I have described all of this - the attack attempt, the medium, the payload, and attack management, all involve hacking. That's all it is. And botnets are at the center of the hacking.
And that's what botnets have to do with you.
For more information about botnets, see the University Of Maryland Botnet Blog, with a very intense white paper.