August 8, 2010

Botnet: A Automated Software Robot used to Attack the Sites

(1): Spammer's web site (2): Spammer (3): Spam...
Botnet is a jargon term for a collection of software robots, or bots, that run autonomously and automatically. The term is often associated with malicious software but it can also refer to the network of computers using distributed computing software. While botnets are often named after their malicious software name, there are typically multiple botnets in operation using the same malicious software families, but operated by different criminal entities.

While the term "botnet" can be used to refer to any group of bots, such as IRC bots, this word is generally used to refer to a collection of compromised computers (called Zombie computers) running software, usually installed via drive-by downloads exploiting Web browser vulnerabilities, worms, Trojan horses, or backdoors, under a common command-and-control infrastructure.

A botnet's originator (aka "bot herder" or "bot master") can control the group remotely, usually through a means such as IRC, and usually for nefarious purposes. Individual programs manifest as IRC "bots". Often the command-and-control takes place via an IRC server or a specific channel on a public IRC network. This server is known as the command-and-control server ("C&C"). Though rare, more experienced botnet operators program their own commanding protocols from scratch. The constituents of these protocols include a server program, client program for operation, and the program that embeds itself on the victim's machine (bot). All three of these usually communicate with each other over a network using a unique encryption scheme for stealth and protection against detection or intrusion into the botnet network.

A bot typically runs hidden and uses a covert channel (e.g. the RFC 1459 (IRC) standard, twitter or IM) to communicate with its C&C server. Generally, the perpetrator of the botnet has compromised a series of systems using various tools (exploits, buffer overflows, as well as others; see also RPC). Newer bots can automatically scan their environment and propagate themselves using vulnerabilities and weak passwords. Generally, the more vulnerabilities a bot can scan and propagate through, the more valuable it becomes to a botnet controller community. The process of stealing computing resources as a result of a system being joined to a "botnet" is sometimes referred to as "scrumping."

Botnets have become a significant part of the Internet, albeit increasingly hidden. Due to most conventional IRC networks taking measures and blocking access to previously-hosted botnets, controllers must now find their own servers. Often, a botnet will include a variety of connections and network types. Sometimes a controller will hide an IRC server installation on an educational or corporate site where high-speed connections can support a large number of other bots. Exploitation of this method of using a bot to host other bots has proliferated only recently as most script kiddies do not have the knowledge to take advantage of it.

Several botnets have been found and removed from the Internet. The Dutch police found a 1.4 million node botnet and the Norwegian ISP Telenor disbanded a 10,000-node botnet. Large coordinated international efforts to shut down botnets have also been initiated. It has been estimated that up to one quarter of all personal computers connected to the internet may be part of a botnet.

Types of attacks

  • Denial-of-service attacks where multiple systems autonomously access a single Internet system or service in a way that appears legitimate, but much more frequently than normal use and cause the system to become busy.

  • Adware exists to advertise some commercial entity actively and without the user's permission or awareness.

  • Spyware is software which sends information to its creators about a user's activities.

  • E-mail spam are e-mail messages disguised as messages from people, but are either advertising, annoying, or malicious in nature.

  • Click fraud is the user's computer visiting websites without the user's awareness to create false web traffic for the purpose of personal or commercial gain.

  • Access number replacements are where the botnet operator replaces the access numbers of a group of dial-up bots to that of a victim's phone number. Given enough bots partake in this attack, the victim is consistently bombarded with phone calls attempting to connect to the internet. Having very little to defend against this attack, most are forced into changing their phone numbers (land line, cell phone, etc).

  • Fast flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies.
Botnet servers will often liaise with other botnet servers, such that a group may contain 20 or more individual cracked high-speed connected machines as servers, linked together for purposes of greater redundancy. Actual botnet communities usually consist of one or several controllers that rarely have highly-developed command hierarchies between themselves; they rely on individual friend-to-friend relationships.[citation needed]

The architecture of botnets has evolved over time, and not all botnets exhibit the same topology for command and control. Depending upon the topology implemented by the botnet, it may make it more resilient to shutdown, enumeration, Command and control location discovery. However, some of these topologies limit the saleability and rental potential of the botnet to other third-party operators[5]. Typical botnet topologies are:

  • Star

  • Multi-server

  • Hierarchical

  • Random
To thwart detection, some botnets were scaling back in size. As of 2006, the average size of a network was estimated at 20,000 computers, although larger networks continued to operate.

Preventive measures
If a machine receives a denial-of-service attack from a botnet, few choices exist. Given the general geographic dispersal of botnets, it becomes difficult to identify a pattern of offending machines, and the sheer volume of IP addresses does not lend itself to the filtering of individual cases. Passive OS fingerprinting can identify attacks originating from a botnet: network administrators can configure newer firewall equipment to take action on a botnet attack by using information obtained from passive OS fingerprinting. The most serious preventive measures utilize rate-based intrusion prevention systems implemented with specialized hardware.

Some botnets use free DNS hosting services such as,, and to point a subdomain towards an IRC server that will harbor the bots. While these free DNS services do not themselves host attacks, they provide reference points (often hard-coded into the botnet executable). Removing such services can cripple an entire botnet. Recently, these companies have undertaken efforts to purge their domains of these subdomains. The botnet community refers to such efforts as "nullrouting", because the DNS hosting services usually re-direct the offending subdomains to an inaccessible IP address.

The botnet server structure mentioned above has inherent vulnerabilities and problems. For example, if one was to find one server with one botnet channel, often all other servers, as well as other bots themselves, will be revealed. If a botnet server structure lacks redundancy, the disconnection of one server will cause the entire botnet to collapse, at least until the controller(s) decides on a new hosting space. However, more recent IRC server software includes features to mask other connected servers and bots, so that a discovery of one channel will not lead to disruption of the botnet.

Several security companies such as Afferent Security Labs, Symantec, Trend Micro, FireEye, Simplicita and Damballa have announced offerings to stop botnets. While some, like Norton AntiBot, are aimed at consumers, most are aimed to protect enterprises and/or ISPs. The host-based techniques use heuristics to try to identify bot behavior that has bypassed conventional anti-virus software. Network-based approaches tend to use the techniques described above; shutting down C&C servers, nullrouting DNS entries, or completely shutting down IRC servers.

Newer botnets are almost entirely P2P, with command-and-control embedded into the botnet itself. By being dynamically updateable and variable they can evade having any single point of failure. Commanders can be identified solely through secure keys and all data except the binary itself can be encrypted. For example a spyware program may encrypt all suspected passwords with a public key hard coded or distributed into the bot software. Only with the private key, which only the commander has, can the data that the bot has captured be read.

Newer botnets have even been capable of detecting and reacting to attempts to figure out how they work. A large botnet that can detect that its being studied can even DDoS those studying it off the internet.

There is an effort by researchers at Sandia National Laboratories to analyze the behavior of these botnets by simulatenously running one million Linux kernels as virtual machines on 4,480-node Dell high-performance computer cluster[

List of Botnets (Source Wikipedia)

  • Conficker

  • Kraken

  • Srizbi

  • Bobax

  • Rustock

  • Cutwail

  • Storm

  • Donbot

  • Grum

  • Onewordsub

  • Mega-D

  • Nucrypt

  • Wopla

  • Spamthru

  • Attack Team

  • SilverNet
Internet Crime Complaint Center - A partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C). Alerts for consumers and easy-to-use reporting mechanism for fraud. Formerly the Internet Fraud Complaint Center.

List of Internet Security Resources

  • The Anatomy of Clickbot.A - Provides a detailed case study of the architecture of the Clickbot.A botnet that attempted a low-noise click fraud attack against syndicated search engines. The botnet of over 100,000 machines was controlled using a HTTP-based botmaster.

  • - Information about avoiding scams involving Eastern European women, especially Russian ones.

  • Artists Against 419 - Covering advanced fee fraud scams and fake banks.

  • The Best Scams - A guide to various scams and fraudulent operations.

  • - Fraud Guide - Consumer guide to preventing and fighting eBay, escrow, auto, internet, cashiers check, and Nigerian scams. Tips on how to spot phony escrow companies and report the scammers.

  • Cyber Criminals Most Wanted - Overview of cyber criminal activity that includes safety, security, viruses, scams, filtering, encryption, hackers and government legislation.

  • Cybercrime - Computer crime section of the Department of Justice contains links relating to internet commerce, intellectual property crimes, cybercrimes and general information.

  • Digital Age Fraud - Central source of information about the Digital Age Cyprus MasterCard/Visa fraudulent charge.

  • Easy Background Check - Modeling company background check website.

  • Federal Bureau of Investigation - Common Fraud Schemes - Describes scams to avoid, most of which are internet-related.

  • FraudWatchers.Org - An archive of various scams and fraudulent activities, plus a multilingual support forum.

  • - Identifies "Get-Paid-To" websites that don't live up to their promises.

  • Hoaxes, Scams and Rip-offs - Basics on hoaxes, scams and rip-offs on the internet. How to spot them and where to report them. Useful links

  • Hoaxkill - Lists and links identifying Internet virus hoaxes, chain letters, urban legends, parodies of hoaxes, and discussion forum.

  • How to Avoid Internet Investment Scams - Securities and Exchange Commission information about investment fraud.

  • Internet Fraud - Department of Justice site includes information defining Internet fraud, what to do about it, and where to go to get more information.

  • Internet ScamBusters - Extensive information on fraud, scams, hoaxes, urban legends and credit card fraud. Free e-zine and reports.

  • An Introduction to Internet Fraud - A introduction explaining many aspects of fraud on the internet.

  • Junk Email - Resource site for dealing with e-mail scams.

  • Money Laundering Fraud - Tracks current fraudulent "money mule" operations operated through the Internet.

  • National Fraud Information Center - Provides a page devoted to Internet fraud.

  • PhishBucket - An archive of fraudulent and suspect emails, concentrating on bogus job offers and related topics.

  • - Moderated complaints service covering consumer interests, government and politics.

  • Scam Victims United - Information on scams and support from other victims.

  • Spam: Where to Complain About Frauds & Scams on the Internet - Links to government, advocacy, and watchdog groups accepting consumer complaints about Internet fraud and scams.

  • Stop-scammers - Information on dating fraud plus an archive of emails, documents and pictures. Membership required for some features.

  • VMyths - Extensive resource for identifying and debunking computer virus hoaxes and myths.

  • Web Host Scams - Outlines things one should watch out for when signing up with a web host.

  • WebAssured - Consumer protection service site provides means to register complaints, free ShopAssured download alerts shoppers when entering e-commerce site, free reports on business's consumer performance.

    About the Author


    Author & Editor

    Has laoreet percipitur ad. Vide interesset in mei, no his legimus verterem. Et nostrum imperdiet appellantur usu, mnesarchum referrentur id vim.

    Post a Comment

    Iwebslog Blog © 2015 - Designed by