The Current State of Botnets
Botnets are networks of computers that work together in a distributed environment. In the context of IT security, botnets are groups of computers that do the bidding of a criminal (known as a bot herder) in charge of the botnet. The bot herder controls all the computers remotely via a command and control center and the individual computers are known as zombies. Zombies regularly check in with the command and control center and download instructions to do to the bidding of the bot herder. Botnet topics are included in many security related certifications.
Certifications that include Botnets
If you’re planning on taking the CompTIA Security+ exam, the (ISC)2 SSCP exam, or the (ISC)2 CISSP exam, you should be aware of some basic information about botnets. Each of these exams may include topics on botnets from these objectives:
- CompTIA Security+
- Differentiate among various systems security threats: Botnets
- (ISC)2 SSCP
- Malicious Code and Activity Domain
- Identify Malicious Code: Botnets
- (ISC)2 CISSP
- Operations Security Domain
- Prevent or Respond to Attacks
The primary way that zombies are recruited into a botnet is through malicious software (malware). Attackers write malicious code to infect the systems, and when run, this code joins the system to the botnet. Users commonly become infected by executing attachments sent through email, or by visiting malicious websites.
Phishing emails often include links to malicious websites. If a user is tricked into clicking a link, they may become the victim of a driveby download, where malware is automatically downloaded and installed on their system as soon as the user visits the website. Other times, the user will be prompted to download and install a Trojan horse that looks like it’s something useful but is actually code that joins them to the botnet.
Some botnet malware starts as a worm. Once the worm finds a computer to infect, it then drops the code onto the system to join it to the botnet. Additionally, some malware travels from computer to computer via removable drives such as USB flash drives. Once a system is infected, it searches for removable drives and infects them as soon as they’re found. For example, if a user inserts a USB flash drive into an infected system, the system infects the flash drive as soon as it’s inserted. Infected USB flash drives infect other systems as soon as they’re moved and inserted into another system.
A primary way to prevent infections from any type of malware is to ensure systems have antivirus (AV) software running and it is up-to-date. However, since new variants of malware are constantly being created, it’s still possible that a new version is out that is not yet detectable by AV software. Educating users about risks of following phishing links, and the dangers of downloading and installing unknown software is always a good practice.
Many botnets are huge and include millions of zombie computers. The following list shows some of these botnets and their suspected sizes.
- ConfickerEstimates range from 9 million to 15 million.
- ZeusEstimated to include 3.6 million computers in the U.S.
- TDLBotnetAEstimates are as high as 2.5 million zombies.
- Cutwail Estimated to include between 1.5 and 2 million computers.
- HamweqEstimates are as high 700,000 zombies.
- Monkif Estimates are over 520 thousand.
It’s worthwhile noting that this list only shows some of the large botnets. Many criminals operate smaller botnets of only thousands or tens of thousands of zombies. While these fly under the radar of many of the published lists of botnets, they still have the potential to cause substantial damage. For example, if a criminal empties your bank account it probably doesn’t matter much to if you were attacked as part of a large or small botnet. You’re still out of money.
Zeus botnets are intriguing, since the infected computers aren’t part of a single botnet. Instead, many bot herders run their own private botnets. However, these botnets share a common functionality of stealing passwords through a backdoor created when the system becomes infected. Microsoft published an article on the Zeus botnet, also known as ZBot. It provides some insightful information on botnets in general, and also on the inner workings of Zbot.
Some notable botnets that have been taken down recently include:
- RustockTaken down in March 2011. Estimated to include 2.4 million zombies and sent out billions of spam daily.
- BredoLabTaken down in October 2010. Estimated to include 30 million zombie computers and generated up to $139,000 a month for the bot herders.
- WaledacTaken down in March 2010. Estimated to include 90,000 zombie computers, and could send out as many as 7,000 spam emails per hour from each zombie.
- KoobfaceTaken down in November 2010. Targeted social networking Websites such as Facebook. One study estimates that the Criminals generated over $2 million between June 2009 and June 2010.
- MariposaTaken down in December 2008. Estimates indicated it had from 8 to 12 million zombies.
Of course, this is another reason for bot herders to limit the size of their botnets. As the Japanese say, the nail that sticks up gets hammered down. Big botnets are targets of law enforcement and often get hammered, while smaller botnets continue to steal money, sometimes converting thriving businesses into businesses facing bankruptcy.
Bot herders use botnets for a variety of different purposes including:
- Denial of service (DoS) attacks. Bot herders can direct each of the zombies in the botnet to launch DoS attacks against any target. When these botnet zombies attack a system, it’s a Distributed DoS (DDoS) attack.
- Send spam. Each of the individual systems in the botnet can be directed to send out spam. This spam could be anything from advertising, to phishing attempts, to emails with malicious attachments. Many botnets send out billions (yes, “billions”with a “B”) of email per day.
- Install spyware. Zombies can be directed to install spyware on their own system. This spyware can be something like a keylogger or a rootkit that can capture all of the user’s activity, and even search for usernames and passwords. The infected system will regularly encrypt the captured data and send it to the bot herder.
- Click fraud. Code can be embedded into scripts to simulate clicks on advertisements. Zombies involved in click fraud are called clickbots. If the advertisement is on the criminal’s website, the criminal receives advertising money directly for the clicks. Additionally, attackers can generate clicks on an enemy company’s advertisements to drain the company’s funds. A company pays for advertisements on a per click basis, so if the attacker can generate thousands of false clicks, it results in lost money for the company.
- Rentals. If the botnets are large enough, bot herders can rent them out to other criminals for use. These other criminals can use them for any of the same purposes.
One of the ways to detect botnets is to monitor traffic going through your network firewall to the Internet. If you have a large amount of traffic from multiple systems going to an unknown server, or your systems are sending out a large volume of email even during non-business hours, it could be they are infected with a botnet. Isolate the systems, update AV software, and run in-depth scans on them.
If you’re preparing for a security-based certification exam, you should be aware of botnets, bot herders, and zombies. They are prevalent on the Internet today, and can cause a significant amount of damage to organizations if they aren’t detected and stopped. A primary way to stop botnets is to prevent initial infections with the use of up-to-date malware, and by educating users on safe computing habits.