Botnet 101: Don't Get Own3d!
You wouldn't want to be at someone's beck and call, especially if they wanted you to perform illegal acts for them. What about your computer? It could easily be turned into a robot, or bot, and go over to the “Dark Side”, taking and giving away important information about you, and you might never have a clue that it is happening.
This short primer covers bots and botnets, and how you can protect yourself from them. The few minutes you take to review it could keep you and your computer out of someone's evil clutches. Read on.
What's a botnet?
A botnet is a network of compromised computers, each acting as a robot (or bot) under the control of a remote user. The botnet communicates with its owner via an external control mechanism, usually an Internet Relay Chat (IRC) channel1. Unfortunately, the programmer generally creates these botnets for disreputable but very lucrative reasons, such as identity theft.
Individual bots are often carefully hidden and run various programs in the background (trojans), scanning for information, vulnerabilities and the opportunity to propagate itself. Hackers often seek out prime breeding grounds for their botnets, such as servers with high-speed connections, which can easily support a large group of bots. Using the computers of others helps hackers to stay anonymous and harder to catch, plus they can use these systems for free!
Botnets with thousands of connected bots are no longer uncommon. The combined capacity of the large number of bots make it possible to disrupt networks through Distributed Denial of Service (DDoS) attacks2 anywhere and anytime the hacker specifies. You could be a “member” of one of these botnets and not even know it!
Why are botnets such bad news?
Attackers can use botnets to carry out an assortment of nasty tasks, such as: keystroke logging3, sniffing traffic, sharing pornography, spewing spam and launching phishing attacks, using your computer to infect other systems, installing just about anything available on the Internet onto your computer, stealing passwords, scanning local area networks for vulnerabilities, distributing pirated media, exploiting vulnerabilities including “backdoors” left open by other worms and Trojans, supporting extortion by threatening DDoS attacks, and encrypting then holding your data hostage (called “ransomware”).
Law enforcement authorities have noted that the driving force behind the spread of botnets is pure and simple: money. There are now big bucks available for little work (most botnet scripts can be easily located and purchased on the Internet) attracting organized crime to the growing potential for profit. Whether collecting $1,000 an attack for temporary access to a botnet that could launch a DDoS, or extorting much larger sums from big businesses (such as online casinos) to cease an attack, easy money can be made sending spam or selling personal information. Here are a couple of figures from 2012 provided in Symantec's Internet Security Threat Report (Volume 18):
- Average number of identities exposed per breach in 2012: 604,826.
- Symantec reported 3.4 million bot zombies during 2012 (up from 3.1 in 2011).
- 42 percent increase in targeted attacks during 2012.
- Web-based attacks up by 30 percent.
- Mobile malware increased by 58 percent, and 32 percent of all mobile threats attempted to steal information, such as e-mail addresses and phone numbers.
- 61 percent of malicious websites are actually legitimate websites that have been compromised and infected with malicious code.
- See the 2013 in Numbers Infographic for a one-page visual breakdown of the stats.
Botnets in the News
- Spam botnet-for-hire used to deliver Android malware: Development marks a new post-startup phase in the Android malware business, on par with that of malicious tech targeting Windows
- Attackers turning to legit cloud services firms to plant malware: Researchers see significant growth in number of malware writers using services like Google Code, Dropbox to distribute their malicious wares (ComputerWorld, Aug 2013)
- Microsoft, US feds disrupt Citadel botnet network: More than 1,400 Citadel botnets, responsible for over $500 million in losses, were disrupted
How easy is it to get “Own3d” (i.e., assimilated into a botnet)?
The most common way to become the home of a bot—also known as being "own3d"—is being tricked into inviting it into your computer. The clever bot master lures you into clicking on a link in email or on the Internet, which then runs a script that will load the malicious software onto your computer, installing the bot or fetching it for installation. Once installed, the bot dutifully calls home for further instructions.
You can also become "0wn3d" by connecting to the Internet with an un-patched vulnerability on your computer or with a weak or non-existent password for your Administrator account. Eventually, some botnet will find its new candidate for assimilation.
If it's so bad, what's Brown doing to protect us?
Botnets are very difficult to detect. We monitor network traffic and look for evidence of botnet activity, however this method is not fool-proof. Botnets have the ability to communicate in many different ways, and some even use encryption. We do detect the result of a botnet infection, such as a Denial Of Service attack or spam being sent from a University-owned machine. The best defense is prevention: don't get infected with a bot in the first place.
Can't I just let Brown take care of this for me?
Nope. There are some responsibilities you need to assume to complete the protection package. Here are the five most important things you can do:
- Keep your computer current and patch any vulnerabilities. Use the Automatic Update feature of your operating system as well as keeping other software current. (A tool such as “Belarc Advisor”provides a list of the patches and software installed on your system, including the latest versions.)
- Don't open unexpected attachments.
- Look before your leap. Ignore enticements to click on strange links, whether in emails, chat rooms or unknown web sites. There could be a bot catcher waiting for you at the other end.
- Use an alternate web browser such as Firefox for general web browsing.
- Set your web browser so it won't automatically run scripts. For Internet Explorer, click Tools > Internet Options > Security. Then click the Security tab and select the Internet icon and click "Default Level" button. Select "High" security level for this zone and click OK.
- Keep your anti-malware software up to date. If you don't have it installed, do so now. It's free and available from the Software Catalog.
What do I do if I'm Own3d?
If you suspect that your system has become part of a botnet, the best thing to do is contact the Help Desk (3-HELP or firstname.lastname@example.org). You can find information about the latest threats from the Information Technology home page.
- Botnet", Wikipedia
- "The Evolution of Malicious IRC Bots", John Canavan, Symantec Security Response
- "Beware the Botnet: Swiss Army Knife of Chaos!!", Missouri University of Science & Technology (article no longer available online)
- "Bots, Drones, Zombies, Worms and other things that go bump in the night", SwatIT.org (article no longer available online)
- "It's All about the Botnets", Paul Asadoorian, SANS Advisor newsletter, August 2005, vol 1, no. 2 (article no longer available online)
Author: Pat Falcon | Contributor/Editor: Paul Asadoorian, GCIA, GCIH
Originally Published: 02/09/2006 | Updated: 08/14/2013
1 - In 1993, Robey Pointer created a bot, called Eggdrop, for a legitimate and useful purpose: to watch over a chat channel. In those days, Internet Relay Chat (IRC) was used to communicate with others in disparate locations having similar interests. Eventually, scripts were written to automate several tasks, such as handling access privileges, file distribution, log stats, or run games. It also allowed IRC operators to link many instances of the bot together and leverage their collective power.
Eventually, someone discovered other, less legitimate uses for this powerful mechanism. In June 1999, PrettyPark.Worm emerged as the first worm to make use of IRC as a means of remote retrieval of a variety of information about the compromised machines. By 2003, high profile worm outbreaks such as Blaster and Sasser resulted in publicized hunts for the perpetrators and increased cooperation between law enforcement organizations and software vendors such as Microsoft. For a complete history, see “The Evolution of Malicious IRC Bots” by John Canavan, Symantec Security Response, at http://securityresponse.symantec.com/avcenter/reference/the.evolution.of.malicious.irc.bots.pdf.
2 - For a complete definition of “DDos”, see the WhatIs.com article at http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci557336,00.html
3 - A keystroke logger (or keylogger) is a program or device that once installed will collect the keystrokes of the computer's unaware user (such as user IDs and passwords). Keystroker loggers are often unknowingly downloaded as spyware.