How Botnets Are Built

A botnet is a collection of many computers that have been compromised by an attacker and are being used surreptitiously, usually for some purpose related to cybercrime.

Botnet Methodology:

  • Compromising Systems
    • Email with infected attachment or link to infection site
    • Website with infected code
    • Other protocols: IM, IRC, FTP, P2P, Twitter, and more…
  • Controlling the Botnet
    • Multiple sites
    • “Flux” techniques to shift and hide sites
    • Encryption
    • Agent authentication
  • Making Money
    • Payment for delivered services (see Botnet Uses below)
    • Payment for renting or selling the botnet
  • Botnet Uses
    • Identity and financial access information – stealing information, trafficking in information and even creating identities
    • Delivering spam email – using botnet clients as email relays
    • Distributed Denial of Service (DDoS) attacks – attacking a site from thousands of different locations that change constantly can make it difficult, if not impossible, to defend against the attack
    • Warez, malware distribution, and advertising scams – serving illegal software, using a botnet to launch a new piece of malware, installing adware, pay-per-install and pay-per-click fraud
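The "flux" item under Controlling the Botnet refers to rapidly rotating the IP addresses behind a command-and-control hostname so that blocking any single address does little. From the defender's side, the observable fingerprint is in DNS: very low TTLs and an unusually large, network-diverse set of A records accumulated over repeated lookups. The following is an added example, not code from this page or from any of the linked articles; it scores passive-DNS observations against those indicators. The domain names, IP addresses, snapshots and thresholds are all constructed for illustration.

```python
"""Score DNS observations for fast-flux indicators (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class DnsSnapshot:
    """One resolution of a domain: the TTL returned and the A records in the answer."""
    domain: str
    ttl: int
    a_records: Tuple[str, ...]


def flux_indicators(snapshots: Iterable[DnsSnapshot],
                    max_ttl: int = 300,
                    min_ips: int = 5,
                    min_networks: int = 3) -> Dict[str, dict]:
    """Aggregate snapshots per domain and count how many flux indicators fire.

    Thresholds are assumed starting points for triage, not published constants:
      - max_ttl:      a TTL at or below this is 'low' (flux names rotate quickly)
      - min_ips:      this many distinct A records across snapshots is 'many'
      - min_networks: this many distinct /24 networks is 'diverse' (drones are
                      scattered across unrelated networks, unlike one hosting block)
    """
    per_domain: Dict[str, dict] = {}
    for snap in snapshots:
        entry = per_domain.setdefault(snap.domain, {"ips": set(), "min_ttl": None})
        entry["ips"].update(snap.a_records)
        if entry["min_ttl"] is None or snap.ttl < entry["min_ttl"]:
            entry["min_ttl"] = snap.ttl

    findings: Dict[str, dict] = {}
    for domain, entry in per_domain.items():
        # Collapse each address to its /24 so that a block of adjacent IPs
        # (typical of ordinary hosting) counts as one network.
        networks = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in entry["ips"]}
        reasons = []
        if entry["min_ttl"] <= max_ttl:
            reasons.append(f"low TTL ({entry['min_ttl']}s)")
        if len(entry["ips"]) >= min_ips:
            reasons.append(f"many A records ({len(entry['ips'])})")
        if len(networks) >= min_networks:
            reasons.append(f"addresses spread over {len(networks)} /24 networks")
        findings[domain] = {
            "unique_ips": len(entry["ips"]),
            "unique_networks": len(networks),
            "min_ttl": entry["min_ttl"],
            "score": len(reasons),
            "reasons": reasons,
            # Two or more indicators together are worth an analyst's attention.
            "suspicious": len(reasons) >= 2,
        }
    return findings


# Constructed sample: three lookups of a rotating name (private 10.x addresses
# chosen as obviously fake stand-ins) and two lookups of a stable name.
SAMPLE_SNAPSHOTS = [
    DnsSnapshot("flux-example.test", 60, ("10.1.1.5", "10.2.7.9", "10.3.3.3", "10.4.8.2", "10.5.5.5")),
    DnsSnapshot("flux-example.test", 60, ("10.6.1.1", "10.7.2.2", "10.1.1.5", "10.8.3.3", "10.9.4.4")),
    DnsSnapshot("flux-example.test", 60, ("10.10.1.1", "10.11.2.2", "10.2.7.9", "10.12.3.3", "10.13.4.4")),
    DnsSnapshot("static-example.test", 3600, ("192.0.2.10", "192.0.2.11")),
    DnsSnapshot("static-example.test", 3600, ("192.0.2.10", "192.0.2.11")),
]


if __name__ == "__main__":
    for name, result in flux_indicators(SAMPLE_SNAPSHOTS).items():
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{name}: {flag} score={result['score']} {'; '.join(result['reasons'])}")
```

Treat the score as a triage signal rather than a verdict: large CDNs and load-balanced services also answer with short TTLs and many addresses, so a flagged name should be compared against known-good infrastructure lists and correlated with other evidence (newly registered domain, hosts resolving it that have other infection indicators) before any blocking decision.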

Becoming the six-million-dollar man – [blackhat.com]

Gunter Ollmann
Starting a life of Internet crime is easy; in fact, you’re probably already doing it as far as the RIAA is concerned. Now that you’ve chosen to embark upon a new career, how are you going to get dirty, filthy, stinking rich? How do you become a millionaire? The tool of choice has got to be botnets. Building them is just the start. How do you monetize the tens or hundreds of thousands of machines under your control? Should you harvest confidential and personal information from the victims, or would it be more prudent to become a specialist service provider to other botnet operators? Which models work best, and how can you become a six-million-dollar man within a year?

Build your own botnet with open source software – [wired.com]

Traditionally, botnets have wreaked more havoc than good. By effectively controlling millions of unsuspecting users’ PCs, modern botnets have demonstrated the ability to manage a global infrastructure on an unimaginable scale. By applying the same techniques and approaches used in botnets within your computing environment, you’ll be capable of handling any demands placed on you or your infrastructure.

This how-to article will take a closer look at using common open source components to create your very own botnet for the purposes of securing, protecting, load testing and managing your global internet infrastructure.

Know your Enemy: Tracking Botnets – [honeynet.org]

Honeypots are a well known technique for discovering the tools, tactics, and motives of attackers. In this paper we look at a special kind of threat: the individuals and organizations who run botnets. A botnet is a network of compromised machines that can be remotely controlled by an attacker. Due to their immense size (tens of thousands of systems can be linked together), they pose a severe threat to the community. With the help of honeynets we can observe the people who run botnets – a task that is difficult using other techniques. Due to the wealth of data logged, it is possible to reconstruct the actions of attackers, the tools they use, and study them in detail. In this paper we take a closer look at botnets, common attack techniques, and the individuals involved.

We start with an introduction to botnets and how they work, with examples of their uses. We then briefly analyze the three most common bot variants used. Next we discuss a technique to observe botnets, allowing us to monitor the botnet and observe all commands issued by the attacker. We present common behavior we captured, as well as statistics on the quantitative information learned through monitoring more than one hundred botnets during the last few months. We conclude with an overview of lessons learned and point out further research topics in the area of botnet-tracking, including a tool called mwcollect2 that focuses on collecting malware in an automated fashion.

Botnets – [shadowserver.org]

What is a Botnet?

A botnet is a collection of computers, connected to the internet, that interact to accomplish some distributed task. Although such a collection of computers can be used for useful and constructive applications, the term botnet typically refers to such a system designed and used for illegal purposes. Such systems are composed of compromised machines that are assimilated without their owner’s knowledge.

The compromised machines are referred to as drones or zombies, and the malicious software running on them as ‘bots’.
