Yes, I know that this is an old topic and almost everyone knows about them by now. Or do they? In my tech support activities, I run into all different levels of PC savvy (and lack thereof). The other day, I was explaining in detail a phishing attack that a client had fallen for. I pointed out all of the obvious hints that the email was bogus and gave her some great tips on how to spot them. She was insistent that the email “came from [a family member]” and that’s why she opened it. I told her that it likely came from one of the spam botnets, not a family member and that the address was spoofed. I was greeted with one of the blankest blank stares I think I’ve ever seen, followed by “What the heck is a botnet?”
So, for those of you who may not know, here’s a rundown of what botnets are and where you can go for even more in depth information.
Botnets are networks of computers that criminal hackers (Crackers) have infected and grouped together under their control to propagate viruses, send illegal spam, and carry out attacks that cause web sites to crash. Most phishing emails like my client received are sent through spam botnets.
You can think of them in this way: “A botnet is comparable to compulsory military service for windows boxes” – Stromberg (http://project.honeynet.org/papers/bots/). The users often have no choice in the matter; their machines are surreptitiously infected when they click on a link or visit an infected website.
What makes botnets exceedingly bad is the difficulty in tracing them back to their creators as well as the ever-increasing use of them in extortion schemes. How are they used in extortion schemes? Imagine someone sending you messages to either pay up or see your web site crash.
Botnets can consist of tens, or hundreds of thousands of compromised machines. With such a large network, botnets can use Distributed denial-of-service (DDoS) as a method to cause mayhem and chaos. For example a small botnet with only 500 bots can bring corporate web sites to their knees. They do this by using the combined bandwidth of all the computers to send a continuous stream of requests to corporate systems and thereby cause their web site to appear offline.
One well-known technique to combat botnets is a honeypot. Honeypots help discover how attackers infiltrate systems. A Honeypot is essentially a decoy machine that one intends to be compromised in order to study how the hackers break the system. Unpatched Windows 2000 or XP machines make great honeypots given the ease with which one can take over such systems.
If you’re interested in finding out more about honeypots, a great site to visit is The Honeynet Project which describes its own site’s objective as “To learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned.”
Know your Enemy: Tracking Botnets is an in-depth paper written by several members of The Honeynet Project. Here’s what they say about it: “In this paper we look at a special kind of threat: the individuals and organizations who run botnets.”
Botnets are, after all, run by criminals for criminal purposes. It’s a fascinating study.