Introduction to Bots
In the beginning, bots, short for "robots," were neutral entities and non-malicious. Windows Internet worms entered the wild in the late 1990s, leading to the automation of malicious code. Bots emerged from this landscape. The term "botnets" itself actually appears to have been coined from "robot networks." The word "robot" has a Czech derivation from the word "robotovat," which means "to work." This is also very similar to the Russian word "rabotat," which has the same meaning. When formed into groupings of bots, or botnets (networks or groupings of bot-infected computers), the aggregate resources are quite powerful. Botnet, therefore, is an apt definition: bots are highly adaptable worker bees that do their master's bidding over a broad "net," which in the case of bots is scattered throughout the global Internet.
Thus, there are both "good bots" and "bad bots"; it simply depends on how the bots are being used. Good bots are employed for various legitimate functions but have generally been completely overshadowed by their bad bot counterparts. This book is about the latter, which is to say that a bot is not "bad" or "illegal" in and of itself, only in how it is used.
In many respects, Trojan horse programs (or Trojans), which are malicious computer programs that do not replicate, marked the dawn of criminal operations using malicious code. In the late 1990s, Trojans became increasingly popular amongst multiple actors. Many Trojans gave malicious actors complete control over a computer and often included a control panel called "fun stuff" to open the CD-ROM tray, flash the keyboard lights, change the desktop, produce customized error windows, and more. More importantly, Trojans included file management and keylogging capabilities, leading to the theft of credit card numbers, online account information, software license keys, and more. Trojans, as opposed to most "viruses," provided attackers with a wealth of information necessary for financial gain.
Malicious bots marked the next major step in the criminalization of malicious code, a significant step up from Trojans. Malicious bots are often thought of as a combination of a remote access Trojan (RAT) and a worm, able to provide an attacker with remote access and the ability to spread like a worm.
Early bots started as a series of simple projects within a small community. Some were done privately, like Ago's (an early programmer of bots) AgoBot creation. Others were open source, like the infamous SDBot family. Over time, each matured with new functionality and improvement of code. At the same time, malicious actors began to monetize stolen information.
Bots always stood out from traditional Trojans in several ways:
- Bots are more automated and scalable than one-off Trojan attacks.
- Bots typically had a much more committed and involved community of members.
- Most botherders (malicious actors controlling a collection of bot-infected computers) were more technical than the average Trojan actor.
- Botherders were more calculating, precise, and controlled in how they spread their creations and leveraged stolen data for illicit gain.
- Botherders were more progressive in their development of new exploit code and improvement of brute force attacks upon computers.
Automation of attacks is a key differentiation between Trojans and bots. Early bots reaped great success, relative to their day, with thousands of computers infected.
With so much information at their hands, botherders had a new challenge: how to efficiently manage and monetize stolen information. This led to the development of improved keylogging capabilities, back-end databases, and more focused botnet attacks upon specific subnets or regions. Over time, the community changed from grabbing "chick flicks" of girls caught on a webcam of an infected computer to monetizing stolen credit card numbers and stolen license keys, and leveraging compromised online accounts. Botherders continue to be largely male, teenage but increasingly older, and seeking financial gain.
Once criminalization became a reality within the botnet world, "hacker-for-hire" opportunities abounded. Botherders started advertising their services in the underground, such as the rental of bots for distributed denial of service (DDoS) attacks, amongst other services. Figure 1.1 shows an example of a DDoS attack, likely against an enemy group online.
Today bots are highly prevalent in the wild. Sadly for some networks, bots are an unwanted auditing tool, quickly compromising noncompliant or outdated computers. There are public reports of botnets that contain 1 million or more zombies (infected computers). Bots today are no longer simple Internet Relay Chat (IRC)-controlled networks but also include private peer-to-peer (P2P) networks and Web-based command and control (C&C) versions.
We have compiled information that shows significant differences between many public reports and analyzed hacker log files, with actual infections 4000 percent greater than publicly reported in some cases. Sizing up the scope of infection today has become even more difficult, because many bots are now split up by attackers into smaller botherds. This allows for greater redundancy and resiliency against being shut down by others. Newer bots, like the Storm or Peacomm worm family, have public estimates of zombies in the millions. The integration of bots, exploits, social engineering, and automation of many aspects of criminalization lends itself to the increased success of attacks through multiple successful attack vectors.
How many botnets are out there today? Symantec has estimated that there were 5 million distinct bot-infected computers in the period between January 1 and June 30, 2007. This was a 17 percent decrease from what was observed during the last six months of 2006, according to Symantec. Symantec posits a possible change in attack methods as one key reason for the overall decrease. Symantec also estimated the life span of an average bot during the first six months of 2007 to be four days.