The botnet business
This article discusses zombie networks, or botnets. Readers who are already familiar with the subject will find the information on the latest trends in botnet development of interest. Botnets have been in existence for about 10 years, and experts have been warning the public about the threat they pose for more or less the same period. Nevertheless, the scale of the problem is still underrated, and many users have little understanding of the real threat posed by zombie networks until, that is, their ISP disconnects them from the Internet, money is stolen from their credit cards, or their email or IM account is hijacked.
A botnet is a network made up of computers infected with a malicious backdoor program. The backdoor enables cybercriminals to remotely control the infected computers, which may mean controlling an individual machine, some of the computers making up the network, or the entire network.
Malicious backdoor programs that are specifically designed for use in creating botnets are called bots. Botnets have vast computing power. They are used as a powerful cyber weapon and are an effective tool for making money illegally. The owner of a botnet can control the computers which form the network from anywhere in the world — from another city, country or even another continent. Importantly, the Internet is structured in such a way that a botnet can be controlled anonymously.
Computers infected with a bot can be controlled either directly or indirectly. When bots are controlled directly, the cybercriminal establishes a connection with an infected computer and manages it by using commands built into the bot program. In the case of indirect control, the bot connects to the control center or other machines on the network, sends a request and then performs the command which is returned.
The owner of an infected computer usually does not even suspect that it is being used by cybercriminals. This is why computers infected with bot malware and surreptitiously controlled by cybercriminals are also called zombies, and the networks formed from them zombie networks.
Botnets can be used by cybercriminals to conduct a wide range of criminal activity, from sending spam to attacking government networks. Sending spam is the most common use for botnets, and it is also one of the simplest.
It should be noted that spam is not always sent by the botnet owners themselves: botnets are frequently rented out to spammers. Botnets made up of thousands of computers allow spammers to send millions of messages from infected machines within a very short period of time. In addition to speed and the sheer volume of spam that can be sent, botnets give spammers one more advantage. Addresses used to send spam are quickly blacklisted, and messages coming from these addresses are blocked or automatically flagged as spam by mail servers; sending from thousands of infected machines whose addresses keep changing makes such blacklisting far less effective.
Bots also harvest email addresses stored on infected machines. Stolen addresses are sold to spammers or used by the botnet owners themselves to send spam, and a growing botnet keeps adding new addresses to the harvest. The second most popular method of making money via botnets is to use tens or even hundreds of thousands of computers to conduct DDoS (Distributed Denial of Service) attacks.
This involves sending a stream of false requests from bot-infected machines to the web server under attack. As a result, the server is overloaded and becomes unavailable. Today, many companies do business exclusively on the Internet, so a downed server brings business to a halt and causes financial losses. To restore their servers as soon as possible, such companies are more likely to give in to blackmail than to ask the police for help.
This is exactly what cybercriminals count on, and DDoS attacks are becoming increasingly common. DDoS attacks can also be used as a political tool. In such cases the attacks usually target servers belonging to government organizations. What makes such attacks particularly dangerous is that they can be used as a provocation: a cyber attack on one country can be conducted from computers in another country and controlled from a third.
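The flood described above leaves a characteristic trace in the target's access log: many distinct sources, each sending far more requests than a person would, all within the same short window. The following Python script is an added example (not code from the original article) that scores fixed time windows of a web server's access log on exactly that signal. The log lines are constructed, the IP addresses come from documentation ranges, and the thresholds are illustrative assumptions rather than recommended values.

```python
"""Spotting a distributed flood (DDoS) in web-server access logs.

Added example, not code from the original article. The log lines are
constructed, and the thresholds (10-second windows, 20 requests per source,
5 noisy sources) are illustrative assumptions, not recommended values.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined"-style line, trimmed to the fields we need.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source ip, timestamp, request line) or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["req"]


def flood_windows(lines, window=10, per_source=20, min_sources=5):
    """Group requests into fixed windows and flag windows in which many
    distinct sources each exceed the per-source rate. One loud source is a
    scan or a single-origin DoS; many loud sources at once is the botnet."""
    buckets = defaultdict(Counter)          # window start -> Counter(ip -> requests)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _ = parsed
        start = int(ts.timestamp()) // window * window
        buckets[start][ip] += 1
    report = []
    for start in sorted(buckets):
        counts = buckets[start]
        noisy = sorted(ip for ip, n in counts.items() if n >= per_source)
        report.append({
            "start": datetime.fromtimestamp(start, tz=timezone.utc),
            "requests": sum(counts.values()),
            "sources": len(counts),
            "noisy_sources": noisy,
            "flood": len(noisy) >= min_sources,
        })
    return report


def sample_log():
    """Constructed log: a few legitimate hits, six zombies hammering '/',
    then a single noisy scanner that should NOT be reported as a flood."""
    base = datetime(2008, 5, 20, 12, 0, 0, tzinfo=timezone.utc)

    def entry(ip, t, path):
        return f'{ip} - - [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'

    lines = [entry("198.51.100.7", base + timedelta(seconds=3 * i), "/index.html") for i in range(3)]
    for n in range(6):                       # window 2: 6 zombies x 25 requests
        ip = f"203.0.113.{10 + n}"
        lines += [entry(ip, base + timedelta(seconds=10 + 0.4 * k), "/") for k in range(25)]
    # window 3: one host, 30 requests, i.e. a scan rather than a distributed flood
    lines += [entry("192.0.2.99", base + timedelta(seconds=20 + 0.3 * k), "/admin") for k in range(30)]
    return lines


if __name__ == "__main__":
    for w in flood_windows(sample_log()):
        flag = "FLOOD" if w["flood"] else "ok"
        print(f'{w["start"]:%H:%M:%S} {w["requests"]:4d} req {w["sources"]:2d} src {flag} {w["noisy_sources"]}')
```

A single source exceeding the rate is reported in `noisy_sources` but not flagged as a flood, because that is a scan or a single-origin DoS rather than a botnet. On a real server the thresholds must be derived from the site's normal traffic, and an attacker with enough zombies can stay under any per-source rate, which is precisely what makes the distributed case the hard one.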
Anonymous Internet access. Cybercriminals can use zombie machines to reach web servers and commit cybercrimes such as hacking websites or transferring stolen money. This activity, of course, appears to originate from the infected machines.
Selling and leasing botnets. One option for making money illegally using botnets is to lease them or to sell entire networks. Creating botnets for sale is also a lucrative criminal business.
Phishing. Addresses of phishing pages are often blacklisted soon after they appear. A botnet allows phishers to change the addresses of their phishing pages frequently, using infected computers as proxy servers.
Theft of confidential data. This type of criminal activity will probably never lose its attraction for cybercriminals. A bot used to create a zombie network can download another malicious program, e.g. a password-stealing (PSW) Trojan. Stolen passwords are sold or, in the case of FTP account passwords, used for mass infections of web pages in order to spread the bot program further and expand the zombie network.
Bots can carry out a wide range of commands, but the most common ones are listed below. Command names vary from one bot implementation to another, but the functions performed remain the same.
An update command downloads and launches a file from a specified server, typically a new version of the bot itself. This is the basic command and the first to be executed. It can also be used to infect the computer with other malicious programs such as viruses or worms, or to install other bots on the computer. Using this command, PSW Trojans can be installed on all the computers that make up the botnet at the same time in order to collect all the passwords ever entered on each computer and stored in its memory. The passwords are then sent to a server on the Internet.
A flood command makes every bot send a stream of false network requests to a specified server. Such streams can cause servers to malfunction, making them inaccessible to ordinary users. Attacks of this kind carried out by botnets are called DDoS (distributed denial of service) attacks. Although there are numerous methods that can be used to create false network requests, describing them in detail is beyond the scope of this article.
A proxy command turns the infected computer into a proxy server. This feature makes it possible to use any computer which is part of a botnet as a proxy in order to conceal the real address of the cybercriminal controlling the botnet.
Other commands, which are not as popular as those described above, are only implemented in some bots.
Botnets can also be classified by their architecture. Centralized botnets, in which every zombie connects to a single control center that registers new bots and hands out commands, are the most widespread type of zombie network. Such botnets are easier to create, easier to manage and they respond to commands faster. In decentralized (P2P) botnets, by contrast, each bot connects to several other infected machines rather than to a control center, and commands propagate from bot to bot.
In practice, building decentralized botnets is not an easy task, since each newly infected computer needs to be provided with a list of bots to which it will connect on the zombie network. Combating decentralized botnets is a much more difficult task than combating centralized networks, because an active P2P botnet has no control center to take down.
For a botnet owner to be able to send commands to a bot, a network connection must be established between the zombie machine and the computer transmitting the commands. All network connections are based on protocols that define the rules of interaction between computers on the network. Botnets can therefore also be classified by the network protocol used for control; the main classes, each of which appears in the history below, are IRC-oriented, IM-oriented and web-oriented botnets, along with botnets that use other protocols of their own.
The history of botnets began when the first backdoor programs, the notorious NetBus and BackOrifice, appeared. These were proof-of-concept Trojans, but they were the first to include a complete set of functions for remotely administering infected computers, enabling cybercriminals to perform file operations on remote machines, launch new programs, take screenshots, open and close CD-ROM drives, and so on.
To control an infected computer, a cybercriminal had to establish a connection with each infected machine individually. Even at that stage, remote administration client programs were already able to control several machines at the same time. A malicious user then came up with the idea that computers infected with backdoors should establish the connection themselves and be visible online whenever the machine was switched on and working.
This user was almost certainly a hacker, because the new-generation bots used a communication channel traditionally used by hackers: IRC (Internet Relay Chat).
It is also likely that the development of the new bots was made easier by the fact that existing IRC bots were open source, even though those bots were not designed for remote administration but to respond to user requests, such as questions about the weather or when another user was last seen in the channel.
When it infected a computer, a new bot connected to an IRC server, joined a predefined channel as an ordinary visitor and waited for messages from the botnet owner.
The owner could come online at any time, view the list of bots, send commands to all infected computers at once or send a private message to one infected machine. Developing such bots was not difficult because the IRC protocol has simple syntax.
A specialized client program is not required to use an IRC server: a universal network client such as Netcat or Telnet will do. Information about the new IRC botnets spread rapidly. As soon as articles about them began to appear in hacker magazines, a new breed of malicious users appeared, people who took over existing botnets rather than building their own. They probably knew as much as the botnet owners, but they were after easier money. The next stage in the evolution of botnets was marked by moving control centers onto the World Wide Web.
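The channel-based exchange described in this section, together with the update, flood and proxy commands listed earlier, can be shown end to end without touching a network. The Python below is an added example, not code from the original article or from any real bot: the nicknames, channel, hostmask, server and URL are hypothetical, and the command handlers only record what a bot would do. It also makes the weak point visible: the only "authentication" is a hostmask match on the sender, which says something about how easy it was for the people after easier money, mentioned above, to take over someone else's herd.

```python
"""IRC command-and-control exchange of an early bot, simulated offline.

Added example, not code from the original article. Nicknames, the channel,
the hostmask, the server and the URL are hypothetical; handlers only record
what a real bot would do and open no connections.
"""
import fnmatch
import re
from dataclasses import dataclass, field

IRC_RE = re.compile(r'^(?::(?P<prefix>\S+) )?(?P<cmd>\S+)(?: (?P<params>.*))?$')


def parse_irc(line):
    """Split a raw IRC line into (prefix, COMMAND, [params]). The trailing
    ':'-parameter may contain spaces; that is what carries bot commands."""
    m = IRC_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"malformed IRC line: {line!r}")
    rest = m["params"] or ""
    if rest.startswith(":"):
        params = [rest[1:]]
    elif " :" in rest:
        head, trailing = rest.split(" :", 1)
        params = head.split() + [trailing]
    else:
        params = rest.split()
    return m["prefix"], m["cmd"].upper(), params


# The command set from the article: update (download and run a file),
# flood (DDoS a host), proxy (turn the zombie into a relay). Names vary per bot.
def cmd_update(bot, args):
    if not args:
        return "update: missing url"
    bot.actions.append(("update", args[0]))
    return f"update: fetching {args[0]}"


def cmd_flood(bot, args):
    if len(args) < 2 or not args[1].isdigit():
        return "flood: usage .flood <host> <seconds>"
    bot.actions.append(("flood", args[0], int(args[1])))
    return f"flood: {args[0]} for {args[1]}s"


def cmd_proxy(bot, args):
    port = int(args[0]) if args and args[0].isdigit() else 8080
    bot.actions.append(("proxy", port))
    return f"proxy: listening on {port}"


COMMANDS = {"update": cmd_update, "flood": cmd_flood, "proxy": cmd_proxy}


@dataclass
class Bot:
    nick: str
    channel: str
    owner_mask: str                                # hostmask the bot obeys
    actions: list = field(default_factory=list)    # what the bot would do
    outbound: list = field(default_factory=list)   # lines it would send

    def connect(self):
        # Register a nick and sit in the herd channel, waiting for the owner.
        self.outbound += [f"NICK {self.nick}", f"USER {self.nick} 0 * :{self.nick}",
                          f"JOIN {self.channel}"]

    def handle(self, line):
        prefix, cmd, params = parse_irc(line)
        if cmd == "PING":                          # keep the connection alive
            self.outbound.append(f"PONG :{params[0]}")
            return
        if cmd != "PRIVMSG" or len(params) != 2:
            return
        target, text = params
        if target not in (self.channel, self.nick):    # not addressed to us
            return
        # Authentication is a hostmask match and nothing more.
        if not fnmatch.fnmatchcase(prefix or "", self.owner_mask):
            return
        parts = text[1:].split() if text.startswith(".") else []
        if not parts:
            return
        verb, args = parts[0], parts[1:]
        handler = COMMANDS.get(verb)
        reply = handler(self, args) if handler else f"unknown command: {verb}"
        reply_to = target if target == self.channel else (prefix or "").split("!", 1)[0]
        self.outbound.append(f"NOTICE {reply_to} :{reply}")


def deliver(bots, line):
    """Play the server's part: channel traffic and PINGs reach every bot,
    a private message reaches only the bot it names."""
    _, cmd, params = parse_irc(line)
    for bot in bots:
        if cmd == "PRIVMSG" and params[0] not in (bot.channel, bot.nick):
            continue
        bot.handle(line)


UPDATE_URL = "http://update.example/bot.exe"       # hypothetical


def simulate():
    bots = [Bot(f"zombie{i}", "#herd", "boss!*@*.example.net") for i in range(3)]
    for bot in bots:
        bot.connect()
    transcript = [                                  # constructed server-to-bot lines
        ":irc.example.net PING :irc.example.net",
        f":boss!op@home.example.net PRIVMSG #herd :.update {UPDATE_URL}",      # all bots
        ":boss!op@home.example.net PRIVMSG zombie1 :.proxy 3128",               # one bot
        ":intruder!x@evil.example.org PRIVMSG #herd :.flood victim.example 60",  # wrong mask
    ]
    for line in transcript:
        deliver(bots, line)
    return bots


if __name__ == "__main__":
    for bot in simulate():
        print(bot.nick, bot.actions)
        for line in bot.outbound:
            print("  >>", line)
```

Running it shows the owner's channel message reaching all three bots, the private `.proxy` order reaching only `zombie1`, and the intruder's `.flood` being dropped because the hostmask does not match. Hostmasks are not a secret, so in practice that check held only until someone who knew the channel and the mask cared to impersonate the owner.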
Then somebody developed a method by which a computer on a local area network could connect to a server on the Internet, making it possible to control that computer from anywhere in the world. Descriptions of this method for remotely controlling computers on local area networks, which bypassed protection such as proxy servers and NAT, were published online, and it soon became popular in certain circles.
The method relied on the system's own proxy settings: if the user had configured an address, port, login and password for a proxy server, the authorization mechanism in Wininet, the dynamic-link library that provides HTTP support, was activated automatically, and a program using that library could reach the Internet through the proxy without the user's involvement. The development of semi-legitimate remote administration tools that could evade the protection of machines on local area networks and gain remote access to them paved the way for web-oriented botnets.
A little later, a simple script was developed for controlling small computer networks, and cybercriminals found a way of using such controlled networks to make money. Web-oriented botnets proved a very convenient solution which remains popular to this day; among other things, even a child can learn to use a web interface. The further development of the Internet and improved web development technologies also encouraged the use of web-oriented botnets.
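A web-oriented bot has no channel to sit in; it polls its control panel over HTTP on a timer, and that timer is what a defender can see in outbound-connection logs. The following Python is an added example, not from the original article: it reads a constructed connection log (timestamp, source address, destination host), groups connections by source/destination pair and flags pairs whose inter-connection gaps are nearly constant. The hosts, addresses, log format and thresholds are all assumptions.

```python
"""Finding clockwork beacons in outbound-connection (proxy) logs.

Added example, not from the original article. The log format, hosts,
addresses and timestamps are constructed; the thresholds are illustrative.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

# Constructed format: ISO-8601 timestamp, source IP, destination host.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+)$")


def load(lines):
    """Group connection times by (source, destination) pair; skip junk lines."""
    flows = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            flows[(m["src"], m["dst"])].append(datetime.fromisoformat(m["ts"]))
    return flows


def gap_stats(timestamps):
    """Mean and coefficient of variation (stdev / mean) of the gaps between
    consecutive connections, or None when there are too few to judge."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 5:
        return None
    mu = mean(gaps)
    if mu <= 0:
        return None
    return mu, pstdev(gaps) / mu


def find_beacons(lines, max_cv=0.1):
    """Flag pairs whose gaps are nearly constant: a bot polling its web C2
    on a timer, even with a little jitter, looks nothing like a person browsing."""
    hits = []
    for (src, dst), ts in load(lines).items():
        stats = gap_stats(ts)
        if stats is None:
            continue
        period, cv = stats
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "connections": len(ts),
                         "period_s": round(period), "cv": round(cv, 3)})
    return sorted(hits, key=lambda h: h["cv"])


def sample_log():
    """Constructed log: one zombie beaconing every ~5 minutes, one human."""
    base = datetime(2008, 5, 20, 9, 0, 0, tzinfo=timezone.utc)

    def series(src, dst, gaps):
        t, out = base, [f"{base.isoformat()} {src} {dst}"]
        for g in gaps:
            t += timedelta(seconds=g)
            out.append(f"{t.isoformat()} {src} {dst}")
        return out

    lines = series("10.0.0.5", "panel.example", [300, 305, 295, 310, 290, 300, 303, 297])
    lines += series("10.0.0.9", "www.example", [2, 1, 45, 3, 900, 7, 1, 120])
    lines.append("not a log line")              # malformed input is ignored
    return lines


if __name__ == "__main__":
    for hit in find_beacons(sample_log()):
        print(f'{hit["src"]} -> {hit["dst"]}: {hit["connections"]} connections, '
              f'period {hit["period_s"]}s, cv {hit["cv"]}')
```

Legitimate software polls on timers too (updaters, mail clients, monitoring agents), so a low coefficient of variation is a triage signal to combine with destination reputation and volume, not a verdict. Bots that add wide random jitter to their sleep interval push the value above the threshold, so `max_cv` has to be tuned against the traffic actually observed rather than taken from this example.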
There were also attempts to create botnets controlled via IM services. However, IM botnets never became very widespread, largely because they require creating IM accounts, and it is difficult to register a large number of accounts automatically since the systems that protect against automated registration are constantly being modified. This was not the end of botnet evolution, either: it turned out that botnets with the classic architecture, i.e. a single control center, have a weak point. If the control center is disabled, control over the entire network is lost. P2P botnets avoid this: in principle, each computer in such a botnet can connect to any other computer in the same zombie network. Experiments in creating such networks had been conducted for quite some time, but the first large botnet using P2P architecture was a long time coming. When it did appear it attracted the attention of security researchers: it was created using the malicious program known as the Storm Worm.
The authors of the Storm Worm spread their creation so rapidly that it seemed as though they had set up a conveyor belt for producing new versions of the malicious program.