
Torbec 1

Botnets
Computers have been a part of my life for around 30 years now, going all the way back to the late 1970s when very few people had access to them. As such I have had to deal with a lot of computer problems over the years, from hardware and software issues to the occasional stupid user.

For the most part my focus has always been on computer support, doing everything from working with home users and small businesses to setting up large business networks. However, a few years ago, shortly before I started my undergrad program at DeVry University, my focus switched to computer security.

It seemed like the natural thing for me to do. Computer security has become a major focus in the industry and I have always enjoyed tracking down and solving problems. Plus I had already spent a lot of time dealing with viruses, worms, and the occasional hacker getting in to a system, so how hard could it be? Heck, I even wrote a Trojan of my very own designed to destroy the work I did for a past employer who refused to pay me for my work. By the way, it worked.

However, for the first time after making this switch, and maybe even the first time in my 30 years of using computers, I have come across something that really scares me. In fact, while working on a group project on the subject, I realized that it scared me so much that I tossed aside the case study I had already started because I needed to write more on the subject than I was going to be able to cover in the group project.

So what is it that scares me so much? BOTNETS.

The goal of this paper is to try and educate the reader not only on what Botnets are, but what they are used for, how they work, and how you can protect yourself from them. After all, the only way to break yourself from the fear of something is to really understand it.

So what is a botnet?

A Botnet is a Robotic Network of computers controlled from a single command and control system by a few or even just a single user. While there are legitimate uses for BOTNETs, like distributed computing projects (SETI@HOME) and the creation of the databases used by search engines like Google and Microsoft Bing, the term today is mostly used to describe a network of compromised computers being used without the knowledge of the computers' owners.

As I will explain in more detail later in this paper, this network of compromised computers can consist of a few or even millions of computers, each of which is known as a Zombie or a node¹. Together the Botnet is normally used for illegal purposes by the Botnet's creator, known as a "Bot Herder" or "Bot Master".

The Bot Herder uses a form of Malware known as a BOT Client to take control of vulnerable computers, normally by taking advantage of a known vulnerability that has a patch available, but the patch has not yet been installed on the vulnerable computers. This Bot Client is not a Virus, Trojan, or a Worm, but a hybrid of all three.

¹ The term node can also refer to a group of Zombies.

After he has control, the Bot Herder uses a Command and Control Center (C&C), normally another infected computer, to send orders to the other Zombie computers. This C&C can use one of many or even multiple forms of communication to relay orders or retrieve information from each of the Zombies. I go into more detail on the types of C&C systems later in this paper.

What are Botnets Used For?

In the past the creators of Botnets (Bot Herders) created the network to gain headlines and to prove to others that they could do it. It was more about bragging rights than anything else. However, today Botnets are created for financial gain, both for the Bot Herder and for the people they rent or sell access to the network of Zombies to (Dunham & Melnick, 2008).

A Botnet can be used to do almost anything that requires a large amount of computing power or Internet bandwidth. In many ways its use only depends on the skills and motivation of the Bot Herder. However, based on research done by universities and computer security companies, the most common uses are listed below (Schiller & Binkley, 2007).

Distributed Denial-of-Service Attacks (DDoS)

A Denial of Service Attack (DoS) is an attack on a computer system or network with the goal of denying the use of or access to a specific service or system. While this can be done with a single computer if it has enough bandwidth, the system administrators can easily stop the attack because it is coming from a single source. However, using a Botnet an attacker can perform a Distributed Denial-of-Service Attack (DDoS) in which the Botnet's Zombies are ordered to attack the target at a set date and time. Because the Zombies can be located all over the world, this form of attack is very difficult to stop.
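The difference the paragraph above draws between a single-source DoS and a DDoS comes down to where the requests originate. The following is an added example, not code from the paper, that profiles the sources in a burst of web-server requests so an administrator can see whether there is one address to block or whether the load is spread over many. The two access logs, the thresholds and the IP addresses (documentation-only ranges) are constructed for the example.

```python
"""
Added example, not part of the original paper: profile the sources of a burst
of web requests so an administrator can tell a single-source DoS (one address
to block) from a distributed one (no single address to block). The two access
logs below are constructed for the example; they follow the common Apache/Nginx
access-log layout and use documentation-only IP ranges.
"""
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3})'
)


def _line(ip, sec, path="/"):
    # Build one constructed access-log line (seconds wrap within one minute).
    return f'{ip} - - [15/Jun/2009:10:00:{sec % 60:02d} +0000] "GET {path} HTTP/1.1" 200'


# Constructed: one normal visitor plus 400 requests from a single source.
SINGLE_SOURCE_LOG = [_line("203.0.113.7", 1, "/index.html")] + [
    _line("198.51.100.9", i) for i in range(400)
]

# Constructed: the same 400-request burst spread over 200 distinct sources.
DISTRIBUTED_LOG = [_line("203.0.113.7", 1, "/index.html")] + [
    _line(f"192.0.2.{i % 200 + 1}", i) for i in range(400)
]


def parse_access_log(lines):
    """Parse access-log lines into dicts; lines that do not match are skipped."""
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def source_profile(lines, flood_threshold=100, block_threshold=50):
    """Summarise where a burst of requests comes from.

    Returns the total request count, the number of distinct source addresses,
    the share of traffic from the busiest address, the addresses that each
    exceed block_threshold (candidates for a firewall block) and a verdict.
    """
    counts = Counter(r["ip"] for r in parse_access_log(lines))
    total = sum(counts.values())
    blockable = sorted(ip for ip, n in counts.items() if n >= block_threshold)
    top_share = counts.most_common(1)[0][1] / total if total else 0.0
    if total < flood_threshold:
        verdict = "normal"
    elif top_share >= 0.5:
        verdict = "single-source flood"      # one address carries the load: block it
    elif blockable:
        verdict = "flood from a few heavy sources"
    else:
        verdict = "distributed flood"        # every source stays under the block threshold
    return {
        "total": total,
        "sources": len(counts),
        "top_share": top_share,
        "blockable": blockable,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, log in (("single", SINGLE_SOURCE_LOG), ("distributed", DISTRIBUTED_LOG)):
        p = source_profile(log)
        print(f"{name}: {p['total']} requests from {p['sources']} sources, "
              f"busiest {p['top_share']:.1%}, block {p['blockable'] or 'nothing'}: {p['verdict']}")
```

Run against the single-source log the busiest address carries almost all the traffic and is the one address to block; against the distributed log no address reaches the block threshold, which is exactly why the paper calls the DDoS case hard to stop.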

Sending Spam

SPAM is Unsolicited Commercial Email. We all get it, and if you are like me you have noticed that you are getting a great deal more SPAM now than ever before. In fact, according to Symantec, SPAM now accounts for 90.4 percent of all email (Whitney, 2009). This is an increase of almost 60% in a year.

Botnets are a major factor in this increase. Over the last few years SPAM had actually gone down. This was because new filtering technologies had been developed and Internet Service Providers (ISPs) would no longer tolerate spammers using their (the ISP's) networks to send the SPAM. However, with the growth of BOTNETs the spammers don't need to deal with the ISPs.

In many ways BOTNETs are an ideal medium for spammers. Similar to a DDoS Attack, they offer a larger target that is hard to block. Because the spammer is using the bandwidth of the Zombies, they not only don't have ISP complaints to deal with, but they don't have a large bandwidth bill either. In fact, BOTNETs can not only be used to send SPAM, but they can also be used to collect email addresses from all the infected computers.

Phishing Scams

Phishing is the act of tricking someone into giving up confidential information or tricking them into doing something that they normally wouldn't do or shouldn't do. For example: sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft.

Phishing in many ways is related to SPAM, because the user normally receives an email asking them to do something, but in the case of Phishing this email is disguised to look like it is coming from a legitimate source like the user's bank. This Phishing email normally informs the user that there is a problem that they need to take care of right away, and that if they click on the links in the email it will take them where they need to go to fix the problem. While the links may look like they are going to a legitimate source, they are actually going to a Phishing Website that, like the email, is made to look like a legitimate source.

Botnets are used in Phishing Scams in multiple ways. The first is for the sending of the Phishing emails, just like the way they are used for Spamming. The second is that one or more of the Zombies are turned into web servers to host the Phishing Website.
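The "link looks legitimate but goes somewhere else" trick described above can be checked mechanically before anyone clicks. The following is an added example, not code from the paper, that pulls every link out of an HTML email body and flags the ones whose visible text names one host while the href points at another, or whose target is not under the domain the email claims to come from. The email body, the bank domain "examplebank.com" and the decoy hosts are all constructed for the example.

```python
"""
Added example, not part of the original paper: inspect the links in an HTML
email and flag the ones that look like they lead to a legitimate site but do
not. Two checks are applied: the host shown in the link text must match the
host in the href, and every link must stay under the domain the email claims
to come from. The email body, the domain "examplebank.com" and the decoy
hosts are constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse whitespace inside the anchor text.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL; bare hosts like example.com are accepted."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def looks_like_url(text):
    # Link text such as "http://www.examplebank.com/login" or "examplebank.com".
    return "." in text and " " not in text


def under_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def suspicious_links(html, claimed_domain):
    """Return a list of {text, href, reasons} for links that fail either check."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        href_host = host_of(href)
        reasons = []
        if looks_like_url(text) and host_of(text) != href_host:
            reasons.append("displayed host differs from target host")
        if not under_domain(href_host, claimed_domain):
            reasons.append(f"target host not under {claimed_domain}")
        if reasons:
            findings.append({"text": text, "href": href, "reasons": reasons})
    return findings


# Constructed phishing-style message claiming to come from examplebank.com.
SAMPLE_EMAIL = """
<p>Dear customer, there is a problem with your account. Please visit
<a href="http://examplebank.com.account-verify.example/login">http://www.examplebank.com/login</a>
right away. You can also <a href="https://www.examplebank.com/help">visit our help page</a>
or <a href="http://198.51.100.23/secure">click here</a> to resolve it.</p>
"""

if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_EMAIL, "examplebank.com"):
        print(f"{f['text']!r} -> {f['href']}: {'; '.join(f['reasons'])}")
```

The first link in the sample is the classic case: the text reads as the bank's address while the href host only starts with the bank's name and ends in an unrelated domain. The help-page link is genuine and passes; the bare-IP "click here" link fails the domain check.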


Identity Theft

Phishing Scams are not the only way that BOTNETs are used for Identity Theft. They are also used to collect personal information from the victims' computers. This can be done in multiple ways. The Bot Herder can simply order the Botnet Client to send back files retrieved from the victim's computer, or they can have the client itself monitor all traffic going in and out of the computer and send back that data. Many clients even have built-in keylogging software. Some of the newer Botnet Clients being used can not only make a screen capture (picture or video) of the victim's computer, but they can turn on a user's webcam and send back pictures of the victim's home or office.

In many ways Identity Theft is what scares me the most about Botnets. A great example of why it scares me is the recent story (May 2009) in which the University of California Santa Barbara hijacked the "Torpig" Botnet. In the ten days the school had control of this relatively small Botnet (around 180,000 Zombies) they collected 70GB of data, including 10,000 bank accounts and credit card numbers.

Pay-Per-Click Abuse

Many internet sites, including Google, provide a way for other websites to make money using advertisements or Affiliate programs. Google AdSense, which is the largest of such programs, reportedly pays out hundreds of millions every year to companies who have placed advertisements sold by Google on their own websites.

Google and its Affiliates make money based on the number of times that the advertisement is clicked on by a user. This can easily be taken advantage of by BOTNETs. To do so the Bot Herder, or someone they have rented the Botnet to, sets up a fake website. They then join an affiliate program like AdSense, place ads on the fake website, and order the Zombies to start clicking on the advertisements. Some Zombies will even intercept the web code that identifies the affiliate from every site a user visits and replace it with their own affiliate id.

While this is one of the newest forms of BOTNET attacks, Google claims it is growing and they expect to lose millions to this form of attack over the next few years.

Remote Login to Networks (Rlogin)

Originally designed for Unix/Linux systems, Remote Login (Rlogin) is the ability to connect to a network from a remote location and interact with the network as if the remote computer is the host computer. Many of the Botnet Clients have Rlogin built into them, giving the Bot Herder the ability to bypass much of the victim's network security and gain access to the network undetected.

Attacking Other Botnets

Competition can be a good thing, right? Not in the world of Bot Herders. According to the FBI there is currently a major turf war going on between the major botnets. Using their Zombies, the Bot Herders are not only performing DDoS attacks on each other's Command & Control computers, but they are attempting to hijack large chunks of each other's Zombies.

Manipulating Online Polls/Voting

Online polls are getting more and more attention nowadays. In fact, many of the most popular reality shows use them as an option for users who don't want to make repeated attempts over the phone to vote for their favorite singer or dancer.

To prevent manipulation of the voting, most polling systems are designed to let voters only vote a set number of times. This is normally done by monitoring the IP address of the computer the vote is coming from. BOTNETs make it rather easy to beat this because they can send votes in from tens of thousands, hundreds of thousands, or even millions of computers.

While it is still unconfirmed, several different security groups believe this happened in the most recent running of the reality show Dancing with the Stars. Reports are that one of the contestants, Steve Wozniak, Cofounder of Apple Computer Corp, received a much larger percentage of web votes than he did phone votes. In fact, reportedly millions more, making him and his partner the receiver of the most votes in total. This continued for several weeks until the producers of the show reduced the value of the points that could be earned from internet voting.

Stealing Software

Not only can many of the Botnet Clients download files from a victim's computer, they can also retrieve serial numbers and activation codes for the applications found on the victim's computer. Botnets are also used in the trading of pirated software by using the infected computer as a host for downloading the software.

Infecting More Zombies

The final common use for BOTNETs is to infect more Zombies. This normally starts right after a Zombie is under the control of the Bot Herder, who orders it to search for and infect more vulnerable computers. I will go into more detail on that later in this paper.

Why use a Botnet and not some other technology?

So why would someone use a Botnet compared to other technologies? For the most part the answer to this question is financial gain, for both the Bot Herders and the Botnet Renters. Together BOTNETs have enormous amounts of both computing power and bandwidth. In fact, the larger networks can have as much computing power as a supercomputer and more bandwidth than many small countries.

Another reason for using a BOTNET is that they make it very difficult to track the users of the BOTNET. This is because not only are the attacks coming from multiple locations around the world; it is a moving target because the BOTNET is expanding.

Building and Using a Botnet

Before going into details on how to build and use a BOTNET I need to spend a little time introducing the cast of characters involved, each of which plays a very important part in the BOTNET.

○ BOT HERDER: Sometimes also known as a "Bot Master", the "Bot Herder" is the person responsible for creating and managing the Botnet.
○ BOTNET CLIENT: Malware (Virus/Trojan/Worm) used to infect vulnerable computers and turn them into Zombies.
○ Zombie: Infected computer now under control of the "Bot Herder".
○ C&C: Command and Control Center used for two-way communication with Zombies.
○ Renter: Rents use of the Botnet to send SPAM or for another use.

Building the Botnet:

Setup Stage

The first stage in building a BOTNET is the setup stage. During this stage the Bot Herder needs to both set up the Command and Control Center (C&C) and create the Malware "Bot Client" that is going to be used to infect vulnerable computers, turning them into Zombies.

The C&C is the Bot Herder's way of communicating with the Zombies. Not only is it used to send commands to the Zombies, but it also receives responses back from them. The responses can be everything from "Hello, I infected a new computer" to files and data retrieved from the infected computers. Sometimes the Herder will set up the C&C on a rented server at an internet host, but this is a little dangerous, so normally the C&C is just another Zombie with a high speed internet connection.

There are a lot of options in how the C&C will communicate with the Zombies. Below is a list of the most common.


○ Direct Connection: With this form the C&C and the Zombies communicate directly with each other using any available TCP/IP port. Direct Connection was used a lot with early Botnets, but today it is easily detected.
○ Internet Relay Chat (IRC): IRC is a chat protocol which allows servers worldwide to link and allows users to access them with special software and chat (via text) in real time. This is the most common way of handling the communication between the Zombies and the C&C because it is both easy to set up and allows for real time communications. However, the increasing use of Firewalls and advanced network monitoring by businesses and ISPs has forced Herders to start looking for other options.
○ EMAIL: With this option all communication is handled using emails. When the Herder wants to send a command to a Zombie he simply instructs the C&C to send an email. That email goes to only a few of the Zombies, who in turn forward the email to more of the Zombies. While this option may sound a little strange, it kind of makes sense. After all, many of the Zombies are already set up as mail servers so they can send SPAM. However, the biggest problem with this option is that it is a lot slower.
○ WEB/FTP Retrieval: With WEB/FTP retrieval the commands are uploaded to a WEB or FTP Server that has been pre-programmed into the Zombies. At a set time and day the Zombie checks the server for its orders. While two-way communication is possible, it is as detectable as Direct Connection, so this form of communication is normally used only for DDoS Attacks.
○ Peer-to-Peer Networks: Peer-to-Peer communication is very similar to WEB/FTP Retrieval except that the encrypted orders are placed on a Peer-to-Peer Network (like Kazaa). The one advantage of this option over WEB/FTP Retrieval is that it offers two-way communication. Peer-to-Peer is quickly on its way to catching up with IRC, but it is still not real time.
○ Preset (Time/Date): Preset is another older option and is really not a form of communication, because the orders are pre-programmed into the Bot Client, which has the Zombie just sit and wait for a set time and date to activate the orders. Preset is normally only used for DDoS Attacks.
○ Social Networks: I could not find anything that directly talked about the use of Social Networks with BOTNETs. However, as someone who uses several different social networks, including Facebook and Twitter, it only makes sense that this new form of Internet communication is going to be used by BOTNETs in the future if it is not already being done.
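The list above notes that IRC and WEB/FTP retrieval are the forms of C&C that firewalls and network monitoring catch most readily. The following is an added example, not code from the paper, showing two checks a network team can run over outbound-connection records to catch those two patterns: several internal hosts all joining the same external IRC endpoint, and one host polling one server at a near-constant interval the way a Zombie checking a drop site for orders at a set time would. The connection records, the log layout, the IRC port list and the thresholds are constructed for the example.

```python
"""
Added example, not part of the original paper: two detection checks over
outbound-connection records for the C&C patterns described above.
IRC rendezvous: several internal hosts connecting to the same external IRC
endpoint. Beaconing: one host contacting one endpoint at a near-constant
interval, as a Zombie polling a web/FTP drop for orders would.
The records below are constructed; real input would be firewall or NetFlow
logs in whatever layout they use.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)$")
IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 6697}   # assumed watch-list of IRC ports

CONSTRUCTED_LOG = [
    # three internal hosts joining the same external IRC server
    "2009-06-15T10:00:05 10.0.0.5 -> 198.51.100.40:6667",
    "2009-06-15T10:00:09 10.0.0.6 -> 198.51.100.40:6667",
    "2009-06-15T10:00:14 10.0.0.7 -> 198.51.100.40:6667",
    # one host fetching from the same web server exactly once an hour
    "2009-06-15T08:00:00 10.0.0.9 -> 203.0.113.80:80",
    "2009-06-15T09:00:00 10.0.0.9 -> 203.0.113.80:80",
    "2009-06-15T10:00:00 10.0.0.9 -> 203.0.113.80:80",
    "2009-06-15T11:00:00 10.0.0.9 -> 203.0.113.80:80",
    "2009-06-15T12:00:00 10.0.0.9 -> 203.0.113.80:80",
    # ordinary browsing: irregular HTTPS connections, should not be flagged
    "2009-06-15T10:00:00 10.0.0.5 -> 192.0.2.10:443",
    "2009-06-15T10:02:00 10.0.0.5 -> 192.0.2.10:443",
    "2009-06-15T10:15:00 10.0.0.5 -> 192.0.2.10:443",
    "2009-06-15T10:15:50 10.0.0.5 -> 192.0.2.10:443",
]


def parse_connections(lines):
    """Parse 'timestamp src -> dst:port' lines; non-matching lines are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            records.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "src": m["src"],
                "dst": m["dst"],
                "port": int(m["port"]),
            })
    return records


def irc_rendezvous(records, min_hosts=3):
    """Map (dst, port) -> sorted hosts for IRC endpoints shared by >= min_hosts hosts."""
    hosts_by_endpoint = defaultdict(set)
    for r in records:
        if r["port"] in IRC_PORTS:
            hosts_by_endpoint[(r["dst"], r["port"])].add(r["src"])
    return {ep: sorted(h) for ep, h in hosts_by_endpoint.items() if len(h) >= min_hosts}


def beacons(records, min_connections=4, max_jitter=0.1):
    """Map (src, dst, port) -> mean gap in seconds for pairs whose gaps between
    connections vary by at most max_jitter of the mean (a fixed polling schedule)."""
    times_by_pair = defaultdict(list)
    for r in records:
        times_by_pair[(r["src"], r["dst"], r["port"])].append(r["ts"])
    found = {}
    for pair, times in times_by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            found[pair] = avg
    return found


def analyze(lines):
    records = parse_connections(lines)
    return {"irc_rendezvous": irc_rendezvous(records), "beacons": beacons(records)}


if __name__ == "__main__":
    result = analyze(CONSTRUCTED_LOG)
    for (dst, port), hosts in result["irc_rendezvous"].items():
        print(f"IRC endpoint {dst}:{port} contacted by {len(hosts)} hosts: {', '.join(hosts)}")
    for (src, dst, port), interval in result["beacons"].items():
        print(f"{src} beacons to {dst}:{port} every {interval:.0f}s")
```

The jitter test is what separates a scheduled check-in from ordinary browsing: the hourly fetches have identical gaps, while the browsing connections to the HTTPS host have gaps of 120, 780 and 50 seconds and are ignored even though there are enough of them.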

Now that the Bot Herder has the C&C online, they need to turn their attention to the Bot Client. The Client is a form of Malware (kind of a Virus/Trojan/Worm hybrid) used to infect vulnerable computers and turn them into Zombies. The Bot Herder really has two options when it comes to the Client.

The first is to write a Botnet Client from scratch. This option takes a real expert because they need to not only write the client to handle the control of the Zombie, but they need to understand and know how to take advantage of a vulnerability. The second option is to customize one of the many Bot Clients available on the internet. This option is really the better option for most Bot Herders because they are already designed to take advantage of known vulnerabilities (using plug-ins for each), and they already have modules for the features the Herder wants to include.

Infection Stage

Now that the Setup Stage is done it is time to start creating Zombies. The first thing the Bot Herder does is create the first Zombie by infecting a single computer on the internet with the Botnet Client. Once infected, the Zombie reports back to the C&C telling it that it has infected a computer and asks what it should do next. The Bot Herder monitors the C&C looking for the new Zombie to report back; once it has, he orders the Zombie (using the C&C) to look for and infect additional computers. As each new Zombie reports back it receives the same order to search for and infect additional vulnerable computers. After there are enough Zombies the Herder can start using the Botnet and making money from it.

Using the Botnet:

The first step in using the BOTNET is to divide it into two groups. The details of how the Herder divides up the network really depend on what they plan on doing with the Botnet. Are they going to keep the network and use it themselves, rent out its use, or sell it outright? However, most of the time the network is broken up into two groups: the Zombies with the fastest connections are reserved for attacks (sending SPAM, Phishing, etc.) while the Zombies with slower connections are used to continue to build the network or for DDoS Attacks.

Once the BOTNET is divided it is time to start using the network. To do so the Herder follows the following steps.

1. Herder sends orders to the C&C.
2. C&C either forwards orders to Zombies or waits for Zombies to pick up the orders.
3. Zombies receive orders and go to work.

How to Protect Yourself

It is possible to protect yourself from a Botnet by following the same steps you already should be following to protect yourself from Viruses, Worms, and Trojans, and using a little common sense. Below is a list of steps that both home and business users should be taking.

○ Install a Firewall.
○ Install an Antivirus and keep definitions up-to-date.
○ Install all Security Fixes and Updates.
○ Be careful when clicking on links in emails, Instant Messages, and on Social Networking Websites.
○ Only install software that is absolutely necessary.
○ Avoid File Sharing Networks, such as Kazaa and Limewire.
○ Don't open Email Attachments.

Businesses should also:

○ Install an Intrusion Detection System.
○ Educate users on how to protect themselves and the network resources.
○ Block Email Attachments.
○ Block user installation of software.

Conclusion

While I do fear them, I am not the type to sit back and hide from my fears. So I have decided to create a website to help educate people on the dangers of BOTNETs, and I am even going to try to write my own so I can gain even more knowledge on how they work.

I hope that by reading my paper you have gained a little insight on the danger of BOTNETs and maybe understand why I have a general fear of what they can do. It is not the DDoS attacks or even the SPAM that I fear, but the potential for BOTNETs to be used on a massive scale for Identity Theft.


Works Cited

Botnets - Wikipedia. (n.d.). Retrieved June 15, 2009, from Wikipedia: http://en.wikipedia.org/wiki/Botnet

Dunham, K., & Melnick, J. (2008). Malicious Bots: An Inside Look into the Cyber-Criminal Underground of the Internet. Auerbach Publications.

Gage, D., & Nash, K. S. (2006, April 6). Security Alert: When Bots Attack. Baseline Magazine.

Roddel, V. (2009, April 13). Computer Infectors and Spam. Retrieved June 14, 2009, from Bright Hub: http://www.brighthub.com/internet/security-privacy/articles/4276.aspx

Schiller, C., & Binkley, J. (2007). Botnets: The Killer Web App. Syngress.

Whitney, L. (2009, May 26). Report: Spam now 90 percent of all e-mail. Retrieved June 14, 2009, from CNET: http://news.cnet.com/8301-1009_3-10249172-83.html
