“Bots” is a term to describe PCs that have been unknowingly assimilated into part of a botnet, an organized collection of zombie computers that enable cybercriminals to commit large-scale click-fraud and distribute pornography, spam, and other malicious content. Criminals also use botnets to launch distributed denial of service (DDoS) attacks, in which a botnet is programmed to flood a target system with email, shutting it down and denying service to legitimate users.
Cybercriminals can also upload hidden keylogging software to the bots, enabling them to record personal data entered on an affected machine, including usernames, passwords, bank account information, and social security numbers. The software then passes this data to the criminal organization running the botnet, which sells it on the black market. From a cyberscammer’s perspective, botnets are extremely efficient because as bots spread, the central command console grows more powerful.
Botnets range from small networks — a thousand drones — to enormous networks with hundreds of thousands of infected PCs, placing enormous computing power and high network bandwidth in criminals’ hands.
King of the botnets
The Russian Business Network (RBN), thought to be based in St. Petersburg, Russia, was a hosting provider thought to be harboring a group of criminals linked to sophisticated, modern botnet syndicates in Russia and the Ukraine. These criminals’ most notorious achievement was the Nuwar botnet, also known as Storm, which began infecting computers in early 2007 and appeared to control several hundred thousand to several million machines, though its demise was recently posited. But even if a fraction of those nodes had existed, experts believe Storm could have potentially disabled or compromised major financial, governmental, and business institutions.
After the advent of Storm, researchers witnessed a startling development in spam traffic during the first week of November 2007. Routing information for IP addresses that hosted thousands of questionable domains linked to fraud schemes mysteriously disappeared — literally overnight. At first it was believed that the IP addresses were withdrawn in response to heightened publicity received last year from bloggers and U.S. news media. Security organizations predicted that the cybercrooks had gone underground in an attempt to avoid detection — but no one was really sure.
Some researchers theorized instead that some of the world’s largest telecommunications providers literally cut cybergangs off at the knees by terminating upstream internet access. Providers such as British Telecomm may have acted aggressively as part of an international botnet sting operation, or perhaps the immense size and impact of the Storm botnet motivated the companies to halt botnet traffic. Whatever the reason, Storm activity disappeared for 10 to 15 days.
Back in business
What was at first called the “disappearance” of Storm was later called a “pause in activity.” Displaying amazing adaptability, the botnet regenerated almost immediately — not in St. Petersburg but in countries such as China, Turkey, and Taiwan. An early theory was that the absence of the Storm cybergang created a vacuum that smaller players attempted to fill. It later seemed unlikely, however, because within two to three weeks of the criminals’ supposed disappearance, Iframes that previously pointed to Russian sites hosted by RBN were pointing to domains in China.
Reports showed that high spam levels resumed—with smaller internet service providers and activity scattered around the world. Thus, Russian cybergangs may have simply found a way to make it appear as if they had dismantled and a new generation of hackers had taken over in their absence.
Botnets regularly update infected machines, and researchers can then capture outgoing spam as it occurs. Amazingly, researchers observed infected PCs sending anywhere from 700,000 to one million Storm emails in a single day. Although users may have noticed sluggish internet transactions, a compromised machine appeared normal—especially if the robot sent spam at nighttime when most computers users were asleep.
Lots of bots
Additional botnets, which may eventually surpass Storm in size, have appeared on the horizon. One such botnet, named “Kraken,” emulates Storm except it lacks a peer-to-peer (P2P) architecture. The botnet code appears in an image file, such as a JPEG or PNG. Once the image is clicked on, an executable copies itself to a PC, restarts then deletes the original copy. Like the Storm Trojan virus, Kraken uses encrypted communications and seems most interested in luring mass quantities of new members.
Although it definitely creates a stir, Kraken is still a bit of a mystery. Newcomers are relatively easy to spot because their code has not yet evolved to Storm’s level of expertise. For example, most botnet newcomers fail to package sophisticated malware features, such as rootkits, anti-virtualization or an advanced P2P decentralized botnet, leading researchers to speculate that this is new botnet activity that has developed features to bypass virus detection. New botnet varieties could potentially overtake Storm, at least in terms of computing power. According to the latest statistics, Kraken is roughly twice the size of Storm and gained more than 100,000 new machines in a single month.
The impact of recent increased botnet activity emphasizes the need to combat abuse of internet protocols used for communication between bots and bot herders. Malicious IRC traffic can be easily detected today but P2P and HTTP traffic pose a greater challenge. In a corporate environment, P2P traffic should be blocked completely to reduce the risk of data leakage. Residential users can detect malicious P2P activity by correlating it with other traffic, like outgoing spam emails. An up-to-date virus scanner protects against a majority of these threats. In addition, blocking traffic to known command and control websites will stop HTTP bot communication.