Zombies and botnets

Bot programs allow attackers to remotely control vulnerable computers and form virtual networks of zombies - botnets. Botnets can be leveraged to orchestrate concerted attacks against other computing resources, for example, distributed denial of service (DDoS) attacks against targeted networks. The shift in motivation from curiosity and fame seeking to illicit financial gain has been marked by a growing sophistication in the evolution of bot malware. The ABS estimated that there were over 6.65 million active internet subscribers in Australia in September 2006. Most subscribers are households, with over 5.83 million household users compared with 826,000 business and government users. This paper examines the activities and consequences associated with botnets and provides examples of existing incidents so that subscribers can be better informed of the risks. Business, government and individual householders need to be aware of risk mitigation strategies and to ensure that these strategies are implemented and updated, as attacks on the internet are not likely to disappear any time soon.

Toni Makkai
Director

Bot programs are codes or programs that operate automatically as agents for a user or another program. The first bot program was probably Eggdrop, created by Jeff Fisher, which originated as a useful feature of internet relay chat (IRC) in the early 1990s. Early bot programs were designed to allow IRC operators to script automated responses to IRC activities. As IRC gained popularity among internet users, inappropriate behaviour started to become a problem. Misbehaving users were klined (ejected) from IRC channels. As payback, some ejected users developed ways to attack the IRC channel, which led to the IRC wars that caused the first DDoS attacks in the mid 1990s. Bot programs (malware) are surreptitiously forwarded to victims by various means, such as email attachments, peer-to-peer (P2P) networks and visits to an infected website.
Bot malware typically takes advantage of system vulnerabilities and software bugs or hacker-installed backdoors that allow malicious code to be installed on computers without the owners' consent or knowledge. The malware then loads itself onto such computers, often for nefarious purposes. Bots - individual computers infected with bot malware - are then turned into zombies. These can then be used as remote attack tools or to form part of a botnet under the control of the botnet controller, as illustrated by Figure 1. Among the three botnet communication typologies identified by Cooke, Jahanian & McPherson (2005) - centralised, distributed P2P and random - the most commonly used are the centralised and distributed P2P.

Zombies are nodes in the sleeper cells of machines waiting to be activated by their command and control (C&C) servers. The C&C servers are often machines that have been compromised and arranged in a distributed structure to limit traceability. Some form of authentication mechanism (e.g. password-based login from a predefined domain) is often deployed on C&C servers by botnet controllers to prevent unauthorised third party access. Once the botnet controllers are authenticated and logged in, they can issue attack commands to the servers via IRC channels or using P2P technologies.

Building botnets

Building botnets requires minimal levels of expertise (Ianelli & Hackworth 2005). A brief two-step overview of how to build a botnet is outlined below.

Information gathering stage

There is a wide diversity of exploitations, including many of those used by worms, written into botnet code bases that use well known vulnerabilities to infect target systems (Barford & Yegneswaran forthcoming). Locating such exploits and other information to facilitate the creation of botnets, as outlined below, can be easily achieved using search engines.
Source codes - the full text of the actual code that will potentially allow an attacker more room for exploitation can be obtained using search engines, including the recently released Google code search functionality. …
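The centralised C&C model described earlier (many zombies in a sleeper cell polling the same IRC server for commands) leaves a network-level footprint that a defender can look for without knowing the server in advance. As an added example that is not part of the paper, the following Python script applies that heuristic to a constructed connection log; the internal hosts, the server addresses, the 60-second polling interval and the list of IRC ports are all assumptions made for the illustration.

```python
# Added illustration, not from the paper: flag destinations that several
# internal hosts contact on an IRC port at clockwork-regular intervals,
# the footprint of a centralised C&C rendezvous point.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed log records: (timestamp_seconds, src_host, dst_host, dst_port).
# Hosts 10.0.0.11-13 poll 203.0.113.5 every 60 s; 10.0.0.14/15 browse a web server.
FLOWS = [
    (0, "10.0.0.11", "203.0.113.5", 6667), (60, "10.0.0.11", "203.0.113.5", 6667),
    (120, "10.0.0.11", "203.0.113.5", 6667), (180, "10.0.0.11", "203.0.113.5", 6667),
    (5, "10.0.0.12", "203.0.113.5", 6667), (65, "10.0.0.12", "203.0.113.5", 6667),
    (125, "10.0.0.12", "203.0.113.5", 6667), (185, "10.0.0.12", "203.0.113.5", 6667),
    (9, "10.0.0.13", "203.0.113.5", 6667), (69, "10.0.0.13", "203.0.113.5", 6667),
    (129, "10.0.0.13", "203.0.113.5", 6667), (189, "10.0.0.13", "203.0.113.5", 6667),
    (3, "10.0.0.14", "198.51.100.7", 443), (40, "10.0.0.14", "198.51.100.7", 443),
    (301, "10.0.0.14", "198.51.100.7", 443), (17, "10.0.0.15", "198.51.100.7", 443),
]

# Assumed set of ports commonly used for IRC (plain and TLS).
IRC_PORTS = {6667, 6668, 6669, 6697}


def beacon_score(times):
    """Coefficient of variation of the gaps between connections.
    Close to 0 means the host reconnects on a fixed schedule; None if too few samples."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None
    return pstdev(gaps) / mean(gaps)


def find_rendezvous(flows, min_hosts=3, max_cv=0.2):
    """Return {dst_host: [beaconing src hosts]} for destinations on an IRC port
    that at least `min_hosts` internal hosts poll at a regular interval."""
    by_dst = defaultdict(lambda: defaultdict(list))
    for ts, src, dst, port in flows:
        by_dst[(dst, port)][src].append(ts)
    hits = {}
    for (dst, port), hosts in by_dst.items():
        regular = [h for h, ts in hosts.items()
                   if (cv := beacon_score(sorted(ts))) is not None and cv <= max_cv]
        if port in IRC_PORTS and len(regular) >= min_hosts:
            hits[dst] = sorted(regular)
    return hits


if __name__ == "__main__":
    for dst, hosts in find_rendezvous(FLOWS).items():
        print(f"possible C&C rendezvous {dst}: {len(hosts)} beaconing hosts {hosts}")
```

The web server is ignored both because its port is not in the IRC set and because the browsing host's connection gaps are irregular; a P2P-structured botnet would not show a single shared destination and needs a different heuristic.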