Botnets are considered one of the biggest threats to the internet. This note will cover their capabilities, and how they are controlled.
What is a botnet?
A botnet is a set of computers infected by bots. A bot is a piece of malicious software that takes orders from a master. The name "bot" comes from the old chat service Internet Relay Chat (IRC), where users could develop so-called "bots" that kept channels alive, delivered funny lines on request, etc. The first botnets were built directly as IRC bots.
Once bot malware runs on a computer, it has as much access to the computer's resources as the user account it runs under. Bots can then read and write files, execute programs, intercept keystrokes, access the camera, send emails, etc.
Zeus, for example, is a bot popular with cyber criminals. Its capabilities include:
- Restart or shut down the computer;
- Delete system files, rendering the computer unusable;
- Disable or restore access to a particular URL;
- Inject rogue HTML content into pages that match a defined URL;
- Download and execute a file;
- Execute a local file;
- Add or remove a file mask for local search (e.g. hide the threat's files);
- Upload a file or folder;
- Steal digital certificates;
- Update the configuration file;
- Rename the bot executable;
- Upload or delete Flash cookies;
- Change the Internet Explorer start page.
A sizeable botnet can flood networks with enough traffic to take them offline (a distributed denial of service, DDoS): Akamai analysed a botnet that could deliver up to 150 Gbps of traffic.
Command and control
Criminals need to be able to control their bots and give them orders. For this purpose, bots report to Command and Control servers (C&C or CC or C2). These CC servers are the weak point of the botnet: without them the bots are just useless drones. Cyber criminals have been developing more and more sophisticated ways for the bots to receive their orders.
The centralised model is the oldest and simplest. The bots periodically report to a central server (see Figure 1). This used to be an IRC channel; other protocols, HTTP in particular, have since taken over, but the bottom line is the same: if the central server disappears, the bots are useless. If defenders take control of the central server, they are in a position to shut down the whole botnet. Finding the central server is easy for defenders, either by analysing a bot (its address is embedded in the sample or in its configuration) or by analysing the traffic it sends (every bot checks in with the same server at regular intervals).
Figure 1 Central C&C server
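The regularity that gives a central server away can be spotted automatically. The following Go program is an added example, not code from the original note: it reads a constructed connection log (the host names and addresses are made up), groups connections by source and destination, and flags pairs whose connection intervals are too regular to be a human browsing. The thresholds used, at least five connections and an interval jitter of at most 10% of the mean, are assumptions to be tuned against real data.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strings"
	"time"
)

// Constructed sample log (not a real capture): one outbound connection per line,
// "timestamp source destination". ws-017 browses 198.51.100.x irregularly but
// reports to 203.0.113.10 every five minutes, as a bot checking in would.
const sampleLog = `
2015-03-02T09:00:00Z ws-017 203.0.113.10
2015-03-02T09:00:03Z ws-017 198.51.100.7
2015-03-02T09:00:41Z ws-017 198.51.100.9
2015-03-02T09:05:00Z ws-017 203.0.113.10
2015-03-02T09:07:12Z ws-017 198.51.100.7
2015-03-02T09:10:01Z ws-017 203.0.113.10
2015-03-02T09:15:00Z ws-017 203.0.113.10
2015-03-02T09:16:33Z ws-017 198.51.100.7
2015-03-02T09:19:59Z ws-017 203.0.113.10
2015-03-02T09:25:00Z ws-017 203.0.113.10
2015-03-02T09:31:05Z ws-017 198.51.100.7
2015-03-02T09:38:40Z ws-017 198.51.100.7
`

// Beacon is a (source, destination) pair whose connection intervals are suspiciously regular.
type Beacon struct {
	Src, Dst string
	Count    int     // connections observed
	Period   float64 // mean interval in seconds
	Jitter   float64 // standard deviation of the interval divided by the mean
}

// DetectBeacons groups connections by (source, destination), computes the
// inter-connection intervals and flags pairs with at least minCount connections
// whose intervals vary by no more than maxJitter (a fraction of the mean).
func DetectBeacons(logText string, minCount int, maxJitter float64) ([]Beacon, error) {
	type pair struct{ src, dst string }
	seen := map[pair][]time.Time{}
	for _, line := range strings.Split(logText, "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 3 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		ts, err := time.Parse(time.RFC3339, fields[0])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp in %q: %v", line, err)
		}
		k := pair{fields[1], fields[2]}
		seen[k] = append(seen[k], ts)
	}

	var found []Beacon
	for k, times := range seen {
		if len(times) < minCount || len(times) < 2 {
			continue
		}
		sort.Slice(times, func(i, j int) bool { return times[i].Before(times[j]) })
		intervals := make([]float64, 0, len(times)-1)
		for i := 1; i < len(times); i++ {
			intervals = append(intervals, times[i].Sub(times[i-1]).Seconds())
		}
		mean, sd := meanStddev(intervals)
		if mean == 0 {
			continue // every connection at the same instant: a burst, not a beacon
		}
		if sd/mean <= maxJitter {
			found = append(found, Beacon{k.src, k.dst, len(times), mean, sd / mean})
		}
	}
	// Map iteration order is random; sort so callers get a stable result.
	sort.Slice(found, func(i, j int) bool { return found[i].Jitter < found[j].Jitter })
	return found, nil
}

// meanStddev returns the mean and population standard deviation of xs.
func meanStddev(xs []float64) (mean, sd float64) {
	for _, x := range xs {
		mean += x
	}
	mean /= float64(len(xs))
	for _, x := range xs {
		sd += (x - mean) * (x - mean)
	}
	return mean, math.Sqrt(sd / float64(len(xs)))
}

func main() {
	beacons, err := DetectBeacons(sampleLog, 5, 0.1)
	if err != nil {
		panic(err)
	}
	for _, b := range beacons {
		fmt.Printf("%s -> %s: %d connections every %.0fs (jitter %.3f)\n",
			b.Src, b.Dst, b.Count, b.Period, b.Jitter)
	}
}
```

The same check applies to the proxied model described next: the bot still beacons, only the first hop is a relay. Real bots often add a random delay to their check-in period, so in practice one widens the jitter threshold or looks at the whole distribution of intervals rather than a single ratio.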
In order to make the task of finding the C&C server harder, bot creators started to include proxies in their architecture (see Figure 2). The individual bots do not contact the C&C server directly, but intermediate machines that serve as relays, or proxies. These proxies can either be servers operated by the botnet master, or infected machines themselves.
There are several advantages to this architecture:
- Defenders must find and analyse a proxy before they can locate the C&C server, since the address embedded in the bot only points at a relay;
- Proxies are easy to add and replace, making the infrastructure more resilient.
However, there is still a single point of failure in the form of the C&C server itself.
Figure 2 Proxied C&C
The final evolution of botnet architecture is the move to peer-to-peer (P2P, see Figure 3). Bots contact other bots, not a C&C server. Information and control commands are propagated through the network from bot to bot. In order to keep control of the botnet, its master only needs to be able to contact any infected machine, and to sign the commands so that a defender who joins the network cannot inject orders of their own. This makes the takedown of the whole botnet a very difficult task: there is no server to seize, and every bot must be cleaned or cut off from its peers.
Figure 3 Peer-to-peer botnet
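The signing requirement above is worth seeing in code. The following Go simulation is an added example written for this note, not any real botnet's protocol: twelve simulated bots are wired into a small peer-to-peer mesh, each holding only the master's public key (Ed25519, an assumption), and commands are flooded from bot to bot. The topology, sequence numbers and command names are made up for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Command is what bots pass to each other: the order, a sequence number so a
// bot applies each order once and ignores replays, and the master's signature.
type Command struct {
	Seq  uint32
	Body string
	Sig  []byte
}

// Bot models one infected machine. It knows a few peers and the master's public
// key; the private key never leaves the master.
type Bot struct {
	Name    string
	Peers   []*Bot
	Alive   bool // false once the machine has been cleaned or taken offline
	LastSeq uint32
	Master  ed25519.PublicKey
	Applied []string
}

// NewMaster creates a key pair (assumption: one key pair controls the whole botnet).
func NewMaster() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func payload(seq uint32, body string) []byte {
	return []byte(fmt.Sprintf("%d|%s", seq, body))
}

// Sign produces a command that every bot holding the matching public key will accept.
func Sign(priv ed25519.PrivateKey, seq uint32, body string) Command {
	return Command{Seq: seq, Body: body, Sig: ed25519.Sign(priv, payload(seq, body))}
}

// Receive is the gossip step: drop what is old or forged, apply once, forward to
// every peer. Setting LastSeq before forwarding is what stops the flood looping.
func (b *Bot) Receive(c Command) {
	if !b.Alive || c.Seq <= b.LastSeq {
		return
	}
	if !ed25519.Verify(b.Master, payload(c.Seq, c.Body), c.Sig) {
		return // not from the master: a defender or rival trying to inject orders
	}
	b.LastSeq = c.Seq
	b.Applied = append(b.Applied, c.Body)
	for _, p := range b.Peers {
		p.Receive(c)
	}
}

// BuildNetwork wires n bots into a ring plus a chord to the bot three places
// further on, so removing a few bots does not disconnect the rest.
func BuildNetwork(master ed25519.PublicKey, n int) []*Bot {
	bots := make([]*Bot, n)
	for i := range bots {
		bots[i] = &Bot{Name: fmt.Sprintf("bot%02d", i), Alive: true, Master: master}
	}
	for i, b := range bots {
		for _, d := range []int{1, n - 1, 3, n - 3} {
			b.Peers = append(b.Peers, bots[(i+d)%n])
		}
	}
	return bots
}

// Reached counts the bots that applied the given order.
func Reached(bots []*Bot, body string) int {
	n := 0
	for _, b := range bots {
		for _, a := range b.Applied {
			if a == body {
				n++
				break
			}
		}
	}
	return n
}

func main() {
	pub, priv := NewMaster()
	bots := BuildNetwork(pub, 12)
	// The master hands a signed order to any one bot; gossip carries it to all 12.
	bots[0].Receive(Sign(priv, 1, "update-config"))
	fmt.Println("update-config reached", Reached(bots, "update-config"), "bots")
	// A defender who joined the network signs an order with their own key: nobody obeys.
	_, impostor := NewMaster()
	bots[4].Receive(Sign(impostor, 2, "uninstall"))
	fmt.Println("uninstall reached", Reached(bots, "uninstall"), "bots")
	// Three bots are taken down, including the earlier entry point; the master
	// enters through another bot and still reaches the nine that remain.
	for _, i := range []int{0, 1, 2} {
		bots[i].Alive = false
	}
	bots[5].Receive(Sign(priv, 2, "report-in"))
	fmt.Println("report-in reached", Reached(bots, "report-in"), "bots")
}
```

Two things the simulation leaves out matter in practice: a bot must find its first peers somehow (a hard-coded seed list or a peer list handed over at infection time), and that bootstrap step is usually where defenders attack a P2P botnet, by poisoning the peer lists so bots only ever talk to a sinkhole.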
Botnets are now part of the underground economy. Botnet masters rent their botnets to other criminals for various purposes:
- Send spam;
- Perform DDoS attacks;
- Steal banking information;
- Host illegal files.
Prices vary with the kind of service, the required reliability, and the duration. For example, one hour of DDoS has been advertised for $38.
This note presented the basics of botnets and their capabilities, and explained how they are controlled. It only scratches the surface, though: much more can be said of the infection vectors, the economy, etc. These topics may become the subject of future notes.