Botnets Part One - Classification
- Log in to post comments
As discussed in our Pizza With a Side of Malware post, there are a large number of Internet schemes and scams trying to get legitimate users to click on certain links. Many believe that the creators of these scams are after private information stored in your computer. While rue, the scenario is a bit more complicated. They are also after your computer resources. When the "payload" contained in a file of Internet website is downloaded to your computer and the malicious software executes, they control (or own) your computer. At that point, your system may become part of a bonnet with the bot master or bot herder in control of your resources. In terms of a definition, A botnet is a collection of compromised computers, each of which is known as a 'bot', connected to the Internet. The botmaster or bot herder controls these compromised computers via standards-based network protocols such as IRC and http, in other words, the botmaster issues commands through the Internet. This presents a perfect opportunity for a hacker to have sufficient resources and bandwidth to perpetrate larger-scale attacks or to further conceal the attacker's real location. Some classifications of botnets include: IRC bots Internet Relay Chat (IRC) bots operate in a star network where all bots connect to a IRC server and listen for commands. When the bots connect with the IRC server, they join a specific channel. The communications work like normal IRC chat conversations in a language that the bots interpret and process. These communications allow the botmaster to control the bots, including the infected computers. HTTP bots HTTP bots are also known as Puppets. Contrary to IRC bots, in HTTP botnets, the botmaster can not command its Puppets in real-time. Instead, he leaves malicious instructions that web browsers later retrieve and execute. Through an http botnet, visitors of a website may become unwilling participants in the botmater's attacks. The power behind http botnets is that Puppetnets do not require computers to be infected. P2P Peer-to-peer or P2P networks do not have a centralized server. Instead, the computers connected to the network can perform server functions. This decentralization gives P2P botnets a high resistance against attacks and disruption. They are also difficult to detect. Although Network Address Translation (NAT) may prevent P2P applications from using TCP based communication, UDP based systems can work around many NAT restrictions. Email Email features a stealthy command and control (C&C) channel, blending the commands with either Spam or non-Spam email. Automatic detection can be very difficult, which is complicated by the ease of hacking user email accounts, and using them for encrypted C&C communication and for manipulating spam measures implemented by Google, Yahoo, Microsoft, and others. On the next post, we will explain the power that can be unleashed by a botmater and the types of attacks that a compromised computer system can become a part of.
Botnets are obviously a threat to businesses who may be victimized by losing necessary resources. Likewise, BotNets are also a threat to the "zombie" computers, whose owners may not be aware that their computers are being used to perpetrate a crime. AVM Technology discussed this threat with NBC 12 of Richmond Virginia.