Have you ever heard about botnets and what they do?
No?

Let me enlighten you. Some of the best-known botnets are Conficker, Kraken and Srizbi.
Maybe you have heard of one of those.

A botnet is what you would call a collection of software robots that are controlled by a human master.
While the term botnet could be used for an innocent collection of bots, such as the bots used on IRC channels, most of the time when you read about a botnet it will be in the context of malicious software.

Many of the spyware, malware, trojans or viruses that exist today are in fact pieces of software that connect to a central server to form a botnet. From this central server, the botnet master can give the botnet different commands to run, like sending out spam messages or attacking another system on the internet.

Most of the spam you receive today is sent out by botnets. Take a look at the source of a spam mail and you will see that it originated somewhere on a normal computer on the internet, mostly connected via ADSL or cable. If you take a look at multiple spam messages you will see that each one comes from a different computer. This makes it very hard for firewalls or ISPs to block the computers that send out spam. Maybe your computer is infected by a bot right now, and is sending out spam as you read this!
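To see for yourself what the post describes, here is an added example (not part of the original post) that walks the Received: headers of a mail bottom-up to find the machine that injected it, skips private/loopback hops, and flags reverse-DNS names that look like a consumer DSL/cable line. The sample messages, hostnames and addresses are constructed for the example; the residential-name tokens are a heuristic, not a standard.

```python
import re
from email import message_from_string
from email.policy import default
from ipaddress import ip_address, ip_network

# Received: lines are prepended as the mail travels, so the LAST one names
# the first hop: the machine that actually injected the message.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[0-9a-fA-F.:]+)\]")
# Reverse-DNS tokens ISPs commonly use for consumer DSL/cable lines (a heuristic).
RESIDENTIAL_HINTS = ("dsl", "cable", "dyn", "pool", "cpe", "ppp", "dhcp")
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def trace_origin(raw):
    """Return the injecting host: the earliest hop whose IP is not internal."""
    # policy=default unfolds continuation lines; get_all keeps header order.
    received = message_from_string(raw, policy=default).get_all("Received") or []
    for header in reversed(received):
        m = RECEIVED_RE.search(header)
        if not m or any(ip_address(m["ip"]) in net for net in INTERNAL_NETS):
            continue                      # unparsable, or a private/loopback hop
        rdns = m["rdns"] or ""
        return {"helo": m["helo"], "rdns": rdns, "ip": m["ip"],
                "residential": any(t in rdns.lower() for t in RESIDENTIAL_HINTS)}
    return None

def distinct_origins(messages):
    """Origin IPs over many spams: a botnet shows a different one almost every time."""
    return {hop["ip"] for hop in map(trace_origin, messages) if hop}

# Constructed sample messages (not real captures); "\t" marks a folded header line.
SPAM_1 = """Received: from mx.example.org (mx.example.org [203.0.113.10])
\tby inbox.example.org; Mon, 2 Feb 2009 10:00:05 +0000
Received: from user-pc (cpe-198-51-100-23.dsl.example-isp.net [198.51.100.23])
\tby mx.example.org with SMTP; Mon, 2 Feb 2009 10:00:01 +0000
Received: from localhost (localhost [127.0.0.1]) by user-pc; Mon, 2 Feb 2009 10:00:00 +0000
Subject: cheap stuff

buy now
"""
SPAM_2 = """Received: from mx.example.org (mx.example.org [203.0.113.10])
\tby inbox.example.org; Mon, 2 Feb 2009 11:00:05 +0000
Received: from home (pool-203-0-113-77.cable.example-isp.net [203.0.113.77])
\tby mx.example.org; Mon, 2 Feb 2009 11:00:02 +0000"""
```

Run `distinct_origins` over a folder of spam and the set of origin IPs grows with nearly every message, which is exactly why blocking individual senders does not work against a botnet.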

The best protection is an up-to-date virus scanner that can also detect malware.

In essence, a botnet provides a botnet master with a lot of stolen computing power, distributed over many computers connected to the internet. He can use this for a variety of things, including, but not limited to, the following and combinations of them:

  • Scan websites to retrieve email addresses to send spam to.
  • Send spam messages to the email addresses in its database. Most of the time, the botnet master will be paid to do this.
  • Have the botnet attack a single system on the internet. Many residential upload links combined produce enough traffic to overflow the connections of the system being targeted. This prevents the system from handling valid requests from real users, effectively rendering it offline. This is also known as a DDoS or Distributed Denial of Service attack.
  • Scan for other computers that are vulnerable and can be infected by the same bot software, enlarging the botnet.
  • Record every keystroke the computer user types. This can capture credit card numbers, logins and passwords, documents that are being written (possibly sensitive company data), etc.
  • Intercept every HTTP POST that goes to the internet. This can record every form filled out on the internet, including credit card numbers, logins and passwords, personal information, home addresses, etc.
  • Generate click fraud. This uses the user's computer, without him knowing, to surf to websites and click on advertisement links, generating profit for the owner of the website (mostly affiliated with the botnet's master).
  • Intercept the moment a user surfs to an online banking application and serve the user a fake website where he then logs in, thus stealing the user's financial data. This is also called phishing, but most of the time phishing protection does not work here, since the fraudulent web page is served by the bot software on the user's own computer.
  • Turn on the user's webcam or microphone (built in on most recent laptops) and stream the data to the central server, listening in on meetings or watching people do private things.

In January 2009, at the University of California, Santa Barbara (UCSB), a group of CS undergraduates together with their professor Richard A. Kemmerer reverse engineered a botnet called Torpig and took it over for 10 days. Together with the FBI they recorded all the data that was coming in from the botnet.

In 10 days' time, they collected over 1500 credit card numbers, thousands of emails, logins and passwords, financial information and so on. UCSB showed that the botnet consisted of 180000 computers, with an average of 60000 bots online at any given time.

You might ask yourself why a botnet master wants all this information. These days, most of these botnets are run by criminal organisations from all around the world. The Torpig botnet was suspected of being run by the Russian mafia. None of the people in the organisation will use the credit card numbers themselves, for example; it would make them too easy to trace. They sell the information. If you look at the credit cards alone, knowing that a stolen credit card number is sold on the black market for about $25, they made $37500 in 10 days. And don't forget about the other information they collected.

As you might have realised by now, the people who run these botnets have motives enough to do it, ranging from taking down systems, sending out a lot of spam to advertise their products in an indirect way, and collecting information for profit, to corporate or governmental espionage.

If you would like to know more about the research done by UCSB, you can view a Google TechTalk presentation on YouTube about the subject.

The internet isn't as safe as it looks. Be careful out there. It's a wilderness.