So, Just What Is A BotNet?
Hayden Smith explains the concept of a BotNet and what they mean for computer security…
Within hours of the announcement of the Shellshock bug in BASH, which people are now frantically patching, the first attempts to use it were found in the wild. With estimates of the total number of vulnerable machines that an attack could leverage apparently in the region of “wild stab in the dark”, no-one can disagree that there will be many systems where patches were missed or applied too late.
Reports on those early attacks indicated that the attacker was trying to use the vulnerability to build themselves a botnet. Had this scaled out quickly, it could have grown into one of the largest botnets seen.
But what is a botnet and what was the attacker trying to achieve by creating one?
At a basic level a botnet is a network of bots. A bot is a computer that can be remotely controlled by a botnet master to do whatever they wish. Bots are generally created by the attacker compromising the target computer and then installing software that lets them control it remotely.
Computers don’t need a major bug like the one in BASH to be compromised: some are compromised through trojans installed via email scams or through drive-by downloads on websites. So it’s not just servers that can end up caught in a botnet; your home computer could be, your office computer could be, even your mobile phone could be.
To prevent such attacks it’s important to keep your anti-virus software up to date and make sure you stay on top of critical security patches for your software.
Once infected, the bots talk to a command and control server to get instructions on what they need to do. Because the bots initiate these connections outbound, they bypass firewalls and Network Address Translation (NAT) on secure networks that would normally block inbound traffic attempting to control them.
Without any further instruction the bots check in periodically to find out what they need to do; once instructions are received, they set about whatever nefarious purpose they were given. Often this involves searching for more computers that can be infected or compromised to deliver further infections; spamming and denial of service attacks are other common uses.
Once established, botnets are often made available to the highest bidder: the person running the botnet sells the services of all or part of the network to others to perform tasks they desire, such as DDoS-attacking a target they dislike or sending out their spam distributions.
On the other side of the botnet battle, security researchers constantly monitor these networks, trying to find and capture the command and control servers in order to disable the botnets. Large networks monitor attacks originating from their own networks to isolate bots and, ideally, find the related command and control server, so they can block its traffic and nullify bots on their networks before they cause too much damage to the Internet at large.
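The periodic check-in described above is also what gives network defenders something to look for: a bot on a timer produces outbound connections from one internal host to one external address at suspiciously regular intervals. The following is an added example, not code from the article, showing how that pattern can be picked out of a firewall log. The log format, the sample lines and the thresholds are all constructed for the example.

```python
"""Flag periodic outbound "check-in" traffic (beaconing) in a firewall log.

Constructed example: the log format (timestamp src dst port action), the
sample entries and the thresholds below are assumptions, not a real vendor
format.  A bot polling its command and control server on a timer produces
gaps between connections that are nearly identical; a person browsing does not.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: one internal host (192.168.1.20) checks in with
# 203.0.113.10 roughly every five minutes; 192.168.1.21 is ordinary browsing.
SAMPLE_LOG = """\
2014-09-25T10:00:00 192.168.1.20 203.0.113.10 443 ALLOW
2014-09-25T10:00:03 192.168.1.21 198.51.100.5 80 ALLOW
2014-09-25T10:05:01 192.168.1.20 203.0.113.10 443 ALLOW
2014-09-25T10:07:44 192.168.1.21 198.51.100.7 80 ALLOW
2014-09-25T10:09:59 192.168.1.20 203.0.113.10 443 ALLOW
2014-09-25T10:12:30 192.168.1.21 198.51.100.5 80 ALLOW
2014-09-25T10:15:00 192.168.1.20 203.0.113.10 443 ALLOW
2014-09-25T10:19:58 192.168.1.20 203.0.113.10 443 ALLOW
2014-09-25T10:25:02 192.168.1.20 203.0.113.10 443 ALLOW
2014-09-25T10:30:05 192.168.1.21 198.51.100.5 80 ALLOW
"""


def parse_log(text):
    """Yield (timestamp, src, dst, port) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, _action = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(port)


def find_beacons(text, min_connections=5, max_jitter=0.1):
    """Return [(src, dst, port, mean_gap_seconds)] for flows whose connection
    intervals are regular enough to look like timed check-ins.

    max_jitter is the coefficient of variation (stddev / mean) of the gaps
    between successive connections: near zero for a bot on a timer, high for
    human-driven traffic.  min_connections avoids judging periodicity from
    too few samples.
    """
    flows = defaultdict(list)
    for ts, src, dst, port in parse_log(text):
        flows[(src, dst, port)].append(ts)

    suspects = []
    for key, times in flows.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            suspects.append((*key, round(avg, 1)))
    return suspects


if __name__ == "__main__":
    for src, dst, port, interval in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}:{port} checks in roughly every {interval}s")
```

On the sample above only the 192.168.1.20 to 203.0.113.10 flow is reported, with a mean gap of about 300 seconds. In practice the hit is a lead to investigate rather than proof of infection (software updaters and monitoring agents also poll on timers), and bots that add random delay between check-ins need a looser jitter threshold or a longer observation window.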
The thing to note, though, is that although isolating the command and control servers from the bots may stop the network, the infections remain and a botnet can be revived by replacing the command and control server with another, so it is important to be vigilant in monitoring your computers for infections.