From simple beginnings in the late 1990s, bot networks (or botnets) have arguably grown to become the most significant means by which criminals exploit the Internet for gain.
Invented to “recruit” large numbers of ordinary PCs for use as remotely controlled “slaves,” or “zombies,” botnets now have many criminal uses, and the list is still growing, so much so that even knowledgeable computer users have trouble keeping up with new varieties of botnet malevolence.
In fact, although security experts use the term “botnet” as casually as if it were a brand of soda found in any convenience store, almost nobody beyond the Slashdot-reading hordes has even heard of the phenomenon.
This obscurity goes a long way towards explaining their success, but the same is true of many security problems and is not unique to bots.
Perhaps the best way of describing their operation in relation to the Internet, on whose structures and protocols they have thrived, is to think of a botnet as a rapacious parasite.
The medium of infection or transmission is the Internet itself, while the host is the Windows PC, invariably penetrated through one of a common class of software vulnerabilities.
Typically a botnet starts with the compromise of a host, usually a server, whose processing power and bandwidth are used to begin an infection campaign by way of conventional malware such as Trojans or worms. Once enough PCs have been infected, they are set up as nodes on the botnet itself, configured to receive instructions automatically.
This is traditionally done using IRC (Internet Relay Chat), a technology that has long been used for setting up many-to-many communications across the Internet.
More recently, HTTP has become a new channel for botnet communication (see later discussion). IRC has, nevertheless, proved popular because it is so easy to set up, typically requiring only a small clutch of servers accessing a variety of IRC channels for redundancy.
Networks can be made up of any number of PCs, from a few thousand to many millions. Bigger sounds more impressive, but smaller botnets are no less dangerous, because they can be proportionately harder to detect.
What would remotely-controllable PCs be useful for?
Traditionally, the answer would have been to execute a distributed denial-of-service (DDoS) attack, where large numbers of PCs flood an unprotected server or router with traffic so that it fails to pass genuine packets or falls over. This can start with a number of motivations, including blackmail, and several large companies have, without warning, found themselves on the receiving end of such unwanted traffic.
Other basic uses include sending spam in a distributed fashion, using the harvested PCs as relays, or simply opening a back door so that data can be stolen from the PC at some point in the future without the criminal needing to intervene directly.
What changed bot networks from a technical inconvenience to something treacherous was simply what has changed technical crime in general – commerce.
At some point it became apparent that criminals could use them to generate money for almost no risk. Since they have many criminal uses, why not create a botnet to sell on to secondary criminals with other areas of expertise such as spam hawking?
This is the division of labour responsible for the sudden acceleration of so much malware – criminals no longer need to do the whole malware creation process on their own, and can call on powerful tools such as bots to do some of the heavy lifting for them.
In the near future, bot networks will continue to refine their operating techniques to avoid detection and increase efficiency, as well as extend their reach.
Bots have used encrypted channels for communication and, more recently, have abandoned IRC as the control channel in favour of HTTP, both to avoid detection (HTTP to a web server blends in with ordinary browsing) and to simplify certain aspects of automation.
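Added example, not part of the original article: a small Python detector, run over a constructed outbound-connection log, for the two control channels described above, namely many internal hosts rendezvousing on one external IRC-port server (the IRC botnet structure from earlier) and a single host polling one web server at fixed intervals (HTTP beaconing). The log format, addresses, port list and thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev, mean

# Constructed sample log (not from any real network): "<ISO time> <src> -> <dst>:<port> <proto>"
SAMPLE_LOG = """\
2006-03-01T10:00:00 10.0.0.12 -> 203.0.113.5:6667 tcp
2006-03-01T10:00:02 10.0.0.17 -> 203.0.113.5:6667 tcp
2006-03-01T10:00:03 10.0.0.21 -> 203.0.113.5:6667 tcp
2006-03-01T10:00:00 10.0.0.40 -> 198.51.100.9:80 tcp
2006-03-01T10:05:00 10.0.0.40 -> 198.51.100.9:80 tcp
2006-03-01T10:10:00 10.0.0.40 -> 198.51.100.9:80 tcp
2006-03-01T10:15:01 10.0.0.40 -> 198.51.100.9:80 tcp
2006-03-01T10:00:07 10.0.0.50 -> 198.51.100.20:80 tcp
2006-03-01T10:03:40 10.0.0.50 -> 198.51.100.20:80 tcp
2006-03-01T10:31:12 10.0.0.50 -> 198.51.100.20:80 tcp
2006-03-01T10:32:00 10.0.0.50 -> 198.51.100.20:80 tcp
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) \S+$")
IRC_PORTS = {6667, 6668, 6669, 7000}  # assumed: common IRC server ports

def parse(log):
    """Return (timestamp, src, dst, port) tuples for every line matching LINE_RE."""
    return [(datetime.fromisoformat(t), s, d, int(p))
            for t, s, d, p in (m.groups() for m in map(LINE_RE.match, log.splitlines()) if m)]

def irc_rendezvous(rows, min_hosts=3):
    """External IRC-port destinations contacted by at least min_hosts distinct internal hosts."""
    by_dst = defaultdict(set)
    for _, src, dst, port in rows:
        if port in IRC_PORTS:
            by_dst[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in by_dst.items() if len(srcs) >= min_hosts}

def http_beacons(rows, min_conns=4, max_jitter=0.1):
    """(src, dst) pairs whose HTTP connections recur at a near-constant interval (seconds)."""
    times = defaultdict(list)
    for ts, src, dst, port in rows:
        if port in (80, 8080):
            times[(src, dst)].append(ts)
    hits = {}
    for key, ts in times.items():
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        # Flag only when the spread of the gaps is within max_jitter of their mean.
        if len(gaps) >= min_conns - 1 and pstdev(gaps) <= max_jitter * mean(gaps):
            hits[key] = round(mean(gaps))
    return hits
```

The irregular browsing of 10.0.0.50 is deliberately included so that the beacon check rejects it; in practice the port list and jitter threshold need tuning to the network being watched.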
Beyond technical refinement, a number of alarming, if novel, possibilities have been aired as to more extreme uses for botnets. It is certain that they will spread to the mobile arena: mobile phones and other devices are also hackable clients, after all. It is also likely that a large-scale DDoS attack will be attempted at some point, most probably for political reasons and using a “rented” bot.
Perhaps, though, they could be turned against encryption to more specific effect, distributing the search for a key across large numbers of zombie PCs in the manner of distributed computing. Ultimately, in a more far-fetched scenario, bots could even start attacking one another, spiking traffic across parts of the Internet in the process.
Botnets will not stand still and will continue to evolve in step with other types of criminal exploitation of the Internet. For the time being at least, they will remain a mysterious, unseen, and sometimes misunderstood problem, where users, and sometimes even researchers, find themselves witnessing their dire effects.
Botnets will always be with us as long as Windows remains in its current, insecure state.