What are Bots and Botnets?
A bot is a computer that has been compromised through a malware infection and can be controlled remotely by a cybercriminal. The cybercriminal can then use the bot (also known as a zombie computer) to launch more attacks, or to bring it into a collection of controlled computers, known as a botnet.
Short for “robot,” the term “bot” originally had a positive connotation, especially in Internet Relay Chat circles. These bots were programs that were designed to run as a user in the various chat rooms. They could proctor a room, booting out people who used foul language, or referee a trivia game, giving out point and declaring the winner.
But soon after the first beneficial bots started to appear on IRC, so did others that could exploit vulnerabilities and steal passwords and log keystrokes. Out of that usage came the concept of using the IRC client as the basis to launch attacks against other computers. Most botnets today are run through IRC, although more advanced cybercriminals can create their own client.
The two main reasons why cybercriminals create botnets are for financial gain and for recognition. Much like the guy at Muscle Beach who can lift the most weights, bot herders (slang for the hacker who created the bots) gain their notoriety among their peers by the number of infected computers they collect in their botnet. One discovered botnet in Holland collected more than 1.5 million computers.
A bot is created when the malware containing the programming to take over the computer is placed onto its target. Any form of malware delivery can be used to bring the programming onto a computer. It could be brought by a network worm that deposits its payload. It could be a virus that was launched from an infected e-mail attachment. It could be a Trojan horse disguised as a program the target user desired.
After implantation, the bot then attempts to connect with the command-and-control server (as stated above, usually an IRC server). From there, the bot herder can launch any number of attacks.
Types of attacks
As mentioned earlier, most bot attacks have some sort of financial gain as the aim of such cybercrime, while others are done purely for recognition. Some of the types of attacks that can be launched after a computer has been taken over as a bot include:
- Spambot – One of the most common uses of a bot, a spambot is a machine that automatically distributes spam e-mails. Mostly, these are e-mails that contain advertisements for questionable products (pornography, black market pharmaceuticals, fake antivirus software, counterfeit goods) or contain computer viruses themselves. A spammer will usually purchase a botnet from a bot herder in order to use the infected computers to send out the spam e-mails, concealing where the attacks are actually originating.
- Denial-of-service – Another popular use of a bot, denial-of-service attacks look to invade a network or an Internet service provider, usually by stealth, in order to disrupt or cripple service. Here, the attacker tries to get as many computers infected as possible in order to have a bigger botnet network.
- Spyware – Spyware is any malware that can be used to gain information from its target or targets, anything from passwords and credit card information to the physical data contained within files. These can be lucrative to a bot herder, as they can sell the data on the black market. If a bot herder gains control of a corporate network, these can be all the more lucrative, as they may be able to sell the “rights” to their bank accounts and their intellectual property.
- Click fraud – This form of remote control can allow a bot herder to surreptitiously click links on Web sites and online advertising, bolstering numbers for advertisers and producing more money.
- Dial-up bots – Dial-up bots look to try to connect to dial-up modems and force them to dial phone numbers. Sometimes the effect is to tie up the line, eventually forcing the user to change numbers. Other times, the effect is to dial into premium phone number (1-900 numbers) in order to rack up charges on someone else’s bill. It goes without saying that this type of attack is beginning to go by the wayside, as more and more people move away from dial-up modems to broadband connections.
With all the damage that can be done to a computer – and through a computer – that has been turned into a bot, it’s important to take these steps to help prevent this type of attack. Prevention methods include:
- Education – Be aware of the Web sites that are visited, and if IRC is used, be wary of certain chat rooms. Also, since the bot programming can be delivered like any other form of malware, be careful of e-mails and instant messages from strangers and chain e-mails that have been forwarded (especially ones with attachments and funny links).
- Software updates – Make sure all operating system and application software is kept up to date with free updates and patches. Their manufacturers are constantly looking to correct vulnerabilities in their products that allow cybercriminals to deliver malware.
- Use antivirus software – When looking for subscription-based, high quality antivirus software, make sure to use one with antibot protection, such as Norton AntiVirus.
No protection, including using multiple ones, is 100 percent guaranteed to stop a computer from turning into a bot and becoming a part of a botnet. But using these protections can help raise the odds against an attack.