QuickStudy: Botnets

Computerworld - Botnets are networks of computers taken hostage by malware that controls them and makes them send spam and act in other nefarious ways. They're growing in size, number and impact. A botnet may be remotely controlled by the creators of the malware that drives it (hence the "zombie" appellation) or it may be rented out by spammers or other persons of ill will. There is no known beneficial use for botnets.

Botnets were originally created to send spam. They were useful for that purpose because they masked the location and identity of the spammer, making it difficult for early spam-blockers to stop their flood of Viagra-selling and stock-swindling e-mail messages. Currently, they're also used to launch denial of service attacks, manage adware campaigns, monitor user activity by logging keystrokes, or steal anything or any behavior from a computer that looks as if it might have value.

Botnets are created by a worm program that's usually transmitted through a spam campaign, a spyware program or an adware campaign that leaves a program or other file behind. When a user clicks on a link that downloads a file of some type (which doesn’t even have to appear to be an executable file), it installs a botnet client, also known as a zombie, that can be controlled from afar.

All this mayhem is remarkably invisible to the user sitting in front of the infected machine. It's uncommon for a machine inducted into a botnet to display any obvious sign of trouble, though users may notice periodic sluggishness with their net connections. (It's not common for a botnet to deploy any single zombified computer constantly, making it even harder for spam-blockers or other monitors to pinpoint a troubled machine.)

The botnet client program and the method for transmitting it or its progenitor may appear to be completely legitimate. "The bad guys have gotten very good at this," says Ironport Vice President of Technology Patrick Patterson, "and so, for example, they use a legitimate-looking notification of a software update to sneak their bot client onto a machine." Symantec’s senior manager of security response, Dean Turner, adds, "Of course, no legitimate software company is going to notify you that way, but that doesn’t stop people from clicking through anyway." It’s sort of like phishing, only in this case it’s for access to a user’s computer rather than for a user’s money.

Once the botnet client is loaded, things happen quickly. The first thing a botnet client does when it is activated is to "call home," usually using the IRC channel. That contact establishes a communications link between the client and its manager and sets things up for future instructions, which may come right away or may be delayed.

Ferris Research lead analyst for e-mail security Richi Jennings notes that virus writing today has become a real business. "Today the virus writers are focused more on execution than on spreading," he says, "and their programs spread very quickly and do damage almost immediately. Remember, this is for cash, not for notoriety."

Want to learn more? See Four steps to battling botnets.

See additional Computerworld QuickStudies