Email this Article Email   

CHIPS Articles: The Lazy Person's Guide to Botnets

The Lazy Person's Guide to Botnets
By Dale J. Long - July-September 2008
Cyberspace: the Wild West of the 21st century. The world is migrating information, commerce, governance and leisure activities into cyberspace in a shift that parallels American expansion into the Western frontier in the 19th century, only much faster and with many more people. This cyberspace migration has many of the problems that the early settlers encountered: con artists, bandits, claim jumpers — and outright warfare.

In response, the U.S. military is moving from merely operating in cyberspace to cyber-warfare operations, and we are once again exploring unfamiliar territory, particularly in terms of how we employ various technologies, procedures and behaviors. Earlier parallels include the introduction of telecommunications as a means of command and control and the development of large-scale military airlift operations.

In the first case, introducing radios and other long-distance communications devices into the C2 environment allowed us to share more information between larger numbers of people over great distances. However, radio and other communications technologies changed the operational dynamic by, among other things, allowing control of local operations by people thousands of miles away from the action.

Likewise, the Internet enables a functional increase in communications several orders of magnitude beyond what mere radios added, with equivalent levels of change in how we operate.

Military airlift was, at first, not much more than a way to get a small number of supplies to small groups out in the field — until the Berlin Airlift. Over the 18 months of the Berlin Airlift, military operations, doctrine, technology and procedures changed to keep a major city resupplied by air, revolutionizing military operations.

In cyberspace we face both challenges: employing disruptive technologies that change how we operate in the real world while exposing us to the relatively new, uncharted frontier of cyberspace. When we added airpower to the battlefield, we had to learn to think in three dimensions instead of two. In cyberspace, thinking in three dimensions is not enough. Our threats and opportunities will require thinking in at least four or even five dimensions.

Still, some things will remain constant. Whether it's controlling weapons with artificial intelligence or launching online attacks in cyberspace, it all really comes down to command and control. And where do we look to find the latest and greatest in computer-mediated warfare?

Well, I usually start in Zippy's basement.

Robotic Warfare

Last time we visited Zippy he had a small semantic misunderstanding with his robotic butler, Alfie. When I called to discuss cyber warfare, he was very excited about showing me his latest artificial intelligence project: Charlie. I was primarily interested in botnets, but first I had to see Charlie, artificial intelligence represented by a holographic computer simulation. I knew I would not get anything else out of Zippy until he demonstrated Charlie, so I descended into his basement lair to see the show.

The 3-D holographic display was state-of-the-art. It showed a small city scene with several buildings and a large wheeled machine that looked a bit like a large tank sitting in the middle of a four-way intersection. "Meet Charlie," Zippy proudly said. "He's just a simulation at the moment, but we're mostly concerned with getting the AI right before he goes into production."

"What does he do?" I asked.

"Oh, he can do a lot of things. Since he's meant to be a joint resource, we're teaching him how to follow directions depending on which service is using him. Here, I'll show you."

He pushed a button on the control console, leaned over a microphone, and said, "Charlie, Army, secure building number one."

A speaker on the console replied: “Order acknowledged.” The machine spun to one of the buildings, and deployed six smaller vehicles that surrounded the building and took up defensive positions.

“Guards posted. Building secure. Charlie out,” the electronic voice reported.

“Now for the next one,” Zippy said with a grin. “Charlie, Marine Corps, secure building two.”

“Order acknowledged.” The robot spun toward another building. Several panels opened on the sides and top of the machine and out popped a variety of weapons. Ten seconds later, the building had been reduced to rubble.

“Potential threat neutralized. Building secure. Charlie out.”

“That’s quite a different interpretation,” I remarked.

“Yes,” Zippy replied, “that’s an issue with developing one system for different groups. You have to take into account that words can mean different things depending on who you’re dealing with, like doors versus bulkheads, decks versus floors.”

He turned back to the microphone and said, “Charlie, Navy, secure building number three.”

“Order acknowledged.” Charlie rolled over to another building. This time, a long, thin probe extended out and plugged into the side of the building. All the lights in the windows went out, and there was a succession of audible clicks.

“Lights out and doors locked. Building secure. Charlie out.” Charlie rolled back to the middle of the intersection.

“May I try?” I asked.

Zippy nodded and stepped away from the microphone.

“Charlie,” I said, “Air Force, secure building number four.”

“Order acknowledged.”

But other than what looked like a satellite dish swiveling about 30 degrees, Charlie didn’t move an inch.

“It’s not doing anything,” I said.

“Sure it is,” Zippy replied. “This was actually the hardest one to code. It’s calling the landlord and negotiating a three-year lease with an option to buy.”

As it turns out, Charlie’s AI also includes routines that would allow it to run network defenses and counter-perations against cyber warfare attacks, so even if we never produce the physical version, maybe we can use something like Charlie, with a good semantic understanding and much better cyber-reflexes than humans, for C2 in our network defense systems.

But before we use any tool, we should understand what we’re up against so we can give it the correct commands. And the biggest warmongers in the frontier that is cyberspace are: Botnets.

Botnet 101

We have looked at distributed computing in CHIPS in the Fall 2004 issue ( computing.htm) in terms of projects like SETI@home which can distribute pieces of a puzzle and have many computers working in parallel for a shared objective.

A botnet, like most distributed systems, is a collection of otherwise independent computers working “cooperatively” to accomplish a distributed task. However, the term “botnet” is reserved specifically for describing distributed computing systems designed and used for illegal and malicious purposes.

One feature that particularly distinguishes botnets from other distributed computing systems is that botnets are typically composed of machines that have been compromised and assimilated into the botnet without their owners’ knowledge or consent. The compromised computers are referred to as drones or zombies. The software application inserted and hidden on a computer that executes botnet commands is called a “bot.” The people who manage botnets are referred to as “herders.”

Building a botnet involves assimilating drones into the collective. Bot software can be spread by a number of means, including: spam e-mails, infected files, scripts inserted by malicious Web sites, or drones actively seeking and infecting other computers with security holes.

The most successful botnet is known as Storm, which some say infected more than 1 million computers worldwide. Storm uses a worm (malicious software hidden inside an attractive shell) combined with social engineering techniques to lure people to Web sites that infect their PCs through a Web browser. The bot code then hides itself on the user’s PC and, while waiting for commands from the botnet, spends its time quietly looking for other computers to infect.

For an explanation of how Storm functions, I recommend, “Storm and the future of social engineering” ( on the Help Net Security Web site.

More drones equal more power. Consider a botnet with 1,000 ordinary PCs in homes across the world, each with a 56-kilobit dial-up connection to the Internet. That collectively translates into more than 50 megabits of total bandwidth for the botnet, which is enough to launch a distributed denial of service (DDoS) attack on a 45-megabit (T3) connection.

Then consider what kind of bandwidth, 100,000 or 1,000,000, zombies represent and that most of the zombies in the botnet have a much faster connection than 56 kilobits if they are connected via a digital subscriber line (DSL), cable modem or T1.

That is serious bandwidth!

Botnet C2

What distinguishes a botnet from a worm is that while many worms are designed to just self-replicate, botnets have a unifying C2 (to borrow a military term) mechanism designed to organize and focus their activities.

Bot herders do not communicate directly with their drones. They communicate with botnets through what we would think of as C2 servers. If the C2 server is privately-owned and operated, this offers the herder some protection. Herders can also use a network anonymous proxy — a service that masks who they are — as an additional layer of protection. Even if law enforcement officials find, seize and search a botnet C2 server, the anonymous herder is still out there, likely salvaging and rebuilding the botnet through a backup server.

One of the traditional mechanisms for controlling botnets is Internet Relay Chat. IRC has been a common Internet communications standard for a long time. It is simple to use, flexible and easy to adapt to a variety of functions. Bot applications are programmed to connect the infected PC to an IRC server and accept commands as they are posted to the chat server, so this is a real-time C2 protocol.

Bot herders can either use existing chat services and networks or set up their own control servers by installing an IRC program that runs in the background on one of the infected PCs in the botnet.

The main disadvantage of IRC for a bot herder is that traffic is generally transmitted as clear text. This makes finding and analyzing botnet messages relatively easy if you know what to look for and have the right tools. Herders have adapted by using encryption to mask their bot commands, but any encrypted traffic will stand out among all the clear text.

Botnets may also use hypertext transfer protocol for C2. With this method, the drone browses a Web page looking for instructions. However, unlike IRC, using HTTP requires the drone to periodically refresh the command page, so herders cannot send commands in real time. HTTP has an advantage over IRC in that it is not usually blocked by firewalls and monitoring the communication will not reveal any information about other drones on the network.

Lions and Tigers and Botnets, Oh My!

Botnets give their herders a lot of power on the Internet, and it is very unlikely that most bot herders built their botnets to help analyze signals from outer space or figure out protein folding within human DNA. Botnets are weapons — and they have many uses.

Let us start with the most “weaponized” use: DDoS attacks. Botnets can attack other systems on the Internet by completely saturating their bandwidth or computing resources. While a DDoS is merely a brute force assault on a system that does not steal information or add new drones to the collective, it can take down the target site and render it essentially inoperative for very long periods of time.

The problem of defending against a DDoS is that the attack comes from thousands of different places simultaneously. There is no single source that you can identify, block or retaliate against. The easiest way to stop the attack from hitting your system is to disconnect from the Internet. Ironically, this achieves the same result as the DDoS attack: denial of service.

Bot herders have extorted money from businesses with an online presence by “DDoSing” their site and then demanding payment to stop the attack.

Another common botnet function is “click fraud.” This is where drones are commanded to visit Web pages and “click” on advertising banners. Herders use this method to steal money from online advertisers that pay a small amount of money for each click on its banner ad. Thousands of bots, each clicking a few times on various ads, can generate a lot of revenue, and since the clicks can come from thousands of drones scattered all over the world it may look like legitimate traffic to the advertisers. DDoS does not pay a bot herder’s rent, but click fraud might.

Botnets can be used to steal, store or distribute software. They can search the hard drives of their victims’ computers for software and licenses and transfer them elsewhere for duplication and distribution. Drones may also be used to store copies of pirated software. Drones can function as a distributed storage network with an aggregate storage capacity on the same scale as its aggregate bandwidth. Bots can grant the herder complete access to a drone’s file system and allow the herder to transfer any files, read any documents, or upload more malicious applications. More frighteningly, botnets can “keylog” on infected drones. Keylogging captures keyboard activity and reports keystrokes back to the bot herder.

Bots can be programmed to log keystrokes when its drone visits banking or other Web sites involving financial transactions and steal passwords and other account information. Finally, botnets are a major mechanism for spreading email spam, which some say accounts for a majority of all e-mail traffic on the Internet. In March, USA Today reported two alarming statistics in “Botnet scams are exploding,” an article by Byron Acohido and Jon Swartz.

Security firm Damballa pinpointed 7.3 million unique instances of bots carrying out nefarious activities on an average day in January — an astronomical leap from a daily average of 333,000 in August 2006. That included botnet-delivered spam, which accounted for 91% of all e-mails in early March, up from 64% last June, says e-mail management firm Cloudmark. –

If Damballa’s and Cloudmark’s data are correct, botnet activity increased by nearly 22 times in five months and nine out of every 10 e-mails sent on the Internet in March 2008 were botnet-generated spam. That would suggest that botnet growth in the last year dwarfs the most aggressive organic cancers currently known to medical science.

Four-Dimensional Warfare

I mentioned earlier that cyber warfare will require thinking in more than three dimensions. This is because, unlike physical attacks that require movement of troops or weapons through space over time, botnet attacks are not bound by normal space and time limitations. They come instantaneously and from thousands of directions simultaneously.

Even if you own a botnet of similar or larger size, you can only return fire to a limited number of drones in real time. For example, if you have 500,000 bots of your own, know the location and address of every zombie attacking you, and could neutralize one attacking drone with a DDoS attack by just 100 of your own drones, you can still only take down 5,000 of the machines attacking you. If the attacker has 6,000 zombies that leaves 1,000 zombies still active — and you have no remaining to deal with a second attack.

Botnet war in cyberspace is likely to be asymmetric, with botnets as offensive weapons, and some other more subtle or indirect methods used for defense.

Botnets are only really dangerous when the herders own large numbers of zombies. A botnet with 50,000 zombies is a serious threat, a botnet with 500 — not so much. But the best way to neutralize botnets is to keep them from forming in the first place.

Unfortunately, botnets form because malicious software infects vast numbers of unsecured systems. While we can hope everyone else patches and upgrades their systems, we cannot depend on it. All we can do is ensure that our own systems and software are defended so we don’t contribute to the problem.

Next in our arsenal is something every submariner knows: listen carefully to every sound, no matter how small. The key to dealing with botnets is finding them, and careful listening is the key. This includes:
•Using “honeypots” – baited and trapped systems to attract and collect malicious software from bots and other attacking computers.
•Monitoring instant message spam and identifying links sent to IM users that point to malicious files.
•Browsing forums and search engines for keywords related to known malicious applications and their variants.
At some point you may collect enough information to identify a botnet’s C2 methodology and control channels. If you can identify the herders, and they live in a cooperative country, send local law enforcement after them.

Final Words

Keeping your personal computing devices secure is just as important as safeguarding the network environment in the office. While we have security experts and policies to help us at work, the stakes are just as high at home, and we must be ever vigilant.

We have really just scratched the surface of botnets here, so if you want to keep current with what is going on in the world of botnets, my recommendation is to start with the Shadowserver Foundation, a volunteer watchdog group of security professionals that gather, track and report on malware, botnet activity and electronic fraud. Their mission is, “to improve the security of the Internet by raising awareness of the presence of compromised servers, malicious attackers, and the spread of malware.”

Until next time, Happy Networking!

Long is a retired Air Force communications officer who has written regularly for CHIPS since 1993. He holds a Master of Science degree in information resources management from the Air Force Institute of Technology. He is currently serving as a telecommunications manager in the Department of Homeland Security.

The views expressed here are solely those of the author, and do not necessarily reflect those of the Department of the Navy, Department of Defense or the United States government.

Related CHIPS Articles
Related DON CIO News
Related DON CIO Policy

CHIPS is an official U.S. Navy website sponsored by the Department of the Navy (DON) Chief Information Officer, the Department of Defense Enterprise Software Initiative (ESI) and the DON's ESI Software Product Manager Team at Space and Naval Warfare Systems Center Pacific.

Online ISSN 2154-1779; Print ISSN 1047-9988
Hyperlink Disclaimer