Botnets are one of the most significant network security threats facing organizations today. With their size ranging from a few thousand to well over a million compromised systems, these botnets are used by cybercriminals to conduct various malicious activities including mounting targeted attacks known as Advanced Persistent Threats (APTs).
A botnet is typically composed of a number of computers that have been infected with malicious software that establishes a network connection with a controlling system or systems, known as Command and Control (C&C) servers. Various communication protocols have been used for these connections, including Internet Relay Chat (IRC), HTTP, ICMP, DNS, SMTP, SSL, and in some cases custom protocols created by the botnet software authors. Once under control of the C&C server, the botnet can be directed by the bot herder to conduct tasks such as infecting more machines to add to the botnet, mass spam emailing, DDoS attacks, and theft of personal, financial, and enterprise-confidential data from the bots in the botnet.
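The persistent connection a bot keeps with its C&C server, described above, tends to show up in connection logs as regularly spaced call-backs from one internal host to one external endpoint. The following added example (not Check Point's code) flags such beacon-like flows by measuring how uniform the inter-connection intervals are; the log records, IP addresses, port numbers and thresholds are constructed for illustration.

```python
"""Flag beacon-like call-back patterns in connection logs.

Constructed example: scheduled C&C check-ins produce near-constant gaps
between connections, while human-driven traffic is bursty and irregular.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample connection log: (epoch_seconds, src_ip, dst_ip, dst_port, proto)
SAMPLE_LOG = [
    # host .20 calls back to the same IRC endpoint roughly every 60 s (small jitter)
    (1000, "10.0.0.20", "203.0.113.5", 6667, "tcp"),
    (1061, "10.0.0.20", "203.0.113.5", 6667, "tcp"),
    (1119, "10.0.0.20", "203.0.113.5", 6667, "tcp"),
    (1180, "10.0.0.20", "203.0.113.5", 6667, "tcp"),
    (1240, "10.0.0.20", "203.0.113.5", 6667, "tcp"),
    # host .31 is a user browsing one site: bursts and long idle gaps
    (1000, "10.0.0.31", "198.51.100.7", 443, "tcp"),
    (1005, "10.0.0.31", "198.51.100.7", 443, "tcp"),
    (1400, "10.0.0.31", "198.51.100.7", 443, "tcp"),
    (1402, "10.0.0.31", "198.51.100.7", 443, "tcp"),
    (2100, "10.0.0.31", "198.51.100.7", 443, "tcp"),
]


def find_beacons(log, min_connections=4, max_cv=0.2):
    """Return {(src, dst, port): mean_interval_seconds} for flows whose
    inter-arrival times are regular enough to look like scheduled call-backs.

    Regularity is measured as the coefficient of variation (stdev / mean) of
    the gaps between consecutive connections; at or below max_cv is flagged.
    """
    times = defaultdict(list)
    for ts, src, dst, port, _proto in log:
        times[(src, dst, port)].append(ts)

    beacons = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_connections:
            continue  # too few observations to judge periodicity
        ts_list.sort()
        gaps = [later - earlier for earlier, later in zip(ts_list, ts_list[1:])]
        avg_gap = mean(gaps)
        if avg_gap > 0 and pstdev(gaps) / avg_gap <= max_cv:
            beacons[key] = avg_gap
    return beacons


if __name__ == "__main__":
    for (src, dst, port), interval in find_beacons(SAMPLE_LOG).items():
        print(f"beacon-like: {src} -> {dst}:{port} every ~{interval:.0f}s")
```

Real deployments would feed this from firewall or NetFlow exports and tune `min_connections` and `max_cv` to the environment, since legitimate software updaters also poll on fixed schedules and need allow-listing.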

As an example of how powerful a botnet can be, the "Rustock" botnet's bot army was generating up to 14 billion spam emails per day before it was dismantled in a joint operation between U.S. federal law enforcement and Microsoft in March 2011.
The first bot, "GMBot", was not malicious—it was created in the late 1980s to emulate a live person in Internet Relay Chat (IRC) sessions. However, around 1999 bots emerged that were designed with harmful intentions; Sub7 and Pretty Park used IRC as a Command and Control channel.
Subsequent bots grew more sophisticated, and in some cases were commercialized as products; the Zeus bot of 2006 originally sold for several thousand dollars. IRC was replaced by protocols such as HTTP, ICMP, and SSL for command and control of a network of compromised systems.
