Attack of the 50 foot Botnet Monster

Yes the title is a little dramatic, but I wanted to bring attention to a recent Microsoft report, Security Intelligence Report (SIR) volume 9, which covers the period from January through June 2010. The report, based on data received from more than 600 million systems worldwide and internet services, singles out botnets as the single greatest source of cybercrime in the world today.

Based on the importance of the topic, today we begin a 4-part series on botnets: what they are, how they attack and what you can do to defend against them.

What is a botnet?

For the purposes of this analysis, the Security Intelligence Report defines a botnet as a network of computers that can be illicitly and secretly controlled at will by an attacker and commanded to take a variety of actions. Under this definition, a trojan downloader that is only designed to download arbitrary files and cannot otherwise be controlled by the attacker would not be considered a bot. Microsoft desktop anti-malware products removed bots from 6.5 million computers around the world in 2Q10.

Computers in a botnet, called nodes or zombies, are often ordinary computers sitting on desktops in homes and offices around the world. Typically, computers become nodes in a botnet when attackers illicitly install malware that secretly connects the computers to the botnet and they perform tasks such as sending spam, hosting or distributing malware or other illegal files, or attacking other computers.

botnetatack resized 600

Attackers usually install bots by exploiting vulnerabilities in software or by using social engineering tactics to trick users into installing the malware. Users are often unaware that their computers are being used for malicious purposes.

By keeping a low profile, bots are sometimes able to remain active and operational for years. The growth of always-on Internet services such as residential broadband has aided bot-herders by insuring that a large percentage of the computers in the botnet are accessible at any given time. Botnets are also attractive to criminals because they provide an effective mechanism for covering the tracks of the botnet herder—tracing the origin of an attack leads back to the hijacked computer of an innocent user, which makes it difficult for investigators to proceed further.

The botnet world is divided between bot families that are closely controlled by individual groups of attackers and bot families that are produced by malware kits. These kits are collections of tools, sold and shared within the malware underground, that enable aspiring bot-herders to assemble their own botnet by creating and spreading customized malware variants.

Bot operators use several tactics to attack organizations, companies, and individuals in an effort to achieve their goals. Being aware of and understanding the different attacking mechanisms can help IT and security professionals gain a deeper understanding of the nature of the botnet, the purpose behind it, and sometimes even the origin of the attack.

Next blog: How botnets attack