Keeping your computer safe while connected to the Internet is
becoming more and more difficult. The "attackers" are becoming
more sophisticated and are sharing more ways to get their
software into your computer. Business Week recently ran an
article on the major security problems expected in 2008.
Unfortunately, most of them arrived long before the new year
started. We have been warned for years that it was possible to
recruit unprotected computers into networks that could be
controlled by an external source. This recruitment network
problem has gotten much worse over the past few years. It is
estimated that 7% of the computers connected to the Internet
have been infected with a Botnet program. So what is a "Botnet"?
A robot or "bot" software program allows a computer to be
remotely controlled without the knowledge of the computer's
owner. When you have a number of "bot" controlled computers it
is referred to as a "botnet". All of the computers in the botnet
carry out commands issued by the network controller. Just one
example of what can be done with a botnet is the sending of
spam. The controller can easily have 100,000 computers in its
network. So the botmaster will contract to send out one million
e-mail messages. The network can then send ten messages from
each of the compromised computers. With the constant connection
to the Internet using cable or DSL the computer owner will have
no idea that his/her computer has been the source for ten spam
messages.
Now you might say that the idea that someone can control 100,000
computers in a botnet is ridiculous. However, as of October 2007
a major Internet security service had the IP addresses of over
12 million computers that were infected with bot software. There
is also a newer threat called the Storm Worm botnet that has
infected millions of computers just this year. In addition to
its computer recruiting ability, it has built-in defenses that
are preventing security services from analyzing it. In an E-Week
article it was noted that "... Storm worm is sending DDoS attacks
to not only the researchers looking into it but to anybody on
their subnet, within 5 seconds of (their) initiating efforts to
fight it or examine it". A DDoS attack is a "distributed denial
of service" which can bring down a computer system or network by
overwhelming it with messages. A very large volume of messages
is sent by the botnet in a very short period of time. It is
estimated that the Storm net controls over one million
computers. This would make it the most powerful supercomputer in
the world, exceeding the computing power of all previous
computers.
People frequently wonder why anyone would want to produce
viruses, worms and other kinds of Internet attacks. Years ago it
was primarily because "they could do it". Today, it has become a
real source of financial gain. Let's take a look at one
financial resource created by controllers of botnets. On many
web pages you find ads of various types that are sponsored by
Google. When these ads are clicked, the advertiser pays Google
who, in turn, pays the owner of a web page, usually 80% of the
fee. So the botmaster sets up a web page and contracts with
Google to display ads. Then, using the botnet, the botmaster sends commands to
the computers in its net to click on the ads. This results in
payments to the botmaster. So even with a small botnet of say
5,000-10,000 computers, the botmaster can easily obtain
$15,000-$20,000 per month in fraudulent payments. When you
consider that the known botnets all have more than 100,000
compromised systems, you get a better idea of the scale of the
fraud involved. This type of click fraud has been estimated to
make up 5-20% of the payments made by search companies.
Another use of large botnets is extortion. The botmaster can
send an e-mail to a corporation warning that a DDoS will take
place at a specific time unless a payment is made. As I
mentioned earlier, spam e-mail contracts are also a source of
revenue for botmasters. As these networks proliferate, the sale
of the IP addresses of robotically controlled computers is also
favored as an income source.
So far it would appear that the only persons affected by botnets
would be corporations. However, if your computer is infected,
everything you do can be reported to the botmaster. Bots can
incorporate "keylogger" software. That will record keystrokes,
especially any related to passwords, user names or other
desirable information. Another function of bot software is
screen capture. It can record an entire screen and transmit the
data to the botmaster. A compromised computer can also be used
as a base for finding other unprotected computers to be
recruited into the net. Another consideration is that the
largest number of computers are those in the hands of private
individuals. So you may be a major part of the problem if your
computer is infected by a bot.
Once a computer has been compromised, the bot software is
usually designed to hide and protect itself. For example it will
search for and disable any other malware located on the computer
or its associated network. It may also hide itself by means of a
rootkit. It may also block updates of any anti-virus or anti-spyware
software. It may even fake the process so the user believes that
an update has taken place. One of the most common modifications
involves changes to the Windows hosts file, or changing the
location of the hosts file and altering the registry to match.
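The hosts-file tampering described above is something you can check for yourself. The following script is an added example, not part of the article: it reads the registry value Windows uses to locate the hosts file and reports whether it still holds the stock location, then parses the file and flags any line that maps a security-update host to loopback (updates silently blocked) or to some other address (updates hijacked). The list of watched update hosts and the sample hosts-file content are constructed for illustration; substitute the update hosts of the products you actually run.

```python
"""Added example, not from the article: audit the Windows hosts file
and its registry-configured location for the kind of tampering bots use
to block or fake security updates. Watched hosts and sample content are
constructed for illustration."""
import os
import sys

# Registry value Windows reads to find the hosts file, and its stock value.
TCPIP_PARAMS = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
DEFAULT_DATABASE_PATH = r"%SystemRoot%\System32\drivers\etc"

# Hypothetical list of update hosts a defender cares about; replace with
# the real update hosts of your anti-virus and anti-spyware products.
WATCHED_HOSTS = (
    "update.microsoft.com",
    "windowsupdate.com",
    "example-av.test",          # placeholder for your anti-virus vendor
)
LOOPBACK_OR_NULL = {"127.0.0.1", "0.0.0.0", "::1"}


def hosts_file_location():
    """Return (path, registry_value_is_default). On non-Windows systems
    the registry check is skipped and /etc/hosts is returned."""
    if sys.platform != "win32":
        return "/etc/hosts", True
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, TCPIP_PARAMS) as key:
        value, _ = winreg.QueryValueEx(key, "DataBasePath")
    is_default = value.lower() == DEFAULT_DATABASE_PATH.lower()
    return os.path.join(os.path.expandvars(value), "hosts"), is_default


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in the file text;
    comments and blank lines are skipped, one IP may map several names."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower(), line_no


def is_watched(name):
    """True if the name is a watched update host or a subdomain of one."""
    return any(name == h or name.endswith("." + h) for h in WATCHED_HOSTS)


def suspicious_entries(text):
    """A clean hosts file never needs to pin a vendor's update domain:
    mapping it to loopback silently blocks updates, mapping it anywhere
    else hands the update channel to whoever controls that address."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if is_watched(name):
            kind = "blocked" if ip in LOOPBACK_OR_NULL else "redirected"
            findings.append({"line": line_no, "host": name, "ip": ip, "kind": kind})
    return findings


# Constructed sample: a normal hosts file plus two injected lines.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.microsoft.com     # injected: silently blocks updates
203.0.113.7     download.example-av.test # injected: hijacks AV definitions
"""

if __name__ == "__main__":
    path, untouched = hosts_file_location()
    print(f"hosts file: {path} (registry location is default: {untouched})")
    # Pass a file path to scan a real hosts file; otherwise the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for f in suspicious_entries(text):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['kind']})")
```

Run it with no arguments to see the two injected lines flagged, or give it the path printed on the first line to check your own machine. A registry location that is no longer the default is itself worth investigating, because nothing in normal Windows administration changes it.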
There are also some traps on the Internet that can lead a user
to download bot (Trojan) software without realizing it. Phishing
e-mail can lead to web pages that have automatic download links
for bot software. Web pages can be hijacked and links added to
lead the viewer to web sites that contain "free" software links
that are actually hidden bot programs. Bot programs are
incorporating "social engineering" functions which serve to
entice users to unknowingly download malware. People are the
weakest link in the security chain. E-mail, web pages, instant
messaging, social contact web sites are all used by bot malware
as a means of collecting information and linking to compromised
computers.
Many times the actions of a computer user are governed by visual
cues. An attacker may take advantage of this by providing false
visual cues on a web page or a pop-up. If the dialog box or
pop-up is intrusive the user may click inappropriately just to
get rid of the intruder. This can lead to the download of a bot.
So how do you know if you've been infected? The easiest way to
tell is related to how you have been protecting your computer
from infection. Do you have all of the following?
- a hardware firewall.
- a software firewall that checks both incoming and outgoing
messages.
- anti-virus software that is updated at least daily.
- anti-spyware software that you either run weekly or that runs
in RAM constantly.
- Windows software patches that are kept up to date.
If you don't use any of these safety mechanisms, then your
machine is almost 100% guaranteed to be compromised. Even if you
have taken all of these precautions, you can still be infected.
However, the most effective mechanism for dealing with bots is
to prevent their getting into your computer. So you have to keep
the software up to date and you have to use it.
Ideally, your firewall hardware/software combination should keep
you invisible on the Internet. Bot programs are constantly
searching for unprotected computers with open ports. You may not
be aware that your computer has over 64,000 ports that can be
used for communication. The most commonly used are the ports in
the lower range, under 1,024. However, some bots use high end
ports (>60,000) for transmission of commands. One place you can
check your computer's ports and whether it is visible on the Internet
is www.GRC.com. The Gibson Research site provides a free port
scan and much good information on interpreting the findings as
well as how to protect your system.
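An external scan such as the one above tells you what the Internet can see; it is also worth knowing what your own machine is offering. The script below is an added example, not part of the article or the GRC service: it reads the output of the ordinary netstat command, lists every TCP port the machine is listening on, and classifies each one against an allow-list, calling out ports above 60,000 separately because the article notes that some bots take their commands there. The allow-list and both samples of netstat output are constructed; edit EXPECTED_LISTENERS to match the services your computer is supposed to provide.

```python
"""Added example, not from the article: inventory the TCP ports this
machine is listening on from `netstat -an` output and classify each one.
The allow-list and sample netstat text are constructed for illustration."""
import re
import subprocess

# IANA ranges: well-known 0-1023, registered 1024-49151, dynamic 49152-65535.
# The article notes that some bots take commands on ports above 60,000.
HIGH_PORT_THRESHOLD = 60000

# Hypothetical allow-list of services this host is meant to offer.
EXPECTED_LISTENERS = {135, 139, 445, 3389}

# Matches both the Windows ("TCP ... LISTENING") and Unix ("tcp ... LISTEN")
# layouts; the optional group skips the Recv-Q/Send-Q columns on Unix.
LISTEN_RE = re.compile(
    r"^\s*tcp6?\s+(?:\d+\s+\d+\s+)?(\S+):(\d+)\s+\S+\s+LISTEN(?:ING)?\b",
    re.IGNORECASE,
)


def parse_listeners(netstat_text):
    """Return a sorted list of (local_address, port) for listening sockets."""
    found = set()
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            found.add((m.group(1), int(m.group(2))))
    return sorted(found, key=lambda entry: (entry[1], entry[0]))


def classify(port, expected=EXPECTED_LISTENERS):
    """'expected' if allow-listed, 'high-port' if in the range the article
    flags, otherwise 'unexpected' (find the owning process before trusting it)."""
    if port in expected:
        return "expected"
    if port >= HIGH_PORT_THRESHOLD:
        return "high-port"
    return "unexpected"


def audit(netstat_text, expected=EXPECTED_LISTENERS):
    """One (port, verdict) pair per distinct listening port, ascending."""
    ports = sorted({port for _, port in parse_listeners(netstat_text)})
    return [(port, classify(port, expected)) for port in ports]


def live_netstat():
    """Run the local netstat; the -a and -n switches exist on Windows
    and on most Unix-likes, so the same call serves both."""
    return subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout


# Constructed sample in the Windows layout: two expected listeners,
# one unexpected web port and one high port.
SAMPLE_WINDOWS = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:61337          0.0.0.0:0              LISTENING
  TCP    192.0.2.10:49771       203.0.113.5:443        ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
"""

# Constructed sample in the Unix layout (same parser).
SAMPLE_UNIX = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp        0      0 192.0.2.10:51234        203.0.113.5:443         ESTABLISHED
"""

if __name__ == "__main__":
    # Swap SAMPLE_WINDOWS for live_netstat() to audit the machine you are on.
    for port, verdict in audit(SAMPLE_WINDOWS):
        print(f"{port:>5}  {verdict}")
```

An "unexpected" or "high-port" verdict is a prompt to identify the owning process (netstat -b on Windows, or Task Manager), not proof of infection; legitimate software uses high ports too. The point is that you should be able to account for every listener.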
Ideally the anti-virus and anti-spyware software would be able
to find and remove any bot software that made its way onto your
computer. However, this software needs to know the "signature"
of the malware in order to identify it. So the producers of the
malware are always a step ahead of the good guys. The security
services have to find and disassemble the new malware before
they can devise the protection against it. So it is up to the
user to keep the security software as current as possible to
reduce the chances of infection. Like it or not, security on the
Internet is a never ending battle.
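The signature problem described above can be seen in miniature. The following script is an added example, not part of the article or of any anti-virus product: it holds two kinds of signature, a file hash and a byte pattern, and runs them over a constructed "known" sample, two constructed variants of it, and a constructed benign file. The hash catches only the exact file that was analysed, the byte pattern survives a repacking of the code but not a change to the pattern itself, and only a definition update catches the second variant. Nothing here is real malware; every sample and signature is constructed for the demonstration.

```python
"""Added example, not from the article: a miniature signature scanner
showing why detection lags the malware author. All samples and
signatures are constructed; nothing here is real malware."""
import hashlib

# Constructed stand-in for a captured bot binary: a stub header, a
# command-channel marker string, and some "code" bytes.
KNOWN_SAMPLE = (b"MZ\x90\x00" + b"\x00" * 28
                + b"BOT_CMD_CHANNEL_v1" + b"\xde\xad\xbe\xef" * 4)
# Author tweaks the code region only: same marker, different hash.
VARIANT_REPACKED = KNOWN_SAMPLE.replace(b"\xde\xad\xbe\xef", b"\xfe\xed\xfa\xce")
# Author also changes the marker: neither existing signature applies.
VARIANT_V2 = VARIANT_REPACKED.replace(b"CHANNEL_v1", b"CHANNEL_v2")
# A harmless file with the same stub header.
BENIGN = b"MZ\x90\x00" + b"\x00" * 28 + b"Hello from a harmless program"

# Definitions as a vendor would ship them after analysing KNOWN_SAMPLE.
HASH_SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Bot.Constructed.A"}
BYTE_SIGNATURES = {b"BOT_CMD_CHANNEL_v1": "Bot.Constructed.A"}


def scan(data, hash_db=HASH_SIGNATURES, pattern_db=BYTE_SIGNATURES):
    """Return a sorted list of (method, name) for every signature that
    fires. An empty list means 'unknown', which is not the same as 'clean'."""
    hits = set()
    digest = hashlib.sha256(data).hexdigest()
    if digest in hash_db:
        hits.add(("hash", hash_db[digest]))
    for pattern, name in pattern_db.items():
        if pattern in data:
            hits.add(("pattern", name))
    return sorted(hits)


def with_update(pattern_db, new_pattern, name):
    """A definition update: the vendor has disassembled the new variant
    and added a pattern for it. Returns a new db; the old one is untouched."""
    updated = dict(pattern_db)
    updated[new_pattern] = name
    return updated


def detection_report():
    """For each sample, whether the old and the updated definitions catch it."""
    v2_db = with_update(BYTE_SIGNATURES, b"BOT_CMD_CHANNEL_v2", "Bot.Constructed.B")
    samples = {"known": KNOWN_SAMPLE, "repacked": VARIANT_REPACKED,
               "v2": VARIANT_V2, "benign": BENIGN}
    return {label: {"old_defs": bool(scan(d)),
                    "new_defs": bool(scan(d, pattern_db=v2_db))}
            for label, d in samples.items()}


if __name__ == "__main__":
    for label, result in detection_report().items():
        print(f"{label:>9}: old definitions {result['old_defs']}, "
              f"updated definitions {result['new_defs']}")
```

The "v2" row is the whole argument of the paragraph above: until the vendor has analysed the new variant and pushed a definition for it, the scanner reports nothing, and a user whose definitions are a week old is running the "old definitions" column.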
Dr. Lewis is a former university and medical school professor of
physiology. He has been working with personal computers for over
thirty years, developing software and assembling systems.
This article has been provided personally by the
author solely for publication by APCUG member groups. All other uses
require the permission of the author (see e-mail address above).