Sunday, July 15, 2007

Botnets

Contributor: Prithi Anand

The term “botnet” is used to refer to any group of bots. It is generally a collection of compromised computers (called zombie computers) running programs under a common command and control infrastructure. A botnet’s originator can control the group remotely, usually through means such as IRC, for various purposes.

The establishment of a botnet involves the following:

Exploitation: Typical ways of exploitation are through social engineering. Phishing, email, buffer overflow and instant messaging scams are common ways of infecting a user’s computer.

Infection: After successful exploitation, a bot uses Trivial File Transfer Protocol (TFTP), File Transfer Protocol (FTP), HyperText Transfer Protocol (HTTP) or an IRC channel to transfer itself to the compromised host.

Control: After successful infection, the botnet’s author uses various commands to make the compromised computer do what he wants it to do.

Spreading: Bots can automatically scan their environment and propagate themselves using vulnerabilities. Therefore, each bot that is created can infect other computers on the network by scanning IP ranges or port scanning.
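The control and spreading stages above leave two traffic patterns a network defender can look for: regular outbound connections to an IRC server, and one host fanning out to many addresses on a single port. The following is an added example (not code from the post) that flags both in netflow-style records; the record layout, the IRC port list and the thresholds are assumptions chosen for the example.

```python
"""Flag hosts whose traffic matches the control and spreading stages.

Input: constructed flow records (timestamp, src, dst, dport).
Rule 1 (spreading): one source touching many distinct hosts on one port.
Rule 2 (control):   one source connecting to the same host on an IRC
                    port at regular intervals (beaconing).
Port list, thresholds and record layout are assumptions for this example.
"""
from collections import defaultdict
from statistics import mean, pstdev

IRC_PORTS = {6667, 6697}   # assumed C2 ports; adjust to local policy
SCAN_MIN_HOSTS = 20        # distinct destinations on one port before we call it a scan
BEACON_MIN_CONNS = 4       # connections needed before judging regularity
BEACON_MAX_JITTER = 0.2    # stddev / mean of inter-connection gaps

def detect_scanners(flows, min_hosts=SCAN_MIN_HOSTS):
    """Return {(src, dport): distinct_hosts} for sources fanning out like a worm."""
    fanout = defaultdict(set)
    for _ts, src, dst, dport in flows:
        fanout[(src, dport)].add(dst)
    return {k: len(v) for k, v in fanout.items() if len(v) >= min_hosts}

def detect_beacons(flows, min_conns=BEACON_MIN_CONNS, max_jitter=BEACON_MAX_JITTER):
    """Return {(src, dst): mean_gap_seconds} for regular outbound IRC connections."""
    times = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport in IRC_PORTS:
            times[(src, dst)].append(ts)
    hits = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_conns:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits[key] = avg
    return hits

# Constructed sample: host .50 contacts an IRC server every 60 s and sweeps
# 10.0.1.0/24 on TCP 445; host .51 is ordinary HTTPS browsing.
SAMPLE_FLOWS = (
    [(60 * i, "10.0.0.50", "203.0.113.9", 6667) for i in range(6)]
    + [(100 + i, "10.0.0.50", f"10.0.1.{i}", 445) for i in range(1, 41)]
    + [(7 * i, "10.0.0.51", "198.51.100.2", 443) for i in range(5)]
)

if __name__ == "__main__":
    print("scanners:", detect_scanners(SAMPLE_FLOWS))
    print("beacons:", detect_beacons(SAMPLE_FLOWS))
```

Real traffic needs whitelisting of legitimate IRC servers and known scanners (vulnerability scanners, monitoring hosts) before the thresholds are useful.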

Scope

A botnet is nothing more than a tool, and there are many different motives for using one. One is computer surveillance: a surveillance program installed on a computer can search the contents of the hard drive for suspicious data, monitor computer use, collect passwords, and even report back to its operator through the Internet connection. Such programs are used widely by law enforcement agencies armed with search warrants, and there is also warrantless surveillance by organizations such as the NSA. Packet sniffing is the monitoring of data traffic into and out of a computer or network. Other uses may be criminally motivated (e.g. denial of service attacks, key logging, packet sniffing, disabling security applications, etc.) or for monetary purposes (click fraud).
