The botnet business

Kaspersky Lab, a leading developer of secure content management solutions, has published an article entitled "The botnet business" by senior virus analyst Vitaly Kamlyuk. The article describes how botnets (also known as zombie networks), which have evolved into one of the most serious information security threats, are created and operated. This article is the first in a series of publications on the botnet problem.

Botnets have been in existence for about 10 years; experts have been warning the public about the threat posed by botnets for more or less the same period. Nevertheless, the scale of the problem caused by botnets is still underrated and many users have little understanding of the real threat posed by zombie networks (that is, until their ISP disconnects them from the Internet, or money is stolen from their credit cards, or their email or IM account is hijacked).

A botnet is a network of computers which are infected with a malicious program that enables cybercriminals to remotely control infected computers. Malicious programs that are designed specifically for use in creating botnets are called bots.

Botnets have vast computing power. They are used as a powerful cyber weapon and are an effective tool for making money illegally. The owner of a botnet can control the computers which form the network from anywhere in the world – from another city, country or even another continent. Importantly, the Internet is structured in such a way that a botnet can be controlled anonymously.

The owner of an infected machine usually does not even suspect that the computer is being used by cybercriminals. Most zombie machines are home users’ PCs.

Botnets can be used by cybercriminals for conducting a broad range of malicious activities, from sending spam to attacking government networks.

Sending spam. This is the most common use for botnets, and is also one of the simplest. Experts estimate that over 80% of spam is sent from zombie computers. It should be noted that spam is not always sent by botnet owners: botnets are often rented by spammers.

According to our data, an average spammer makes $50,000 – $100,000 a year. Botnets made up of thousands of computers allow spammers to send millions of messages from infected machines within a very short space of time.

Blackmail. The second most popular method of making money via botnets is to use tens or even hundreds of thousands of computers to conduct DDoS (Distributed Denial of Service) attacks. This involves sending a stream of false requests from bot-infected machines to the web server under attack. As a result, the server will be overloaded and consequently unavailable. As a rule, cybercriminals demand payment from the server’s owner in return for stopping the attack.

Today, many companies work exclusively on the Internet. Downed servers bring business to a halt, resulting in financial losses. To return stability to servers as soon as possible, such companies are more likely to give in to blackmail than ask the police for help. This is exactly what cybercriminals are counting on, and DDoS attacks are becoming increasingly common.

DDoS attacks can also be used as a political tool. In such cases, attacks usually target servers belonging to government organizations. What makes such attacks particularly dangerous is that they can be used as provocation, with a cyber attack on one country being conducted from servers in another country and controlled from a third country.

Anonymous Internet access. Cybercriminals can access web servers using zombie machines and commit cybercrimes such as hacking websites or transferring stolen money. This activity, of course, appears to come from the infected machines.

Selling and leasing botnets. One option for making money illegally using botnets is based on leasing them or selling entire networks. Creating botnets for sale is also a lucrative criminal business.

Phishing. Addresses of phishing pages are often blacklisted soon after they appear. A botnet allows phishers to change the addresses of phishing pages frequently, using infected computers as proxy servers. This helps conceal the real address of the phishers' web server.

Theft of confidential data. This type of criminal activity will probably never lose its attraction for cybercriminals. Botnets help increase the haul of passwords (passwords to email and ICQ accounts, FTP resources, web services etc.) and other confidential user data by a factor of a thousand. A bot used to create a zombie network can download another malicious program, e.g., a password stealing (PSW) Trojan, and infect all the computers on the botnet with it, providing cybercriminals with passwords from all the infected computers. Stolen passwords are sold or used for mass infections of web pages (in the case of FTP account passwords) in order to further spread the bot program and expand the zombie network.

The botnet business

The answer to the question of why botnets keep evolving and why they pose an increasingly serious threat lies in the underground market that has sprung up around them. Today, cybercriminals need neither specialized knowledge nor large amounts of money to get access to a botnet. The underground botnet industry provides everyone who wants to use a botnet with everything they need, including software, ready-to-use zombie networks and anonymous hosting services, at low prices.

The first thing needed to create a botnet is a bot, i.e. a program that can remotely perform certain actions on a user’s computer without the user’s knowledge. Software for creating botnets can be easily purchased on the Internet by simply finding an appropriate advertisement and contacting the advertiser.

A simple web-oriented botnet requires a hosting site where a command and control center can be located. Such sites are readily available, and come complete with support and anonymous access to the server (providers of anonymous hosting services usually guarantee that log files will not be accessible to anybody, including law enforcement agencies). Advertisements like the one shown below are abundant on the Internet.

When a C&C site has been created, what’s needed next are computers infected by a bot. One option is to buy a ready-made network with somebody else’s bot installed. Since stealing botnets is a common practice, most buyers prefer to replace both the malicious programs and the command and control centers with their own, thereby gaining guaranteed control over the botnet.

Conclusion

Today, botnets are among the main sources of illegal income on the Internet and they are powerful weapons in the hands of cybercriminals. It is totally unrealistic to expect that criminals will relinquish such an effective tool. Security experts view the future with some trepidation as they anticipate the continued development of botnet technologies.

It may not only be cybercriminals who have an interest in creating international botnets. Such botnets can be used by governments or individuals to exert political pressure in tense situations. In addition, anonymous control of infected machines that does not depend on their geographic location could be used to provoke cyber conflicts. All this takes is organizing a cyber attack on one country’s servers from computers located in another country.

Networks which unite the resources of tens or hundreds of thousands, or even millions, of infected computers have the potential to be extremely dangerous – a potential which (luckily!) has not yet been fully exploited. Virtually all this cyber power stems from infected home computers, which make up the overwhelming majority of zombie machines exploited by cybercriminals.

Copyright © 1997 - 2009 Kaspersky Lab.
All rights reserved.