Tuesday, 1 May 2012
Botnets
The main drivers for botnets are recognition and financial gain.
The larger the botnet, the more ‘kudos’ the herder can claim to have
among the underground community. The bot herder will also ‘rent’ the
services of the botnet out to third parties, usually for sending out
spam messages or for performing a denial of service attack against a
remote target. Due to the large number of compromised machines
within the botnet, huge volumes of traffic (either email or denial of
service) can be generated. However, in recent times the volume of
spam originating from a single compromised host has dropped in order
to thwart anti-spam detection algorithms: a larger number of
compromised hosts each send a smaller number of messages, so that no
single host stands out to anti-spam techniques.
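The shift described above, seen from the detection side, as an added example that is not part of the original post: a per-host volume threshold catches one noisy sender but misses many hosts that each send a few messages, while grouping identical messages across senders exposes the campaign. The record format, fingerprints, IP addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict


def build_sample():
    """Constructed mail-gateway records: (source_ip, message_fingerprint)."""
    records = []
    # One noisy host sending 500 copies of one message (high per-host volume).
    records += [("198.51.100.7", "fp-loud")] * 500
    # 300 hosts sending only 3 copies each of the same message (low per-host volume).
    for i in range(300):
        records += [(f"10.0.{i // 250}.{i % 250 + 1}", "fp-quiet")] * 3
    # 40 ordinary senders, each sending 5 distinct messages.
    for i in range(40):
        records += [(f"192.0.2.{i + 1}", f"fp-legit-{i}-{n}") for n in range(5)]
    return records


def per_host_alerts(records, max_per_host=100):
    """Classic check: flag any single source that exceeds a message count."""
    counts = defaultdict(int)
    for ip, _fp in records:
        counts[ip] += 1
    return {ip for ip, n in counts.items() if n > max_per_host}


def campaign_alerts(records, min_hosts=50):
    """Flag a message fingerprint seen from many distinct sources,
    regardless of how few messages each source sent."""
    hosts = defaultdict(set)
    for ip, fp in records:
        hosts[fp].add(ip)
    return {fp: len(ips) for fp, ips in hosts.items() if len(ips) >= min_hosts}


if __name__ == "__main__":
    sample = build_sample()
    print("per-host threshold flags:", per_host_alerts(sample))
    print("cross-host grouping flags:", campaign_alerts(sample))
```

The per-host check reports only the single loud sender; the distributed campaign surfaces only when messages are grouped across sources.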
Botnets have become a significant part of the Internet, albeit
increasingly hidden. Because most conventional IRC networks have taken
measures to block access to previously hosted botnets,
controllers must now find their own servers. Often, a botnet will
include a variety of connections and network types. Sometimes a
controller will hide an IRC server installation on an educational or
corporate site, where high-speed connections can support a large
number of other bots. This method of using a bot to
host other bots has proliferated only recently, as most script kiddies
do not have the knowledge to take advantage of it.
Several botnets have been found and removed from the Internet. The
Dutch police found a 1.5 million node botnet and the Norwegian ISP
Telenor disbanded a 10,000-node botnet. In July 2010, the FBI
arrested a 23-year-old Slovenian held responsible for the malicious
software that integrated an estimated 12 million computers into a
botnet. Large coordinated international efforts to shut down botnets
have also been initiated. It has been estimated that up to one quarter
of all personal computers connected to the Internet may be part of a
botnet.
Botnet lifecycle
Tuesday, 1 May 2012 by w4r-b0y · 0