Abstract - Computer networks are playing a more and more important role in our everyday life. As the popularity of the Internet (the global computer network) is increasing, our dependencies on it are increasing too. There are new groups of criminals and terrorists appearing and trying to use the power of the Internet for their own goals. Besides the classic malware (malicious computer programs, like viruses, worms, and trojan horses) a new threat has appeared. Many computers in the world are infected with next generation viruses which combine classic malware functions. They infect PCs like a virus, open a backdoor like a trojan horse and provide control to the attacker. These PCs (called ”zombies” or ”bots”) can connect with each other and act as a single entity. This presentation will show how dangerous a botnet is and how criminals can use it against the entire Internet.
I.Cyber criminals, hacktivists, and cyber terrorists
People who commit crimes on the Internet have different motivations: money, fame in the hacker community or protest against certain organizations (hacktivism1). These actions need tools. Earlier, these were individual actions (cracking into computer networks, defacing web sites, etc.), but a few years ago a new, powerful threat appeared, the so called botnet.
A botnet is a network, made of infected computers (so called zombiePCs or bots), that can run coordinated, distributed functions, and share resources under the same commands. Parts of a botnet include:
Botmaster or herder: the owner of the botnet, who assigns jobs and gathers information provided by the „herd”.
C2 server: bots need a Command & Control channel. All of the bots connect to the C2 server and wait for the command (in centralized botnets, there are several new technology botnets which can operate in P2P - peer to peer- model). The C2 server receives commands from the botherder and distributes them to the botnet. In the past, the most popular C2 technology was IRC (Internet Relay Chat).
Drop server: stores data gathered by the botnet.
Botnet (herd): infected computers, workers.
Figure 1. Centralized botnet architecture
A botnet consisting of many computers provides control of its member’s resources for the botmaster. These resources can be applied for many purposes:
Abuse of advertising systems, click fraud;
Coordinated attacks, a.k.a. Distributed Denial of Service (DDoS).
The botmaster installs an application on the infected computers which can steal the owner’s personal data, and send it to the drop server. Authentication data, electronic banking codes, and credit card information can be acquired this way, which can be used directly (selling on the black market) or indirectly (attempting other actions in the name of the user).
Certain advertisers (for example: Google AdSense) do not pay for ad viewing, only for click through traffic (for example clicking on a banner). A large botnet capable of generating a significant amount of click throughs, can provide a large income to media owners.
Botnets can use the bandwidth of bots for sending unsolicited bulk emails (SPAM2). These emails aren’t efficient in general but a very large amount of emails can generate significant turnover, so there are advertisers who pay for it. There are many products (fake Rolex watches, fake diplomas, and drugs) which cannot be advertised legally. These junk emails consume a lot of resources, and everyone pays for it (Internet Service Providers include the price of bandwidth in their monthly bills). Botnets can also ”recruit” new members by junk emails.
The target (a network or a single computer or server) can be overloaded by a Denial of Service (DoS) attack, rendering normal operation impossible. Distributed Denial of Service (DDoS) is similar, but in this case many computers are involved in the attack, making defense harder.
There are several ways to commit a Denial of Service attack, but some categories can be distinguished based on the network layer where the attacker launches their actions.
Flooding is a successful computer network attack method, in the third or fourth layer of the ISO OSI3 model. There are several flooding technologies that are known, that can be divided into the following categories:
Bandwidth Consumption – Attackers try to flood the target’s Internet connection. The attacking hosts generate very heavy network traffic from and to the target’s network service, so none of the legitimate traffic can reach the target (or the target’s response time increase beyond the clients’ patience).
Malicious Packet Flood – The attacker sends specially constructed network packets to the target, causing failure in the target’s systems. If the target’s operating system is vulnerable, fewer packets are enough for a successful attack.
In this case, the attacker sends multiple normal or special requests to the target, increasing the server load. If the server gets too many requests, the response time is increased to an unacceptable value (when most visitors have to wait more than 7 seconds for a single web page to load, they do not wait and move on instead). These kinds of attacks are launched in the application layer of the ISO OSI model. Practically every application connected to the Internet can be flooded, here are a few types:
Web site Denial of Service – Web servers, like all computers, have limited resources (bandwidth, CPU speed, memory, etc.). Because of these limitations, most administrators use safe settings in web server configurations and limit the number of server processes working at the same time. If an attacker’s requests reaches this limit, the web server can’t accept new connections, so the service is no longer available. Since the World Wide Web protocol is asymmetric, a request is significally smaller than a response, which means, the attacker needs less bandwidth than the target. A typical request to the web search engines can fit in a few hundred byte size packet, but the server must examine many large databases to serve a response. Today’s typical end user Internet connection has a few hundred kilobit/s upload bandwidth. Any average bot can generate hundreds of requests per second. When this is multiplied by 1000s of bots (the size of an average botnet), the danger becomes very significant.
Mail bomb – Electronic mail (e-mail) is a very useful information service. Simple Mail Transfer Protocol (SMTP) is very simple, so a mail sender program can be written in a few kilobytes. Almost every bot client program includes an SMTP engine which is very useful for sending spam or sending infected emails. The classic mail bomb has a compressed attachment (such as a ZIP archive). This attachment is generally very large (more than 2 gigabytes in size) but includes only zeros, which can be compressed in a very efficient way, so the compressed attachment is only a few kilobytes in size. When the target mail server receives this mail, and the built-in content filter (if it has one) tries to examine the attachment, it needs to decompress the ZIP file. The decompressing needs 2 GB of memory, so if the attacker sends many mail bombs to the target, the target’s memory becomes full and its response time increases. If an attacker has a large botnet, it is possible to send so many emails that the target’s filesystem overflows very quickly.
III.History of botnets
The evolution of malware4 started with computer viruses. Running an infected program starts the virus code which makes itself resident in the computer memory. Once the virus is active, it can infect other programs in the main file system and in portable devices, so the user can carry the infection to other computers. Since the Internet era began, next generation viruses have quickly appeared, that can infect computers via email attachments or operating system vulnerabilities. These malware (called worms) can infect a very large number of computers in a few days. At the same time a new malware arrived, called ”the remote administration tool” by its authors. These applications open a backdoor to the internet, and anyone can grab control of the computer. A bot client program is basically a combination of two kinds of malware: it infects like a virus and hijacks the computer like a backdoor (sometimes called ”trojan horse”).
The first bot was created in 1989 by an IRC server administrator. It wasn’t a malicious application, just a simple game using connected computers.
The first malicious botnet client was PrettyPark, discovered in 1999. It was a real quantum leap in botnet technology, the client application was able to steal users personal information, launch Denial of Service attacks, and make file transfers to external servers. In addition, the client program was able to update itself automatically.
The next notable application was SubSeven. It had all of the features of PrettyPark but also included a keylogger (an application that saves user keystrokes) and remote access capability. The author advertised SubSeven as a remote administration tool, this was the first trojan horse.
The next generation botnet started in 2002, when a russian programmer made SDBot. It was capable of infecting Windows machines automatically, using backdoors made by SubSeven and other trojan horses, it was also open source, which meant that anyone with some level of computer programming skill could modify the source code and make a new bot client.
Nowadays, many modular bot client applications are available, the wannabe botmaster can select the necessary modules and start making a botnet.
There are two different approaches to making an infection:
Automatic infection, without the user’s cooperation;
Infection with the user’s cooperation.
A flawless software cannot be compromised from an outside network, but flawless software doesn’t exist. Every program – including operating systems – have program errors and security glitches, making it possible for an intruder to install malicious code in the computer’s memory. These holes are usually exploitable only within a certain period of time, because most software manufacturers provide security patches for known vulnerabilities.
Based on these vulnerabilities, a bot client can scan the network and infect exploitable computers.
Some notable infection types:
Conficker/Downadup worm infection.
Vulnerability in a Microsoft Windows Server service may allow the remote attacker to execute code.  This code may be a botnet client. The Conficker worm made a very large botnet (more than 10 million Windows machines) but fortunately, botmasters wanted money only, so the Conficker botnet sends SPAM mails. 
This bot client is a new threat, because it doesn’t infect computers but routers (which are basically computers too). Some ADSL6 modems and routers with MIPS7 processors have a vulnerability which allows the attacker to execute special code in the device’s memory. This code is stored in RAM and a restart deletes it from the memory but routers tipically run in 24/7 mode. This means, that every infected router can send SPAM and other junks non-stop, day and night. The first affected modem was the Netcomm NB5. 
Chuck Norris botnet.
Similar to its predecessor, Psyb0t, this worm can infect some MIPS-based routers and ADSL modems, including some D-Link devices. The malware got its name from a comment in its source code: "in nome di Chuck Norris” which means "in the name of Chuck Norris” in Italian. 
V.Notable incidents involving botnets
In December of 1995 the "Strano Network” group attacked various French government Web sites protesting against nuclear and social policies. These attackers were real people who repeatedly reloaded Web pages in their Web browsers, causing a service slow down. In this case activists (hacktivists) acted like a botnet and made a successful DDoS attack. 
DNS root servers
In February of 2007 a coordinated attack hit some DNS root server instances. DNS is a service which translates domain names (ie. www.example.com) to IP addresses, so if someone can stop this service, practically the whole Internet stops too. The analysis of this attack proves that an HTTP-based botnet controlled the action. 
Estonian cyber war
2007 Estonia DDoS attacks. In April of 2007, the Estonian government moved a Soviet World War II memorial from Tallin. The Russian minority started protesting. After some bloody incidents, the Estonian government Web sites came under attack, which lasted almost a month. The Estonian network security experts claimed that some of the attacks originated from Russian government IP adresses, but probably these were infected PCs, members of a botnet. Some sources called this incident "Cyber War I”. 
Georgian cyber war
2008 Georgia DDoS attacks. When Russia started military actions against Georgia, cyber attacks started as well. These cyber actions included the defacement of Web sites and DDoS attacks – like the attacks against Estonia just a year before. Web sites of President Mikheil Saakashvili, Georgian Ministry of Foreign Affairs and the National Bank of Georgia were defaced.
Figure 3. Picture of a defaced Georgian Web site (source: http://i.zdnet.com/blogs/georgia_ddos3.JPG)
Matthew Boyd, „Botnets”
„Vulnerability Note VU#827267”
„Kaspersky impressed with Conficker botnet's slickness”
Terry Baume, „Netcomm NB5 Botnet – PSYB0T 2.5L”
Robert McMillan (IDG News Service), „Chuck Norris botnet karate-chops routers hard”
Gunter Ollmann, VP of Research, Damballa, „The Opt-In Botnet Generation”
John Kristoff, Rodney Joffee; „Botnets and Packet Flooding DDoS Attacks on the Domain Name System”; May 29. 2007
Kertu Ruus, Cyber War I: Estonia attacked from Russia.