How bots transparently control computers
This is because his computer is infected and controlled by a bot. Generally speaking, bots (from the word robot) are small programs that contain instructions allowing them to act independently and autonomously. They are run silently and can perform a series of tasks either automatically or in response to remote commands. A computer infected by a bot therefore no longer responds entirely to its owner’s commands, but also to those of the person controlling the bot remotely.
Bots presently pose an invisible threat to countless users. Infected systems are often referred to as zombies, because of the way they are ‘possessed’ and controlled remotely.
What's more, bots are designed to infect numerous computers, which together form a network, called a botnet. The botnet is controlled by a ‘herder’, who coordinates and controls all the computers, creating a powerful network of remotely-controlled systems.
These networks are then used for a series of malicious activities, including sending spam, viruses or spyware; stealing private and personal data (credit card numbers and bank credentials) to be sent to the bot herder; carrying out distributed denial of service attacks (DDoS) on specific targets and generating profits for hackers by automating clicks on Internet adverts.
Controlling botnets
A botnet can consist of anything from just a few compromised systems to hundreds of thousands of computers. The processing capacity in these cases is therefore extremely powerful. The bot herder has complete control of the botnet and can launch all types of malicious actions using some or all of the compromised computers. Once a botnet has been constructed, it can even be hired out to criminal organisations for malicious purposes.
Each bot communicates with the botnet’s Command and Control Center (C&C), the system from which the botnet administrator controls all the zombie computers. From then on, the herder has remote administrator privileges over the infected computer from the C&C.
The herder sends instructions to the zombie computers from the C&C using various channels and protocols, including traditional methods over HTTP, more modern methods such as commands over P2P and social networks, and other methods like IRC chat channels.
The most advanced way of controlling botnets is through P2P networks, which even allows the bot herder to switch the server in order to avoid detection. Given the vast quantity of nodes and the distribution of P2P networks, disabling these types of botnets can be almost impossible. This represents the latest trend in botnet control, and although it is still not widely used, we will no doubt be seeing more of this type of technique in the future.
The largest botnets
Although the main botnets and malware families used to recruit zombies are well known, they are still difficult to combat. Some of the largest botnets include:
Zeus, the most numerous botnet, consists of hundreds of thousands of computers infected using different versions of the Zbot malware. This botnet is used primarily to carry out phishing attacks.
The Bahama botnet intercepts and steals traffic on Google and spoofs Google adverts with a view to click-fraud. This affects Google, as its traffic and the revenue from adverts decrease. Often, the fraud goes undetected and the original advertisers are the ones that lose out, as they pay for false clicks on their adverts. This botnet owes its exotic name to the fact its traffic was originally redirected through Bahamian Web domains, although it now uses sites from other countries.
After being inactive for several months, the Asprox botnet is back in business, infecting websites and attacking its victims’ PCs. It inserts JavaScript code on the hacked website. This code creates an invisible HTML element (called an iframe) which launches the attack code.
The Srizbi and Mega-D (also known as Ozdok) botnets are responsible for most of the spam circulating on the Internet. Statistics have frequently varied in the past two years, as new botnets have appeared and servers have been closed down, yet these botnets have accounted for up to 50% and 35% (respectively) of daily spam, with figures of over 60 billion spam messages a day.
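A site owner can check pages for the pattern described for Asprox above: an iframe the visitor cannot see, either written into the HTML or built by a script. The scanner below is an added example, not code from the original article; the class and function names, the heuristics and the sample page (with its .example hosts) are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Inline styles that hide an element or shrink it to 0-1 pixels.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?<![\w-])(?:width|height)\s*:\s*0*[01](?:px)?\s*(?:;|$)", re.I)
# Script text that builds an iframe at run time.
SCRIPT_IFRAME = re.compile(
    r"createElement\(\s*['\"]iframe['\"]|document\.write\([^)]*<iframe", re.I)

class HiddenIframeScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []          # (kind, line number, src)
        self._script = None         # buffered text of the current <script>
        self._script_line = 0

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._script, self._script_line = [], self.getpos()[0]
        elif tag == "iframe":
            tiny = any(a.get(k, "").strip() in ("0", "1") for k in ("width", "height"))
            if tiny or "hidden" in a or HIDDEN_STYLE.search(a.get("style", "")):
                self.findings.append(("hidden-iframe", self.getpos()[0], a.get("src", "")))

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)   # script text may arrive in pieces

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            if SCRIPT_IFRAME.search("".join(self._script)):
                self.findings.append(("script-built-iframe", self._script_line, ""))
            self._script = None

def scan(html):
    scanner = HiddenIframeScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page: one ordinary embed, one zero-size iframe, one injected script.
SAMPLE = """<html><body>
<iframe src="https://video.example/embed" width="560" height="315"></iframe>
<iframe src="http://injected.example/x" width="0" height="0"></iframe>
<script>var f=document.createElement("iframe");f.style.display="none";
f.src="http://injected.example/y";document.body.appendChild(f);</script>
</body></html>"""
```

A finding is a prompt to review the page against its last known-good copy, since legitimate widgets also create iframes from script.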
Worrying statistics
Obtaining reliable data as to the current level of zombie systems or those that belong to a specific botnet is difficult. Nevertheless, at least 100 million computers have been infected by bots and more than 150,000 systems are infected daily and become part of a botnet.
When infected computers are analysed, it is common to detect multi-infection patterns (infection by multiple malware families), meaning that a single computer can belong to more than one botnet.
The length of time that computers remain in botnets is also a concern. Although the average is around ten months, it can be as long as two years. Additionally, up to 80% of computers in botnets have been infected for over a month.
This period can vary enormously depending on the country, the user’s IT knowledge, and whether an antivirus is installed and updated frequently.
Importantly, it is not just home users that should be worried about bots and infections caused by this type of malware, as according to research, up to 25% of compromised systems belong to corporate domains. However, this percentage could be even higher, as in these cases the visible address is usually that of the Internet gateway. This gateway is used by the entire company, and it is therefore difficult to estimate the exact number of infected computers.
Not all bots are malicious
Although it may seem like all bots are malicious, this is not always the case. Bots originated on IRC, and on these chat networks bots were not designed to be used maliciously. Their purpose was to act as an automated user (robot) that kept the channel open and prevented it from being closed or controlled by external users. Some bots were specifically designed for IRC to manage channels, user names and other functions.
There are also robots used by search engines to index new pages. For example, Googlebot is the robot used by Google to automatically run through the Web pages and index their contents.
Wikipedia also uses bots for automatic editing functions. Additionally, videogames, especially online multiplayer ones, usually contain bots that are capable of playing automatically and on their own. Finally, conversation bots are used in customer services, conversing with users and replying to their queries.

