Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

The Beauty of Bots

8:00 AM -- Bot armies are all the rage with spammers, phishers, and click fraudsters. There's a pretty dark world of people who attempt to locate and execute commands against servers for black market trade. Over the last few months, I've come to know and love a number of spammers, not by getting to know them, but by watching what they try to do to my servers on a daily basis.

When I started my Website I got maybe 100 people a day visiting it. Now I get nearly 10,000 unique IP addresses a day. But some fraction of that number is based on robots, not legitimate users. At first that wasn't a big deal -- they were attempting to find vulnerabilities in programs that we don't even use. No harm, no foul.

After a while we noticed one detriment that we could no longer ignore: Bandwidth. Not only were the robots requesting one function from our Website, they were doing it hundreds, and in some cases, thousands of times a day.

After some tinkering, we ended up finding a few key signatures that we could block, and after a few tweaks, we were back to the normal bandwidth usage you would expect of a site with 10,000 users a day. After five days we ended up with somewhere around 3,000 unique IP addresses of worms that were themselves infected and attempting to find other sites to attack. So if you are wondering what that looks like as a percentage of our traffic, it was nearing 6 percent before we banned them!

During the investigation it became clear to me that this list could be used for other less benign purposes. Let's pretend I was an up-and-coming miscreant. There's no reason I couldn't turn this list around and re-hack into each of those machines using the exact same exploit they attempted to use on my server (since that is how they got hacked). Who doesn't want 3,000 machines at their disposal?

The best part is that it's highly targeted. You would only be attacking machines that you knew had issues with them, instead of all the noise generated by other worms. Passive listening could easily be one of the most effective ways for hackers to identify and build bot armies.

Alternately, this information could be easily used to build a robot to go back into those machines and patch them so that they can't be re-hacked using the same exploit. Although dangerous and illegal, it has been discussed on a number of occasions amongst the security community. Think of it as virulent antivirus ware, if you can imagine that. No, I'm not planning on doing this anytime soon, but the thought did cross my mind.

Bot armies are here to stay. If we don't figure out ways to combat them more effectively, the bad guys will. Trust me.

— RSnake is a red-blooded lumberjack whose rants can also be found at Ha.ckers and F* Special to Dark Reading