The Secret Life of a Bot
Botnet operators are making it tougher to tell if you've been recruited to their armies
November 13, 2007
5:55 PM -- Psst -- ever secretly wonder if your PC or laptop could be a bot?
Let's see. You probably wouldn't even have entertained that question six months or a year ago. But the sophisticated and surprisingly professional Storm mega-botnet has changed everything when it comes to these armies of zombie machines. Enterprises are waking up to the fact that they aren't immune to bot infections, and there's always that chance your kids may have exposed your home machine. (See Bots Rise in the Enterprise and The World's Biggest Botnets.)
Even if you're fastidious about patching, scanning, watching for unusual activity on your machine, and avoiding social engineering traps (and keeping your kids security-minded), you have to admit the botnet evolution is a bit unsettling.
Here are some bot numbers that will make your head spin: There are around 1.6 million active bots in peer-to-peer mode per 24-hour period, and 480,000 total bots used for spam alone during a 24-hour period, according to Damballa.
Security experts who investigate and follow botnets say they see signs of these traditionally annoying spam-spewing infrastructures being used to inflict more serious damage (think Estonia).
Trouble is, it's even getting tougher to detect bot activity on your machine. Botnet operators are not only hiding and covering their tracks from researchers and investigators hot on their trail, but they're also taking pains to keep a low profile on bot machines as well. You're more likely to find out you were a bot only when IT comes a-knocking, or when your home ISP cuts you off for "spamming."
Even watching for tell-tale signs like slow or unexplained behavior on your machine doesn't always cut it anymore, notes Alfred Huger, vice president of development for Symantec Security Response. "A lot of botnets are using CPU-rate metering, and they try not to steal too much so that you'll notice," he says. "Or they try not to steal too much bandwidth so you won't notice them."
And once they've infected a machine, some patch it so that no other botnet operators can recruit it. More interesting is how some botnet operators handle enterprise bots: "We've seen them... rope in enterprise targets, and treat them differently," Huger says. A botnet operator won't turn on the spamming feature in an enterprise bot at a big corporation, for instance. Instead, he'll let it sit "quietly" and either use it as an entry point to break into that company, or sell it to another botnet operator or cybercriminal who wants access to that company, Huger says.
Windows critics and Mac (and Linux) enthusiasts argue that botnets are really just a Windows problem, and given that the malware used by the top three botnet families -- Storm, Rbot, and Bobax -- preys on Windows vulnerabilities, they have a point. Of course, much of that has to do with the conspicuous target called Microsoft.
It's the constant populating and repopulating of these armies that's frustrating researchers, along with the way the botnets reinvent themselves to survive. Even seemingly benign adware used by botnet operators can be deployed as a weapon: Bill Guerry, vice president of product management for Damballa, says adware can quickly morph into a DDoS attack. "People think 'it's just adware, it's not a big deal,' but it is when it can be updated or rented out to a criminal organization."
The big fear is that botnet operators will sell their botnet armies to those who want to attack a government or country, security experts say. "But when they do that, they sell off or rent out part of the botnet, which would mean losing a large section of what they control," says Shane Coursen, senior technical consultant for Kaspersky Lab. "My guess is they'll want to stay smart about it... and continue to make money as they have been."
— Kelly Jackson Higgins, Senior Editor, Dark Reading