Botnets are not a new threat, but they are a serious one. Amassing the resources of possibly millions of compromised PCs, attackers use that combined power for all sorts of nefarious activities.
Since their inception, botnets have been one of the more difficult threats to neutralize, and new and innovative techniques are making this malware even more difficult to stop.
Bots: the building blocks of botnets
Bots — shorthand for “robots” — are not inherently malicious and come in various forms, such as web crawlers, Internet bots, chat bots, IRC bots, and gaming bots. Search engines, for example, use bots as web crawlers — small apps that sweep up information about other websites. IT admins could use them to automate or remotely initiate specific tasks.
Bots can emulate human interactions on computers — though at much faster speeds than true human interactions. For purposes of this discussion, bots are applications installed on personal computers. They typically monitor a designated Internet Relay Chat (IRC; more info) channel for specified commands. They then act on those commands.
It didn’t take long for cyber criminals to see the potential power in bots. If a bot can perform remote tasks for admins, it can also execute malicious code on behalf of an attacker. They also discovered that their malicious bots could be easily scaled, quickly compromising and linking tens of thousands or even hundreds of thousands of PCs.
Once infected, those systems would join a botnet, quietly monitoring an IRC channel — and wait for instructions. (For Star Trek fans, the Borg will immediately come to mind.)
Taking control starts with phoning home
In most cases, when a botnet executable compromises a PC, its first action is to connect with an Internet-based command-and-control (C&C) server and request instructions. Usually, it’s directed to download additional malware components — code that will help the botnet remain hidden on the compromised system. It might also be instructed to download malicious code that a cyber criminal wants spread to other systems.
After that initial activity is completed, the bot typically lies dormant in the PC, quietly waiting for new commands from the C&C server. That reliance on Web-based servers makes a botnet relatively easy to disable. If you can locate the malicious server and either block it or take it offline, you effectively render the botnet useless — even if every bot-infected system is still technically compromised.
Effectively, cutting off the head kills the snake.
Due to their sheer numbers, it should be no surprise that Windows machines make up the bulk of botnet-compromised personal computers. In recent years, Microsoft has worked closely with the U.S. Federal Bureau of Investigation and Department of Justice to hunt down and close major botnets — by going after malicious C&C servers.
Distributing botnet command-and-control
Cyber criminals are nothing if not resourceful. Faced with a rising tide of C&C shutdowns, they simply came up with a more innovative approach…
Read the full article at WindowsSecrets.com (subscription required): Botnet innovation: Resistance is (nearly) futile.