Tracking Bot Networks

This is a fascinating piece of research on bot networks: networks of compromised computers that can be remotely controlled by an attacker. The paper details how bots and bot networks work, who uses them, how they are used, and how to track them.

From the conclusion:

In this paper we have attempted to demonstrate how honeynets can help us understand how botnets work, the threat they pose, and how attackers control them. Our research shows that some attackers are highly skilled and organized, potentially belonging to well organized crime structures. Leveraging the power of several thousand bots, it is viable to take down almost any website or network instantly. Even in unskilled hands, it should be obvious that botnets are a loaded and powerful weapon. Since botnets pose such a powerful threat, we need a variety of mechanisms to counter it.

Decentralized providers like Akamai can offer some redundancy here, but very large botnets can also pose a severe threat even against this redundancy. Taking down of Akamai would impact very large organizations and companies, a presumably high value target for certain organizations or individuals. We are currently not aware of any botnet usage to harm military or government institutions, but time will tell if this persists.

In the future, we hope to develop more advanced honeypots that help us to gather information about threats such as botnets. Examples include Client honeypots that actively participate in networks (e.g. by crawling the web, idling in IRC channels, or using P2P-networks) or modify honeypots so that they capture malware and send it to anti-virus vendors for further analysis. As threats continue to adapt and change, so must the security community.

Posted on March 14, 2005 at 10:46 AM9 Comments


Israel Torres March 14, 2005 11:22 AM

The more botnets are probed the more they will sink back into the pit. Right now they are very visible due to the easy setup and mechanisms required (read: lazy). However they have the ability to get really complex and difficult to track if effort is put forth.

Israel Torres

Bruce Schneier March 14, 2005 8:20 PM

“We’ve heard all the talk about ‘cyberterrorism’. Well, this is it.”

Actually; it’s not. The difference between this sort of network hooliganism and terrorism is enormous. (And actually, we’re seeing these bot networks being used for crime: extortion mostly. That’s cybercrime, not cyberterrorism.

scosol March 14, 2005 8:28 PM

hmmm, i just finished up a presentation specifically about DOS prevention in a distributed-provider enviironment-
(i work for one of said distributed providers)
redundancy is not all that is provided here, some problems with botnet DOS attacks are completely eliminated, but some others emerge.
i’ll talk to some people internally and see if i can share it with you…

Spamhuntress March 15, 2005 6:01 AM

I get probed incessantly. Thankfully, the firewall stops it. But I have friends that don’t have any protection, and who have sharing enabled…

And the ISP’s don’t care.

I’ve also seen botnets used for trackback spam runs. In contrast to spammers using proxies, the botnet spam runs are often brief and intense. I keep wondering if the spammer leases the botnet for a finite time period?

Ryan March 15, 2005 8:55 AM

I hear everybody here screaming crime, but are there any documented cases where someone has actually used a botnet to blackmail someone, or is this just FUD?

It’s probably been done already, but I’m not sure if it’s been done on the scale the media purport. Am I right in thinking that most botnets are used by script kiddies with infiriority complexes, or am I wrong here?

Timm Murray March 15, 2005 1:52 PM

I wonder if this information could be used to shut botnets down. Let’s say you’ve got your honeypot setup and have allowed it to be infected. You analyze the traffic and figure out how to get on the bot network yourself. You also find out the bot command for the bots to update themselves to a new revision.

Now you setup your own update, get on the bot server, and issue the command to update from your own server (the update commands shown seem to allow any HTTP URI to be specified). The bot network disappears as soon as the update is applied.

The question is what your update should do. This is walking rather close to vigilante justice. It could potentially:

  • Do nothing
  • Popup a simple window informing the user that their machine has been infected
  • Download and apply patches

Personally, I’d never go as far as trying to patch another person’s machine. But “Do nothing” leaves the machine open for the next attacker. Informing a user (perhaps with a link to a website for more information) seems the best option.

Also, by killing the bot net, you destroy any information you could have gotten out of it, such as the identity of the owner.

I suspect that in time, malware writers will stop using the (stripped-down) IRC protocol and use another simple RPC protocol. As the paper states, IRC is bloated (even in this simplified form) for this task. Switching to another (perhaps custom) RPC protocol will make anaylisis harder, but not substantially so.

UnderSiege March 16, 2005 9:37 AM

Our company has been the recipient of 14 DDOS/Extortion attempts over the last 9 months.

These aren’t script kiddies.. The trails lead to Russia.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.