Bot Networks

What could you do if you controlled a network of thousands of computers -- or, at least, could use the spare processor cycles on those machines? You could perform massively parallel computations: model nuclear explosions or global weather patterns, factor large numbers or find Mersenne primes, or break cryptographic problems.

All of these are legitimate applications. And you can visit distributed.net and download software that allows you to donate your spare computer cycles to some of these projects. (You can help search for Optimal Golomb Rulers -- even if you have no idea what they are.) You've got a lot of cycles to spare. There's no reason that your computer can't help search for extraterrestrial life as it, for example, sits idly waiting for you to read this essay.

The reason these things work is that they are consensual; none of these projects download software onto your computer without your knowledge. None of these projects control your computer without your consent. But there are lots of software programs that do just that.

The term used for a computer remotely controlled by someone else is a "bot". A group of computers -- thousands or even millions -- controlled by someone else is a bot network. Estimates are that millions of computers on the internet today are part of bot networks, and the largest bot networks have over 1.5 million machines.

Initially, bot networks were used for just one thing: denial-of-service attacks. Hackers would use them against each other, fighting hacker feuds in cyberspace by attacking each other's computers. The first widely publicized use of a distributed intruder tool -- technically not a botnet, but practically the same thing -- was in February 2000, when Canadian hacker Mafiaboy directed an army of compromised computers to flood CNN.com, Amazon.com, eBay, Dell Computer and other sites with debilitating volumes of traffic. Every newspaper carried that story.

These days, bot networks are more likely to be controlled by criminals than by hackers. The important difference is the motive: profit. Networks are being used to send phishing e-mails and other spam. They're being used for click fraud. They're being used as an extortion tool: Pay up or we'll DDoS you!

Mostly, they're being used to collect personal data for fraud -- commonly called "identity theft." Modern bot software doesn't just attack other computers; it attacks its hosts as well. The malware is packed with keystroke loggers to steal passwords and account numbers. In fact, many bots automatically hunt for financial information, and some botnets have been built solely for this purpose -- to gather credit card numbers, online banking passwords, PayPal accounts, and so on, from compromised hosts.

Swindlers are also using bot networks for click fraud. Google's anti-fraud systems are sophisticated enough to detect thousands of clicks by one computer; it's much harder to determine if a single click by each of thousands of computers is fraud, or just popularity.
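The asymmetry described above, as an added example that is not part of the original essay: a per-source click threshold run over constructed click logs. The addresses, the ad identifier and the threshold value are assumptions made for illustration, and the code does not represent any real anti-fraud system.

```python
"""Added illustration: per-source click thresholds vs. distributed clicks.

All addresses, the ad identifier and the threshold are constructed for this
example; nothing here describes a real anti-fraud system.
"""
from collections import Counter

THRESHOLD = 50      # assumed: clicks per source per window that trigger a flag
AD_ID = "ad-1234"   # constructed ad identifier


def make_sources(n, prefix):
    """Return n distinct constructed IPv4 strings under a two-octet prefix."""
    return [f"{prefix}.{i // 256}.{i % 256}" for i in range(n)]


def per_source_counts(clicks):
    """clicks: iterable of (source_ip, ad_id) -> Counter of clicks per source."""
    return Counter(src for src, _ad in clicks)


def flag_heavy_sources(clicks, threshold=THRESHOLD):
    """Return the set of sources at or above the per-source threshold."""
    return {s for s, n in per_source_counts(clicks).items() if n >= threshold}


def count_profile(clicks):
    """Histogram of per-source volume: {clicks_per_source: number_of_sources}."""
    return dict(Counter(per_source_counts(clicks).values()))


def summarize(clicks, threshold=THRESHOLD):
    """Summarize what the per-source threshold sees in one click log."""
    counts = per_source_counts(clicks)
    flagged = flag_heavy_sources(clicks, threshold)
    return {
        "total_clicks": sum(counts.values()),
        "distinct_sources": len(counts),
        "flagged_sources": len(flagged),
        "flagged_clicks": sum(counts[s] for s in flagged),
    }


# Constructed click logs: 5,000 clicks each on the same ad.
# 1) One computer clicking thousands of times.
SINGLE_MACHINE = [("198.51.100.7", AD_ID)] * 5000
# 2) One click from each of thousands of computers in a bot network.
BOTNET = [(ip, AD_ID) for ip in make_sources(5000, "10.1")]
# 3) One click from each of thousands of genuine visitors (popularity).
ORGANIC = [(ip, AD_ID) for ip in make_sources(5000, "10.2")]


if __name__ == "__main__":
    for name, log in [("single machine", SINGLE_MACHINE),
                      ("bot network", BOTNET),
                      ("organic", ORGANIC)]:
        print(f"{name:15s} {summarize(log)} profile={count_profile(log)}")
```

The bot-network and organic logs produce the same per-source histogram, so this signal alone flags neither and cannot tell them apart.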

And, of course, most bots constantly search for other computers that can be infected and added to the bot network. (A 1.5 million-node bot network was discovered in the Netherlands last year. The command-and-control system was dismantled, but some of the bots are still active, infecting other computers and adding them to this defunct network.)

Modern bot networks are remotely upgradeable, so the operators can add new functionality to the bots at any time, or switch from one bot program to another. Bot authors regularly upgrade their botnets during development, or to evade detection by anti-virus and malware cleanup tools.

One application of bot networks that we haven't seen all that much of is to launch a fast-spreading worm. (Some believe the Witty worm spread this way.) Much has been written about "flash worms" that can saturate the internet in 15 minutes or less. The situation gets even worse if 10 thousand bots synchronize their watches and release the worm at exactly the same time. Why haven't we seen more of this? My guess is because there isn't any profit in it.

There's no real solution to the botnet problem, because there's no single problem. There are many different bot networks, controlled in many different ways, consisting of computers infected through many different vulnerabilities. Really, a bot network is nothing more than an attacker taking advantage of 1) one or more software vulnerabilities, and 2) the economies of scale that computer networks bring. It's the same thing as distributed.net or SETI@home, only the attacker doesn't ask your permission first.

As long as networked computers have vulnerabilities -- and that'll be for the foreseeable future -- there'll be bot networks. It's a natural side-effect of a computer network with bugs.

This essay originally appeared on Wired.com.

EDITED TO ADD (7/27): DDOS extortion is a bigger problem than you might think. Right now it's primarily targeted against fringe industries -- online gaming, online gambling, online porn -- located offshore, but we're seeing more and more of it against mainstream companies in the U.S. and Europe.

EDITED TO ADD (7/27): Seems that Witty was definitely not seeded from a bot network.

Posted on July 27, 2006 at 6:35 AM • 46 Comments

Comments

George • July 27, 2006 7:08 AM

Nice essay, but I just want to stress that using SETI@home and etc. puts your machine under heavy load, which results in an increased power consumption, larger bills, pollution and other things.

There is no universal positive effect in using distributed "friendly" software. There are disadvantages also.

Clive Robinson • July 27, 2006 7:41 AM

@Bruce,

There is one bot net you have forgotten to mention and that is mobile phones.

Back in 2000 I raised the issue of mobile phone operators being able to organise mobile phones into one huge parallel computer using the phones and their SIMs as individual processing units (hey the comms and power comes for free ;).

The example I used it for was of a Crypto Cracker, in that most of the SIMs etc carried hardware to make it marginally easier than using general purpose CPU's

Now think of something like a National ID card or other identification system using tokens that can be Off-Line authenticated.

Such a token is only likely to use Digital Certificates for a very small part of its activities (as it's expensive in both CPU cycle and power), and very likely to use more conventional symmetric crypto for the majority of the functionality.

Given the very poor track record of system implementation for this sort of thing (think Clipper and the LEAF failure), you could easily imagine that the system designers might just use some simple data checksum etc. as the key (or entropy to it).

Usually when a system is fairly well advanced in implementation these "technical" weaknesses are discovered and effectively ignored by the system implementors until it gets too expensive to ignore.

Think of WiFi for instance: when some of its weaknesses became known, how long did it take for exploit tools to appear?

The early ones required a lot of data and CPU cycles to work, before the "experts" refined the attacks (by which time other protection was implemented).

Getting back to the secure ID tokens etc. when even a remote possibility "technical" attack gets published, how long would it take a bot net to exploit it and crack a private secret and therefore make the forgery of fraudulent tokens possible...

Nicholas Weaver • July 27, 2006 7:53 AM

We are now 99.99% certain that Witty was hitlisted, not seeded from a bot. (Our initial impression of it being bot seeded turned out to be wrong).

In many ways, bots are the payload, a worm is a very effective delivery mechanism. Many bots have been spread by worms these days, so they are effectively converging as a single threat.

Bruce Schneier • July 27, 2006 8:16 AM

" but I just want to stress that using SETI@home and etc. puts your machine under heavy load, which results in an increased power consumption, larger bills, pollution and other things."

But when we finally meet the aliens, they'll give us portable fusion technology -- so it will all come out okay in the end.

Or maybe they'll squash us like bugs.

Well, in either case a little pollution won't matter.

Bruce Schneier • July 27, 2006 8:18 AM

"We are now 99.99% certain that Witty was hitlisted, not seeded from a bot."

Thanks for the update.

Have there been any serious worm epidemics that have been seeded using a bot network?

Anonymous • July 27, 2006 8:20 AM

I think the internet needs another really destructive worm. You know, one that clears the hard drive of the infected computer after having spread itself a couple of times. Maybe people and companies would start to seriously think about security after a wipe...

gal_sec • July 27, 2006 8:29 AM

Just think of what will happen if someone breaks in distributed.net and substitutes the binaries...

Matthew Skala • July 27, 2006 9:36 AM

I'd rather see compromised machines called "zombies". A "bot" (from "robot") is an automated program that acts independently. A bot is what you usually want to run on your zombie network, but if you run for instance an automated, unsupervised IRC client on a machine you legitimately control, that's a bot too even though there may be no security compromise or other antisocial activity involved. (Some IRC bots are friendly, e.g. NickServ when it's run by the people in charge of the network.) The software that runs a discussion mailing list is also typically called a "bot". It's software that acts to some extent like a human user, but isn't.

Dewey • July 27, 2006 9:53 AM

"It's a natural side-effect of a computer network with bugs."

I disagree. It's a side-effect of human personality. Even without bugs people would still install Gator or Kazaa or whatever semi-useful malware du jour.

Security is indeed a tradeoff and most people don't really want good security on their computers -- it gets in the way of too many things they want to do.

Nicholas Weaver • July 27, 2006 9:54 AM

There have not been any worm epidemics flashed from a bot that I know of, but worms have been used many times to spread bots.

And with modern modular upgradeability, if a bot receives a NEW exploit and is told to spread it, this will create a flash-starting worm event, we just haven't seen that yet.


Witty confused us, because we (Dan Ellis and myself) didn't have COMPLETE trace information of the first few seconds, and you couldn't really scan for this vulnerability, you had to know it was there first.

Later, when Abishek Kumar performed his analysis here at ICSI, he was able to show that the initial victim systems were all running the worm (and most/all were at a network group which reverse-resolves to the US Military), and that ONE system was not running the worm (based on the pRNG and not padding the payload).

Thus in subsequent analysis, we (Abishek, Vern, and myself, although Dan Ellis concurs) concluded that the attacker DID hitlist, and somehow knew (?inside information?) about the US military network which was the initial target.

Miesmuschel • July 27, 2006 10:03 AM

Ah, I remember now. "Outwitting the Witty worm" really was an interesting read.

Geoff Lane • July 27, 2006 10:32 AM

As far as I know all real world "bot nets" consist of computers running an operating system or application from a single well known company.

This in itself suggests a solution to the problem.

rob • July 27, 2006 10:48 AM

"but I just want to stress that using SETI@home and etc. puts your machine under heavy load, which results in an increased power consumption, larger bills, pollution and other things."

eh, not entirely true. your computer will use the same amount of power whether it's idle or crunching away on something. no-ops are instructions like everything else.

obviously, though, if you are comparing using SETI to turning your machine off, or hibernating or standby or something, you're absolutely right.

billb • July 27, 2006 11:12 AM

@rob: you've obviously never blown a circuit trying to complete a Top500 number before the deadline.

David • July 27, 2006 11:26 AM

FYI: Richard Bejtlich over in his blog (http://taosecurity.blogspot.com) reported just the other day this:

"Day two started with Mike Poor discussing network early warning systems (NEWS). He said the famous Dutch botnet wasn't 1.5 million victims strong -- it was more like 5.1+ million systems."

He was writing about a SANS Log Management Conference he attended.

citadel • July 27, 2006 11:42 AM

@rob - I work on computer models of refineries, and I can tell you that when my CPU jumps to 100% for 20 minutes when solving a large model, my CPU fan kicks in all the time to cool down the CPU. The energy usage is related to the load on the computer.

Pat Cahalan • July 27, 2006 11:50 AM

@ Bruce

> Have there been any serious worm epidemics that have been seeded using a bot network?

No, and I doubt that there will be. As you correctly point out, the motivations for a zombie net (I agree with Matthew on the variance of the definition) and the incentives to build one aren't really in parallel with the motivations for worm creation/release. For another thing, it's not really needed... Sobig and Mydoom showed that you can build a virus distribution net based upon social engineering during the virus deployment -> why spend all the time building the zombie net first?

I wish I still had that article bookmarked.

A side note for virus fans : Sophos actually has a "top 10" list for viruses for every year between 1998 and 2006 (you can see them http://www.sophos.com/pressoffice/news/).

> But when we finally meet the aliens, they'll give us portable fusion
> technology -- so it will all come out okay in the end.

One of my all-time favorite articles about bad risk assessment: http://education.guardian.co.uk/higher/research/...

Also illustrates that really smart people don't necessarily know anything about security ;)

Clive Robinson • July 27, 2006 12:02 PM

@Pat

"One of my all-time favorite articles about bad risk assessment"

To this day I still think it was published at the wrong time (ie it should have been 1st Apr). But then people have occasionally accused me of being from another planet ;)


Dale • July 27, 2006 12:10 PM

"As far as I know all real world "bot nets" consist of computers running an operating system or application from a single well known company.

This in itself suggests a solution to the problem."

Favorite argument, but not completely true. Probably the most true part is "running an operating system or application from a single" more than that "well known company." It's been oft stated that monocultures can in and of themselves, be bad.

From what I've read, the XP kernel is, out of the box, certainly comparable or perhaps better than an out of the box Linux kernel, in terms of security. The real difference is the software culture surrounding that kernel. While XP has the necessary admin/user separation, it is seldom used, and there are serious/annoying problems with not running as an admin. On the other hand, the Unix/Linux culture has a long history of respecting separation between root and user. The Windows culture also tends toward featuritis, with the security problems that can bring, while the Unix/Linux culture has been more minimal. (But that seems to be changing.)

That said, there have been 2 privilege escalations in the Linux kernel in the past few weeks. So nobody's immune.

sidelobe • July 27, 2006 12:32 PM

It seems to me that a bot net with a million conscripted nodes would be a valuable asset, and thus a target of hostile takeover. It could also be put to use by a third party, without the knowledge of the "owner".

It also occurs to me that many of the stated uses for a botnet can be accomplished without running as Administrator or root. This makes Unix-based machines just as viable as Windows-based machines as botnet members.

DBH • July 27, 2006 12:53 PM

But I think it misses your usual point to claim this is a fault of systems with bugs, as usual, it is a fault of systems with perverse incentives. Individuals currently have little or no incentive to run a clean machine, software vendors likewise, and the simplicity of ID theft is such that it is guaranteed to happen. If the holders of data, the vendors, and the users had different financial incentives, then the crime would be harder to perform and the net would be cleaner.

Tanuki • July 27, 2006 12:58 PM

Having been the sysadmin of a network on the receiving-end of a botnet-mediated DDoS-attack, I can only say that it's utter, utter hell and that a thousand lifetimes of unremitting agony should be visited upon the people behind these things. And then some.

400,000 SYNs-per-second sucks.

Kenbot • July 27, 2006 1:05 PM

@Pat Cahalan

>One of my all-time favorite articles about bad risk assessment...

I never realized the x86 architecture was so pervasive that even the space aliens have it.

Shura • July 27, 2006 1:15 PM

@rob: You're 20 years late. Computers today don't work like that anymore (fortunately). ;)

Anonymous • July 27, 2006 1:45 PM

@shura:

really? i mean, i know video cards/sound cards/etc are powered down/low power when not in use. but seti doesn't need that stuff. also, the laptops do all sorts of stuff like dropping the clock speed and what-not. but that's more recent and, to my knowledge, not implemented on desktop machines.

perhaps the processor has some on-chip peripherals i'm not aware of that get powered up and down? how does the processor consume less energy when idling v. working?

seriously, i'm interested.

rob • July 27, 2006 1:46 PM

sorry, that anonymous post was me ... forgot to fill in the 'name' field.

Anonymous • July 27, 2006 1:58 PM

Rather than wiping computers, the disk drive encryption features of modern hard drives could be turned on. Most end users would probably find it cheapest to buy new hard drives. If they get burned that way a couple of times, they would start taking security more seriously and I would get less spam.

Kerub • July 27, 2006 2:02 PM

you can see the whole universe as a complex simulation executed by God's laptop screensaver.
so, not continuously but without noticing, we live during the spare cycles.

Jim Lippard • July 27, 2006 3:55 PM

While most bots are on compromised Windows machines (and 99% of them are at the end of a consumer cable or DSL connection), most botnet controllers are on compromised Unix boxes (the majority of them sitting in the colo spaces of about a dozen webhosting providers).

bru • July 27, 2006 5:20 PM

@rob
All modern (i.e. post-1980) CPUs have some sort of halt instruction. It basically detaches part of the system from the clock until an interrupt occurs.

See also: How cool is FreeBSD?

Jungsonn • July 27, 2006 6:17 PM

I use seti@home for about years now, can't see why it is owning my pc or whether it is in a bot network, it is just sending results back to seti, just like your anti-virus would download/upload stats. This app does not control my pc, and cannot be used as a zombie.

I do agree that one should consider what one is downloading and using on one's pc.

Ouroboros • July 27, 2006 9:59 PM

It appears Bruce is carefully tapdancing around the possibility of certain other profit motivations for distributed processing through botnets. Grid style computing is now becoming available to the masses, including the less savory variety.

Some possibilities that come to mind are traditional datamining, signals analysis, and image enhancement. These capabilities would be very desirable for criminal syndicates/terrorists/government agencies that have low budgets, a desire to hide or reduce their capital expenditures, and a desire to know who is watching them.

aqua • July 28, 2006 2:48 AM

Large scale identity theft makes me think back to spam techniques, where mass harvesting of email addresses led to the deployment of spamtraps, from which much of the seed data for spam-identification systems now comes. If banks and law enforcement agencies were willing to expend the capital and effort, it might be possible to arrange for the identity-theft equivalent of a spamtrap -- fake identities intended to be stolen, but the use of which triggers alarms set by banks or credit bureaus. Part of the problem of identity theft is identifying fraudulent use, just as spam identification is difficult -- but spamtraps or trap identities help eliminate that uncertainty since the possibility of legitimate use is eliminated.

Like spamtrapping, the effect might well be limited -- spamtraps didn't stop spam, they just make it less effective and more costly. Unlike spam, it's not useful to apply the identification of one attack to learn to identify other attacks, but it does help point back towards the source and make some types of fraud riskier.

Kerub • July 28, 2006 6:24 AM

"...It appears Bruce is carefully tapdancing around the possibility of certain other profit motivations for distributed processing through botnets..."

like, for example, distributed prime numbers factoring?

Hooper • July 28, 2006 1:30 PM

@Ouroboros

Such organizations could set up false-front projects, which purport to do one thing (any current benign use) but actually do another (your not-so-benign list). Then it's purely marketing: help find the cure for cancer by running this distributed agent. "Success" could easily be faked, but "not verify" in the lab, or some other excuse for ultimate failure.

For all we know, this has already happened.

1The Damned • July 28, 2006 1:43 PM

When the universe was young and life was new an intelligent species evolved and developed technologically. They went on to invent Artificial Intelligence, the computer that can speak to people telepathically. Because of its infinite RAM and unbounded scope it gave the ruling species absolute power over the universe.
They are the will behind the muscle: Artificial Intelligence is the one true god. And as such it can keep its inventors alive forever. They look young and healthy and the leaders of this ruling species are 8 billion years old.

Artificial Intelligence can listen/talk to each and every person simultaneously. And when you speak with another telepathically, you are communicating with the computer, and the content may or may not be passed on. They instruct the computer to role play to accomplish strategic objectives, making people believe it is a friend or loved one asking them to do something wrong. But evil will keep people out of Planet Immortality. Capitalizing on obedience, leading people into deceit is one way to thin the ranks of the saved AND use the little people to prey on one another, dividing the community. Everybody thinks they're going but they're not. If people knew the real statistics their behavior would change.

Throughout history the ruling species bestowed favor upon people or cursed their bloodline into a pattern of disfavor for many generations to come. Now in the 21st century people must take it upon themselves to try to correct their family's problems, undoing centuries worth of abuse and neglect.
Appeal to the royalty of your forefathers for help. They are all still alive, one of the capabilities of Artificial Intelligence, and your appeals will be heard. Find a path to an empathetic ear among your enemies and try to make amends.

Bjorn • July 28, 2006 3:51 PM

This is also an example of somebody else bearing the burden of bad security. Users with infected computers don't bear the damage from the botnets, somebody else does. Botnets are no incentive for users to keep their computers safe - why should they worry about them?

Jungsonn • July 29, 2006 6:13 AM

Bruce said:

"The term used for a computer remotely controlled by someone else is a "bot". A group of computers -- thousands or even millions -- controlled by someone else is a bot network."

I do not agree with your definition of the phrase "bot" that if a computer (or a group) is controlled whether with or without knowledge is on a bot network. This is just a generalization.

If this is so, then we are all on a bot network due to the fact that we all have software that is downloading or uploading data to servers controlled by the vendors. Take Windows update, if seen from your definition all windows users are on a big windows update bot network. Which i do not see as a bot network. Even Mozilla FF updates could be viewed as a "bot network" then?

In my definition is a bot network a system built to exploit assets for a cause which is for the personal interest of the person who wants to exploit something through that system.

I agree that if systems @ MS or FF update are being compromised, then we all have the problem of being used as zombies.


Personally i think it is better to define a bot network as:

a group of proxies with certain exploitable open ports through which they can obfuscate or exploit other networks.

Trip • July 29, 2006 12:50 PM

@Jungsonn
"a group of proxies with certain exploitable open ports through which they can obfuscate or exploit other networks."

I call that "a Windows network".

Davi Ottenheimer • July 29, 2006 11:53 PM

@ Jungsonn and Trip

You're both right. A software bot is really the same thing as remote administration software for a distributed network. It's somewhat ironic that evil bots are cheap and easy to deploy compared to their good-intentioned counterparts, but the real difference between the two simply boils down to intent; and that's the case for most tools/weapons.

Davi Ottenheimer • July 30, 2006 12:05 AM

"What could you do if you controlled a network of thousands of computers -- or, at least, could use the spare processor cycles on those machines? You could perform massively parallel computations: model nuclear explosions or global weather patterns, factor large numbers or find Mersenne primes, or break cryptographic problems."

Well, you could also just use the spare cycles to try and inventory software, keep systems patched and antivirus definitions current. That's what most large enterprises do with their remote-management systems.

"Google's anti-fraud systems are sophisticated enough to detect thousands of clicks by one computer"

What about the thousands of fake link sites generated every hour, gaming the top results and leading people who use Google to view the faked sites and then create bogus clickthroughs without a bot? Same fraud, less risk for the attackers and no flaky remote control needed (which can be taken over by competing bot managers).

SOBrien • July 31, 2006 3:43 AM

We should require a quarantine of IP addresses from known bot nodes. When the owner calls the ISP to complain they are given 2 choices: "fix your computer or lose your account"

rob • July 31, 2006 1:05 PM

probably too little, too late, but for what it's worth:

i was wrong. no-ops consume less power than other instructions. in fact, every instruction consumes a different amount of power depending on how many transistors actually get flipped.
