Botnets: Uses and Consequences

Published: November 5, 2011

Why should users be concerned if their computers are infected by rootkits and joined to botnets? The answer is the damage that their infected systems can do. There are myriads of harmful uses for botnets and bot-herders are not limited to a single type. The following list defines some of those uses:

• Distributed Denial-of-Service Attacks
• Spamming
• Sniffing Traffic
• Key logging
• Spreading new malware
• Installing Advertisement Add-on's and Browser Helper Objects (BHOs)
• Google AdSense abuse
• Attacking IRC Chat Networks
• Manipulating online polls/games
• Mass identity theft

Botnets are not limited to any one type of activity and participating bots may contain add-on Trojans as payloads, in fact; controlling botnets has grown into big-business.

Viruses evolved into worms or nefarious code that retain the ability to infect new hosts without the aid of users. The ability of these worms to seek out new hosts led to the inclusion of rootkits and botnet development. Schiller (2007) proposed some alarming questions that describe the current nature of botnets. These questions are as follow:

• What if each PC infected by a worm remained under the control of the worm's author?
• What if notoriety was no longer the driving force among hackers?
• What if the purpose for writing worms drifted to making money?

The what if component in the above questions is no longer hypothetical; those states currently exist.

Botnet Underground

There are underground opportunities for bot-herders to accumulate large sums of money by performing the attacks listed in the previous section for hire. Some bot-herders create web sites dedicated to offering their services. Berinato (2007) reported that security researchers discovered a very large Eastern European e-Business website that charges clients to infect host computers and join those computers to a botnet.

This particular site, called loads.cc, is not alone; there are others. Many of these sites are located in countries with lax security control of their top level domains. The ccdomain is assigned to a territory of Australia but the loads.cc website is believed to originate out of Russia. A business model open to anyone that only charges 20 cents to infect a host, the business model of loads.cc, presents a number of security concerns: unsuspecting victims may own infected machines hosting dozens of bots, each connecting the host to a botnet.

Using the collections of infected computers, cybercriminals have gleaned enough personal data to continue identity-theft operations for many years. The economic impact of spamming operations is just as alarming. As stated by Spammer-X, (2004), spammers can easily send thousands of e-mails from different machines and the risk of these spammers being caught is very low when using botnets.

The interest from spammers became so great that hackers began to sell Botnets, and dealing in compromised machines became part of a secret underground virtual economy. …In the beginning the cost was high. For a 200 zombie botnet, a spammer or hacker could expect to pay up to $1,000.00, but as more worms propagated, the price dropped. Soon, exclusive control over 1000 hosts could be bought for as little as $500.00. Now, exclusive control over a single zombie can sell for as little as 10 cents! (Spammer-X, 2004).

That the business of botnets is exploding is a conclusion that cannot be denied. The number of intercepted botnet communications has grown from a daily figure of 333,023 in June of 2006 to a daily figure of 7,303,148 by January of 2008.

Individuals and organizations are responsible for the activities originating from their computers. Although civil liability or criminal prosecution may be avoided if the activity can be linked to a system compromise, these consequences should be a concern to all computer users. According to Delio (2004), dozens of respondents to a news story claimed to have lost jobs or their good reputations when traces of pornography were found on their computers after being placed their, by a browser hijacker. The case of “Jack” provides a more detailed example:

A victim named Jack by Delio (2004) experienced uncontrollable browser hijacking as the result of a botnet infection. The re-directs often led Jack's browser to illegal porn sites. These sites appeared as pop-ups and closing one site resulted in opening up others. Jack's start page was changed and his favorites were changed to point to illegal porn sites. The only way to stop the activity was to turn off the computer. When Jack later tried to connect to the web, he was once again directed to illegal porn sites and pictures of child porn would display in pop-ups. The police finally raided Jack's house and confiscated his computer, which resulted in Jack spending 180 days in a correction's institution.

Jack’s case, although extreme, demonstrates the possible consequences to unsuspecting victims of Trojans and botnets but all users should remember that they are responsible for the traffic that flows across their Internet connections. Another overlooked consequence to the user is the unnecessary replacement of infected computers. "Newer machines feel old, so people end up buying new machines more often than they have to" (Acohido and Swartz, 2008).

Perhaps the greatest consequence of botnet infection is the effect on the communications infrastructure. “Says Adam O'Donnell, Cloudmark's director of emerging technology; Telecoms and Internet service providers must absorb the cost of carrying botnet traffic; they can be expected to pass that expense onto companies and consumers, he says” (Acohido and Swartz, 2008).

What are your thoughts?

As always, the author appreciates all comments.