Botnets or ‘bot armies’ are large groups of malicious software, remotely controlled and operated, that can launch multiple penetration attacks and lead to massive denial of service (DoS) or similar network activity on a grand scale. Infested computers can be used to spread spam, conduct fraudulent activities, and interfere with authorized network traffic. Bot armies pose one of the most serious security threats to all networks.[1] They are controlled and operated by botmasters (also called bot-herders). While their activity has so far been limited to extralegal and criminal activity, their potential for causing large-scale damage to the entire Internet is incalculable.
Bot armies first arose with the development of Internet chat, and their capabilities have grown ever since (see Figure 1).[2–5] They are effective both because they can execute multiple overt actions against targets and because they can provide multiple coordinated and covert listening points within targeted networks and computer systems.
Botnet creation requires a few basic steps. Software must be created and propagated to infest targets. A command and control system must be set up, together with a system enabling check-in for further instructions. To facilitate contact after infestation, the bot author typically encodes an initial contact domain name into the bot software. To prepare for contact from bots as they become active, a computer, or suite of computers, is set up to run an Internet relay chat (IRC) to provide command and control.
Figure 1. Notional Bot Army
Bot software exhibits the triple characteristics of a virus, a worm, and a Trojan. From the point of view of a botherder, virus technology is just a means for infecting a computer. Similarly, worm technology only enables bot software to move through the Internet. A bot employs Trojan technology to disguise itself by behaving like a program purporting to carry on some innocent behavior while in fact engaging in nefarious activities.
Once infestation is established, the bot checks in to receive instructions: these generally direct it to seek out and infest additional hosts, to locate and exfiltrate information of interest to the botmaster, or to participate in coordinated attacks on other targets. The botherder has two main jobs: assigning tasks to the army and developing new software for it, to be distributed to the bots via the command and control nodes.
Currently, the key to botnet defense lies in detecting command and control activity and the subtle indicators of infestation. Because capturing a lone bot is difficult, scrutiny of command and control is the usual route for hunting bot armies. Avoiding discovery is a challenge for botherders; at present they evade capture by directing bots to connect to specific machines, an approach that is easy to implement but also simple to defeat. Botherders continually explore new ways to improve command and control of their bots.
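Detection logic of the kind this paragraph describes, as an added example that is not part of the article: it scans a constructed connection log for a destination that many internal hosts contact on a regular check-in schedule, which is what a hard-coded command and control point (here an IRC server) looks like from the network side. The host names, addresses and log format are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample connection log: "epoch_seconds src_ip dst_host dst_port".
# Three internal hosts check in with the same IRC server every 300 s;
# one of them also browses a web server at irregular intervals.
SAMPLE_LOG = """\
1000 10.0.0.5 irc.c2-example.test 6667
1000 10.0.0.7 irc.c2-example.test 6667
1002 10.0.0.9 irc.c2-example.test 6667
1010 10.0.0.5 www.example.test 443
1300 10.0.0.5 irc.c2-example.test 6667
1300 10.0.0.7 irc.c2-example.test 6667
1302 10.0.0.9 irc.c2-example.test 6667
1120 10.0.0.5 www.example.test 443
1600 10.0.0.5 irc.c2-example.test 6667
1600 10.0.0.7 irc.c2-example.test 6667
1602 10.0.0.9 irc.c2-example.test 6667
1751 10.0.0.5 www.example.test 443
"""

IRC_PORTS = {6667, 6697}  # common IRC plaintext / TLS ports

def parse_log(text):
    """Yield (timestamp, src, dst, port) tuples from the space-separated log."""
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        yield int(ts), src, dst, int(port)

def is_regular(times, max_cv=0.2):
    """True if sorted connection times form a regular beacon (gaps vary little)."""
    if len(times) < 3:
        return False
    gaps = [b - a for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_cv

def find_c2_candidates(text, min_sources=3):
    """Return destinations contacted by at least `min_sources` hosts, each on a
    regular beacon. An IRC port is reported but not required, since the text
    notes that botherders keep changing their command and control methods."""
    per_dst = defaultdict(lambda: defaultdict(list))
    for ts, src, dst, port in parse_log(text):
        per_dst[(dst, port)][src].append(ts)
    findings = []
    for (dst, port), sources in per_dst.items():
        beaconing = sorted(s for s, t in sources.items() if is_regular(sorted(t)))
        if len(beaconing) >= min_sources:
            findings.append({"dst": dst, "port": port,
                             "sources": beaconing, "irc": port in IRC_PORTS})
    return findings
```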
Bot armies pose a threat to the Internet, with worse perhaps yet to come. Penetration of systems is not difficult and most bots go undetected unless the botmaster makes a mistake. At present we lack wide-ranging, capable defensive technologies. As botmasters continue to improve their capabilities, a philosophy of vigilance will be requisite in developing bot defenses.
Sheila B. Banks, president of Calculated Insight, received her MS degree in electrical and computer engineering from North Carolina State University, Raleigh, NC, and her doctorate in computer engineering (artificial intelligence) from Clemson University, Clemson, SC. Her research interests include artificial intelligence, human behavior and cognitive modeling, and cyberwarfare modeling.
Institute for Defense Analyses
Martin R. Stytz works for the Institute for Defense Analyses. A retired Air Force officer, he earned a BS degree from the U.S. Air Force Academy in 1975, two master's degrees and, in 1989, a PhD in computer science and engineering from the University of Michigan.