This article may require copy editing for grammar style cohesion tone or spelling. You can assist by editing it. (May 2011) This article needs attention from an expert on the subject. See the talk page for details. Consider associating this request with a WikiProject. (May 2011) This article needs additional citations for verification. Please help improve this article by adding reliable references. Unsourced material may be challenged and removed. (February 2008)

In malware a botnet is a collection of infected computers or bots that have been taken over by crackers (also known as bot herders) and are used to perform malicious tasks or functions. A computer becomes a bot when it downloads a file (e.g. an email attachment) that has bot software embedded in it. A botnet is considered a botnet if it is taking action on the client itself via IRC channels without the crackers having to log in to the client's computer. A botnet consists of many threats contained in one. The typical botnet consists of a bot server (usually an IRC server) and one or more botclients.1 Contents 1 Background 2 Organization 3 Formation and exploitation 4 Types of attacks 5 Preventive measures 6 Historical list of botnets 7 See also 8 References 9 External links Background

Like many things on the Internet today bots began as a useful tool without malicious overtones. Bots were originally developed as a virtual individual that could sit on an IRC channel and do things for its owner while the owner was busy elsewhere.2 Soon after the release of the first IRC bot a few worms had exploited vulnerabilities in IRC clients and used the bots to steal passwords log keystrokes and hide their identity. The main drivers for botnets are for recognition and financial gain. The larger the botnet the more kudos the herder can claim to have among the underground community. The bot herder will also rent out the services of the botnet to third parties usually for sending out spam messages or for performing a denial of service attack against a remote target. Due to the large numbers of compromised machines within the botnet huge volumes of traffic (either email or denial of service) can be generated. However in recent times the volume of spam originating from a single compromised host has dropped in order to thwart anti-spam detection algorithms  a larger number of compromised hosts send a smaller number of messages in order to evade detection by anti-spam techniques.

Botnets have become a significant part of the Internet albeit increasingly hidden. Due to most conventional IRC networks taking measures and blocking access to previously-hosted botnets controllers must now find their own servers. Often a botnet will include a variety of connections and network types. Sometimes a controller will hide an IRC server installation on an educational or corporate site where high-speed connections can support a large number of other bots. Exploitation of this method of using a bot to host other bots has proliferated only recently.

Several botnets have been found and removed from the Internet. The Dutch police found a 1.5 million node botnet3 and the Norwegian ISP Telenor disbanded a 10000-node botnet.4 In July 2010 the FBI arrested a 23-year old Slovenian held responsible for the malicious software that integrated an estimated 12 million computers into a botnet.5 Large coordinated international efforts to shut down botnets have also been initiated.6 It has been estimated that up to one quarter of all personal computers connected to the internet may be part of a botnet.7 Conficker is one of the largest botnets out there that has infected an estimated 1 million to 10 million machines which attempts to sell fake antivirus to its victims.8 Organization

While botnets are often named after their malicious software name there are typically multiple botnets in operation using the same malicious software families but operated by different criminal entities.9

While the term "botnet" can be used to refer to any group of bots such as IRC bots this word is generally used to refer to a collection of compromised computers (called zombie computers) running software usually installed via drive-by downloads exploiting web browser vulnerabilities worms Trojan horses or backdoors under a common command-and-control infrastructure.

A botnet's originator (aka "bot herder" or "bot master") can control the group remotely usually through a means such as IRC and usually for nefarious purposes. Individual programs manifest as IRC "bots". Often the command-and-control takes place via an IRC server or a specific channel on a public IRC network. This server is known as the command-and-control server ("C&C"). Though rare more experienced botnet operators program their own commanding protocols from scratch. The constituents of these protocols include a server program client program for operation and the program that embeds itself on the victim's machine (bot). All three of these usually communicate with each other over a network using a unique encryption scheme for stealth and protection against detection or intrusion into the botnet network.

A bot typically runs hidden and uses a covert channel (e.g. the RFC 1459 (IRC) standard Twitter or IM) to communicate with its C&C server. Generally the perpetrator of the botnet has compromised a series of systems using various tools (exploits buffer overflows as well as others; see also RPC). Newer bots can automatically scan their environment and propagate themselves using vulnerabilities and weak passwords. Generally the more vulnerabilities a bot can scan and propagate through the more valuable it becomes to a botnet controller community. The process of stealing computing resources as a result of a system being joined to a "botnet" is sometimes referred to as "scrumping."

Botnet servers will often liaise with other botnet servers such that a group may contain 20 or more individual cracked high-speed connected machines as servers linked together for purposes of greater redundancy. Actual botnet communities usually consist of one or several controllers that rarely have highly-developed command hierarchies between themselves; they rely on individual friend-to-friend relationships.10 The architecture of botnets has evolved over time and not all botnets exhibit the same topology for command and control. Depending upon the topology implemented by the botnet it may make it more resilient to shutdown enumeration or command and control location discovery. However some of these topologies limit the saleability and rental potential of the botnet to other third-party operators.11 Typical botnet topologies are: Star Multi-server Hierarchical Random To thwart detection some botnets were scaling back in size. As of 2006 the average size of a network was estimated at 20000 computers although larger networks continued to operate.12 Formation and exploitation This example illustrates how a botnet is created and used to send email spam. A botnet operator sends out viruses or worms infecting ordinary users' computers whose payload is a malicious applicationthe bot. The bot on the infected PC logs into a particular C&C server (often an IRC server but in some cases a web server). A spammer purchases the services of the botnet from the operator. The spammer provides the spam messages to the operator who instructs the compromised machines via the IRC server causing them to send out spam messages. Botnets are exploited for various purposes including denial-of-service attacks creation or misuse of SMTP mail relays for spam (see Spambot) click fraud spamdexing and the theft of application serial numbers login IDs and financial information such as credit card numbers. The botnet controller community features a constant and continuous struggle over who has the most bots the highest overall bandwidth and the most "high-quality" infected machines like university corporate and even government machines.13 Types of attacks Denial-of-service attacks where multiple systems autonomously access a single Internet system or service in a way that appears legitimate but much more frequently than normal use and cause the system to become busy. Adware exists to advertise some commercial entity actively and without the user's permission or awareness for example by replacing banner ads on web pages with those of another content provider. Spyware is software which sends information to its creators about a user's activities  typically passwords credit card numbers and other information that can be sold on the black market. Compromised machines that are located within a corporate network can be worth more to the bot herder as they can often gain access to confidential information held within that company. There have been several targeted attacks on large corporations with the aim of stealing sensitive information one such example is the Aurora botnet.14 E-mail spam are e-mail messages disguised as messages from people but are either advertising annoying or malicious in nature. Click fraud is the user's computer visiting websites without the user's awareness to create false web traffic for the purpose of personal or commercial gain. Access number replacements are where the botnet operator replaces the access numbers of a group of dial-up bots to that of a victim's phone number. Given enough bots partake in this attack the victim is consistently bombarded with phone calls attempting to connect to the internet. Having very little to defend against this attack most are forced into changing their phone numbers (land line cell phone etc.). Fast flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies. Preventive measures If a machine receives a denial-of-service attack from a botnet few choices exist. Given the general geographic dispersal of botnets it becomes difficult to identify a pattern of offending machines and the sheer volume of IP addresses does not lend itself to the filtering of individual cases. Passive OS fingerprinting can identify attacks originating from a botnet: network administrators can configure newer firewall equipment to take action on a botnet attack by using information obtained from passive OS fingerprinting. The most serious preventive measures utilize rate-based intrusion prevention systems implemented with specialized hardware. A network based intrusion detection system (NIDS) will be an effective approach when detecting any activities approaching botnet attacks. NIDS monitors a network it sees protected hosts in terms of the external interfaces to the rest of the network rather than as a single system and get most of its results by network packet analysis.15 Some botnets use free DNS hosting services such as DynDns.org No-IP.com and Afraid.org to point a subdomain towards an IRC server that will harbor the bots. While these free DNS services do not themselves host attacks they provide reference points (often hard-coded into the botnet executable). Removing such services can cripple an entire botnet. Recently these companies have undertaken efforts to purge their domains of these subdomains. The botnet community refers to such efforts as "nullrouting" because the DNS hosting services usually re-direct the offending subdomains to an inaccessible IP address. Similarly some botnets implement custom versions of well-known protocols. The implementation differences can be used for fingerprint-based detection of botnets. For example Mega-D features a slightly modified SMTP protocol implementation for testing the spam capability. Bringing down the Mega-D's SMTP server disables the entire pool of bots that rely upon the same SMTP server.16 The botnet server structure mentioned above has inherent vulnerabilities and problems. For example if one was to find one server with one botnet channel often all other servers as well as other bots themselves will be revealed. If a botnet server structure lacks redundancy the disconnection of one server will cause the entire botnet to collapse at least until the controller(s) decides on a new hosting space. However more recent IRC server software includes features to mask other connected servers and bots so that a discovery of one channel will not lead to disruption of the botnet. Several security companies such as Afferent Security Labs Symantec Trend Micro FireEye Umbra Data and Damballa have announced offerings to stop botnets. While some like Norton AntiBot (discontinued) are aimed at consumers most are aimed to protect enterprises and/or ISPs. The host-based techniques use heuristics to try to identify bot behavior that has bypassed conventional anti-virus software. Network-based approaches tend to use the techniques described above; shutting down C&C servers nullrouting DNS entries or completely shutting down IRC servers. Newer botnets are almost entirely P2P with command-and-control embedded into the botnet itself. By being dynamically updateable and variable they can evade having any single point of failure. Commanders can be identified solely through secure keys and all data except the binary itself can be encrypted. For example a spyware program may encrypt all suspected passwords with a public key hard coded or distributed into the bot software. Only with the private key which only the commander has can the data that the bot has captured be read. Newer botnets have even been capable of detecting and reacting to attempts to figure out how they work. A large botnet that can detect that it is being studied can even DDoS those studying it off the internet. There is an effort by researchers at Sandia National Laboratories to analyze the behavior of these botnets by simultaneously running one million Linux kernels as virtual machines on a 4480-node Dell high-performance computer cluster.17 Historical list of botnets Date created Name Estimated no. of bots Spam capacity Aliases 1999 !a 999999999 100000 !a 2009 (May) BredoLab 300000003000000018 3.6 billion/day Oficla 2008 (around) Mariposa 1200000019 0  0 Conficker 10500000+20 10 billion/day DownUp DownAndUp DownAdUp Kido 0 Zeus 3600000 (US Only) 21 -1n/a Zbot PRG Wsnpoem Gorhax Kneber 2007 (Around) Cutwail 1500000 22 74 billion/day Pandex Mutant (related to: Wigon Pushdo) 0 Grum 560000 23 39.9 billion/day Tedroo 0 Mega-D 509000 24 10 billion/day Ozdok 0 Kraken 495000 25 9 billion/day Kracken 2007 (March) Srizbi 45000026 60 billion/day Cbeplay Exchanger 0 Lethic 260000 27 2 billion/day none 2004 (Early) Bagle 23000027 5.7 billion/day Beagle Mitglieder Lodeight 0 Bobax 18500027 9 billion/day Bobic Oderoor Cotmonger Hacktool.Spammer Kraken 0 Torpig 180000 28 -1 n/a Sinowal Anserin 2006 (Around) Rustock 150000 29 30 billion/day RKRustok Costrat 0 Storm 160000 30 3 billion/day Nuwar Peacomm Zhelatin 0 Donbot 125000 31 0.8 billion/day Buzus Bachsoy 2008 (November) Waledac 80000 32 1.5 billion/day Waled Waledpak 0 Maazben 50000 27 0.5 billion/day None 0 Onewordsub 40000 33 1.8 billion/day 0 0 Gheg 30000 27 0.24 billion/day Tofsee Mondera 0 Nucrypt 20000 33 5 billion/day Loosky Locksky 0 Wopla 20000 33 0.6 billion/day Pokier Slogger Cryptic 2008 (Around) Asprox 15000 34 0  Danmec Hydraflux 0 Spamthru 12000 33 0.35 billion/day Spam-DComServ Covesmer Xmiler 0 Xarvester 10000 27 0.15 billion/day Rlsloup Pixoliz 2009 (August) Festi 0  2.25 billion/day none 2008 (Around) Gumblar 0  0  None 0 Akbot 0  0  None 2100 z! -100000000 -99999 z! See also Anti-spam techniques (e-mail) Bot Computer worm Dosnet E-mail address harvesting E-mail spam List poisoning Spambot Spamtrap Timeline of notable computer viruses and worms Zombie computer References al. Craig A. Schiller ... et (2007). "2". Botnets the killer web app (Online-Ausg. ed.). Rockland MA: Syngress Publishing. p. 30. ISBN 9781597491358.  al. Craig A. Schiller ... et (2007). "1". Botnets the killer web app (Online-Ausg. ed.). Rockland MA: Syngress Publishing. p. 6. ISBN 9781597491358.  Botnet operation controlled 1.5m PCs by Tom Sanders vnunet.com. Telenor takes down 'massive' botnet by John Leyden The Register. "SOME INPORTANT INFORMATION WHEN YOU USE 3RD PARTY APPICATIONS AND GAMES BECAREFUL". Facebook. http://www.facebook.com/note.phpnoteid191466177550278. Retrieved 8 April 2011.  ISPs urged to throttle spam zombies by John Leyden The Register. Criminals 'may overwhelm the web' BBC 25 January 2007. Messmer Ellen. "The botnet world is booming". Network World. http://www.networkworld.com/news/2009/070909-botnets-increasing.html. Retrieved 6 April 2011.  Many-to-Many Botnet Relationships Damballa 8 June 2009. "what is a Botnet trojan". DSL Reports. http://www.dslreports.com/faq/14158. Retrieved 7 April 2011.  Botnet Communication Topologies Damballa 10 June 2009. "Hackers Strengthen Malicious Botnets by Shrinking Them" (PDF). Computer (IEEE Computer Society). April 2006. http://csdl2.computer.org/comp/mags/co/2006/04/r4017.pdf. Retrieved 2010-10-22. "The size of bot networks peaked in mid-2004 with many using more than 100000 infected machines according to Mark Sunner chief technology officer at MessageLabs...The average botnet size is now about 20000 computers he said.".  "Trojan horse and Virus FAQ". DSLReports. http://www.broadbandreports.com/faq/trojans/1.0Trojanhorses. Retrieved 7 April 2011.  "Operation Aurora  The Command Structure". Damballa.com. http://www.damballa.com/research/aurora/. Retrieved 2010-07-30.  al. Craig A. Schiller ... et (2007). "5". Botnets the killer web app (Online-Ausg. ed.). Rockland MA: Syngress Publishing. p. 156. ISBN 9781597491358.  C.Y. Cho D. Babic R. Shin and D. Song. Inference and Analysis of Formal Models of Botnet Command and Control Protocols 2010 ACM Conference on Computer and Communications Security. "Researchers Boot Million Linux Kernels to Help Botnet Research". IT Security & Network Security News. 2009-08-12. http://www.eweek.com/c/a/Security/Researchers-Boot-Million-Linux-Kernels-to-Help-Botnet-Research-550216/kcEWKNLLIN08182009STR2. Retrieved 2011-04-23.  Infosecurity (UK) - BredoLab downed botnet linked with Spamit.com "Suspected 'Mariposa Botnet' creator arrested". .canada.com. accessdate2010-07-30. http://www2.canada.com/topics/technology/story.htmlid3333655.  "Calculating the Size of the Downadup Outbreak  F-Secure Weblog : News from the Lab". F-secure.com. 2009-01-16. http://www.f-secure.com/weblog/archives/00001584.html. Retrieved 2010-04-24.  America's 10 most wanted botnets "Pushdo Botnet  New DDOS attacks on major web sites  Harry Waldron  IT Security". Msmvps.com. 2010-02-02. http://msmvps.com/blogs/harrywaldron/archive/2010/02/02/pushdo-botnet-new-ddos-attacks-on-major-web-sites.aspx. Retrieved 2010-07-30.  "Research: Small DIY botnets prevalent in enterprise networks". ZDNet. http://www.zdnet.com/blog/security/research-small-diy-botnets-prevalent-in-enterprise-networks/4485. Retrieved 2010-07-30.  Warner Gary (2010-12-02). "Oleg Nikolaenko Mega-D Botmaster to Stand Trial". CyberCrime & Doing Time. http://garwarner.blogspot.com/2010/12/oleg-nikolaenko-mega-d-botmaster-to.html. Retrieved 2010-12-06.  "New Massive Botnet Twice the Size of Storm  Security/Perimeter". DarkReading. http://www.darkreading.com/security/perimeter/showArticle.jhtmlarticleID211201307. Retrieved 2010-07-30.  "Technology Spam on rise after brief reprieve". BBC News. 2008-11-26. http://news.bbc.co.uk/2/hi/technology/7749835.stm. Retrieved 2010-04-24.  a b c d e f http://www.messagelabs.com/mlireport/MLI201004AprFINALEN.pdf Researchers hijack control of Torpig botnet - SC Magazine US Chuck Miller (2008-07-25). "The Rustock botnet spams again". SC Magazine US. http://www.scmagazineus.com/the-rustock-botnet-spams-again/article/112940/. Retrieved 2010-07-30.  "Storm Worm network shrinks to about one-tenth of its former size". Tech.Blorge.Com. 2007-10-21. http://tech.blorge.com/Structure:%20/2007/10/21/2483/. Retrieved 2010-07-30.  Spam Botnets to Watch in 2009 - Research - SecureWorks "Waledac botnet 'decimated' by MS takedown". The Register. 2010-03-16. http://www.theregister.co.uk/2010/03/16/waledactakedownsuccess/. Retrieved 2011-04-23.  a b c d Gregg Keizer (2008-04-09). "Top botnets control 1M hijacked computers". Computerworld. http://www.computerworld.com/s/article/9076278/Topbotnetscontrol1Mhijackedcomputers. Retrieved 2011-04-23.  "Botnet sics zombie soldiers on gimpy websites". The Register. 2008-05-14. http://www.theregister.co.uk/2008/05/14/asproxattackswebsites/. Retrieved 2011-04-23.  External links Wired.com How-to: Build your own botnet with open source software The Honeynet Project & Research Alliance "Know your Enemy: Tracking Botnets". The Shadowserver Foundation - An all volunteer security watchdog group that gathers tracks and reports on malware botnet activity and electronic fraud. NANOG Abstract: Botnets - John Kristoff's NANOG32 Botnets presentation. Mobile botnets - An economic and technological assessment of mobile botnets. Lowkeysoft - Intrusive analysis of a web-based proxy botnet (including administration screenshots). EWeek.com - Is the Botnet Battle Already Lost. Attack of the Bots at Wired Dark Reading - Botnets Battle Over Turf. List of dynamic (dsl cable modem etc) addresses - Filter SMTP mail for hosts likely to be in botnets. ATLAS Global Botnets Summary Report - Real-time database of malicious botnet command and control servers. FBI LAX Press Release DOJ - FBI April 16 2008 Milcord Botnet Defense - DHS-sponsored R&D project that uses machine learning to adaptively detect botnet behavior at the network-level A Botnet by Any Other Name - SecurityFocus column by Gunter Ollmann on botnet naming. v d eBotnets Notable botnets Akbot  Asprox  Bagle  Bredolab  Cutwail  Donbot  Grum  Gumblar   Kraken  Lethic  Mariposa  Mega-D  Rustock  Srizbi  Storm  Torpig  Waledac  Zeus Main articles Computer worm  Malbot  Malware  Operation: Bot Roast  Dosnet v d eMalware Infectious malware Computer virus  List of computer viruses  Computer worm  List of computer worms  Timeline of computer viruses and worms Concealment Trojan horse  Rootkit  Backdoor  Zombie computer Malware for profit Privacy-invasive software  Adware  Spyware  Botnet  Keystroke logging  Web threats  Fraudulent dialer  Malbot  Scareware  Rogue security software  Ransomware By operating system Linux malware  Palm OS viruses  Mobile virus  Macro virus Protection Antivirus software  Defensive computing  Firewall  Intrusion detection system  Data loss prevention software Countermeasures Computer surveillance  Operation: Bot Roast  Honeypot  Anti-Spyware Coalition