T 5.156 Bot networks

A bot is a program installed by an attacker on a user's computer without the user's knowledge, for example by means of corresponding malware, which can then remotely execute instructions from the attacker. Combining many such bots forms a bot network.

Bot networks are used for a number of illegal activities. Fields of application include sending masses of spam e-mails or e-mails with malicious attachments and links (e.g. for phishing), but also logging keystrokes (keylogging) and thus the misappropriation or theft of personal information (such as passwords, PINs, etc.) or of confidential business information (corporate espionage). Moreover, bots enable the misuse of infected computers by storing illegal software on them, or even by using the infected computers to make such software available, for example by means of file sharing. A form of attack that is particularly serious for networks and services is the so-called DDoS attack (Distributed Denial of Service). DDoS attacks are carried out for political and ideological reasons, but mainly for financial ones.

A simplified typical bot network structure is as follows:

Mechanism for infection and distribution

In the past, infection of a PC with bots was mainly carried out by exploiting known security gaps in system services and applications. For example, the worms SDBot and Agobot were equipped with scan routines in order to detect security gaps in unprotected systems. SDBot is distributed by exploiting the following security gaps, among others: NetBIOS (port 139), NTPass (port 445), DCOM (ports 135 and 1025), and WebDav (port 80). Agobot has an exploit framework for exploiting vulnerabilities of remote services (e.g. ports 135 and 445). In addition, Agobot searches for backdoors left behind by other malicious programs, e.g. by Bagle on port 2745.
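As an added illustration, not part of the catalogue entry, the following Python reads constructed firewall log lines and flags sources that sweep the propagation ports the text lists for SDBot, Agobot and the Bagle backdoor. The log format, the threshold of three distinct destination hosts and the treatment of port 80 as low-signal are assumptions.

```python
import re
from collections import defaultdict

# Ports the entry associates with SDBot/Agobot propagation and the Bagle backdoor.
WORM_PORTS = {139: "NetBIOS", 445: "NTPass", 135: "DCOM", 1025: "DCOM",
              80: "WebDav", 2745: "Bagle backdoor"}
# Port 80 is also ordinary web traffic, so it is reported but never counted alone.
LOW_SIGNAL = {80}

# Assumed log format: "<timestamp> src=<ip> dst=<ip> dport=<port> action=<verb>"
LOG_RE = re.compile(r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)")


def find_scanners(lines, min_hosts=3):
    """Return {src: {"hosts", "ports", "services"}} for every source that probed
    high-signal worm ports on at least min_hosts distinct destination hosts."""
    hosts = defaultdict(set)   # src -> destinations probed on high-signal ports
    ports = defaultdict(set)   # src -> all worm-related ports seen from that source
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue            # unrelated or malformed line
        dport = int(m["dport"])
        if dport not in WORM_PORTS:
            continue
        ports[m["src"]].add(dport)
        if dport not in LOW_SIGNAL:
            hosts[m["src"]].add(m["dst"])
    return {
        src: {"hosts": len(dsts), "ports": sorted(ports[src]),
              "services": sorted({WORM_PORTS[p] for p in ports[src]})}
        for src, dsts in hosts.items() if len(dsts) >= min_hosts
    }


# Constructed sample: 10.0.0.5 sweeps a subnet, 10.0.0.9 is a normal client.
SAMPLE_LOG = """\
2024-01-01T10:00:01 src=10.0.0.5 dst=10.0.0.20 dport=139 action=DROP
2024-01-01T10:00:01 src=10.0.0.5 dst=10.0.0.21 dport=139 action=DROP
2024-01-01T10:00:02 src=10.0.0.5 dst=10.0.0.22 dport=445 action=DROP
2024-01-01T10:00:02 src=10.0.0.5 dst=10.0.0.23 dport=135 action=DROP
2024-01-01T10:00:03 src=10.0.0.5 dst=10.0.0.24 dport=2745 action=DROP
2024-01-01T10:00:03 src=10.0.0.5 dst=10.0.0.25 dport=80 action=ACCEPT
2024-01-01T10:00:04 src=10.0.0.9 dst=10.0.0.50 dport=445 action=ACCEPT
2024-01-01T10:00:05 src=10.0.0.9 dst=10.0.0.60 dport=80 action=ACCEPT
kernel: link state changed
"""

if __name__ == "__main__":
    for src, info in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {info['hosts']} hosts, ports {info['ports']}, {info['services']}")
```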

An effective infection method from the attacker's point of view is the use of social engineering to entice users into a spontaneous, thoughtless action such as clicking on manipulated links in e-mails or instant messages, or executing e-mail attachments. Many bots are also distributed by means of file sharing (peer-to-peer networks). Recently, it has become increasingly common for legitimate and highly frequented websites to be manipulated and misused as distribution points for malware: script code inserted into the website installs malware on the user's computer automatically (drive-by download or drive-by infection).

Another important aspect when considering bot networks is their communication and control structure. In most cases they are controlled via one or several command and control servers. Centrally controlled bot networks are easy to develop and administer; however, blocking the few command and control servers renders the bot network unusable. To protect bot networks from being discovered and deactivated, other communication models, such as peer-to-peer protocols (because of their decentralised architecture) and HTTP, as well as masking techniques such as compression, encryption and fast flux, are increasingly being used.

Examples: