NOTE: The opinions expressed on this page are those of the author and not of SpamCop.
The term botnet ("robot network") is used to describe a large collection of computers under the control of a computer criminal, often called a botherder; these computers have been subverted by the botherder through various means, and can be used for various purposes, including spam.
The massive growth in spam volume over the past ten years or so can be attributed directly to the creation and deployment of botnets, since they provide very effective camouflage behind which spammers can send their mail and run their websites.
An individual computer within a botnet is often called a bot or a "zombie" (or, often, an open proxy). Such computers have been "cracked" using malware or viruses, or through exploitation of weak security (especially weak password security). The botherder uses these avenues to implant software on the bot that he can use to operate the computer himself under remote control, mainly as a sort of shield (or proxy, to use the technical term) to hide his network activities behind those of the bot. Usually, the owners of bot computers are quite unaware that their computers are working overtime for crooks, and they may only suspect a problem when they experience poor performance from their computers or their internet connections (due to the simultaneous activities of the botherder).
By closely monitoring DNS activity within spam website botnets, one can easily find botnets that consist of thousands of computers, all under the control of a single botherding operation (and new bots appear constantly for as long as the snooper chooses to continue monitoring the activity). According to Wikipedia, botnets containing as many as 1.5 million computers have recently been exposed. In the same article, it is estimated that as many as one quarter of all computers on the public network may secretly be members of criminal botnets. Many of these no doubt belong to the Storm botnet, which is estimated to comprise (or to have once comprised) anywhere between 1,000,000 and 50,000,000 infected Microsoft Windows computers.
What botnets do for spammers
The bot computer does not require very sophisticated software in order to serve the botherder's ends; it need only have the "remote control" software -- often an internet relay chat (IRC) agent adapted for the purpose (although growing suspicion and blocking of IRC traffic at many networks has led botherders to seek other avenues of control) -- plus a functioning TCP/IP protocol suite and clear full-time access to the internet. As noted above, the bot thus becomes a sort of "sock puppet" that the botherder can hide behind to perform various tasks by remote control. In the context of spam, these tasks include (1) sending spam mail, (2) shielding spam websites, and (3) proxying for authoritative name servers for a spam domain.
Sending spam mail
The bot can be operated via the botherder's "back channel" to relay hundreds or thousands of spam messages at a time. E-mail analysts may only be able to trace the messages as far back as the bot itself, and not to the botherder. The botherder does not use any of the bot owner's software (e.g., mail clients) for this purpose, and generally leaves no historical traces of this activity on the bot machine.
In the typical spam run, the task of delivering the messages is usually divided among many bots. The "exposure" of any given bot is thus often not high enough to attract attention at the time of the run. However, the IP addresses of bots can quickly end up on DNS blocking lists, which will limit the spammer's ability to re-use the bots for this purpose.
Shielding spam websites
Using a technique known as reverse proxying, the botherder can use the bot to "front" for a spam website. The bot does not have any web server software, and no web pages or other files; it simply acts as a conduit to the real website, which is located elsewhere and cannot be readily traced. Requests from visitors can be passed back to the real website via the botherder's back channel, and responses from the web server can be sent in the same fashion.
The specific bots that do the web proxying are changed rapidly over time so that the spammer can elude detection and block-listing of his web traffic. The botherder "anoints" a particular bot to take the incoming traffic for the website by listing the IP address of the bot with the authoritative name server for the domain; the listing will have a very short "time-to-live" (TTL) value (sometimes as short as a couple of minutes), forcing local name servers to refresh their cache on almost every request for the spam website. In this way, the botherders can literally change the apparent address of the website as often as they wish, in order to evade detection. This practice is sometimes called IP rotation.
Often, several bots at a time will be listed as authoritative addresses for the website, which helps overcome poor performance or disappearance of individual bots. Again, entire groups of bots can be rotated in and out of the "barrel" as the botherder desires.
Proxying for name service
The botherder can also use reverse proxying to make a bot appear to be an authoritative name server for a spam domain.
'AuthNS' servers are critical components in an internet domain, because they are used to link host names within the domain to IP addresses; everyone in the world who wants to reach a given host by name must eventually get address information from an AuthNS for the domain.
AuthNS servers represent a vulnerability for botherders and spammers, because investigators can obtain a great deal of information about a spam operation by consulting these servers, and the DNS providers can stop such operations cold simply by closing down the AuthNS service for the domain in question. And so, by hiding their authoritative name service behind bots, and by rapidly changing the bots used for this purpose (as is done for shielding websites), spammers can sow a great deal of confusion regarding their activities.
A top-level DNS lookup for a botnet-hosted spam domain often reveals a large number of AuthNS hosts, most of which have names with very low TTL values (like the "web server" bots). Typically, one or two of these AuthNS hosts will be the "real" ones that do not change rapidly.
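The rotation pattern described for the "web server" bots (many addresses, TTLs of a few minutes, a different set on nearly every lookup) and the mixed AuthNS picture just described (a few stable servers alongside rapidly changing ones) can both be scored from repeated lookups. The following is an added example, not code from the original page or from SpamCop: it works on constructed snapshots of a domain's A and NS records taken a few minutes apart, measures how much of the low-TTL set vanished between lookups, separates the long-TTL name servers that do not rotate, and includes a control set whose addresses have a short TTL but never change, since a low TTL on its own (as a content delivery network might use) is not evidence of a botnet. The TTL threshold and the 50% churn cut-off are assumptions to be tuned against real data.

```python
"""Scoring successive DNS answers for rotation behaviour.

Constructed example data, not real lookups: two snapshots of a domain's
A and NS records taken a few minutes apart, plus a control set whose
addresses have a short TTL but never change.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Record:
    name: str   # owner name
    rtype: str  # "A" or "NS"
    ttl: int    # seconds, as returned by the resolver
    value: str  # IPv4 address for A records, host name for NS records


# Assumed threshold: anything at or below five minutes counts as "low TTL".
LOW_TTL = 300

# Constructed snapshots.  ns1/ns2 are the stable "real" servers; the other
# NS hosts and all web addresses rotate between the two lookups.
FLUX_SNAPSHOTS: List[List[Record]] = [
    [
        Record("www.example.invalid", "A", 120, "198.51.100.17"),
        Record("www.example.invalid", "A", 120, "203.0.113.44"),
        Record("www.example.invalid", "A", 120, "192.0.2.201"),
        Record("example.invalid", "NS", 86400, "ns1.example.invalid"),
        Record("example.invalid", "NS", 86400, "ns2.example.invalid"),
        Record("example.invalid", "NS", 180, "ns3.example.invalid"),
        Record("example.invalid", "NS", 180, "ns4.example.invalid"),
    ],
    [
        Record("www.example.invalid", "A", 120, "203.0.113.44"),
        Record("www.example.invalid", "A", 120, "192.0.2.9"),
        Record("www.example.invalid", "A", 120, "198.51.100.250"),
        Record("example.invalid", "NS", 86400, "ns1.example.invalid"),
        Record("example.invalid", "NS", 86400, "ns2.example.invalid"),
        Record("example.invalid", "NS", 180, "ns5.example.invalid"),
        Record("example.invalid", "NS", 180, "ns6.example.invalid"),
    ],
]

# Control (constructed): low TTL, but the same two addresses every time.
STEADY_SNAPSHOTS: List[List[Record]] = [
    [Record("cdn.example.invalid", "A", 60, "192.0.2.10"),
     Record("cdn.example.invalid", "A", 60, "192.0.2.11")],
    [Record("cdn.example.invalid", "A", 60, "192.0.2.10"),
     Record("cdn.example.invalid", "A", 60, "192.0.2.11")],
]


def low_ttl_values(records: List[Record], rtype: str) -> Set[str]:
    """Values of the given type that were served with a low TTL."""
    return {r.value for r in records if r.rtype == rtype and r.ttl <= LOW_TTL}


def stable_values(records: List[Record], rtype: str) -> Set[str]:
    """Values of the given type that were served with a normal TTL."""
    return {r.value for r in records if r.rtype == rtype and r.ttl > LOW_TTL}


def churn(snapshots: List[List[Record]], rtype: str) -> float:
    """Average fraction of low-TTL values that vanished between consecutive lookups."""
    rates = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        before, after = low_ttl_values(prev, rtype), low_ttl_values(cur, rtype)
        if before:
            rates.append(len(before - after) / len(before))
    return sum(rates) / len(rates) if rates else 0.0


def assess(snapshots: List[List[Record]]) -> Dict[str, object]:
    """Summarise rotation; churn of 50% or more on A or NS records is flagged (assumed cut-off)."""
    a_churn = churn(snapshots, "A")
    ns_churn = churn(snapshots, "NS")
    seen_low_a: Set[str] = set().union(*(low_ttl_values(s, "A") for s in snapshots))
    stable_sets = [stable_values(s, "NS") for s in snapshots]
    stable_ns = set.intersection(*stable_sets) if stable_sets else set()
    return {
        "a_churn": round(a_churn, 4),
        "ns_churn": round(ns_churn, 4),
        "distinct_low_ttl_addresses": len(seen_low_a),
        "stable_name_servers": sorted(stable_ns),  # the non-rotating AuthNS hosts worth reporting
        "suspicious": a_churn >= 0.5 or ns_churn >= 0.5,
    }


if __name__ == "__main__":
    print(assess(FLUX_SNAPSHOTS))
    print(assess(STEADY_SNAPSHOTS))
```

Run against the rotating data, two of the three web addresses and both low-TTL name servers disappear between lookups, while ns1 and ns2 survive as the stable servers; the control set scores zero churn despite its 60-second TTL, which is the distinction a practitioner needs before treating a low TTL as a botnet indicator.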
Other things botnets can do
If you have control of thousands of computers located throughout the world, you can do a great deal more besides just sending people spam. In 2003, a spam blocking list known as SPEWS was victimized by a denial-of-service (DoS) attack launched from a botnet, in which individual bots pelted the SPEWS servers with abnormally high volumes of traffic, forcing the temporary shutdown of these servers. A similar fate befell the Blue Frog "spam unsubscribing" service in 2006, eventually forcing Blue Frog to cease operations permanently.
It would appear that botnets are also involved in the collection of spam mailing lists via directory harvest attack (see the Wiki entry for "blank" spams and probes). Botherders can also program individual bots to capture their users' keystrokes (including sensitive information such as passwords), or to analyze traffic and activity on the bot with an eye toward (further) computer crime. Also, botnets can be used for such less-sinister but equally dishonest practices as generating false "click" traffic to websites of interest (e.g., to pump up ad revenues that are based on "cost-per-click").
Countermeasures against botnets
The threats posed by botnets are very large and complex; at this stage, most anti-botnet measures amount to treatment for particular symptoms of the problem, rather than comprehensive solutions.
As noted, the use of DNS blocking lists can be very effective in spotting spam deliveries made via botnet. Once a particular bot begins mailing spam, it doesn't take long for this machine to end up on a DNSbl, and the subscribers to the DNSbl can use this information to block (or, more likely, to detain in a "spam bucket") any mailings that come from this source.
Avoiding DoS attacks: It can be very difficult for an internet service to block or defend against distributed denial-of-service attacks mounted by botherders; however, some specialized techniques do exist (as mentioned in the Wikipedia article).
Hampering bot activity: Internet providers who want to limit the activities of bots within their network space can often take measures such as the selective blocking of network traffic important to botherders, such as outbound mail (SMTP) connections, or inbound web (HTTP) and DNS connections. Businesses and institutions that operate networks can take even more stringent measures, such as installing restrictive web proxies and blocking possible control channels such as SSH, telnet, or IRC.
Sabotaging botnets: However large they may become, botnets do often have significant weak spots that can be exploited to disrupt them or limit their growth and activity. For example, the domain names used in a spam or botnet operation can be shut down (through so-called "nullrouting"), as can central DNS services used by the botnet. The effectiveness of these measures may be limited by the responsiveness of the domain registrars and DNS providers (who do not always demonstrate a strong interest in controlling botnet activity). Furthermore, the most effective botnets are very robust, so such measures do not generally keep them off the air for long.
Since the botherders are invariably breaking laws against computer crime, law enforcement personnel are entitled to trace them down, apprehend them, and see that they are prosecuted. This is far more easily said than done, however, thanks to the diffuse and transnational nature of botnet operations. Nevertheless, the U.S. Federal Bureau of Investigation has had some early success under the program known as Operation Bot Roast, which for example led to the apprehension and prosecution in 2007 of several alleged computer criminals, including Robert Soloway, a very prolific and persistent spammer who allegedly used botnets in his operations.
Killing the zombies: Finally, individual computer users can (and certainly should) take measures to see that their computers are clear of botnet software; see the Wiki page for zombies for some further information.