Since the early days of the public Internet, the word bot (from robot) has referred to automated software programs that perform tasks on a network with some degree of autonomy. Bots can perform many beneficial and even vital functions. For example, the web crawling software programs used by popular search engines to index web pages are a class of bots, and participants in the well-known SETI@HOME program (http://setiathome.berkeley.edu) voluntarily install bots on their computers that analyze radio telescope data for evidence of intelligent extraterrestrial life. Unfortunately, bots can also be developed for malicious purposes, such as assembling networks of compromised computers, called botnets, that are controlled remotely and surreptitiously by one or more individuals, called bot-herders.
Computers in a botnet, called nodes or zombies, are often ordinary computers sitting on desktops in homes and offices around the world. Typically, computers become nodes in a botnet when attackers illicitly install malware that secretly connects them to the botnet, after which they perform tasks such as sending spam, hosting or distributing malware or other illegal files, or attacking other computers. Attackers usually install bots by exploiting vulnerabilities in software or by using social engineering tactics to trick users into installing the malware. Users are often unaware that their computers are being used for malicious purposes.
Figure: Example of a typical botnet in action.
In many ways, a botnet is the perfect base of operations for computer criminals. Bots are designed to operate in the background, often without any visible evidence of their existence. Victims who detect suspicious activity on their computers are likely to take steps to find and fix the problem, perhaps by running an on-demand malware scan or by updating the signature files for their existing real-time malware protection. Depending on the nature of the bot, the attacker may have almost as much control over the victim's computer as the victim has, or perhaps more.
By keeping a low profile, bots are sometimes able to remain active and operational for years. The growth of always-on Internet services such as residential broadband has aided bot-herders by ensuring that a large percentage of the computers in the botnet are accessible at any given time. Botnets are also attractive to criminals because they provide an effective mechanism for covering the tracks of the botnet herder: tracing the origin of an attack leads back to the hijacked computer of an innocent user, which makes it difficult for investigators to proceed further.
In practice, many threats include limited command and control capabilities that are tailored to specific tasks, like downloading files, but do not provide the attacker with the kind of full-featured control that bots typically do. Malware authors also often add command and control capabilities to existing families as they develop them, so it is possible for malware families to evolve into botnets over time as new variants are released. For the purposes of this analysis, the Security Intelligence Report defines botnet as a network of computers that can be illicitly and secretly controlled at will by an attacker and commanded to take a variety of actions. Under this definition, a trojan downloader that is only designed to download arbitrary files and cannot otherwise be controlled by the attacker would not be considered a bot.