Botnet is a jargon term for a collection of software robots, or bots, that run autonomously and automatically. The term is often associated with malicious software but it can also refer to the network of computers using distributed computing software.

While the term "botnet" can be used to refer to any group of bots, such as IRC bots, the word is generally used to refer to a collection of compromised computers (called Zombie computers) running software, usually installed via worms, Trojan horses, or backdoors, under a common command-and-control infrastructure. The majority of these computers are running Microsoft Windows operating systems, but other operating systems can be affected.

A botnet's originator (aka "bot herder") can control the group remotely, usually through a means such as IRC, and usually for nefarious purposes. Individual programs manifest as IRC "bots". Often the command-and-control takes place via an IRC server or a specific channel on a public IRC network. This server is known as the command-and-control server ("C&C").

A bot typically runs hidden, and complies with the RFC 1459 (IRC) standard. Generally, the perpetrator of the botnet has compromised a series of systems using various tools (exploits, buffer overflows, as well as others; see also RPC). Newer bots can automatically scan their environment and propagate themselves using vulnerabilities and weak passwords. Generally, the more vulnerabilities a bot can scan and propagate through, the more valuable it becomes to a botnet controller community. The process of stealing computing resources as a result of a system being joined to a "botnet" is sometimes referred to as "scrumping."

Botnets have become a significant part of the Internet, albeit increasingly hidden. Due to most conventional IRC networks taking measures and blocking access to previously-hosted botnets, controllers must now find their own servers. Often, a botnet will include a variety of connections, ranging from dial-up, ADSL and cable, and a variety of network types, including educational, corporate, government and even military networks. Sometimes a controller will hide an IRC server installation on an educational or corporate site where high-speed connections can support a large number of other bots. Exploitation of this method of using a bot to host other bots has proliferated only recently as most script kiddies do not have the knowledge to take advantage of it.

Several botnets have been found and removed from the Internet. The Dutch police found a 1.5 million node botnet [ [ Dutch Botnet Suspects Ran 1.5 Million Machines] by Gregg Keizer, TechWeb Technology News] and the Norwegian ISP Telenor disbanded a 10,000-node botnet. [ [ Telenor takes down 'massive' botnet] by John Leyden, The Register.] Large coordinated international efforts to shut down botnets have also been initiated. [ [ ISPs urged to throttle spam zombies] by John Leyden, The Register.] It has been estimated that up to one quarter of all personal computers connected to the internet may become part of a botnet. [ [ Criminals 'may overwhelm the web'] , "BBC", 25 January 2007.]


Botnet servers will often liaise with other botnet servers, such that a group may contain 20 or more individual cracked high-speed connected machines as servers, linked together for purposes of greater redundancy. Actual botnet communities usually consist of one or several controllers that rarely have highly-developed command hierarchies between themselves; they rely on individual friend-to-friend relationships.Fact|date=May 2007

To thwart detection, some botnets were scaling back in size. As of 2006, the average size of a network was estimated at 20,000 computers, although larger networks continued to operate. []

Formation and exploitation

This example illustrates how a botnet is created and used to send email spam.

# A botnet operator sends out viruses or worms, infecting ordinary users' computers, whose payload is a malicious application -- the "bot".
# The "bot" on the infected PC logs into a particular C&C server (often an IRC server, but, in some cases a web server).
# A spammer purchases access to the botnet from the operator.
# The spammer sends instructions via the IRC server to the infected PCs, ...
# ...causing them to send out spam messages to mail servers.

Botnets are exploited for various purposes, including denial-of-service attacks, creation or misuse of SMTP mail relays for spam (see Spambot), click fraud, spamdexing and the theft of application serial numbers, login IDs, and financial information such as credit card numbers.

The botnet controller community features a constant and continuous struggle over who has the most bots, the highest overall bandwidth, and the most "high-quality" infected machines, like university, corporate, and even government machines.Fact|date=May 2007

Botnet lifecycle

* Bot-herder configures initial bot parameters such as infection vectors, payload, stealth, C&C details
* Register a DDNSRegister a static IP.
* Bot-herder launches or seeds new bot(s)Spreading the bot.
* Bots spreading -- growingCauses an increase of DDoS being sent to the victim website.
* Losing bots to other botnets
* Stasis -- not growing

= Types of attacks =
* Denial-of-service attacks where multiple systems autonomously access a single Internet system or service in a way that appears legitimate, but much more frequently than normal use and cause the system to become busy.
* Adware exists to advertise some commercial entity actively and without the user's permission or awareness.
* Spyware is software which sends information to its creators about a user's activities.
* E-mail spam are e-mail messages disguised as messages from people, but are either advertising, annoying, or malicious in nature.
* Click fraud is the user's computer visiting websites without the user's awareness to create false web traffic for the purpose of personal or commercial gain.

Preventive measures

If a machine receives a denial-of-service attack from a botnet, few choices exist. Given the general geographic dispersal of botnets, it becomes difficult to identify a pattern of offending machines, and the sheer volume of IP addresses does not lend itself to the filtering of individual cases. Passive OS fingerprinting can identify attacks originating from a botnet: network administrators can configure newer firewall equipment to take action on a botnet attack by using information obtained from passive OS fingerprinting. The most serious preventive measures utilize rate-based intrusion prevention systems implemented with specialized hardware.

Some botnets use free DNS hosting services such as,, and to point a subdomain towards an IRC server that will harbor the bots. While these free DNS services do not themselves host attacks, they provide reference points (often hard-coded into the botnet executable). Removing such services can cripple an entire botnet. Recently, these companies have undertaken efforts to purge their domains of these subdomains. The botnet community refers to such efforts as "nullrouting", because the DNS hosting services usually re-direct the offending subdomains to an inaccessible IP address.

The botnet server structure mentioned above has inherent vulnerabilities and problems. For example, if one was to find one server with one botnet channel, often all other servers, as well as other bots themselves, will be revealed. If a botnet server structure lacks redundancy, the disconnection of one server will cause the entire botnet to collapse, at least until the controller(s) decides on a new hosting space. However, more recent IRC server software includes features to mask other connected servers and bots, so that a discovery of one channel will not lead to disruption of the botnet.

Several security companies such as Symantec, Trend Micro, FireEye, Simplicita and Damballa have announced offerings to stop botnets. While some, like Norton Anti-Bot (aka Sana Security), are aimed at consumers, most are aimed to protect enterprises and/or ISPs. The host-based techniques use heuristics to try to identify bot behavior that has bypassed conventional anti-virus software. Network-based approaches tend to use the techniques described above; shutting down C&C servers, nullrouting DNS entries, or completely shutting down IRC servers.

Newer botnets are almost entirely P2P, with command-and-control embedded into the botnet itself, and the single point of failure being a domain name - often registered with obscure registrars that may lack policies, and with stolen credit cards and fake identities.

= [|Historical List of Botnets] =

See also

* Storm botnet
* Kraken botnet
* Srizbi botnet
* Buffer overflow
* Computer worm
* Denial-of-service attack
* Dosnet
* Bot
* Clickbot.A
* Script kiddie
* E-mail spam
* Spambot
* Timeline of notable computer viruses and worms
* Trojan horse (computing)
* Zombie computer
* E-mail address harvesting
* List poisoning
* Spamtrap
* Anti-spam techniques (e-mail)


External links

* [ How-to: Build your own botnet with open source software]
* [ The Honeynet Project & Research Alliance] , "Know your Enemy: Tracking Botnets".
* [ SwatIt - Bots, Drones, Zombies, Worms] - A gallery of botnet structure.
* [ The Shadowserver Foundation] - An all volunteer security watchdog group that gathers, tracks, and reports on malware, botnet activity, and electronic fraud.
* [ NANOG Abstract: Botnets] - John Kristoff's NANOG32 Botnets presentation.
* [ Mobile botnets] - An economic and technological assessment of mobile botnets.
* [ Lowkeysoft - Intrusive analysis of a web-based proxy botnet] (including administration screenshots).
* [,1895,2029720,00.asp - Is the Botnet Battle Already Lost?] .
* [ Wired Magazine - Attack of the Bots] - How one company fought the new Internet mafia – and lost.
* [ Dark Reading - Botnets Battle Over Turf] .
* [ List of dynamic (dsl, cable, modem, etc) addresses] - Filter SMTP mail for hosts likely to be in botnets.
* [ VX CHAOS File Server - Bots and Botnets] - Bot and Botnet Source Codes and Snippets for IT Security and Anti-Virus Researchers.
* [ ATLAS Global Botnets Summary Report] - Real-time database of malicious botnet command and control servers.
* [ FBI LAX Press Release DOJ]
* []
FBI April 16, 2008

Wikimedia Foundation. 2010.

Look at other dictionaries:

  • Botnet — es un término que hace referencia a un conjunto de robots informáticos o bots, que se ejecutan de manera autónoma y automática. El artífice de la botnet (llamado pastor) puede controlar todos los ordenadores/servidores infectados de forma remota… …   Wikipedia Español

  • Botnet — es un término que hace referencia a una colección de software robots, o bots, que se ejecutan de manera autónoma (normalmente es un gusano que corre en un servidor infectado con la capacidad de infectar a otros servidores). El artífice de la… …   Enciclopedia Universal

  • Botnet — Un botnet est un ensemble de bots informatiques qui sont reliés entre eux. Historiquement, ce terme s est d abord confondu avec des robots IRC (bien que le terme ne se limitait pas à cet usage spécifique), qui était un type de botnet particulier… …   Wikipédia en Français

  • Botnet — Ablauf der Entstehung und Verwendung von Botnetzen: 1. Infizierung ungeschützter Computer, 2. Eingliederung in das Botnet, 3. Botnetbetreiber verkauft Dienste des Botnets, 4./5. Ausnutzung des Botsnets, etwa für den Versand von Spam Ein Botnet… …   Deutsch Wikipedia

  • botnet — /ˈbɒtnɛt/ (say botnet) noun a collection of zombie PCs infected with software specifically designed to create a network, as for a spam attack. Also, bot net. {bot3 + net(work)} …   Australian-English dictionary

  • Botnet — …   Википедия

  • botnet — noun /ˈbɒtnɛt/ A collection of zombies that are controlled by the same cracker; a collection of compromised computers that is slowly built up then unleashed as a DDOS attack or used to send very large quantities of spam. Then they blacklisted… …   Wiktionary

  • botnet — ● ►en n. m. ►SECU Réseau de robots logiciels installés sur des machines aussi nombreuses que possibles. Souvent utilisé à des fins malhonnêtes (quand on a un objectif honnête, on parle plutôt de calcul en grille) …   Dictionnaire d'informatique francophone

  • botnet — …   Useful english dictionary

  • Botnet Srizbi — Le botnet Srizbi, aussi connu sous les noms de Cbepblay et Exchanger, est réputé être le plus grand ou le deuxième plus grand botnet et est responsable de la transmission de la moitié du spam qui transite par l ensemble des botnets… …   Wikipédia en Français

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”