Botnet: 10 Years of Security Threats

Compared with PC viruses and worms, botnets are relatively new threats to the IT landscape.

Their history dates back to the late 90s, when the infamous NetBus and Back Orifice 2000 backdoor Trojans started to wreak havoc among computer users. NetBus and Back Orifice 2000 were more than simple Trojans with a few new features: they were a distinct breed of malware that integrated new technologies and functions. For instance, these two Trojans were the first pieces of malware to allow remote administration of the infected computer.

The real danger posed by these Trojans was amplified by the fact that only a few specialists fully understood the phenomenon, while the rest of the PC-using public simply panicked. After all, applications opening and closing without any user interaction were a little more than the average PC user could make sense of. However, such Trojans could not team up into a network of their own, which meant that both NetBus and Back Orifice 2000 were proof-of-concept pieces of malware, written for fun rather than for profit.

One year later, in 2000, remote administration tools gained the ability to control multiple machines at the same time. New features were added to existing backdoor programs so that they would automatically connect to a predefined rally point. This new generation of threats built on a tool hackers had long been using: IRC channels. Upgrading regular IRC bots to perform malicious tasks was a piece of cake, since the vast majority of bots were available as open-source software. Moreover, the IRC protocol has a simple, plain-text syntax, which means that anyone with average programming skills could turn an ordinary bot into a weapon of mass destruction.

The new challenge, as far as botnets are concerned, was to control as many computers as possible at once. While controlling a single computer was easy, controlling thousands of systems at once proved more difficult in practice than on paper. This is why more and more bots were equipped with a "call home" feature: each time a bot infected a system, it would immediately call home and report for duty. In practice, this meant logging onto a predefined IRC channel and sending a private message to a logged-on user (usually the bot controller). The message could look like this:

“Hi, I am ready to start. My IP is and I take commands on port 1222.”
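What that "report for duty" looks like on the wire, and how a defender can pick it out of captured IRC traffic, as an added example that is not part of the original article. The nicks, the channel name (#rallypoint), the controller nick (master), the RFC 5737 test addresses and the record format "epoch source-ip raw-irc-line" are all constructed for illustration; the check-in text follows the message quoted above.

```python
import re
from collections import defaultdict

# Added example, not code from the original article. Nicks, channel,
# controller nick, addresses and the log record format are constructed.

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PORT_RE = re.compile(r"\bport\s+(\d{1,5})\b", re.I)


def bot_checkin(nick, channel, controller, ip, port):
    """The raw lines a freshly infected host sends to report for duty:
    register a nick, join the rally channel, then PRIVMSG the controller.
    IRC is plain text, one command per CRLF-terminated line."""
    return [
        f"NICK {nick}",
        f"USER {nick} 0 * :{nick}",
        f"JOIN {channel}",
        f"PRIVMSG {controller} :Hi, I am ready to start. "
        f"My IP is {ip} and I take commands on port {port}.",
    ]


def parse_irc(line):
    """Split one raw IRC line into (prefix, command, params) as in RFC 1459:
    an optional ':prefix', a command, space-separated params, and an optional
    trailing param introduced by ' :' that may itself contain spaces."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    command, params = parts[0].upper(), parts[1:]
    if sep:
        params.append(trailing)
    return prefix, command, params


def detect_checkins(log_lines, burst_window=60, min_hosts=3):
    """Scan 'epoch src-ip raw-irc-line' records (constructed format) for two
    tells of a bot rally point: PRIVMSGs that advertise an IP and a listening
    port, and channels joined by min_hosts distinct hosts within burst_window
    seconds. Returns (reports, bursts)."""
    reports = []
    joins = defaultdict(list)            # channel -> [(ts, host), ...]
    for record in log_lines:
        ts, src, raw = record.split(" ", 2)
        _, cmd, params = parse_irc(raw)
        if cmd == "JOIN" and params:
            joins[params[0]].append((int(ts), src))
        elif cmd == "PRIVMSG" and len(params) == 2:
            ip_m, port_m = IPV4_RE.search(params[1]), PORT_RE.search(params[1])
            if ip_m and port_m:
                reports.append((src, params[0], ip_m.group(0), int(port_m.group(1))))
    bursts = {}
    for chan, events in joins.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            hosts = {h for t, h in events[i:] if t - t0 <= burst_window}
            if len(hosts) >= min_hosts:
                bursts[chan] = sorted(hosts)
                break
    return reports, bursts


BOT_HOSTS = ["192.0.2.11", "192.0.2.12", "192.0.2.13"]   # RFC 5737 test addresses


def build_sample_log():
    """Constructed capture: three bots checking in ten seconds apart, plus one
    ordinary chat user for contrast."""
    lines = []
    for i, host in enumerate(BOT_HOSTS):
        ts = 1_700_000_000 + 10 * i
        for raw in bot_checkin(f"bot{i}", "#rallypoint", "master", host, 1222):
            lines.append(f"{ts} {host} {raw}")
    lines.append("1700000050 10.0.0.50 JOIN #chat")
    lines.append("1700000051 10.0.0.50 PRIVMSG #chat :anyone around?")
    return lines


if __name__ == "__main__":
    reports, bursts = detect_checkins(build_sample_log())
    for src, target, ip, port in reports:
        print(f"check-in from {src}: told {target} it listens on {ip}:{port}")
    for chan, hosts in bursts.items():
        print(f"join burst on {chan}: {', '.join(hosts)}")
```

The two signals are deliberately independent: a single bot reporting its IP and port is suspicious on its own, while a burst of distinct hosts joining the same channel catches bots whose check-in text has been reworded. The burst threshold and window are assumptions to tune per network; on a busy public IRC server legitimate channels also see join bursts, so the channel name and the hosts involved still need a human look.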

Things got serious in 2003, when the SoBig e-mail worm struck millions of computer users. The attack is alleged to have been the first organized attempt to add a very large number of computers to the same botnet. It was also the first time an e-mail worm carried a bot as its payload.

The media played a crucial role in promoting botnets as one of the most important security threats ever. As information about IRC-based botnets spread among hackers and malware authors, they quickly rallied to improve and strengthen botnets. Of course, some malware authors decided they would rather hijack existing botnets than build their own from scratch. IRC channels with huge numbers of visitors became the main targets of hijackers. After bypassing the channel's authentication, a hijacker would simply redirect the "confiscated" bots to another IRC channel, thus seizing control of someone else's botnet.

However, as IRC botnets gained ground, more and more Internet service providers imposed strict firewall restrictions on IRC ports, and many botnets found themselves irreversibly cut off from their command centers. It was expected that the botnet industry would migrate to a different protocol that would be harder to

Hackers worldwide started working on fully-fledged HTTP servers able to remotely control compromised systems located behind a corporate firewall or NAT device. More and more whitepapers and how-tos were published on specialized hacking forums. HTTP proved extremely convenient, given that outbound port 80 was practically never blocked by corporate firewalls and a bot's check-ins blend in with ordinary web browsing. However, an experienced system administrator could still spot abnormal traffic on port 80, such as a host contacting the same server at regular intervals, and thereby endanger the botnet itself.
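The kind of port-80 anomaly an administrator could look for, as an added example that is not part of the original article: an HTTP bot polls its C&C on a timer and usually gets back a tiny "nothing to do" reply, whereas a person browsing produces irregular bursts of large responses. The proxy-log format "epoch client host path status bytes", the hostnames, the addresses and the thresholds below are constructed for illustration.

```python
import statistics
from collections import defaultdict

# Added example, not code from the original article. Log format, hosts,
# addresses and thresholds are constructed for illustration.


def parse_proxy_line(line):
    """Constructed proxy-log format: 'epoch client host path status bytes'."""
    ts, client, host, path, status, nbytes = line.split()
    return int(ts), client, host, path, int(status), int(nbytes)


def find_beacons(lines, min_requests=6, max_cv=0.15, max_mean_bytes=2000):
    """Flag (client, host) pairs whose requests are many, evenly spaced and
    small. Regularity is measured as the coefficient of variation
    (stdev / mean) of the gaps between consecutive requests: near zero for a
    timer-driven bot, large for a human clicking around."""
    by_pair = defaultdict(list)
    for line in lines:
        ts, client, host, _path, _status, nbytes = parse_proxy_line(line)
        by_pair[(client, host)].append((ts, nbytes))
    hits = []
    for (client, host), reqs in by_pair.items():
        if len(reqs) < min_requests:
            continue
        reqs.sort()
        gaps = [later - earlier for (earlier, _), (later, _) in zip(reqs, reqs[1:])]
        mean_gap = statistics.fmean(gaps)
        if mean_gap == 0:                 # everything within one second: a burst, not a timer
            continue
        cv = statistics.pstdev(gaps) / mean_gap
        mean_bytes = statistics.fmean(b for _, b in reqs)
        if cv <= max_cv and mean_bytes <= max_mean_bytes:
            hits.append({"client": client, "host": host, "requests": len(reqs),
                         "period_s": round(mean_gap), "cv": round(cv, 3)})
    return hits


def constructed_log():
    """A bot polling cc.example roughly every five minutes (small jitter,
    41-byte replies) next to a person browsing www.example.com."""
    base = 1_700_000_000
    lines = []
    for off in (0, 298, 601, 899, 1203, 1498, 1801, 2100):
        lines.append(f"{base + off} 10.0.0.7 cc.example /gate.php 200 41")
    for off, nbytes in ((0, 18342), (5, 2210), (9, 55120), (130, 7300),
                        (131, 900), (133, 41200), (900, 12400), (905, 3300)):
        lines.append(f"{base + off} 10.0.0.8 www.example.com /news 200 {nbytes}")
    return lines


if __name__ == "__main__":
    for hit in find_beacons(constructed_log()):
        print(hit)
```

The thresholds are assumptions and the detector is deliberately simple: a bot that randomizes its sleep interval widely, or that pads its replies, pushes the coefficient of variation or the response size past the cut-off. In practice this check is combined with how rare the destination host is across the whole fleet of clients and with whether the User-Agent matches a real browser, rather than used alone.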

Malware authors also attempted to build botnets on instant messaging services, but gave up shortly thereafter, as each bot would need its own username and password, a painstaking task that takes time and effort. Some botmasters shifted their attention to new network architectures. New botnets came with multiple command and control centers, since a single C&C server could easily be hijacked, taken down or otherwise destroyed. Multiple C&C nodes bring extra resilience, but at the same time they are much harder to maintain.

Next on the evolutionary roadmap were peer-to-peer networks. The new infrastructures had no single command center to take down, unlike traditional C&C botnets, but at the same time their effectiveness depended heavily on the total number of bots they could control at once. Some botmasters had experimented with P2P architectures since 2004, but it was only in 2007 that the first large P2P botnet was discovered.

Called the Storm botnet, the new P2P network was built using the notorious Storm Worm. (Storm Worm is a mixed-type piece of malware that combines worm features with backdoor and Trojan capabilities. First spotted in the wild on January 17, 2007, the worm tries to infect computers and then add them to the Storm botnet. It disguises itself as a newsletter containing a video about fake news stories, especially weather disasters.) The Storm Worm was extremely prolific and, in order to evade antivirus detection, its author(s) kept releasing new and updated variants of the code. It is alleged that the worm came in five different flavors that delivered essentially the same malicious payload. (The Storm Worm resembled a polymorphic virus, but unlike conventional polymorphism, the mutation took place on an Internet server rather than locally on the infected machine, an approach now known as server-side polymorphism; a signature written for one downloaded sample therefore did not match the next.)

Larger botnets were soon labeled threats to national security, the national information infrastructure and the economy, so multiple government institutions took a stance against the attackers. The Federal Bureau of Investigation started a national initiative called Operation Bot Roast. It identified over one million compromised machines that had been used to relay spam and perform other kinds of attacks in the US alone. A couple of botmasters located in the US received visits from the agency, and three persons were tried and convicted of computer fraud and abuse in violation of Title 18 USC 1030.

James C. Brewer, a computer programmer from Arlington, Texas, was sentenced to imprisonment for operating a botnet inside Chicago-area hospitals. Brewer allegedly managed to infect tens of thousands of computers worldwide. Jason Michael Downey of Covington, Kentucky was also charged with computer fraud, as his botnet flooded its targets with traffic in order to impair the availability of their systems (distributed denial of service). Last, but not least, Robert Alan Soloway of Seattle, Washington was charged with computer fraud and abuse, as his botnet was used to spam

About the author


Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beaten with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.