Bots are highly specialized tools that can perform many tasks for their masters, but they all share a common set of essential features. These features may go by different names in different bot families, but they ultimately offer the same destructive potential.
One of the most important functions implemented in a bot is the update feature: the bot can download and execute a file hosted on a remote server in order to replace its own code with a newer, more capable version. Unlike commercial software updaters that automatically check for newer versions at startup, a bot update is triggered only when the botmaster issues the command to the compromised machines. The update feature is also widely used to deploy further malware (viruses, Trojans or worms) onto the infected host. Flooding, the building block of Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks, is another important feature built into any malicious bot.
DoS attacks are designed to hinder or stop the normal functioning of a web site, server or other network resource by flooding it with more network traffic than it is able to handle. DDoS attacks are similar to DoS attacks, except that they are carried out from multiple compromised machines at the same time.
This allows the bot to send bogus requests to a specific Internet address in order to overload it beyond the point of normal functioning. A flood attack can easily render a server useless, taking it out of production for an undetermined amount of time. This kind of attack is usually used as a blackmail tool, as we will discuss later.
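The distinction between a single-source flood and a distributed one is visible on the victim's side in per-source request rates. The following is an added example, not code from the original article: it buckets web-server access-log lines into fixed time windows, flags windows whose request count exceeds a threshold, and labels a window "DoS" when one source dominates it and "DDoS" when the load is spread across many sources. The log format (a Common Log Format-like shape), the window size, the thresholds and the dominance ratio are all assumptions chosen for illustration, and the log lines are constructed, not captured traffic.

```python
"""Rate-based flood detection over constructed access-log lines.

Added example (not from the original article). Assumptions: a Common Log
Format-like line shape, 10-second windows, an alert threshold of 200 requests
per window, and a "one source sends >= 80% of the window" rule for calling a
flood single-source (DoS) rather than distributed (DDoS).
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# <client-ip> - - [<timestamp>] "<request>" <status> <bytes>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, timestamp) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def classify_flood(lines, window_seconds=10, total_threshold=200,
                   single_source_share=0.8):
    """Count requests per source IP in fixed windows and label busy windows.

    Returns one dict per window whose total request count reaches
    total_threshold: label is "DoS" when the busiest IP accounts for at least
    single_source_share of the window, otherwise "DDoS". Thresholds are
    illustrative assumptions, not tuned values.
    """
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than aborting the scan
        ip, ts = parsed
        bucket = int(ts.timestamp()) // window_seconds * window_seconds
        buckets[bucket][ip] += 1

    alerts = []
    for bucket in sorted(buckets):
        per_ip = buckets[bucket]
        total = sum(per_ip.values())
        if total < total_threshold:
            continue
        top_ip, top_count = per_ip.most_common(1)[0]
        label = "DoS" if top_count / total >= single_source_share else "DDoS"
        alerts.append({
            "window": bucket, "label": label, "total": total,
            "sources": len(per_ip), "top_ip": top_ip, "top_count": top_count,
        })
    return alerts


def make_line(ip, ts, path="/index.html"):
    """Build one constructed log line in the assumed format."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'


def build_sample_log():
    """Constructed sample: normal traffic, then a DoS burst, then a DDoS burst."""
    base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    # Window 0 (0-10 s): five ordinary clients, four requests each.
    for i in range(5):
        for j in range(4):
            lines.append(make_line(f"10.0.0.{i + 1}", base + timedelta(seconds=2 * j)))
    # Window 1 (10-20 s): one host sends 300 requests (single-source flood).
    for j in range(300):
        lines.append(make_line("203.0.113.7", base + timedelta(seconds=10 + j % 10)))
    # Window 2 (20-30 s): 250 distinct hosts send one request each (distributed).
    for j in range(250):
        lines.append(make_line(f"198.51.100.{j}", base + timedelta(seconds=20 + j % 10)))
    lines.append("not a log line")  # malformed input the parser must tolerate
    return lines


if __name__ == "__main__":
    for alert in classify_flood(build_sample_log()):
        print(alert)
```

Two caveats a practitioner would keep in mind: the source IPs of a real flood are frequently spoofed, so a "DDoS" label derived from address diversity says nothing reliable about how many machines are involved, and a legitimate traffic spike (or a large NAT) can look like either case. The value of the per-window, per-source counting is in surfacing the window quickly; the label is a hint for the analyst, not a verdict.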
Spamming is another popular use of bots. This functionality allows the bot to download a spam message template and then send it to the addresses in a spam list. To maximize efficiency, each bot is assigned a different e-mail list, or at least a different range of addresses.
Many of the existing bots also include a proxy server that allows remote attackers to connect to the Internet using the compromised machine