Botnets – the dark side of the Internet

If your PC seems to have developed a mind of its own, and your Internet connection is often overloaded for no apparent reason, then you have probably caught a special type of Trojan. Inventive Malware programmers often control hundreds, and sometimes thousands, of computers with their software pests. These are known as Botnets and this article explains what exactly these are, what risks they present, and how you can protect yourself from them.

The term “Trojan” from Greek mythology represents the same principle in the computer world as the large wooden horse in the mythological story. In this case we are not describing soldiers who want to overcome unscalable walls but rather Malware that wants to hide within the operating system of your computer. In Troy, the residents could not resist the temptation and pulled the wooden horse into the city. The software equivalent also pretends to have a different purpose, in order to convince you to run a program. The temptation is often in the form of pornographic content, illegally copied software, or a dubious email attachment. However, supposed naked pictures of female pop stars can often conceal a Trojan that can take control of your computer after being run only once.

There are basically two types of Trojan. While previous infections usually only affected single computers, increasing numbers of increasingly fast Internet connections have led to the development of new Trojans capable of rapidly infecting hundreds or thousands of computers and which often achieve this target through the naivety and lack of caution of the users. Examples of this type of Trojan are Phatbot, Agobot, SDBot or RxBot, and innumerable derivatives of these. Attentive readers may have noticed the “-bot” ending used in this article, especially in the title. The term “Bot” describes a computer infected with a Trojan that unquestioningly accepts commands from someone else than the actual owner.

As already described, suitable victims are sadly all too easy to find, resulting in not just a single infected system but an entire network of infected computers. In technical jargon, these are called “Botnets” (roBOT NETworks). Botnets are virtual networks of infected systems that receive commands from a server in different ways, depending on their type. IRC is most often used as the communications medium. IRC is a Chat protocol, the so-called Internet Relay Chat. IRC is a pure real-time communications protocol and is harmless in itself, however it now has a somewhat negative reputation as a result of its use by Botnets. Communication under IRC occurs using Channels, in a similar manner to radio.

Additional components are often downloaded to an infected computer once it has logged-in to its pre-defined IRC server. These extra components can include mechanisms for camouflage, for switching off Malware scanners, or other virus-like modules. Once fully installed, the Bots then follow the commands of the Botnet owner – usually beginning with the search for new victims.

Bots do not always spread through the careless behavior of PC owners, but also among each other. This is done by exploiting weak points in the operating system or in specific applications and this is no longer a problem exclusive to Windows. The main focus is still clearly on Windows systems but the risks of becoming part of a Botnet are also increasing for (e.g.) Linux hosts. Linux servers with an installed IRC server can be compromised and the IRC server used as the core element of a Botnet

The potential dangers

Unfortunately, the prevalent opinion of most users seems to be that it does not matter if the home PC is infected with Malware or not – as long as it seems to continue operating properly. These users usually never even consider the fact that other users may be damaged by this and that the owner of the computer is an accomplice to the crime without realizing it. Malware was previously programmed to illustrate the capabilities of the author. Paradoxically, very malicious and effective Malware is usually exceptionally well and efficiently programmed – after all, it should remain undetected and not fall victim to the security software.

However, the massive growth of the Internet has provided new sources of income for Malware programmers. This relates not only to the illegal distribution of the pest but to much more criminal intentions of providing income for the Botnet operators. The possibilities are worrying and combined with the lack of protection and the lack of caution shown by many users this is a very threatening situation. For example, the “owner” of a Botnet can carry out one or more of the following actions:

• Every infected PC can be used as a Proxy Server for criminal activities while hiding the perpetrator. Hackers can initiate an attack from other computers under their control rather than from their own computer.
• Infected PCs can be used for downloading and distributing illegal material such as child pornography, Warez, films, music, etc. without the knowledge of the owner. However, the owner is legally responsible for these activities.
• Bots are also usually equipped with Keyloggers that record personal data, such as credit card numbers and passwords, and send this data to the Botnet owner.
• Every infected system can infect other systems.
• Botnets are also often used for blackmailing particular Website operators or even entire Providers. If several hundred or thousand computers access the same Website using their full Internet connection speed, then this usually overloads and crashes the Provider Website. This type of crash can result in a loss of income or even bring the affected company to a standstill. The operator then has no other option than to pay the blackmailer the amount demanded. The operator has no way of defending themselves against this type of attack and identification of the attacker is usually impossible.
• Last but not least, Botnets are often used for sending Spam. The email programs of the infected computer usually contain large numbers of email addresses, which are then bombarded with new pests and also unwanted advertising emails. In the first case, the Botnet operators receive new Bots in their Botnet, and in the second case they receive cash from their customers – often sellers of online potency drugs or fake brand-name products such as watches.

While reading this article, we hope that you are not thinking “this does not really affect me”. Most PC owners do not realize that their computer is infected. This is logical – you are not supposed to notice this type of infection. If we believe a report from the BBC, then 100 to 150 million of the 600 million Internet PCs worldwide are infected with Bots – about one quarter of all Internet PCs. We wish to explicitly repeat the fact that the abovementioned activities are all highly illegal and that the owner of the system carries the full responsibility for these activities. This brings to mind the well-known phrase – “Ignorance is not an excuse”.

What is the best way for me to protect myself?

There are a few simple ground rules and mechanisms for protecting yourself and your data. If you follow these procedures you will greatly reduce the likelihood of becoming infected.

• Regular updates – The manufacturers of routers, operating systems, or programs are only human and they can make mistakes. These mistakes are often exploited by Malware. Updates solve known mistakes and should therefore be loaded as soon as possible after publication.
• Use a hardware firewall or router – The attacks come from the Internet. Routers protect from many attacks by simply blocking them. Hardware Firewalls are much more resistant to attacks than software Firewalls.
• Think while you surf – Not every Website in the Internet is benign! Sites containing illegal content or pornography should always be viewed with maximum suspicion.
• Always check mail attachments – Do not trust every sender, especially when you do not know them. Especially mails that seem to come from known companies such as Ebay, Deutsche Bank, or a TV channel are almost always forgeries if they contain attachments that the user is supposed to open.
• Suitable software protection – A good anti-malware program should be a standard component of every PC these days. We recommend Emsisoft Anti-Malware, because the innovative behavior analysis also provides protection from unknown types of Malware and new Bot variants. This already provides protection for many weak points in your computer before the necessary Updates and Patches are available.
• How do I get rid of a Bot if I am already infected? – Once a PC has been infected, the Bot has many different possibilities for hiding inside the operating system and resisting deletion. Changes made by Malware are usually very difficult to find and undo. In the worst case you must swallow the bitter pill, reformat your hard drive and reinstall the operating system. This is tedious work that can be avoided in most cases with the correct protection and attentive behavior when using the Internet.

Have a Great (Malware-Free) Day!