What Can Bots Do?
Date: 08/11/2008
Author: Bogdan Botezatu
Bots are highly specialized tools that can perform multiple tasks for their masters. However, they all share a common set of essential features. These features may go by different names in different bots, but they ultimately have the same destructive potential.
One of the most important functions implemented in a bot is the update feature. This means that the bot is able to download and execute a specific file located on a remote server in order to replace its own code with a more efficient and effective version. However, unlike commercial software updaters that automatically check for newer versions at startup, the bot update is only initiated when the botmaster commands it across the compromised network. The update feature is also widely used to install another batch of malware (including viruses, Trojans or worms) on the host computer. Flooding (also known as Denial of Service or Distributed Denial of Service) is another important feature built into any malicious bot.
DoS attacks are designed to hinder or stop the normal functioning of a web site, server or other network resource by flooding it with more network traffic than it is able to handle. DDoS attacks are similar to DoS attacks, except for the fact that they are carried out using multiple compromised machines at the same time.
This allows the bot to send bogus requests to a specific Internet address in order to overload it beyond the point of normal functioning. A flood attack would easily render a server useless, thus taking it out of production for an undetermined amount of time. This kind of attack is usually used as a blackmail tool, as we will discuss later.
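The DoS/DDoS behaviour described above leaves a recognisable footprint in a web server's access log: the request rate climbs far above normal, either from one source (DoS) or spread thinly across many sources (DDoS). The following is an added example written for this page, not code from the original article or from any product, showing a small rate-based detector of that footprint. It groups requests into fixed time windows, counts requests per window and per source IP, and labels each window as normal, single-source flood or distributed flood. The log lines are constructed for the example, and the window size, the flood threshold (20 requests per 10 seconds) and the 80% single-source share are assumptions that a real deployment would tune to its own baseline.

```python
"""Added example: rate-based flood detection over constructed access-log lines."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined"-style line; only the source IP and timestamp are used.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, datetime) for a combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def bucket_requests(lines, window_seconds=10):
    """Map each window start (epoch seconds) to a Counter of requests per source IP."""
    windows = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of aborting the whole run
        ip, ts = parsed
        start = int(ts.timestamp()) // window_seconds * window_seconds
        windows[start][ip] += 1
    return windows


def classify_windows(windows, flood_threshold=20, single_source_share=0.8):
    """Label each window 'normal', 'dos' (one dominant source) or 'ddos' (many sources).

    Returns a list of (kind, total_requests, distinct_ips) in time order.
    """
    result = []
    for start in sorted(windows):
        per_ip = windows[start]
        total = sum(per_ip.values())
        if total <= flood_threshold:
            result.append(("normal", total, len(per_ip)))
            continue
        _top_ip, top_count = per_ip.most_common(1)[0]
        kind = "dos" if top_count / total >= single_source_share else "ddos"
        result.append((kind, total, len(per_ip)))
    return result


def analyze(lines, window_seconds=10):
    """Convenience wrapper: bucket and classify in one call."""
    return classify_windows(bucket_requests(lines, window_seconds))


def _line(ip, ts, path="/index.html"):
    """Render one constructed combined-format access-log line."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'


def build_sample_log():
    """Constructed sample: quiet traffic, then a single-source burst, then a distributed burst."""
    base = datetime(2008, 11, 8, 12, 0, 0, tzinfo=timezone.utc)  # constructed date
    lines = []
    # Window 0 (seconds 0-9): six ordinary clients, one request each.
    for i in range(6):
        lines.append(_line(f"10.0.0.{i + 1}", base + timedelta(seconds=i)))
    # Window 1 (seconds 10-19): 30 requests from one host plus two normal clients.
    for i in range(30):
        lines.append(_line("203.0.113.5", base + timedelta(seconds=10 + i // 3)))
    lines.append(_line("10.0.0.1", base + timedelta(seconds=12)))
    lines.append(_line("10.0.0.2", base + timedelta(seconds=17)))
    # Window 2 (seconds 20-29): 25 requests from 25 different hosts.
    for i in range(25):
        lines.append(_line(f"198.51.100.{i + 1}", base + timedelta(seconds=20 + i % 10)))
    lines.append("this line is not an access-log entry")  # malformed, must be skipped
    return lines


if __name__ == "__main__":
    for kind, total, sources in analyze(build_sample_log()):
        print(f"{kind:6s} requests={total:3d} distinct_ips={sources:3d}")
```

The share-based split matters in practice: a single-source burst can be cut off by blocking or rate-limiting one address, whereas the distributed case in the third window has no single address worth blocking and calls for upstream filtering or capacity measures instead. The detector deliberately skips lines it cannot parse, because a flood of malformed requests must not crash the monitoring that is supposed to notice it.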
Spamming is another popular use of bots. This kind of functionality allows the bot to download a spam message template and then start sending it to any of the e-mail contacts in a spam list. In order to maximize efficiency, each bot is assigned a different e-mail list, or at least a different e-mail range.
Many of the existing bots also include a proxy server that allows remote attackers to connect to the Internet using the compromised machine’s IP address. This function is one of the core components of any “respectable” bot, rather than a disposable plugin. Botmasters usually conceal their illegal activities by routing their traffic through zombie computers acting as proxy servers.
One of the best known examples of PC exploitation was the case of Magnus Eriksson, a law professor at Lund University, whose computer had been used by third parties to download and store 3,500 pictures with child pornography. He was fired and discredited, and he nearly lost his mind until 2004, when authorities figured out that the pictures were planted by remote hackers. However, the confusion was cleared up too late, and the damage to his name was beyond repair.
Other minor additions to the bot’s code include miscellaneous features such as taking screenshots, key-logging or fetching the network activity log file on the compromised machine. Many bots can also grab the serial numbers used to register a wide range of software applications on the compromised computer. The serial numbers are then used on websites that allow users to purchase “genuine” software at very low prices. Such websites are usually promoted via spam messages, which means that the entire business runs “in the family”: the same botnet is responsible both for collecting the serial numbers and for spamming users with advertisements promoting the websites.