Thursday, March 02, 2006

what is a botnet?

a botnet is a network of bots ("bot" being a shortening of the word "robot")... essentially a bot is a program that, much like a RAT (remote access trojan), allows a 3rd party to direct the affected machine to perform certain tasks; however, unlike a RAT, bots don't sit around on the affected machine waiting for a 3rd party to find and connect to them - instead they go out and connect to one or more communication points where other instances of the bot have also connected and await instruction... in this way the 3rd party can give instructions to thousands of affected computers at once...

the simplest botnet configuration is where all the bots connect to a single hub (such as an IRC chat room) where the bot master (the 3rd party controlling the bots) will give them instructions... although this is conceptually simple, it suffers from problems of scale - the more bots connected to a central communication server the harder it will be for that server to cope with all the connections...

a hierarchical network, where the bot master communicates with only a few (hundred?) bots which in turn each command a few (hundred?) more and so on, is also possible... this has the benefit of scaling better and allowing the bot master to cultivate a much larger botnet...

a third possible configuration is a peer-to-peer network between bots so that the bot master need only communicate with a single bot which in turn spreads the command to its bot peers... a peer-to-peer configuration can help with scaling as well but the more significant strength is its non-reliance on a central communication point that might get attacked and/or shut down...
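a toy model of the three layouts above, added here as an illustration and not part of the original post: each topology is built as a graph over integer node ids (no networking happens and all sizes are constructed), then measured for the two properties argued above - how many connections the busiest node has to hold, and how much of the network is still reachable after the node the operator talks to is taken down...

```python
from collections import deque
from random import Random

def star(n):
    """Single hub (node 0) that every other bot connects to directly."""
    return {0: set(range(1, n)), **{i: {0} for i in range(1, n)}}

def tree(n, fanout):
    """Hierarchical: node 0 commands `fanout` bots, each of which commands `fanout` more."""
    g = {i: set() for i in range(n)}
    for child in range(1, n):
        parent = (child - 1) // fanout
        g[parent].add(child)
        g[child].add(parent)
    return g

def mesh(n, degree, seed=0):
    """Peer to peer: every bot links to `degree` random peers (seeded, so repeatable)."""
    rng = Random(seed)
    g = {i: set() for i in range(n)}
    for i in range(n):
        for peer in rng.sample([j for j in range(n) if j != i], degree):
            g[i].add(peer)
            g[peer].add(i)
    return g

def reachable(g, start, removed=frozenset()):
    """Nodes a command injected at `start` still reaches once `removed` nodes are gone."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in g[queue.popleft()] - removed:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def assess(g, c2=0):
    """Return (most connections held by any one node, fraction of bots still reachable
    after node `c2` - the one the operator talks to - is removed and commands are
    re-injected at the lowest-numbered surviving node)."""
    widest = max(len(peers) for peers in g.values())
    entry = min(v for v in g if v != c2)
    return widest, len(reachable(g, entry, frozenset({c2}))) / len(g)

if __name__ == "__main__":
    # constructed sizes: 1000 bots, hierarchy fan-out 10, four peers per bot
    for name, g in (("star", star(1000)), ("tree", tree(1000, 10)), ("mesh", mesh(1000, 4))):
        print(name, assess(g))
```

the hub of the star carries 999 connections and its loss strands every bot; the tree caps any node at 11 connections but losing the root leaves only one sub-tree (111 of 1000) reachable; the mesh keeps nearly all bots reachable after any single removal, which is the resilience the post describes...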

in addition to the more sophisticated communication pathway between the machine and the remote 3rd party, another difference between a bot and a RAT is that, although a bot gives control of the affected machine to a remote 3rd party, a bot would never be used for legitimate remote administration purposes... a botnet's strength is in aggregating control over huge numbers of machines, and while a remote control tool may be a legitimate means to perform quick and dirty remote administration of one or two machines, when you get to large numbers more formal techniques and technologies (such as group policy or active directory) become appropriate...

one way bots can get installed on a system is by tricking the user into running an email or instant message attachment or other file downloaded from the internet, and in this case the bot would qualify as a trojan horse at the very least... bots are also often able to spread themselves to systems by self-replication, either as worms or viruses or both... in fact self-replication is often the best way to affect large numbers of systems (as we have seen time and again with worms like blaster and slammer)...
