A few weeks ago, a Los Angeles man was arrested and charged with creating a 400,000-PC-strong botnet, then using it to spread adware and break into various U.S. government computer systems.
Botnets are distributed networks of computers that are linked to a common source, be it a criminal hacker (cracker) or a corporate entity. Sony's recent root kit-powered DRM technology could become the foundation for a new botnet itself. Botnets have been around since the late 1990s but have only recently become worth owning, selling, or trading. What good are 1,000 remote-controlled PCs? Let's find out.
Botnets defined
Trojan horses are bad programs that install on your computer without your knowledge. RATs are remote-access Trojan horses, affording a cracker easy backdoor access in and out of your compromised PC. When you create a network of owned PCs, it becomes a private remote-access network that the cracker alone controls; if the network is encrypted, only he or she can install or retrieve code from the owned PCs. Scale this up to 1,000, and you start getting botnets, invisible webs connecting unrelated, random "zombie" computers to one individual or group of individuals who can control the data harvested off the linked computers or who can upload new software (such as keystroke loggers) onto those computers without the owners knowing.
How are botnets created? One way is to use a virus. Sobig, for example, created a botnet so that each iteration of itself spread faster and faster by first infecting already infected computers, then branching out from there. Botnets can compete: Text code found within the viruses MyDoom, Bagle, and Netsky accused each other of interfering with the creation of bigger and better botnets. Another way to build a botnet is to use infected Web sites, where ActiveX or JavaScript downloads RATs onto your computer through your Internet browser, in what is called a drive-by infection. And, of course, there are spywarelike downloads (be careful with the apps you download onto your PC).
| To protect their investment, botnet owners frequently change their Trojans ever so slightly so that antivirus scanners won't recognise them. |
Crackers then ping a specific port they've opened on infected computers, or they have the code itself contact its creator once installed. A cracker simply sits back and watches as his screen fills with Internet address he or she now "owns." To protect their investment, botnet owners frequently change their Trojans ever so slightly so that antivirus scanners won't recognise them. And botnet owners are also starting to use encryption, which makes their detection even harder. What's even more frightening is what these botnets can do.
Spam distribution
If we knew who was sending us spam, we would simply block their e-mail address or domain and be done with it. As it happens, spammers are much more sophisticated than that. Knowing they'll be stopped cold if they try to send 1,000 spam messages from a single Internet address, they are now buying up botnets that can spew more digestible chunks of spam. Get 1,000 owned PCs to each send out 100 spam messages, and that's 100,000 spam messages delivered almost instantly (all flying under the radar of most ISPs). It's long been suspected that the creator of Sobig was in the employ of a spam operator, looking to both harvest new e-mail addresses and have a means to distribute spam itself.
Denial-of-service attacks
As with spam, using 1,000 coordinated computers to single-handedly ping a target Web site (an attack known as a denial-of-service attack) is well known. Years ago, a cracker would hack into a large company and use its large bandwidth to pelt a target site with denial-of-service attacks. Trouble was, authorities needed only to shut down one site to silence the attack. But if you distributed the attack over 1,000 owned PCs, well, your chances of a sustained attack would be much better.
Last month, Dutch authorities arrested three individuals who used technology from 180Solutions to plant remote access Trojans on roughly 1.5 million PCs, then used this platform to threaten various companies with denial-of-service attacks unless extortion money was paid. Elsewhere in Europe, where online gambling is thriving, thanks to passionate fans of football, botnets have been used by extortionists to shut down (via denial-of-service attacks) lucrative gambling sites on the day of a big game. Even if it's offline for only a few hours, the online gambling site could stand to lose several thousand euros an hour. In most cases, the company settles directly with the extortionists (who also promise not to attack for a period of time afterward) -- infuriating law enforcement who have no accurate way to measure how often such extortion attempts occur.
By placing keystroke loggers on remote-controlled computers around the world, the owner of a botnet can harvest passwords, credit card numbers, social security numbers, and other personal data from thousands of victims at leisure. There is a known relationship between the users of methamphetamines and identity thieves; basically, the creation of ID-stealing botnets is an effortless way for an addict to get a lot of cash quickly.
But what if we start thinking about botnets on a much larger scale?
| If one has access to 1,000 computers worldwide, one also has access to the computing power of 1,000 computers. |
What about password cracking?
By far the scariest potential use of a botnet was reported in David Berlind's ZDNet blog last week. If one has access to 1,000 computers worldwide, one also has access to the computing power of 1,000 computers. David's point is simple: using the example of cracking someone's Wi-Fi passphrase that's seven alphanumeric characters long, Berlind writes, "it would take .01 year (3.65 days) to crack your passphrase if a hacker had 1,000 computers noodling on the problem." Whoa. There's your use for a 1,000-computer botnet: a supercomputer. Berlind backs this up with a quote from a Gartner analyst who reminds us that back in 1997, a team from Distributed.net used thousands of linked computers to crack a 56-bit DES-encrypted key to win a $10,000 RSA Challenge in 1998. The RSA Challenge was a distributed computing use (not a botnet) designed to crack a known encryption standard, but you can see where this could also be applied for far more nefarious purposes.
Get a firewall -- get it now
The best way to keep your computer out of a botnet army is to install a good two-way firewall such as that from ZoneAlarm, or even McAfee or Norton. The Microsoft Firewall is only one-way and won't protect data leaving your computer without your permission. A good two-way firewall will thwart RATs and most spyware and keep your PC from enlisting in the zombie armies already conscripted for botnet service.
If you had remote access to thousands of PCs, how would you use that power? Talk back to me
