The Botnet Business
by Vitaly Kamluk - Kaspersky Lab - Wednesday, 28 May 2008.
1. IRC-oriented. This is one of the very first types of botnet: bots were controlled via IRC (Internet Relay Chat) channels. Each infected computer connected to the IRC server indicated in the body of the bot program, and waited for commands from its master on a certain channel.

2. IM-oriented. This type of botnet is not particularly common. It differs from IRC-oriented botnets only in that it uses communication channels provided by IM (instant messaging) services such as AOL, MSN, ICQ, etc. The reason for the relatively low popularity of such botnets lies in the difficulty of creating individual IM accounts for each bot. Bots have to be connected to the network and remain online all the time. Since most IM services do not permit logging on to the system from more than one computer at a time using the same account, each bot needs its own IM account. However, IM services try hard to prevent any kind of automatic account registration. As a result, owners of IM-oriented botnets only have a limited number of registered IM accounts at their disposal, which limits the number of bots that can be online at any one time. Of course, they can arrange for different bots to share the same account, come online at predefined times, send data to the owner's number and wait for a reply for a limited period of time, but this is inefficient: it takes such networks too long to respond to their masters' commands.

3. Web-oriented. This is a relatively new and rapidly evolving type of botnet designed to control zombie networks over the World Wide Web. A bot connects to a predefined web server, receives commands from it and transfers data to it in response. Such zombie networks are popular because they are relatively easy to create, there is no shortage of web servers on the Internet, and a web interface can be used for easy management.

4. Other. In addition to the botnet types listed above, there are botnets that communicate via their own protocols built directly on the TCP/IP stack, i.e., they use only transport-layer protocols such as TCP, ICMP and UDP rather than an application-layer service like IRC, IM or HTTP.
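The four control models above each leave a different footprint in outbound connection logs, which is what a network defender can key on. The script below is an added illustration, not code from the article or from Kaspersky Lab: it runs simple heuristics over a constructed set of flow records and reports suspected control channels per model. The log tuple format, the port lists (6667/6697 for IRC, 1863 and 5190 for MSN and AOL/ICQ, 80/443 for web) and every threshold are assumptions chosen for the example; a real deployment would tune them against its own traffic baseline.

```python
"""Classify suspected botnet control channels in connection logs.

Added example (not from the original article). Heuristics follow the
article's four models: many hosts joining one IRC server, IM logins,
periodic web "beaconing" to one server, and repeated raw UDP/ICMP flows
to one external host. All ports and thresholds below are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

IRC_PORTS = {6667, 6697}
IM_PORTS = {1863: "MSN", 5190: "AOL/ICQ"}   # assumed well-known IM service ports
WEB_PORTS = {80, 443}

IRC_MIN_CLIENTS = 3        # distinct internal hosts talking to one IRC server
BEACON_MIN_CONNS = 4       # connections needed before judging periodicity
BEACON_MAX_JITTER = 0.15   # stdev/mean of inter-connection gaps (lower = more regular)
RAW_MIN_FLOWS = 5          # repeated UDP/ICMP flows to one external host

# Constructed sample flows: (epoch seconds, src_ip, dst_ip, dst_port, proto)
SAMPLE_FLOWS = [
    # three internal hosts connecting to the same IRC server
    (1000, "10.0.0.11", "203.0.113.5", 6667, "tcp"),
    (1003, "10.0.0.12", "203.0.113.5", 6667, "tcp"),
    (1009, "10.0.0.13", "203.0.113.5", 6667, "tcp"),
    # one host polling a web server roughly every 300 s (beaconing)
    (1000, "10.0.0.20", "198.51.100.8", 80, "tcp"),
    (1300, "10.0.0.20", "198.51.100.8", 80, "tcp"),
    (1601, "10.0.0.20", "198.51.100.8", 80, "tcp"),
    (1899, "10.0.0.20", "198.51.100.8", 80, "tcp"),
    # ordinary browsing: irregular gaps to one site, should not be flagged
    (1000, "10.0.0.21", "198.51.100.9", 443, "tcp"),
    (1020, "10.0.0.21", "198.51.100.9", 443, "tcp"),
    (1500, "10.0.0.21", "198.51.100.9", 443, "tcp"),
    (1505, "10.0.0.21", "198.51.100.9", 443, "tcp"),
    # repeated ICMP to one external host (custom transport-level channel)
    *[(1000 + 60 * i, "10.0.0.30", "192.0.2.77", 0, "icmp") for i in range(6)],
    # a single IM login; recorded as inventory, since IM use is mostly legitimate
    (1000, "10.0.0.40", "198.51.100.50", 1863, "tcp"),
]


def beacon_jitter(times):
    """Coefficient of variation of the gaps between consecutive connections.

    Returns None when there are too few connections to judge. Values near
    zero mean the host contacts the server on a fixed schedule."""
    if len(times) < BEACON_MIN_CONNS:
        return None
    ts = sorted(times)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg > 0 else None


def classify(flows):
    """Return one finding dict per suspected control channel."""
    irc_clients = defaultdict(set)   # irc server -> internal hosts using it
    web_times = defaultdict(list)    # (src, dst) -> connection timestamps
    raw_counts = defaultdict(int)    # (src, dst, proto) -> flow count
    im_hosts = defaultdict(set)      # (dst, service) -> internal hosts

    for ts, src, dst, dport, proto in flows:
        if proto == "tcp" and dport in IRC_PORTS:
            irc_clients[dst].add(src)
        elif proto == "tcp" and dport in IM_PORTS:
            im_hosts[(dst, IM_PORTS[dport])].add(src)
        elif proto == "tcp" and dport in WEB_PORTS:
            web_times[(src, dst)].append(ts)
        elif proto in ("udp", "icmp"):
            raw_counts[(src, dst, proto)] += 1

    findings = []
    for server, hosts in irc_clients.items():
        if len(hosts) >= IRC_MIN_CLIENTS:
            findings.append({"kind": "irc", "target": server,
                             "detail": f"{len(hosts)} internal hosts"})
    for (src, dst), times in web_times.items():
        jitter = beacon_jitter(times)
        if jitter is not None and jitter <= BEACON_MAX_JITTER:
            findings.append({"kind": "web-beacon", "target": f"{src}->{dst}",
                             "detail": f"{len(times)} conns, jitter={jitter:.3f}"})
    for (src, dst, proto), n in raw_counts.items():
        if n >= RAW_MIN_FLOWS:
            findings.append({"kind": "raw-transport", "target": f"{src}->{dst}",
                             "detail": f"{n} {proto} flows"})
    for (dst, service), hosts in im_hosts.items():
        findings.append({"kind": "im", "target": dst,
                         "detail": f"{service}, {len(hosts)} hosts (informational)"})
    return findings


if __name__ == "__main__":
    for f in classify(SAMPLE_FLOWS):
        print(f"{f['kind']:14} {f['target']:28} {f['detail']}")
```

The web heuristic is the one worth studying: a bot that polls its server on a timer produces near-identical gaps (jitter close to zero), while a person browsing the same site produces erratic gaps, so the ratio of gap standard deviation to mean gap separates the two cases without inspecting payloads. The IRC heuristic counts distinct internal hosts per server rather than connections, because a botnet's tell is many machines joining the same channel, not one machine chatting a lot.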

Botnet evolution

The history of botnets began in 1998-1999, when the first backdoor programs, the notorious NetBus and BackOrifice2000, appeared. These were proof-of-concept Trojans, i.e. programs that implemented completely new technologies. NetBus and BackOrifice2000 were the first to include a complete set of functions that made it possible to remotely administer infected computers, enabling cybercriminals to perform file operations on remote machines, launch new programs, make screenshots, open or close CD-ROM drives, etc.

The backdoors, which are Trojan programs by nature, were designed to work without the user's knowledge or consent. To control an infected computer, a cybercriminal had to establish a connection with each infected machine individually. The first backdoors worked on local area networks based on the TCP/IP protocol stack and demonstrated, in essence, how the Windows API could be used to control a remote machine. Even in the early 2000s, remote administration client programs were already able to control several machines at the same time. However, unlike today's backdoors, NetBus and BackOrifice2000 operated as network servers: they opened a predefined port and passively waited for the master to connect (the contemporary backdoors used to create botnets establish the connection on their own).

A malicious user then came up with the idea that computers infected with backdoors should establish connections themselves and that they should always be visible online (on the condition that the machine is switched on and working). This user must almost certainly have been a hacker, because new-generation bots employed a communication channel traditionally used by hackers: IRC (Internet Relay Chat). It is also likely that the development of new bots was made easier by the fact that bots working in the IRC system were open source (even though these bots were not designed for remote administration purposes but to respond to user requests, such as questions about the weather or when another user had last appeared in chat).
