Beware the botnet
7 April 2009 (The Star)
By Syahrir Mat Ali

The Internet can be a dangerous place and botnets are becoming an increasingly widely-used technique by hackers.

Over the years, it appears that the motivation that drives these hackers has shifted from getting recognition from their peers in the hacker communities to one that is driven by financial gain. And one of the most recent, sophisticated and widely used techniques is the manipulation of botnets.

Internet expert and co-developer of TCP/IP, Vint Cerf, said that "of the 600 million computers currently on the Internet, between 100 and 150 million were already part of these botnets." And that was in 2007!

What is a botnet?

A bot refers to a compromised PC that may be under the control of a malicious remote user — someone who can be anywhere in the whole wide world and conveniently nicknamed the bot herder. A collection of bots is also commonly known as a botnet.

Imagine a scenario where a bot herder has somehow managed to install a malicious Trojan virus program on your PC.

The Trojan will install and propagate itself into the operating system and check to see if your PC is connected to the Internet.

If it is, the Trojan will create a "secure connection" back to its herder and he will then be able to communicate seamlessly with your PC. This is one of the ways a bot comes to be.

The bot will then become one of the many nodes in the bot herder's army of bots.

Sometimes a bot is also used to control other bots, which further deepens the hierarchy of domination.

The bot herder's PC will act as the command and control centre and all the computing power and Internet bandwidth of the bots will be at his disposal for exploits; this could include launching DoS (Denial of Service) attacks on websites, sending out spam e-mail and committing identity and financial information theft.

All these abuses could potentially take place without you even realising what is going on, until it is too late.

In a way, a botnet can also be considered a distributed computing effort similar to the one being carried out by the SETI@home project (setiathome.berkeley.edu).

However, unlike those hopeful extraterrestrial enthusiasts, these bot herders do not first ask for your participation or permission to use your computing resources and they are up to no good.

Symptoms of a bot infection

It is quite difficult to detect a bot infection as your PC may not show noticeable signs like those infected with worms and viruses.

One symptom is performance degradation, which casual users will likely attribute to anything else.

However, if your Internet connection has been suspiciously sluggish and nowhere near the bandwidth you've subscribed to and you're sure that you are not downloading or uploading any huge files at the time, then there is a good chance that your PC might already be a bot.

In other words, your PC may have been compromised and you may no longer be the only one in control of it.

Or, you may be running your usual word-processing software or browsing the Internet and checking your e-mail, but you may also notice that your PC has been getting slower, as if it is running lots of other programs simultaneously.

On top of that, you admittedly cannot remember the last time you updated your antivirus software (or if you even have one).

If any of these scenarios sound familiar, stop using your computer (especially for online transactions) and have your PC checked by a computer security professional.
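The two behaviours this article describes, a bot quietly "calling home" to its herder over a connection it keeps alive, and the sluggish, bandwidth-hungry PC that results when it is put to work sending spam or attack traffic, both leave traces in ordinary connection logs. The following example, added here and not part of the original article, shows how a home or office administrator could look for them: a host that contacts the same remote address at near-constant intervals (the check-in pattern), and a host whose outbound volume is far above its neighbours'. The log format and all the sample lines are constructed for this example; the IP addresses are documentation ranges, not real hosts.

```python
"""Spot two signs of a bot in a simple connection log (example code,
not from the original article): regular check-ins with one remote host,
and unusually high outbound volume from one PC."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one connection per line:
#   "timestamp src_ip dst_ip:port bytes_out"
# 10.0.0.5 contacts 203.0.113.7 about every 60 seconds (a check-in),
# 10.0.0.9 pushes a lot of mail traffic, 10.0.0.8 is ordinary browsing.
SAMPLE_LOG = """\
2009-04-07T09:00:00 10.0.0.5 203.0.113.7:443 512
2009-04-07T09:00:05 10.0.0.8 198.51.100.20:80 1400
2009-04-07T09:01:00 10.0.0.5 203.0.113.7:443 530
2009-04-07T09:01:30 10.0.0.9 198.51.100.25:25 950000
2009-04-07T09:02:00 10.0.0.5 203.0.113.7:443 498
2009-04-07T09:02:10 10.0.0.9 198.51.100.26:25 1200000
2009-04-07T09:03:01 10.0.0.5 203.0.113.7:443 521
2009-04-07T09:03:40 10.0.0.8 198.51.100.21:80 3200
2009-04-07T09:04:00 10.0.0.5 203.0.113.7:443 505
2009-04-07T09:04:30 10.0.0.9 198.51.100.27:25 880000
2009-04-07T09:05:00 10.0.0.5 203.0.113.7:443 515
"""


def parse_log(text):
    """Parse the constructed log format into (time, src, dst, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return records


def find_beacons(records, min_connections=4, max_jitter=0.15):
    """Return {(src, dst): mean_interval_seconds} for source/destination pairs
    whose connections recur at near-constant intervals.  A low coefficient of
    variation (standard deviation / mean of the gaps) is the signature of a
    program checking in on a timer rather than a person browsing."""
    times = defaultdict(list)
    for ts, src, dst, _ in records:
        times[(src, dst)].append(ts)
    beacons = {}
    for pair, stamps in times.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[pair] = round(avg)
    return beacons


def heavy_senders(records, threshold_bytes=1_000_000):
    """Return {src: total_bytes_out} for hosts whose outbound volume exceeds
    the threshold, the kind of traffic a spam- or DDoS-tasked bot generates."""
    totals = defaultdict(int)
    for _, src, _, nbytes in records:
        totals[src] += nbytes
    return {src: n for src, n in totals.items() if n > threshold_bytes}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (src, dst), interval in find_beacons(recs).items():
        print(f"check-in pattern: {src} -> {dst} every ~{interval}s")
    for src, n in heavy_senders(recs).items():
        print(f"heavy sender: {src} sent {n} bytes")
```

The thresholds (four connections, 15% jitter, 1 MB) are illustrative and should be tuned to the network: a PC that legitimately polls a mail server every minute will also show a regular pattern, so a flagged host is a reason to take the author's advice and have it checked, not proof on its own.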

Real bot cases

A famous example, the Storm botnet, linked each of its bots through the Storm Worm, a trojan program that spreads through spam e-mail. It was estimated that around one to 50 million PCs were enslaved to this botnet and used for a variety of online criminal activities.

In 2004, a network of more than 10,000 bot PCs was dismantled after security staff at Norwegian telco Telenor located and shut down its controlling server.

In June that same year, the huge Internet content and application delivery company Akamai, whose clients include Microsoft and Yahoo!, was hit by a Distributed Denial of Service (DDoS) attack launched by a bot herder in Florida.

In 2005, three men were arrested in Holland for creating a very large botnet of about 1.5 million compromised computers.

A Dutch spammer, who was also arrested in the same year, had used around 600 to 700 bot PCs in his botnet to send around nine billion spam messages all over the world promoting pornographic websites and other advertisements.

Some bot herders are even known to sell or rent the access to the botnets under their control to interested cyber criminals and underground parties. That is how serious the botnet problem has become.

Preventive measures

However, all is not lost. Internet users still have a chance of preventing their PCs from becoming bots. Here are some of the preventive measures that you should adhere to in order to ensure your PC remains under your control:

1. Never open any e-mail attachment you receive from unknown and unsolicited sources.

2. Always update your antivirus software with the latest definitions and fixes.

3. Do not use pirated software, as it often comes with trojans preinstalled.

4. Do not run or install any JavaScript, ActiveX or similar applications from any website unless you are really sure of what you're doing.

5. Do not arbitrarily plug in any portable disk or thumbdrive that isn't yours without properly scanning it first.

Conclusion

There are a lot of bot removal tools available on the Internet. You can even get a highly effective and constantly updated Malicious Software Removal Tool for free from Microsoft (tinyurl.com/5lyxe).

Nevertheless, since bots are commonly initiated through trojan infections from within a user's PC, early prevention approaches are perhaps the best front line defence for now.

Syahrir Mat Ali is a senior executive at the Cyber Media Research Department of CyberSecurity Malaysia. The views expressed here are his personal views.