Proactive IT Security

The Anatomy of Bots and Botnets

Bots and botnets have for some years been a threat to the Internet community. Their importance as tools for criminals, as well as for cyber terrorists, has however increased considerably in recent times.

Bots - or robots - are computers that are infected with a particular type of malware. This malware enables the bots to be controlled by other computers, called Command & Control (C&C) servers, which are usually themselves compromised computers. The C&C server or servers are in turn controlled by a person, a group of persons or an organization, often called the herder. Together these elements form a botnet in its simplest form.

The bot computers are often called zombies, since they are controlled by someone else, just as the zombies of popular myth are controlled by another entity.

This is the general anatomy of a botnet as shown in the illustration below.

[Illustration: the general anatomy of a botnet - bots (zombies), C&C servers and the herder]

Botnets can be used for different types of malicious activity. Some examples are:

  • sending spam
  • distribution of malicious software (often using spamming techniques)
  • participating in Distributed Denial of Service (DDoS) attacks
  • financial fraud

Traditionally the Internet communication protocol IRC (Internet Relay Chat) was used for communication within the botnet. Increasingly, other communication methods are used instead, for example the Hypertext Transfer Protocol (HTTP), which carries ordinary web traffic and is therefore usually not restricted by firewall rules.
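Because HTTP-based C&C traffic passes firewalls like any other web request, defenders typically look for its timing rather than for a blocked port: a bot polling its C&C server on a timer produces requests at a near-constant interval, whereas human browsing is bursty. The following added example (not from the original article or from Norman) runs such a beacon check over a small, constructed proxy log; the hosts, addresses and timestamps are all made up.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log (timestamp, client, method, URL, status); not real traffic.
# 10.0.0.5 polls one host every ~5 minutes, 10.0.0.7 browses irregularly.
SAMPLE_LOG = """\
2011-03-01T10:00:00 10.0.0.5 GET http://updates.example/check.php 200
2011-03-01T10:00:12 10.0.0.7 GET http://www.news.example/ 200
2011-03-01T10:00:45 10.0.0.7 GET http://www.news.example/story/1 200
2011-03-01T10:02:10 10.0.0.5 GET http://www.news.example/ 200
2011-03-01T10:05:01 10.0.0.5 GET http://updates.example/check.php 200
2011-03-01T10:07:30 10.0.0.7 GET http://www.news.example/story/2 200
2011-03-01T10:10:00 10.0.0.5 GET http://updates.example/check.php 200
2011-03-01T10:14:59 10.0.0.5 GET http://updates.example/check.php 200
2011-03-01T10:20:00 10.0.0.5 GET http://updates.example/check.php 200
2011-03-01T10:31:02 10.0.0.7 GET http://www.news.example/story/3 200
"""
LINE_RE = re.compile(r"^(\S+) (\S+) \S+ https?://([^/\s]+)")

def parse(log):
    """Yield (timestamp, client, host) for each well-formed log line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, host = m.groups()
            yield datetime.fromisoformat(ts), client, host

def find_beacons(log, min_hits=4, max_jitter=0.1):
    """Return {(client, host): interval_s} for pairs whose requests are evenly spaced."""
    hits = defaultdict(list)
    for ts, client, host in parse(log):
        hits[(client, host)].append(ts)
    beacons = {}
    for key, stamps in hits.items():
        if len(stamps) < min_hits:
            continue  # too few requests to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Coefficient of variation: a timer has low jitter, a human does not.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = round(avg)
    return beacons

if __name__ == "__main__":
    for (client, host), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: request every ~{interval}s")
```

On real data the thresholds need tuning, and legitimate software (update checks, mail clients) also polls on a timer, so a hit is a lead for investigation rather than a verdict.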

Most advanced botnets have the capability to update the zombie computers with new functionality (program modules), which makes the botnet more dynamic and enables it to use new techniques to perform its deeds.

As the explanation above shows, the herder is the crucial entity to catch, as she is the person who ultimately controls the botnet. Experience shows, however, that this is often difficult: she may go to great lengths to protect herself, and will usually have several obfuscation mechanisms set up to conceal her identity. Successfully disabling a botnet will therefore often require considerable effort from different kinds of expertise, including security experts as well as police authorities.

Even if the botnet's owner is caught, the bots remain infected with the malicious bot software. It is therefore possible for the botnet to be reactivated at a later point in time.

The larger botnets may have a huge number of zombies in the network; some of the most widespread are estimated to include millions of bots. Botnet herders are known to rent out all or parts of the botnet(s) they control to different criminal elements to perform specific tasks.

Some of the more famous botnets are:

  • Conficker
  • Bredolab
  • Mariposa
  • Waledac
  • Zeus/Zbot

At this point in time botnets are among the most dangerous threats to the security of Internet users and Internet functionality.

Norman SandBox® technology is useful both for protecting users from becoming part of a botnet and for analyzing existing botnets. This technology is included in all of Norman's antimalware products and is instrumental in Norman's advanced forensic analysis tools.