How Does Botnets Work? Botnet Creation

The first step for the prospective botnet operator is acquiring the necessary software. Professional criminal organizations with the resources to build the largest botnets may create or commission their own proprietary software, but most prospective bot-herders are likely to seek out software and services from an online black market forum.

This approach doesn’t require a great deal of technical sophistication, and in fact some researchers have observed the programming skills of low-level bot-herders to be quite limited. With the tools and assistance available on the black market, however, prospective bot-herders have access to all the information they need to create, maintain, and profit from a botnet.

Unless the botnet software uses a P2P control mechanism, which is still relatively rare, bot-herders must also find a home for the C&C server. A bot-herder who has access to a compromised computer in advance may install the IRC server software on it for C&C use.

Alternatively, the bot-herder might open an account with a "bulletproof” provider that is resistant to efforts to disconnect lawbreakers.
Other choices include establishing secret channels on public IRC servers (inexpensive, but risky) or setting up servers on their own computers (which gives them the most control, but can be expensive, and also risks termination by their upstream providers).

Most bot-herders choose to register domain names for hosting their C&C servers. Although it is technically possible to control a botnet without a domain name by configuring its bots to connect directly to the IP address of the server, this approach has significant disadvantages.

If bot-herders find it necessary to quickly move a server to a different provider to avoid detection or in response to a termination of services, they might not have time to reconfigure the bots to connect to a new IP address, and will lose control of them entirely.

Bot-herders might choose to register domain names directly with one of the many registrars around the world, or open accounts with a dynamic DNS service, which provides stable hostnames for resources that change IP addresses frequently.

Using a domain name incurs a risk that the domain’s DNS provider might terminate service to the server, which is one reason P2P mechanisms have become more popular recently.

The server software for some bots can be quite complex, offering functionality such as geographic segmentation and task maintenance, although most kit–based bot servers are relatively simple and can be controlled through an ordinary IRC client or web browser.

Bot-herders often use the same IRC server packages as legitimate IRC operators, with open source programs like UnrealIRCd being among the most popular.

IRC server software is often minimized and modified by the botnet owner or the kit developer. Common modifications include removing JOIN, PART, and QUIT messages on channels to avoid unnecessary traffic.

In addition, the functionality provided by the WHOIS (information about specific users), WHO (host details about specific users), LUSERS (information about number of connected clients), and RPL_ISUPPORT (information about the features the server supports) commands is removed to hide the identity of the bots that join the channel and to conceal the size of the botnet from unauthorized people who connect to the IRC server.

In an effort to block unauthorized people such as security researchers and rival bot-herders from entering the channel and seizing control of the bots, botnet owners typically secure the channel using standard IRC commands such as the following:

/mode #channel +k [password]. This command password-protects the channel. The bot client must be configured to supply the correct password when attempting to access the channel. (Some herders choose to password-protect the whole server as well.)

/mode #channel +q. This command marks the channel as quiet. System messages such as JOINs, PARTs, and nickname ("nick”) changes are not broadcast, which makes it appear to each client as if that client is the only one on the channel.

/mode #channel +s. This command marks the channel as secret, so it will not appear in channel listings. Users who are outside the channel will not be able to discover the names of the channel participants.

/mode #channel +t. This command locks the channel topic so only channel operators can change it. Channel topics are often used to send commands to bots as they enter the channel.

/mode #channel +u. This command puts the channel into auditorium mode, in which channel operators are the only participants who can see the names of all of the clients connected to the channel.

Along with +q, this mode makes it difficult for investigators and others to measure the size of the botnet.

After the server and channel are set up, bot-herders can build and distribute the bots. Technically sophisticated bot-herders might choose to code their bots themselves; others build bots using malware creation kits, or simply hire someone to do it for them on the black market.

For IRC botnets, bot-herders configure the bots with the name or IP address of the server to connect to, the channel name, and any passwords they will need to connect.


Published by:

siavash's picture