The botnet world is divided between bot families that are closely controlled by individual groups of attackers and bot families that are produced by malware kits. These kits are collections of tools, sold and shared within the malware underground, that enable aspiring bot-herders to assemble their own botnet by creating and spreading customized malware variants.
Several malware kits are freely available for downloading and sharing; some have been published as open source code, which enables malware developers to create modified versions of the kits. Other kits are developed by individual groups and sold like legitimate commercial software products, sometimes even including support agreements. For example, variants in the Win32/Zbot family are built from a commercial malware kit called Zeus; Win32/Pushbot bots are built from a kit called Reptile.The existence of botnet malware kits is one of the reasons why it is difficult for security researchers to estimate the number and size of botnets currently in operation. Detections of malware samples from a family like Zbot, for example, do not necessarily represent a single large botnet controlled by one individual or group, but instead may indicate an unknown number of unrelated botnets controlled by different people, some of which might encompass just a handful of controlled computers.
Bot operators use several tactics to attack organizations, companies, and individuals in an effort to achieve their goals. Botnets typically exhibit a variety of behaviors based on the purpose of the attacks and the tools used to establish them. Being aware of and understanding the different attacking mechanisms can help IT and security professionals gain a deeper understanding of the nature of the botnet, the purpose behind it, and sometimes even the origin of the attack.
Bots, like other kinds of malware, can be spread in a number of different ways. Three common ways that computers are successfully compromised involve the following tactics:
- · Exploiting weak or non-existent security policies.
- · Exploiting security vulnerabilities.
- · Using social engineering tactics to manipulate people into installing malware.
Some bots are designed to spread using these techniques directly, as worms; security researchers analyze the behavior of these self-replicating bots to learn more about how they spread. Other bots don’t spread themselves directly, and are delivered by other malware families as payloads.
Many attackers and types of malware attempt to exploit weak or non-existent security policies. The most common examples of such exploits are attackers taking advantage of weak passwords and/or unprotected file shares. A threat that gains control of a user’s account credentials could perform all of the actions the user is allowed to perform, which could include accessing or modifying resources as a local or domain administrator.
Other types of malware attempt to exploit security vulnerabilities to gain unauthorized access to computer systems. This type of attack is more successful on older operating systems than on newer systems that are designed with security as a core requirement. An analysis of infections reported by the Microsoft Malicious Software Removal Tool (MSRT) during the second quarter of 2010 (2Q10) reveals that infection rates for computers around the world are significantly lower on newer versions of the Windows operating system than on older versions.
Although these kinds of attacks remain a significant part of the threat landscape, improvements in software development practices and the increased availability and awareness of automatic software update mechanisms have greatly limited the kinds of technical exploit opportunities that are available to attackers. Instead, most attackers today rely heavily on social engineering techniques to mislead victims into unwittingly or even knowingly giving them information and access that would be much harder to take by force. Although media attention on social engineering attacks, such as phishing, have raised public awareness of this type of threat in recent years, attackers continue to find success with a variety of techniques for manipulating people.