Security Academy – Course 105 : Botnets Part 1


Imagine that the internet is a city. It would be the most crowded city in the world, but it would also be incredibly seedy and dangerous. You can find all types of criminals out there waiting to infect you with malware.

Inside this city, you would also discover that not everyone is who they seem to be – even yourself. You might find out that you’ve been misbehaving, although you don’t remember it. You discover you’ve been doing someone else’s bidding, and you have no idea how to stop it.

An attacker can infect a computer to turn it into a zombie computer and use it for illegal activities. The user generally remains unaware that his computer has been taken over – he can still use it, though it might slow down considerably. As his computer begins to either send out massive amounts of spam or attack Web pages, he becomes the focal point for any investigations involving his computer’s suspicious activities.


The term bot is short for robot.

A bot is nothing more than malware that allows an attacker to take control of an affected machine. Home computers are the biggest candidates for this type of malware. A group of machines infected with this type of malware is called a botnet or zombie army.

The cybercriminals that control these bots are called botherders or botmasters.


Size and spread

Some botnets might have a few hundred or a couple thousand computers, but others have tens and even hundreds of thousands of zombies at their disposal. Many of these computers are infected without their owners’ knowledge.

A recently discovered attacker has a botnet of 1.5 million infected machines, which spread at a rate of 75,000 infected machines in the first 30 minutes!

According to the Symantec Internet Security Threat Report, through the first six months of 2006, there were 4,696,903 active botnet computers.

Attackers may use Skype and other instant messaging (IM) applications to spread malware that transforms computers into zombie computers.


How they get to you

Bots sneak onto a person’s computer in many ways. Bots often spread themselves across the Internet by searching for vulnerable, unprotected computers, or an open port, to infect. They infect a computer by leaving a Trojan horse program that can be used for future activation. When an infected computer is on the Internet, the bot can then start up an IRC client and connect to an IRC server created by the botmaster. Its goal is then to stay hidden until it is instructed to carry out a task.

Attackers find new ways to deliver their programs. Have you ever seen a pop-up ad that included a “No Thanks” button? Hopefully you didn’t click on it — those buttons are often just decoys. Instead of dismissing the annoying pop-up ad, they activate a download of malicious software.

Once the victim receives the program, he has to activate it. In most cases, the user thinks the program is something else. It might appear to be a picture file, an MPEG or some other recognizable file format. When the user chooses to run the program, nothing seems to happen. For some people, this raises alarm bells and they immediately follow up with a flurry of virus and spyware scanner activity. Unfortunately, some users simply think they received a bad file and leave it at that.

Meanwhile, the activated program attaches itself to an element of the user’s operating system so that every time the user turns on his computer, the program becomes active. Attackers don’t always use the same segment of an operating system’s initializing sequence, which makes detection tricky for the average user.
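Because the startup hook can sit in more than one place, a defender has to review every autostart location rather than just one. The following is an added example, not part of the original article: it audits a constructed snapshot of startup entries and flags the disguise described above (a picture or video name hiding an executable extension) and programs launched from user-writable folders. The locations listed, the sample entries and the heuristics are assumptions chosen for illustration.

```python
import re
from ntpath import basename  # applies Windows path rules on any OS

# Constructed snapshot: location | entry name | command line. The locations are
# common Windows autostart points (an assumption; the article names none).
SNAPSHOT = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Run|SecurityHealth|C:\Windows\System32\SecurityHealthSystray.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run|Updater|"C:\Users\sam\AppData\Local\Temp\holiday.jpg.exe" /s
Startup folder|notes.lnk|C:\Program Files\Notes\notes.exe
Scheduled task|MediaSync|C:\Users\sam\Downloads\clip.mpeg.scr
Service|Spooler|C:\Windows\System32\spoolsv.exe
"""

DECOY_EXT = r"(?:jpe?g|png|gif|mpe?g|avi|mp3|pdf|docx?|txt)"
EXEC_EXT = r"(?:exe|scr|com|pif|bat|cmd|vbs|js)"
DOUBLE_EXT = re.compile(rf"\.{DECOY_EXT}\.{EXEC_EXT}$", re.I)
USER_WRITABLE = re.compile(r"\\(?:temp|appdata|downloads)\\", re.I)

def executable_path(command):
    """Extract the program path from a command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    # Unquoted paths may contain spaces: cut after the first executable extension.
    m = re.match(rf"(.+?\.{EXEC_EXT})(?:\s|$)", command, re.I)
    return m.group(1) if m else command

def audit(snapshot):
    """Return (location, name, path, reasons) for each suspicious entry."""
    findings = []
    for line in snapshot.strip().splitlines():
        location, name, command = line.split("|", 2)
        path = executable_path(command)
        reasons = []
        if DOUBLE_EXT.search(basename(path)):
            reasons.append("media/document name with an executable extension")
        if USER_WRITABLE.search(path):
            reasons.append("runs from a user-writable directory")
        if reasons:
            findings.append((location, name, path, reasons))
    return findings

if __name__ == "__main__":
    for location, name, path, reasons in audit(SNAPSHOT):
        print(f"[{location}] {name}: {path} -> {'; '.join(reasons)}")
```

A flagged entry is a lead for investigation, not proof of infection; legitimate software sometimes starts from a user profile folder.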
