
Spam Emails and Botnets

A botnet is a collection of compromised computers that are connected to the internet, generally for malicious purposes such as sending out spam emails. People with compromised machines are normally not aware that their machine has been infected, and the botnet is controlled by a "herder" over a networking protocol such as IRC or HTTP. Infection usually occurs when the user installs a program containing the botnet client (a Trojan horse) without realising it, or when the client is downloaded without their consent (e.g. via a software vulnerability).

An infected computer is sometimes referred to as a bot, hence the name "botnet". Most bots will connect to a specific IRC channel on an IRC server and wait for commands from the herder. TCP ports 445 and 135 are often targeted by botnets when scanning large networks for vulnerable computers, in order to spread.

Common Botnet Uses:

  • DDoS Attack - One of the traditional uses of botnets is to direct traffic at a particular website. With many bots it is possible to launch a distributed denial of service (DDoS) attack that brings a website down by overloading it with requests. Botnets can grow to immense sizes, and even a small botnet consisting of 1000 machines has the potential to achieve this. With 1000 machines each with an upstream of 128KBit/s (small by today's standards), you will have a botnet that can upload at a rate of more than 100MBit/s.
  • Spam Emails - Some bots can open a SOCKS v4/v5 proxy (an Internet protocol that routes network packets between a client and a server through a proxy server), which allows infected machines to be used to send spam. Spam is a major use of such a system, and it has become increasingly common for "herders" to rent out botnets to distribute spam. Because a botnet by its nature spreads sending across a diverse set of IP addresses, the spam is difficult to filter. A report released by Symantec indicates that 70.5% of all emails are spam, the lowest level in 3 years. It is suggested that the decrease is likely due to the botnet Rustock being taken offline. Additionally, with improved botnet detection techniques, botnets have tried to keep spam message numbers below a certain threshold in an attempt to avoid detection.
  • Information Harvesting - Bots are also able to report private information back to the "herder", including passwords and credit card numbers. This can be acquired by sniffing packets, logging keystrokes and searching files. The information can then be used by criminals for fraudulent activities.
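The three network symptoms the page describes (bots polling an IRC channel for commands, scanning neighbours on TCP 445/135 to spread, and relaying spam over port 25 from machines that are not mail servers) can all be spotted from the same flow records. The following script is an added example written for this page, not code from the original article; the flow-record format, the hosts, the thresholds and the allowlisted relay `10.0.0.2` are all constructed assumptions.

```python
"""Flow-log triage for the botnet symptoms described on the page.

Assumed input: one flow per line, 'timestamp src dst dport' (a constructed
format, not a real NetFlow export). All hosts and addresses are made up.
"""
from collections import defaultdict
from typing import Iterable, NamedTuple


class Flow(NamedTuple):
    ts: int
    src: str
    dst: str
    dport: int


# Hosts that are allowed to send SMTP outbound (assumed: the organisation's relay).
MAIL_RELAYS = {"10.0.0.2"}

# Port roles taken from the page text.
SMTP_PORTS = {25}             # spam relaying from bots
SPREAD_PORTS = {445, 135}     # scanning for vulnerable peers
IRC_PORTS = {6667, 6668, 6669}  # classic IRC command-and-control


def parse_flow(line: str) -> Flow:
    """Parse 'ts src dst dport' into a Flow (assumed constructed format)."""
    ts, src, dst, dport = line.split()
    return Flow(int(ts), src, dst, int(dport))


def triage(flows: Iterable[Flow], smtp_fanout=20, scan_fanout=10, beacon_min=5):
    """Return {host: [finding, ...]} for hosts showing botnet-like behaviour.

    smtp_fanout : distinct SMTP peers before a non-relay host is flagged
    scan_fanout : distinct 445/135 targets before a host is flagged as scanning
    beacon_min  : repeated IRC connections before a host is flagged as beaconing
    """
    smtp_dsts = defaultdict(set)
    scan_dsts = defaultdict(set)
    irc_hits = defaultdict(int)
    for f in flows:
        if f.dport in SMTP_PORTS and f.src not in MAIL_RELAYS:
            smtp_dsts[f.src].add(f.dst)      # fan-out, not volume: many peers is the tell
        elif f.dport in SPREAD_PORTS:
            scan_dsts[f.src].add(f.dst)      # horizontal scan = many distinct targets
        elif f.dport in IRC_PORTS:
            irc_hits[f.src] += 1             # repeated polling of an IRC server

    findings = defaultdict(list)
    for host, dsts in smtp_dsts.items():
        if len(dsts) >= smtp_fanout:
            findings[host].append(f"smtp-fanout:{len(dsts)}")
    for host, dsts in scan_dsts.items():
        if len(dsts) >= scan_fanout:
            findings[host].append(f"smb-rpc-scan:{len(dsts)}")
    for host, n in irc_hits.items():
        if n >= beacon_min:
            findings[host].append(f"irc-beacon:{n}")
    return dict(findings)


def constructed_flows():
    """Synthetic flow lines built for this example (not captured traffic)."""
    lines = []
    # 10.0.0.5: a bot relaying spam to 25 distinct external mail servers
    for i in range(25):
        lines.append(f"{1000 + i} 10.0.0.5 203.0.113.{i + 1} 25")
    # 10.0.0.2: the legitimate relay, more SMTP than the bot but allowlisted
    for i in range(30):
        lines.append(f"{2000 + i} 10.0.0.2 198.51.100.{i + 1} 25")
    # 10.0.0.7: probing 12 neighbours on 445 and 135 to spread
    for i in range(12):
        lines.append(f"{3000 + i} 10.0.0.7 10.0.0.{100 + i} {445 if i % 2 else 135}")
    # 10.0.0.9: polling an IRC server once a minute for herder commands
    for i in range(8):
        lines.append(f"{4000 + 60 * i} 10.0.0.9 192.0.2.44 6667")
    # 10.0.0.20: ordinary HTTPS browsing, should not be flagged
    for i in range(5):
        lines.append(f"{5000 + i} 10.0.0.20 192.0.2.{i + 1} 443")
    return lines


if __name__ == "__main__":
    for host, hits in sorted(triage(parse_flow(l) for l in constructed_flows()).items()):
        print(host, ", ".join(hits))
```

Counting distinct peers rather than bytes or message volume is deliberate: the page notes that herders deliberately keep spam volume under detection thresholds, and a bot that sends a little mail to many unrelated servers still stands out by fan-out even when its total volume looks modest.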

Botnet Rankings:

It is estimated that approximately 15% of all internet-connected computers are part of a botnet. Botnets are difficult to measure accurately, as they can be distributed across multiple IRC servers. An approximation of the biggest botnets, based on their percentage of victims, is below. Most of these botnets have been replaced by the time of writing, as these are based on 2010 figures.
