What is a bot?

The user generally remains unaware that his computer has been taken over because it can still be used, although it might slow down considerably. As the computer begins to send out massive amounts of spam or attack Web sites, its owner becomes the focal point of any investigation into that suspicious activity, because the traffic traces back to his address.

The user might find that his Internet Service Provider (ISP) has cancelled his service, or even that he is under investigation for criminal activity. Meanwhile, the hacker shrugs off the loss of one of his bots because he has more. Sometimes he has a lot more: one investigation allegedly discovered that a single hacker's computer controlled a network of more than 1.5 million machines.

Hackers transform computers into zombies by using small programs that exploit weaknesses in a computer's operating system or in the applications running on it. You might think that these hackers are cutting-edge Internet criminal masterminds, but in truth, many have little to no programming experience or knowledge. People call some of these hackers "script kiddies" because they are young and show little proficiency in writing scripts or code of their own; they run tools written by others. Investigators who monitor botnets say that the programs these hackers use are primitive and poorly programmed. Despite the ham-handed approach, these programs do what the hackers intended them to do: convert computers into bots.

In order to infect a computer, the hacker must first get the installation program to the victim. Hackers can do this through e-mail, peer-to-peer networks or even a regular Web site. Most of the time, hackers disguise the malicious program with a name and file extension so that the victim thinks he is getting something entirely different. As users become smarter about Internet attacks, hackers find new ways to deliver their programs. Have you ever seen a pop-up ad that included a "No Thanks" button? Hopefully you didn't click on it, because those buttons are often just decoys. Instead of dismissing the annoying pop-up ad, clicking them starts a download of malicious software.

Once the victims receive the program, they have to activate it. In most cases, the user thinks the program is something else. It might appear to be a picture file, an MPEG or some other recognizable file format; a file named something like photo.jpg.exe relies on the operating system hiding the real extension. When the user chooses to run the program, nothing seems to happen. For some people, this raises alarm bells and they immediately follow up with a flurry of virus and spyware scanner activity. Unfortunately, some users simply think they received a bad file and leave it at that.

Meanwhile, the activated program attaches itself to an element of the user's operating system so that every time the user turns on his computer, the program becomes active. Hackers don't all hook the same part of the operating system's startup sequence (a startup folder, a registry "run" key, a system service or a scheduled task, to name a few), which makes detection tricky for the average user.

The program either contains specific instructions to carry out a task at a particular time, or it allows the hacker to directly control the user's Internet activity. Many of these programs take their orders over Internet Relay Chat (IRC): the bot logs into a chat channel the hacker controls and waits for commands typed there. In fact there are botnet communities on IRC networks where fellow hackers can help one another out, or attempt to steal another hacker's botnet.
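Because IRC command-and-control has such a recognizable shape (one nick issues short commands, many nicks answer with status lines), it can be picked out of captured chat traffic. The following is an added example, not code from the original article: it parses IRC PRIVMSG lines and flags channels where one speaker issues command-like lines and many others respond. The traffic, nicks, hosts and the command words (".login", ".ddos") are constructed for this example and are not a catalogue of any real bot's command set.

```python
"""Flag IRC channels that behave like botnet command-and-control (added example)."""
import re
from collections import defaultdict

# IRC wire format: ":nick!user@host PRIVMSG target :text"
PRIVMSG_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)(?:!\S+)?\s+PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$"
)
# Bot commands are typically a punctuation prefix followed by a short word.
# The prefix set and the words used below are assumptions for this example.
COMMAND_RE = re.compile(r"^[.!](?P<cmd>[a-z]+)(?:\s|$)")

# Constructed sample traffic: a C&C channel (#b0tz) and an ordinary channel (#linux).
BOT_NICKS = [f"[US]-{n:05d}" for n in (10471, 22984, 30012, 41537, 55890, 60234)]
SAMPLE_TRAFFIC = (
    [":h4x!h4x@203.0.113.7 PRIVMSG #b0tz :.login s3cret"]
    + [f":{b}!bot@192.0.2.{i + 20} PRIVMSG #b0tz :[MAIN]: Password accepted."
       for i, b in enumerate(BOT_NICKS)]
    + [":h4x!h4x@203.0.113.7 PRIVMSG #b0tz :.ddos 198.51.100.80 80 600"]
    + [f":{b}!bot@192.0.2.{i + 20} PRIVMSG #b0tz :[DDoS]: Flooding 198.51.100.80:80 for 600s."
       for i, b in enumerate(BOT_NICKS)]
    + [
        ":alice!a@198.51.100.2 PRIVMSG #linux :anyone know why my kernel build fails?",
        ":bob!b@198.51.100.3 PRIVMSG #linux :paste the error, alice",
        ":carol!c@198.51.100.4 PRIVMSG #linux :probably a missing header",
        ":alice!a@198.51.100.2 PRIVMSG #linux :thanks, will check",
    ]
)


def parse_privmsg(line):
    """Return {'nick', 'target', 'text'} for a PRIVMSG line, or None for anything else."""
    m = PRIVMSG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(lines, min_responders=5):
    """Return {channel: {'commander', 'commands', 'responders'}} for channels in which
    one nick issues command-like lines and at least min_responders other nicks speak."""
    commands = defaultdict(lambda: defaultdict(list))  # channel -> nick -> [command words]
    speakers = defaultdict(set)                        # channel -> every nick that spoke
    for line in lines:
        msg = parse_privmsg(line)
        if not msg or not msg["target"].startswith("#"):
            continue  # private messages and non-PRIVMSG lines are ignored here
        chan, nick, text = msg["target"], msg["nick"], msg["text"]
        speakers[chan].add(nick)
        cm = COMMAND_RE.match(text)
        if cm:
            commands[chan][nick].append(cm.group("cmd"))

    findings = {}
    for chan, by_nick in commands.items():
        # The nick that issued the most commands is the likely controller.
        commander, cmds = max(by_nick.items(), key=lambda kv: len(kv[1]))
        responders = len(speakers[chan] - {commander})
        if responders >= min_responders:
            findings[chan] = {"commander": commander, "commands": cmds, "responders": responders}
    return findings


if __name__ == "__main__":
    for chan, info in analyse(SAMPLE_TRAFFIC).items():
        print(f"{chan}: controller {info['commander']} issued {info['commands']} "
              f"to {info['responders']} responders")
```

The ordinary channel is not flagged even though it has several speakers, because nobody in it issues prefixed commands; a single commander plus a crowd of terse responders is the pattern worth alerting on, and the threshold should be tuned to the size of the channels you normally see.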

Once a user's computer is compromised, the hacker pretty much has free rein to do whatever he likes. Most hackers try to stay below the user's radar. If a hacker alerts a user to his presence, the hacker risks losing a bot. For some hackers, this isn't much of a problem, since some networks number in the hundreds of thousands of bots.

Bots and Spam
Spam continues to be a huge problem. It's a frustrating experience to open your e-mail and sort through dozens of junk messages. Where does all that spam come from? According to FBI estimates, a large percentage of it comes from networked bot computers.

If spam came from one centralized source, it would be relatively easy to track it down and either demand the corresponding ISP shut down that computer's access to the Internet or charge the user for sending out illegal spam. To get around these pitfalls, hackers rely on bots. The bot becomes a proxy, meaning the hacker is one step removed from the origin of spam e-mails. A hacker with a large botnet can send millions of spam messages every day.

Hackers might set up a spam botnet to deliver a computer virus or Trojan program to as many computers as possible. They also can use spam to send phishing messages, which are attempts to trick users into sharing personal information.

When sending out ads in spam mail, the hacker either sets up the botnet specifically for a client or he rents it out on an hourly basis. Clients who wish to advertise their products, and who don't care how intrusive or illegal their advertisements might be, pay the hackers to send out e-mail to thousands of people.

The majority of e-mail recipients usually can't figure out where the spam is coming from. They might block one source only to receive the same spam from a different zombie in the botnet. If the e-mail includes a message that says something like "Click here to be removed from this e-mail list", clicking it only confirms that the address is live and invites even more spam. Users savvy enough to trace the e-mail back may not realize that the sending computer is part of a larger network of compromised machines. For someone who knows what he's doing, it is possible to figure out whether a sender is a single user sending out spam or a hacker controlling the computer remotely. It is, however, time consuming.
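Tracing a message back means reading its Received headers: every relay that handles a message prepends one, so reading them from the top walks from your own mail server back towards the sender. The catch, and the reason the bot works as a proxy, is that only the headers added by relays you trust are reliable; the bot can write any headers it likes underneath them. The following is an added example, not code from the original article, showing that walk over a constructed message (all host names and addresses are invented for the example). It is written for the general case, with the set of trusted relays as a parameter, so the same function answers both "what did my servers see?" and "what did my ISP's servers see?".

```python
"""Trace a spam message back through its Received headers (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: a phishing message sent from a bot on a DSL line via its
# ISP's relay into our mail servers. The bottom Received header, claiming the
# message came from mail.bank.example, was forged by the bot itself.
RAW_MESSAGE = b"""Received: from mx2.example.net (mx2.example.net [198.51.100.7])
\tby inbox.example.net with ESMTP id k7Qx9; Mon, 1 Jan 2007 10:00:03 +0000
Received: from smtp.isp.example (smtp.isp.example [203.0.113.25])
\tby mx2.example.net with ESMTP; Mon, 1 Jan 2007 10:00:01 +0000
Received: from user-pc (dsl-pool-4-17.isp.example [203.0.113.117])
\tby smtp.isp.example with SMTP; Mon, 1 Jan 2007 09:59:58 +0000
Received: from mail.bank.example ([192.0.2.8])
\tby user-pc; Mon, 1 Jan 2007 09:59:50 +0000
From: "Customer Care" <care@bank.example>
To: victim@example.net
Subject: Please verify your account
Message-ID: <20070101095950.1@bank.example>

Your account will be suspended unless you verify it today.
"""

# Relays whose Received headers we believe (host name -> address). Assumed values.
OUR_RELAYS = {"inbox.example.net": "198.51.100.9", "mx2.example.net": "198.51.100.7"}
ISP_RELAYS = dict(OUR_RELAYS, **{"smtp.isp.example": "203.0.113.25"})

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")


def load_sample():
    return email.message_from_bytes(RAW_MESSAGE, policy=policy.default)


def received_hops(msg):
    """Newest first: (from_ip, by_host) for each Received header in the message."""
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())  # unfold continuation lines
        ip = IP_IN_BRACKETS.search(text)
        by = BY_HOST.search(text)
        hops.append((ip.group(1) if ip else None, by.group(1) if by else None))
    return hops


def trace_origin(msg, trusted_relays):
    """Walk the hops newest-first while the recording relay is one we trust.

    Returns (origin_ip, hops_trusted): the first 'from' address that is not itself
    a trusted relay, i.e. the client that handed the message to the last relay we
    believe. Headers below that point were written by someone else and may be forged.
    """
    trusted_ips = set(trusted_relays.values())
    trusted = 0
    for from_ip, by_host in received_hops(msg):
        if by_host not in trusted_relays:
            break
        trusted += 1
        if from_ip not in trusted_ips:
            return from_ip, trusted
    return None, trusted


def claimed_sender_domain(msg):
    """The domain in the From: header, which the sender chooses freely."""
    _, addr = parseaddr(str(msg["From"]))
    return addr.rpartition("@")[2]


if __name__ == "__main__":
    m = load_sample()
    print("claims to be from:", claimed_sender_domain(m))
    print("last hop our servers can vouch for:", trace_origin(m, OUR_RELAYS))
    print("with the ISP's relay trusted as well:", trace_origin(m, ISP_RELAYS))
```

Trusting only our own relays, the trail stops at the ISP's outbound server; trusting the ISP's header as well reaches the DSL customer whose machine is the bot. The forged bottom header pointing at the bank is never reached, which is the point: nothing below the last trusted hop is evidence of anything.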

A bot-computer owner might realize a hacker is controlling his machine remotely if spam recipients write to complain about the junk mail or if his own e-mail outbox is full of messages he didn't write. Otherwise, the owner is likely to remain blissfully unaware that he's part of a ring of spammers. Some users don't seem to care if their machines are being used to spread spam, as if it were someone else's problem, and many more don't take the necessary precautions to avoid becoming part of a botnet.

When Bots Attack
Sometimes a hacker uses a network of zombie computers to sabotage a specific Web site or server. The idea is pretty simple: a hacker tells all the computers on his botnet to contact a specific server or Web site repeatedly. The sudden increase in traffic can cause the site to load very slowly for legitimate users. Sometimes the traffic is enough to shut the site down completely. This kind of attack is called a Distributed Denial of Service (DDoS) attack.

Some particularly tricky botnets use uninfected computers as part of the attack. Here's how it works: the hacker sends the command to initiate the attack to his bot army. Each computer within the army sends a connection request (a ping, for example) to an innocent computer called a reflector, with the request's source address forged so that it looks like it originates not from the bot but from the ultimate victim of the attack. The reflectors dutifully send their replies to the victim system, and eventually the system's performance suffers or it shuts down completely as it is inundated with unsolicited responses from many computers at once.

From the perspective of the victim, it looks like the reflectors attacked the system. From the perspective of the reflectors, it seems like the victimized system requested the packets. The bot computers remain hidden, and even more out of sight is the hacker himself.
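The victim does have one clue: the reflectors' replies answer requests it never sent. A host (or a firewall in front of it) that remembers the pings it actually issued can separate genuine replies from reflected ones. The following is an added example, not code from the original article: a small stateful checker run over constructed flow records (timestamp, source, destination, ICMP type, identifier, sequence number) in which our host pings one server normally and then receives a reflected flood from twenty hosts. The addresses, thresholds and record format are assumptions for the example.

```python
"""Detect a reflected ICMP flood by matching echo replies to echo requests (added example)."""
from collections import Counter

ECHO_REPLY, ECHO_REQUEST = 0, 8   # ICMP type codes
OUR_IP = "192.0.2.10"             # the host whose traffic we are watching (assumed)


def _ping_exchange(ts, dst, seq):
    """One legitimate request/reply pair between OUR_IP and dst."""
    return [(ts, OUR_IP, dst, ECHO_REQUEST, 7, seq),
            (ts + 0.02, dst, OUR_IP, ECHO_REPLY, 7, seq)]


def build_sample():
    """Constructed records: three normal pings, then 20 reflectors x 5 unsolicited replies."""
    records = []
    for seq in range(1, 4):
        records += _ping_exchange(100.0 + seq, "198.51.100.1", seq)
    for i in range(1, 21):
        for seq in range(1, 6):
            # Replies carrying an identifier (99) that our host never used.
            records.append((200.0 + seq * 0.001 + i * 0.0001,
                            f"203.0.113.{i}", OUR_IP, ECHO_REPLY, 99, seq))
    return records


SAMPLE_RECORDS = build_sample()


def unsolicited_replies(records, our_ip=OUR_IP):
    """Replay records in time order and count, per source, the echo replies that
    matched no outstanding echo request from our_ip."""
    outstanding = set()
    unsolicited = Counter()
    for ts, src, dst, itype, ident, seq in sorted(records):
        if itype == ECHO_REQUEST and src == our_ip:
            outstanding.add((dst, ident, seq))
        elif itype == ECHO_REPLY and dst == our_ip:
            key = (src, ident, seq)
            if key in outstanding:
                outstanding.discard(key)   # a reply to something we really sent
            else:
                unsolicited[src] += 1      # nobody asked this host for anything
    return unsolicited


def detect_reflection(records, our_ip=OUR_IP, min_reflectors=10, min_replies=50):
    """Return (is_attack, reflectors): many distinct sources of unsolicited replies
    is the signature of a reflection attack rather than a stray late reply."""
    counts = unsolicited_replies(records, our_ip)
    attack = len(counts) >= min_reflectors and sum(counts.values()) >= min_replies
    return attack, sorted(counts)


if __name__ == "__main__":
    is_attack, reflectors = detect_reflection(SAMPLE_RECORDS)
    print("reflection attack:", is_attack, "from", len(reflectors), "reflectors")
```

Note what the output does not contain: the bots' addresses. The detector can name the reflectors, which is exactly the "from the victim's perspective it looks like the reflectors attacked" problem described above, and filtering on those addresses blocks the innocent parties rather than the botnet.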

The list of DoS attack victims includes some pretty major names. Microsoft suffered an attack launched by machines infected with the MyDoom worm. Hackers have targeted other major Internet players like Amazon, CNN, Yahoo and eBay. The names of these attacks range from mildly amusing to disturbing:

Ping of Death – bots send oversized ping packets, larger than the 65,535 bytes an IP datagram may contain, and the victim crashes while trying to reassemble them

Mailbomb – bots send a massive amount of e-mail, crashing e-mail servers

Smurf Attack – bots send Internet Control Message Protocol (ICMP) ping requests to reflectors with the victim's address forged as the source, as described above

Teardrop – bots send overlapping fragments of a packet; the victim system tries to recombine the pieces into a whole packet and crashes as a result

Once an army begins a DoS attack against a victim system, there are few things the system administrator can do to prevent catastrophe. He could choose to limit the amount of traffic allowed on his server, but this restricts legitimate Internet connections and zombies alike. If the administrator can determine the origin of the attacks, he can filter the traffic. Unfortunately, since many bot computers disguise (or spoof) their source addresses, this isn't always easy to do.
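Two of the attacks in that list, Teardrop and Ping of Death, work on the victim's IP fragment reassembly, and both are caught by the same sanity check before any reassembly is attempted. The following is an added example, not code from the original article: it classifies a set of fragments as overlapping, oversized or incomplete, with offsets and lengths given in bytes (on the wire the offset field counts 8-byte units). The three sample fragment sets are constructed for the example.

```python
"""Sanity-check IP fragments before reassembling them (added example)."""
IP_MAX_DATAGRAM = 65535   # largest total length an IPv4 datagram can have


def classify_fragments(fragments, max_datagram=IP_MAX_DATAGRAM):
    """fragments: iterable of (offset, length, more_fragments), offsets in bytes.

    Returns a set drawn from {'overlap', 'oversize', 'incomplete'}. An empty set
    means the fragments tile the datagram exactly and it is safe to reassemble.
    """
    problems = set()
    frags = sorted(fragments, key=lambda f: f[0])
    if not frags:
        return {"incomplete"}
    next_expected = 0
    for offset, length, more in frags:
        end = offset + length
        if offset < next_expected:
            problems.add("overlap")          # Teardrop: this piece starts inside the last one
        elif offset > next_expected:
            problems.add("incomplete")       # a gap: data missing or not yet arrived
        if end > max_datagram:
            problems.add("oversize")         # Ping of Death: reassembles past the IP maximum
        next_expected = max(next_expected, end)
    if frags[-1][2]:
        problems.add("incomplete")           # the last piece still promises more fragments
    return problems


def should_reassemble(fragments):
    """A hardened stack drops the whole datagram on any problem rather than guessing."""
    return not classify_fragments(fragments)


# Constructed sample fragment sets.
LEGIT = [(0, 1480, True), (1480, 1480, True), (2960, 1000, False)]
TEARDROP = [(0, 36, True), (24, 24, False)]                      # second piece overlaps the first
PING_OF_DEATH = [(i * 1480, 1480, True) for i in range(44)] + [(44 * 1480, 480, False)]  # 65,600 bytes

if __name__ == "__main__":
    for name, frags in (("legit", LEGIT), ("teardrop", TEARDROP), ("ping of death", PING_OF_DEATH)):
        print(f"{name}: {sorted(classify_fragments(frags)) or 'ok'}")
```

Dropping on any problem is the right default: a stack that tries to "repair" overlapping fragments by preferring the first or the last copy is exactly what the original Teardrop exploit relied on.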

Phishing and Cheating and Click Fraud
Some hackers aren't interested in using zombie computers to send spam or cripple a particular target. Many take control of computers in order to harvest secret information directly from them, particularly identification information. Hackers might steal your credit card information or search through your files for other sources of profit. The hacker might use a key logging program to record everything you type, then use that record to discover your passwords and other confidential information.

Sometimes hackers will use bots in ways that don't directly harm the victim of the initial attack or even the ultimate target, though the end goal is still pretty sneaky and unethical.

You've probably seen or even participated in several Internet-based polls. Perhaps you've even seen one where the results seemed unusual or counter-intuitive, particularly when it comes to a contest. While it's entirely possible the poll wasn't ever attacked, hackers have been known to use bots to stuff polls, and to commit click fraud. Click fraud refers to the practice of setting up a botnet to repeatedly click on a particular link. Sometimes, hackers will commit click fraud by targeting the advertisers on their own Web sites. Since Web advertisers usually pay sites a certain amount of money per click an ad receives, the hacker could stand to earn quite a few dollars from fraudulent site visits.

Bot computers and the hackers responsible for them are pretty scary. You could end up being the victim of identity theft or unknowingly participate in an attack on an important Web site. It's important to learn how to protect yourself from hackers as well as what you should do if you find out your computer has been compromised.

An Ounce of Prevention
You don't want your computer to become a bot, so what do you do to prevent it? The most important thing to remember is that prevention is an ongoing process – you can't just set everything up and expect to be protected forever. Also, it's important to remember that unless you employ common sense and prudent Internet habits, you're courting disaster.

Antivirus software is an absolute necessity. Whether you purchase a commercial package or download a free program, you need to activate it and make sure your version remains current. Some experts say that to be truly effective, an antivirus package would need to update on an hourly basis. That's not practical, but it does help stress the importance of making sure your software is as up to date as possible.

Install a firewall to protect your home network. Firewalls can be part of a software package or even incorporated into some hardware like routers or modems. Keep your operating system and applications patched as well, since the bot installers described earlier get in by exploiting known weaknesses in that software.

You should also make sure that your passwords are difficult or impossible to guess, and you shouldn't use the same password for multiple applications. This makes remembering all those passwords a pain, but it gives you an added layer of protection.

If your computer has already been infected and turned into a bot computer, there are only a few options open to you. If you have access to tech support who can work on your computer for you, that would be the best option. If not, you can try to run a malware removal program to remove the bot and cut the connection between your computer and the hacker. Unfortunately, sometimes the only option you have is to erase everything on your computer, reload its operating system and start from scratch. You should make backups of your hard drive on a regular basis just in case. Remember to scan those files with an antivirus program before restoring them, to make sure none of them are infected.

Your computer is a great resource. Sadly, hackers think the same thing – they want to make your computer their own resource.

[Source: HowStuffWorks]

