Free Republic
News/Activism

BOT Networks
CryptoGram August 2006 | 8/15/2006 | Bruce Schneier

Posted on 08/16/2006 9:06:17 AM PDT by zeugma

Bot Networks

What could you do if you controlled a network of thousands of computers -- or, at least, could use the spare processor cycles on those machines? You could perform massively parallel computations: model nuclear explosions or global weather patterns, factor large numbers or find Mersenne primes, or break cryptographic problems.

All of these are legitimate applications. And you can visit distributed.net and download software that allows you to donate your spare computer cycles to some of these projects. (You can help search for Optimal Golomb Rulers -- even if you have no idea what they are.) You've got a lot of cycles to spare. There's no reason that your computer can't help search for extraterrestrial life as it, for example, sits idly waiting for you to read this essay.

The reason these things work is that they are consensual; none of these projects download software onto your computer without your knowledge. None of these projects control your computer without your consent. But there are lots of software programs that do just that.

The term used for a computer remotely controlled by someone else is a "bot". A group of computers -- thousands or even millions -- controlled by someone else is a bot network. Estimates are that millions of computers on the internet today are part of bot networks, and the largest bot networks have over 1.5 million machines.

Initially, bot networks were used for just one thing: denial-of-service attacks. Hackers would use them against each other, fighting hacker feuds in cyberspace by attacking each other's computers. The first widely publicized use of a distributed intruder tool -- technically not a botnet, but practically the same thing -- was in February 2000, when Canadian hacker Mafiaboy directed an army of compromised computers to flood CNN.com, Amazon.com, eBay, Dell Computer and other sites with debilitating volumes of traffic. Every newspaper carried that story.

These days, bot networks are more likely to be controlled by criminals than by hackers. The important difference is the motive: profit. Networks are being used to send phishing e-mails and other spam. They're being used for click fraud. They're being used as an extortion tool: Pay up or we'll DDoS you!

Mostly, they're being used to collect personal data for fraud -- commonly called "identity theft." Modern bot software doesn't just attack other computers; it attacks its hosts as well. The malware is packed with keystroke loggers to steal passwords and account numbers. In fact, many bots automatically hunt for financial information, and some botnets have been built solely for this purpose -- to gather credit card numbers, online banking passwords, PayPal accounts, and so on, from compromised hosts.

Swindlers are also using bot networks for click fraud. Google's anti-fraud systems are sophisticated enough to detect thousands of clicks by one computer; it's much harder to determine if a single click by each of thousands of computers is fraud, or just popularity.

And, of course, most bots constantly search for other computers that can be infected and added to the bot network. (A 1.5 million-node bot network was discovered in the Netherlands last year. The command-and-control system was dismantled, but some of the bots are still active, infecting other computers and adding them to this defunct network.)

Modern bot networks are remotely upgradeable, so the operators can add new functionality to the bots at any time, or switch from one bot program to another. Bot authors regularly upgrade their botnets during development, or to evade detection by anti-virus and malware cleanup tools.

One application of bot networks that we haven't seen all that much of is to launch a fast-spreading worm. Much has been written about "flash worms" that can saturate the internet in 15 minutes or less. The situation gets even worse if 10 thousand bots synchronize their watches and release the worm at exactly the same time. Why haven't we seen more of this? My guess is because there isn't any profit in it.

There's no real solution to the botnet problem, because there's no single problem. There are many different bot networks, controlled in many different ways, consisting of computers infected through many different vulnerabilities. Really, a bot network is nothing more than an attacker taking advantage of 1) one or more software vulnerabilities, and 2) the economies of scale that computer networks bring. It's the same thing as distributed.net or SETI@home, only the attacker doesn't ask your permission first.
As long as networked computers have vulnerabilities -- and that'll be for the foreseeable future -- there'll be bot networks. It's a natural side-effect of a computer network with bugs.

This essay originally appeared on Wired.com:
http://www.wired.com/news/columns/0,71471-0.html

Distributed.net:
http://www.distributed.net

SETI@home:
http://setiathome.berkeley.edu

MafiaBoy:
http://www.infoworld.com/articles/hn/xml/01/01/18/...

1.5-million-node bot network:
http://www.techweb.com/wire/security/172303160


TOPICS: Business/Economy; Crime/Corruption
KEYWORDS: botnets; bugs; phishing; viruses; worms
My favorite distributed computing project is Folding @ Home.

Join the FreeRepublic Folding Team!

One has to wonder why more effort is not made to shut down these botnets. Unfortunately, with so many MS-Windows connected to the net that are owned by people clueless about security, there will always be lots of easy targets.

1 posted on 08/16/2006 9:06:19 AM PDT by zeugma

To: zeugma

Hey! that's us!


2 posted on 08/16/2006 9:12:42 AM PDT by Uriah_lost (Cable News new slogan: Now running only one week behind the blogs!)

To: zeugma

Very interesting article. As soon as I get my tinfoil hat fastened, I'm going to go look for a good cave to live in.


3 posted on 08/16/2006 9:20:56 AM PDT by NaughtiusMaximus (WARNING: Alcohol may cause you to think you are whispering when you are definitely not.)

To: zeugma
One has to wonder why more effort is not made to shut down these botnets. Unfortunately, with so many MS-Windows connected to the net that are owned by people clueless about security, there will always be lots of easy targets.

Unfortunately, most of the control points seem to be located in Russia, and the local authorities aren't very cooperative in helping to get them shut down. Lots more information on botnets, including the efforts being made to identify them and shut them down, can be had at www.sans.org.

4 posted on 08/16/2006 9:25:55 AM PDT by tacticalogic ("Oh bother!" said Pooh, as he chambered his last round.)

To: tacticalogic
Unfortunately, most of the control points seem to be located in Russia, and the local authorities aren't

But we can all help by searching for canonical lists of IP numbers in Russia and China, put them in our deny tables and hosts files, and get them off the web, practically speaking.

Maybe some day, ISPs will offer a Pesthole-Free service feature so that a good part of the Pacific Rim (excepting Oz and NZ), as well as other nests such as Nigeria, CN, FM, SG are unreachable.

It is a shame. I had some high hopes that after the FSU fell, we would be talking to lots of friendly Russians who would be glad to "Join the World" like all my Aussie friends have.

But if a place is a "High Crime" neighborhood, then they can be walled off. Then perhaps the kleptocracies running these places would take a hint... Or maybe even start their own internet for masochists who enjoy having their bank accounts cleaned out, or who like losing their internet connection because they are loaded with trojans that turn their machines into spam hydrants.

5 posted on 08/16/2006 9:46:27 AM PDT by Gorzaloon

To: zeugma
You can help search for Optimal Golomb Rulers

I already do. Whenever I go to the beach or a public park, I take along my metal detector. I've found a couple of brass belt buckles and a gold tooth, plus Ted Kennedy's car keys. I've never even found a Marginal Golomb Ruler, let alone one of the good ones. But I'll keep looking.

6 posted on 08/16/2006 10:01:04 AM PDT by IronJack (ALL)

To: zeugma

Acronyms, abbreviations and mnemonics are and have always been a barrier to communications.

This author assumes everybody knows their arcane language.


7 posted on 08/16/2006 10:09:07 AM PDT by Beckwith (The dhimmicrats and liberal media have chosen sides and they've sided with the Jihadists.)

To: zeugma
Woohoo! I'm in the top 200 for the team now. :-)

Not too bad for only a week or so.

8 posted on 08/16/2006 10:23:49 AM PDT by TChris (Banning DDT wasn't about birds. It was about power.)

To: Gorzaloon
But we can all help by searching for canonical lists of IP numbers in Russia and China, put them in our deny tables and hosts files, and get them off the web, practically speaking.

I've done this at home for certain addresses. If I have someone hitting my box repeatedly from a compromised host, I blackhole them at the firewall. Same goes for certain other sites and addresses, like all networks owned by Microsoft.

9 posted on 08/16/2006 10:32:19 AM PDT by zeugma (I reject your reality and substitute my own in its place. (http://www.zprc.org/))
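The detection asymmetry in the essay's click-fraud paragraph (thousands of hits from one host stand out; one hit each from thousands of hosts looks like popularity) and the firewall blackholing zeugma describes in post 9 can both be seen in one short script. This is an added example, not part of the essay, the thread, or any poster's code. The log layout (ISO timestamp, source IP, method, path) is an assumption, every log line is constructed, and the blackhole routes are only rendered as Linux iproute2 command strings for review, never executed.

```python
"""Counting hits per source over a web-server log sample.

Added example; not from the essay, the thread, or any poster. The log
format (ISO timestamp, source IP, method, path) is an assumption, and
every line in SAMPLE_LOG is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed sample: one host hammering a page, four hosts hitting an ad
# link once each (the "single click from each of thousands" shape), one
# ordinary visitor, and one malformed line the parser must skip.
# All addresses are from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2006-08-16T09:06:01 198.51.100.7 GET /index.html
2006-08-16T09:06:02 198.51.100.7 GET /index.html
2006-08-16T09:06:02 198.51.100.7 GET /index.html
2006-08-16T09:06:03 198.51.100.7 GET /index.html
2006-08-16T09:06:03 198.51.100.7 GET /index.html
2006-08-16T09:06:04 203.0.113.10 GET /ad-click
2006-08-16T09:06:05 203.0.113.11 GET /ad-click
2006-08-16T09:06:05 203.0.113.12 GET /ad-click
2006-08-16T09:06:06 203.0.113.13 GET /ad-click
2006-08-16T09:06:07 192.0.2.44 GET /about.html
this line is malformed and must be skipped
"""


def parse_log(text):
    """Parse 'timestamp src method path' lines into (datetime, ip, path).

    Lines that do not have exactly four fields, or whose timestamp or
    address fails to parse, are skipped instead of aborting the run.
    """
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            events.append((datetime.fromisoformat(parts[0]),
                           ip_address(parts[1]), parts[3]))
        except ValueError:
            continue
    return events


def noisy_sources(events, threshold=5, window=timedelta(seconds=60)):
    """Source IPs with at least `threshold` hits inside any `window`.

    Sliding window over each source's sorted timestamps (two pointers).
    This is the "thousands of hits from one computer" rule; a host that
    hits once never reaches the threshold, which is the point.
    """
    by_src = defaultdict(list)
    for ts, src, _path in events:
        by_src[src].append(ts)
    flagged = set()
    for src, stamps in by_src.items():
        stamps.sort()
        left = 0
        for right, ts in enumerate(stamps):
            while ts - stamps[left] > window:
                left += 1
            if right - left + 1 >= threshold:
                flagged.add(src)
                break
    return flagged


def sources_per_path(events):
    """Distinct sources per path: shows the distributed shape the per-host
    threshold cannot distinguish from genuine popularity."""
    seen = defaultdict(set)
    for _ts, src, path in events:
        seen[path].add(src)
    return {path: len(srcs) for path, srcs in seen.items()}


def blackhole_commands(sources):
    """Render iproute2 blackhole routes ('ip route add blackhole') for a
    human to review before applying; nothing here runs them."""
    return [f"ip route add blackhole {src}/{src.max_prefixlen}"
            for src in sorted(sources, key=str)]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    noisy = noisy_sources(evts)
    for cmd in blackhole_commands(noisy):
        print(cmd)
    print(sources_per_path(evts))
```

Running it flags only 198.51.100.7 (five hits in three seconds) and prints one blackhole route for it, while `/ad-click` shows four distinct sources with one hit each and none of them flagged: the per-host threshold catches the first pattern and is blind to the second, which is exactly the asymmetry the essay describes.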

To: TChris
Woohoo! I'm in the top 200 for the team now. :-)

Not too bad for only a week or so.

Keep working it newbie. I'm in the top 25 now :-)

Of course, no one is going to be able to keep up with our #1 fellow.

10 posted on 08/16/2006 10:34:02 AM PDT by zeugma (I reject your reality and substitute my own in its place. (http://www.zprc.org/))

To: rdb3; chance33_98; Calvinist_Dark_Lord; Bush2000; PenguinWry; GodGunsandGuts; CyberCowboy777; ...

11 posted on 08/16/2006 10:35:05 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: zeugma

A process I like to refer to as "route to ground".


12 posted on 08/16/2006 10:38:07 AM PDT by tacticalogic ("Oh bother!" said Pooh, as he chambered his last round.)

To: zeugma
None of these projects control your computer without your consent. But there are lots of software programs that do just that.

Windows Genuine Advantage?

13 posted on 08/16/2006 10:44:58 AM PDT by antiRepublicrat

To: tacticalogic
A process I like to refer to as "route to ground".

What kills me is that ISPs could do something about this if they really wanted to. I'm still getting pings against my webserver from MS-Windows hosts that were hacked years ago.

14 posted on 08/16/2006 10:46:32 AM PDT by zeugma (I reject your reality and substitute my own in its place. (http://www.zprc.org/))

To: antiRepublicrat
Windows Genuine Advantage?

LOL. Yeah.

15 posted on 08/16/2006 10:49:18 AM PDT by zeugma (I reject your reality and substitute my own in its place. (http://www.zprc.org/))

To: Gorzaloon
Maybe some day, ISP's will offer a Pesthole-Free service feature so that a good part of the Pacific Rim (Excepting Oz and NZ), as well as other nests such as Nigeria, CN,FM,SG are unreachable.

Now that's an interesting business idea .....

16 posted on 08/16/2006 10:55:45 AM PDT by Centurion2000 (Islam is a subsingularity memetic perversion : (http://www.orionsarm.com/topics/perversities.html))

