Chat. Most bots—including those in the large Phatbot/Agobot and Sdbot/Rbot families—use IRC as a way to communicate with and receive commands from hackers. However, many of these bots—which have tiny, built-in IRC clients—can also use other attack methods.
IRC has built-in multicast capabilities, which lets attackers quickly and easily send commands to all parts of a botnet. IRC thus lets hackers work with multicast capabilities without writing new code for the bot, noted Ed Skoudis, SANS instructor and consultant with Intelguardians, an IT security provider.
Peer-to-peer. Many bots, including some that can also work with IRC, are able to use peer-to-peer communications. These bots include P2P clients.
They connect to a server that uses Gnutella, an open-source file-sharing technology, and work with the WASTE file-sharing protocol. Rather than use a directory on a central server, WASTE has a distributed directory, which lets bots easily find and communicate with one another.
They can thus exchange hacker commands or other attack-related information among themselves. An attacker can initiate the process by serving as a peer in a P2P network and sending commands to one bot, which can then pass them on to the others.
Thus, hackers don't have to communicate with bots via IRC multicasting. Decentralized P2P-based bot systems are harder for security officials to trace or shut down than systems using a single IRC source.
If security officials discover and disable some of the bots in a sophisticated P2P system, Skoudis said, the bots can communicate this to one another and the attacker and then start spreading again to compensate for the losses. Each bot carries the software necessary to create and spread more bots.
Botnets. Hackers can install bots on multiple computers simultaneously—via such methods as e-mail attachments or IRC multicasts—to form a network. The bots can then act in unison via hackers' commands.
In a botnet, bots can communicate with one another or the hacker via IRC or P2P. Attackers can also set up an interface on infected machines and use it to remotely send commands to the computers. Hackers can also program bots to contact a Web server, which they set up to issue attack commands, said Skoudis.
"In one sense, botnets are a more dangerous problem than worms and viruses," the Internet Storm Center's Ullrich said. "They're an easy way to control 10,000 systems."
Hackers have used botnets to distribute large quantities of spam, noted Fred Cohen, managing director of the Fred Cohen & Associates security consultancy. Hackers can also use botnets to launch DDoS attacks by sending large numbers of messages to a target system.
Hackers generally used the early botnets for such attacks but now usually use them to send spam, noted Eugene Spafford, professor and executive director of Purdue University's Center for Education and Research in Information Assurance and Security.
Some bots can install keystroke loggers on victims' machines and capture passwords, credit card numbers, financial records, and other private information, added Rob Murawski, a technical staff member with the CERT Coordination Center, an Internet-security organization. The bots send the logged keystrokes back to hackers via e-mail or a Web server.
According to the UK's London Metropolitan Police (also known as Scotland Yard), "Small groups of young people creating a resource out of a 10,000- to 30,000-computer network are renting them out to anybody who has the money." Most of the people who control the rental botnets are from Eastern Europe.
"A typical botnet might go for as little as $20," said Trend Micro's Perry.
Hybrid threats. Hackers can write worms into bot software to create hybrid threats. Bots don't replicate or spread on their own, but they can use the worms' functionality to do so. In fact, hackers can spread bots more quickly with worms than with other methods. In addition, botnets can spread worms faster than worms can spread on their own.
Symantec's Security Response Team said 2004's Witty worm, which infected and crashed tens of thousands of servers, was probably launched by a botnet, according to Huger.
"We saw Witty break out more or less at the same time from 100 or more machines. The machines were all over the world, but they had something in common: They were on our bot list [of] compromised computers," he noted.
Bots and spam. "The preferred method of spamming is now via botnets," said Mark Sunner, chief technology officer at security company MessageLabs.
This is because botnets can send out large volumes of unsolicited e-mail and also hide the senders' identity, explained Trend Micro's Hartmann. Spam sent by botnets looks like it came from the infected computers, not the hacker's computer.
Bots let spammers send unsolicited e-mail via small SMTP servers they install on victims' computers.
Several recent high-profile viruses, including Sobig and MyDoom, infected computers with bots that helped spread spam.
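The two network-visible shapes this article describes, many internal hosts joining the same IRC server to take commands and infected machines delivering spam straight to outside mail servers from their own small SMTP engines, can both be spotted from ordinary connection logs. The following is an added example written for this page, not code from the article or from any product it names. It assumes a constructed, simplified log format (timestamp, source IP, destination IP, destination port, detected application protocol), treats 10.0.0.0/8 as the internal network, and assumes a single sanctioned outbound mail relay at 10.0.0.5; the addresses and log lines are made up for the example.

```python
"""Two botnet indicators over a simplified connection log (added example).

Constructed, hypothetical log format: timestamp, source IP, destination IP,
destination port, detected application protocol ('-' when unknown).

1. IRC fan-in: several internal hosts connecting to the same IRC server,
   which is what channel-based command and control looks like on the wire.
2. Rogue SMTP senders: internal hosts other than the sanctioned mail relay
   opening outbound port-25 connections, the shape of a spam bot running
   its own SMTP engine on a victim machine.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log; 10.0.0.13 appears in both indicators on purpose.
SAMPLE_LOG = """\
1100000001 10.0.0.11 203.0.113.5 6667 irc
1100000002 10.0.0.12 203.0.113.5 6667 irc
1100000003 10.0.0.13 203.0.113.5 6667 irc
1100000004 10.0.0.14 203.0.113.5 6667 irc
1100000005 10.0.0.20 198.51.100.9 443 ssl
1100000006 10.0.0.30 192.0.2.77 7000 irc
1100000007 10.0.0.31 192.0.2.77 7000 irc
1100000008 10.0.0.31 192.0.2.80 6667 irc
1100000009 10.0.0.5 198.51.100.25 25 smtp
1100000010 10.0.0.5 198.51.100.26 25 smtp
1100000011 10.0.0.13 203.0.113.40 25 smtp
1100000012 10.0.0.13 203.0.113.41 25 smtp
1100000013 10.0.0.13 203.0.113.42 25 smtp
1100000014 10.0.0.13 203.0.113.43 25 -
1100000015 10.0.0.14 203.0.113.50 25 smtp
"""

INTERNAL = ip_network("10.0.0.0/8")          # assumed internal address space
MAIL_RELAYS = {"10.0.0.5"}                   # assumed: the only sanctioned outbound mail host
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}   # common IRC listener ports


def parse_connections(text):
    """Parse the constructed log into (ts, src, dst, dport, service) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport, service = line.split()
            records.append((int(ts), src, dst, int(dport), service))
    return records


def find_irc_fan_in(records, min_hosts=3):
    """Return {"dst:port": sorted internal hosts} for IRC servers that at least
    min_hosts distinct internal machines connect to.  One workstation on IRC is
    noise; a dozen joining the same server is a channel full of bots."""
    hosts_by_dst = defaultdict(set)
    for _, src, dst, dport, service in records:
        if ip_address(src) not in INTERNAL:
            continue                          # only internal machines reaching out
        if service == "irc" or dport in IRC_PORTS:
            hosts_by_dst[(dst, dport)].add(src)
    return {f"{dst}:{dport}": sorted(srcs)
            for (dst, dport), srcs in hosts_by_dst.items()
            if len(srcs) >= min_hosts}


def find_rogue_smtp_senders(records, min_destinations=2):
    """Return {internal host: number of distinct outside SMTP servers} for hosts
    that are not the mail relay yet deliver mail directly.  Legitimate clients
    hand mail to the relay; a bot with its own SMTP engine talks to many
    recipients' mail servers itself."""
    dsts_by_src = defaultdict(set)
    for _, src, dst, dport, service in records:
        if ip_address(src) not in INTERNAL or src in MAIL_RELAYS:
            continue
        if dport == 25 or service == "smtp":
            dsts_by_src[src].add(dst)
    return {src: len(dsts) for src, dsts in dsts_by_src.items()
            if len(dsts) >= min_destinations}


def correlate(records):
    """Hosts that both sit in a suspected bot channel and spam directly."""
    irc_hosts = set().union(*find_irc_fan_in(records).values())
    return sorted(irc_hosts & set(find_rogue_smtp_senders(records)))


if __name__ == "__main__":
    recs = parse_connections(SAMPLE_LOG)
    print("IRC fan-in:", find_irc_fan_in(recs))
    print("Rogue SMTP senders:", find_rogue_smtp_senders(recs))
    print("Both:", correlate(recs))
```

The port list is only a fallback: bots that speak IRC on an unusual port, or that poll a Web server for commands as the article also describes, are caught only if the log's protocol detection labels the traffic or the fan-in threshold is applied to other services as well. The SMTP check is the detection counterpart of the usual mitigation, blocking outbound port 25 from everything except the mail relay at the network edge.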