ZOMBIE ARMIES AREN’T just invading movie screens these days. They’re also taking over the Internet in the form of massive botnets. A botnet is an army of computers, all infected with the same malware, that gives a bot herder remote control of these computers in order to surreptitiously commandeer them without their owners’ knowledge. The bot herder can send instructions to the network of computers from a command-and-control server to siphon credit card numbers and banking credentials from them or use them to launch DDoS attacks against web sites, deliver spam and other malware to victims, or conduct advertising click fraud.
Botnets came up this month in a Senate Judiciary hearing with FBI Director James Comey. Senator Sheldon Whitehouse, who has previously likened botnets to weeds that do “evil things,” asked Comey for his assessment of one of the Internet’s biggest scourges, and Comey replied that there was no such thing as a “good botnet.”
“Whether they’re coming at you or whether they’re standing still, it’s bad,” Comey replied. “I don’t know of a good purpose for an army of zombies.”
Botnets have been around for more than a decade and have become one of the most popular methods attackers use to hijack machines and make quick money. The security industry estimates that botnets, over time, have resulted in more than $110 billion in losses to victims globally. An estimated 500 million computers fall prey to botnet attackers annually, which comes down to about 18 victims infected per second.
The Morris worm, unleashed in 1988, is sometimes cited as the first botnet. But although that worm infected thousands of computers on the ARPAnet, the precursor to the Internet, it was not truly a botnet in the way we define such networks today. Robert Morris, Jr., who launched the worm, didn’t control the infected machines and never earned a penny from his operation; instead his worm simply spread uncontrollably.
Today’s botnets are well-oiled criminal enterprises often composed of millions of infected machines that can earn a bot herder or his customers millions of dollars.
Coreflood, for example, was a popular botnet that held strong for nearly a decade before law enforcement crippled it in 2011. One Coreflood control server seized by authorities commandeered more than 2 million infected machines and in a single year amassed more than 190 gigabytes of data from victim computers. The botnet allowed criminals to loot millions from victims, including $115,000 from the account of a real estate company in Michigan and $78,000 from a South Carolina law firm.
Quite often, attackers who control a botnet will not only use it for their own criminal schemes but will also rent it out to other attackers for DDoS or data-stealing operations.
The Bredolab botnet, which hijacked more than 30 million machines, is one example. Georgy Avanesov, a 27-year-old Russian citizen of Armenian descent, developed Bredolab in 2009 to siphon bank account passwords and other confidential information from infected computers. But authorities say Avanesov also earned about $125,000 a month from renting out access to compromised computers in his botnet to other criminals, who used the botnet to spread malware, distribute spam, and conduct DDoS attacks.
The SpyEye and Zeus botnets have also been extremely widespread and profitable for their commanders. Both steal banking credentials from victims and automate the process of siphoning money from accounts. The author or authors behind the Zeus botnet sold it to various criminal gangs who infected more than 13 million machines with it from 2008 on, and used it to steal more than $100 million.
In 2007, the FBI began cracking down on botnets through an operation it dubbed Bot Roast. A man named John Schiefer was charged and convicted in one of the first botnet criminal cases resulting from the operation. Notably, though, he was charged under the wiretapping statute instead of the Computer Fraud and Abuse Act, the legislation usually used to prosecute hackers. His botnet malware infected some 250,000 machines and was used to siphon the PayPal usernames and passwords of computer owners.
The bureau’s methods for cracking down on botnets have not been without controversy. In 2011, for example, the FBI used a novel method to eliminate the Coreflood botnet. After the agency obtained a court order to seize control of servers used to command the botnet, the FBI sent code to the infected machines to disable the malicious software on them. A private security firm, under law enforcement supervision, did this by first hijacking communication between infected computers and the attackers’ command servers so that infected computers communicated with servers the company controlled instead. After collecting the IP addresses of every infected machine that contacted their server, they sent a remote “stop” command to disable the Coreflood malware on them. The Electronic Frontier Foundation called the technique an “extremely sketchy” move, since it was impossible to predict whether the code might have an adverse effect on the machines. No adverse effects were reported, however, and according to figures released by the Feds, the action helped disable the botnet malware on some 700,000 machines in one week.
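The victim-enumeration step of a sinkhole like the one described above (recording every infected host that contacts the substituted server so its owner or ISP can be notified), as an added example that is not code from the article or from the Coreflood operation; the log format, hostnames and addresses are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sinkhole access log (timestamp, source IP, requested host).
# Invented for this example; not data from any real takedown.
SINKHOLE_LOG = """\
2011-04-13T10:00:01Z 198.51.100.7 cc-a.example-c2.test
2011-04-13T10:00:05Z 203.0.113.44 cc-b.example-c2.test
2011-04-13T10:00:09Z 198.51.100.7 cc-a.example-c2.test
this line is garbage and should be skipped
2011-04-13T10:01:00Z 192.0.2.15 update.legit-site.test
2011-04-13T10:02:30Z 203.0.113.44 cc-a.example-c2.test
2011-04-13T10:03:00Z 203.0.113.44 cc-b.example-c2.test
"""

# Hostnames the court order redirected to the sinkhole (assumed names).
C2_HOSTS = {"cc-a.example-c2.test", "cc-b.example-c2.test"}

LINE_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)$")


def parse_sinkhole_log(text, c2_hosts=C2_HOSTS):
    """Return {ip: {"first": dt, "last": dt, "hits": n}} for every source
    that asked for a sinkholed C2 hostname.

    Malformed lines and requests for hostnames outside the sinkholed set are
    ignored, so unrelated traffic reaching the same server is never flagged.
    """
    victims = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, host = m.groups()
        if host not in c2_hosts:
            continue
        seen = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        rec = victims.setdefault(ip, {"first": seen, "last": seen, "hits": 0})
        rec["first"] = min(rec["first"], seen)
        rec["last"] = max(rec["last"], seen)
        rec["hits"] += 1
    return victims


def notification_list(victims):
    """(ip, hits) pairs, most active first, as handed to ISPs or CERTs."""
    return sorted(((ip, v["hits"]) for ip, v in victims.items()),
                  key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for ip, hits in notification_list(parse_sinkhole_log(SINKHOLE_LOG)):
        print(ip, hits)
```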
A different operation to take down botnets didn’t work so well for Microsoft. In 2014, the software giant obtained a court order to seize control of nearly two dozen domains that were being used by two different families of botnet malware known as Bladabindi (aka NJrat) and Jenxcus (aka NJw0rm). Microsoft didn’t send infected machines any commands, but in the process of simply seizing the malicious domains to disable the botnets’ command structure, Microsoft also seized many legitimate domains controlled by the DNS provider No-IP.com, thereby knocking the website addresses of millions of its customers offline. The software maker eventually recognized its mistake and reversed its actions to restore legitimate service to these customers, but the move highlighted how heavy-handed crackdowns on botnets can have unintended consequences.
Of all the botnets that have hit the internet over the last decade, one of the most famous remains an enduring mystery. The Conficker worm botnet infected an estimated 12 million machines beginning in 2008, and it’s still infecting machines today. The worm uses a sophisticated method that was somewhat novel at the time—dynamic DNS—to prevent its command structure from being taken down. Teams of security researchers worked for months to get ahead of the infection. But ultimately, for all the work the attackers put into their attack, Conficker proved to be fairly anticlimactic, and no one has ever been able to determine its original purpose. Code in the malware indicated that the botnet would activate on April 1, 2009, though no one knew what that meant. In the days leading up to that date, many people made dire predictions about how the Conficker attackers might use their massive army of computers to take down the Internet’s infrastructure. But the April 1st deadline passed without incident. In 2011, authorities in Ukraine, working in conjunction with US authorities, busted a $72 million cybercrime ring that had been using Conficker, though it’s unclear if they were behind the initial spread of Conficker or had simply hijacked Conficker-infected machines to install and spread other malware that allowed them to steal banking credentials from infected machines.
Despite the handful of successful operations that have taken down botnets over the years, there’s no sign of the zombie apocalypse waning. According to the industry’s estimated infection rates, in the few minutes it took you to read this article, more than 3,000 new machines joined the botnet army.