conservatively, 128Kbps broadband upload speed can produce approximately 1.3 gigabits of data per second. With this kind of power, two or three large (one million plus) botnets could, according to McAfee, “threaten the national infrastructure of most countries.” Individually, these large botnets are probably powerful enough to take down most of the Fortune 500 companies.
A Conceptual History of Botnets
Like many things on the Internet today, bots began as a useful tool without malicious overtones. Bots were originally developed as a virtual individual that could sit on an IRC channel and do things for its owner while the owner was busy elsewhere. IRC was invented in August of 1988 by Jarkko “WiZ” Oikarinen of the University of Oulu, Finland. Figure 1.1 traces the evolution of bot technology.
Figure 1.1 The Evolution of Bot Technology
Chapter 1 • Botnets: A Call to Action
Evolution of Bot Technology Timeline, 1988 to 2006 (a timeline showing the introduction of bots and bot technology; dated Friday, December 29, 2006):
1988: Invention of IRC.
1989: Greg Lindahl invents GM, the first bot. GM plays “Hunt the Wumpus” with IRC users.
1999: Pretty Park discovered; first worm to use an IRC server as a means of remote control.
1999: SubSeven trojan/bot. A remote control trojan; added control via IRC.
2000: GT Bot, mIRC based. Runs scripts in response to IRC server events; supports raw TCP and UDP socket connections.
2002: SDBot, written in C++. Source code available to hacker community; small single binary.
2002: AgoBot, Gaobot. Introduces modular design: the 1st module breaks in and downloads the 2nd module; the 2nd module turns off antivirus, hides from detection, and downloads the 3rd module; module 3 has attack engines/payload.
2003: SpyBot. Spyware capabilities (keylogging, data mining for email addresses, lists of URLs, etc.).
2003: RBot. Most prevalent bot today; spreads through weak passwords, easily modifiable, uses packaging software.
2004: PolyBot. A derivative of AgoBot with polymorphic ability; changes the look of its code on every infection.
2005: MYTOB. My Doom mass emailing worm with bot IRC C&C.
GM
The original IRC bot (or robot user), called GM according to Wikipedia, was developed the next year, in 1989, by Greg Lindahl, an IRC server operator. This benevolent bot would play a game of Hunt the Wumpus with IRC users. The first bots were truly robot users that appeared to other IRC netizens as other users. Unlike today’s botnet clients (robots), these robots were created to help a user enjoy and manage their own IRC connections.
From this simple example, other programmers realized they could create robot users to perform many tasks currently done by humans for both users and the IRC operator, such as handling tedious 24-hour-a-day requests from many users. An important bot development was the use of bots to keep a channel open and prevent malicious users from taking over the channel when the operator was busy doing other things. In order to assist the IRC operator, bots needed to be able to operate as a channel operator. The bots had evolved from being code that helps a single user to code that manages and runs IRC channels as well as code that provides services for all users. Service is the term used for functionality that is offered by server-side bots as opposed to client-side bots. Around this time, some IRC servers and bots began offering the capability to make OS shell accounts available to users. The shell account permits users to run commands on the IRC host. Wikipedia notes that “a lot of shell providers disappear very fast because of abusive behavior of their members.”
Pretty Park
In May 1999, Pretty Park, a bot client written in Delphi, was discovered. PrettyPark, according to “The Evolution of Malicious IRC Bots,” a Symantec white paper authored by John Canavan, had several functions and concepts that are common in today’s bots, including:
■ The capability to retrieve the computer name, OS version, user information, and other basic system information.
■ The capability to search for and retrieve e-mail addresses and ICQ login names