Bot Nets Aim For ID Theft, Spyware Installs: Report

At least a million computers around the world host bot software unwittingly and are controlled by individuals or groups using these "bot nets" to steal identities and install and distribute spyware, according to a new report by the Honeynet Project.

The March 13 report said that combinations of the functionalities in these bot nets can be used for large-scale identity theft, phishing, or spyware. According to report co-author Thorsten Holz, typical bots are tied to ten thousand computers at a time, use Internet Relay Chat (IRC) and similar networks for command and control, and have a plugin architecture that allows new features to be added quickly.

Holz and other researchers have tapped into over a hundred such bot nets since the summer of 2004; some had over 50,000 computers each and were used for denial-of-service attacks as well as ID theft and adware/spyware installation.

"Our research shows that some attackers are highly skilled and organized, potentially belonging to some well-organized crime structures," Holz said in the report. "Even in unskilled hands, it should be obvious that bot nets are a loaded and powerful weapon."

It’s believed that last summer's outage at Akamai Technologies, an Internet service provider, was caused by a bot net onslaught. Since then, Holz told reporters, bot nets have added other mischief to their repertoires aside from that described above—including stealing player character items, dropping them at predetermined cyberspace locations, and trying to sell them on eBay.

Holz said bot nets could move to the peer-to-peer world in the near future, since those communications are hard to intercept and close down. There is a concurrent trend toward smaller numbers of computers in a bot net, which he said could make them harder to detect but just as damaging as the larger networks.

"Since the people who run botnets often share the same motives (DDoS attacks or other crimes) every bot family has its own set of commands to implement the same goals," said the Honeynet Project white paper. "Agobot is really nice here: Just (grab) the source for RegisterCommand and get the whole command-list with a complete description of all features. Due to the lack of clean design, the whole SDBot family is harder to analyze."

The Akamai takedown last year made Honeynet and other bot net watchers sensitive to possible large-value disruption or destruction, though Honeynet said no bot net attacks against government or military institutions had been detected as of this writing. "(T)ime will tell," Honeynet warned, "if this persists."