A botnet is a collection of compromised computers connected to the Internet (each compromised computer is known as a ‘bot’). When a computer is compromised by an attacker, there is often code within the malware that commands it to become part of a botnet. The “botmaster” or “bot herder” controls these compromised computers via standards-based network protocols such as IRC and HTTP.
Initially, bots (short for “robots”) were useful tools designed by computer programmers as a virtual individual that could remain idle in an IRC channel, and perform tasks during the user's absence. Soon after the release of the first IRC bot, a few worms which exploited vulnerabilities in IRC clients began to appear. Infected computers, or newly formed “bots”, were then used to steal passwords, log keystrokes, and act as a proxy server to conceal the attacker's identity.
Botnets were used for both recognition and financial gain. The larger the botnet, the more ‘kudos’ the person (‘bot herder’) orchestrating the botnet could claim in underground online communities. The bot herder can also ‘rent out’ the services of the botnet to third parties, usually for sending out spam messages or performing a denial of service attack against a remote target. Due to the large numbers of compromised machines within the botnet, huge volumes of traffic (either email or denial of service) can be generated. However, in recent times the volume of spam originating from a single compromised host has dropped in order to thwart anti-spam detection algorithms: a larger number of compromised hosts each send a smaller number of messages, so that no single host stands out.
Botnets have become a significant part of the Internet, albeit increasingly hidden. Because most conventional IRC networks now take measures to block access to previously hosted botnets, controllers must find their own servers. Often, a botnet will include a variety of connections and network types. Sometimes a controller will hide an IRC server installation on an educational or corporate site where high-speed connections can support a large number of other bots. Existing anti-virus approaches to botnets leave several such needs unaddressed.
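The IRC-based command-and-control pattern described above (many bots joining one channel and receiving the same instruction from a single controlling nick, often under machine-generated nicknames) can be spotted from network telemetry. The following is an added detection example written for this page, not code from any project the page describes; the capture format (`client_ip direction irc_line`), the nick template, and the sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample capture: "<client_ip> <direction> <raw IRC line>",
# where ">" is client-to-server and "<" is server-to-client (assumed format).
SAMPLE_CAPTURE = """\
10.0.0.11 > NICK [US|XP]-8831
10.0.0.11 > JOIN #c0ntrol
10.0.0.12 > NICK [DE|XP]-0042
10.0.0.12 > JOIN #c0ntrol
10.0.0.13 > NICK [FR|W7]-1190
10.0.0.13 > JOIN #c0ntrol
10.0.0.11 < :herder!u@h PRIVMSG #c0ntrol :!status
10.0.0.12 < :herder!u@h PRIVMSG #c0ntrol :!status
10.0.0.13 < :herder!u@h PRIVMSG #c0ntrol :!status
10.0.0.50 > NICK alice
10.0.0.50 > JOIN #linux
10.0.0.50 < :bob!u@h PRIVMSG #linux :anyone tried the new kernel?
"""

# Simplified RFC 1459 framing: ":nick!user@host PRIVMSG #chan :text"
PRIVMSG_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)\S*\s+PRIVMSG\s+(?P<chan>#\S+)\s+:(?P<text>.*)$")
# Hypothetical bot nick template such as [US|XP]-8831 (country|OS-counter).
TEMPLATE_NICK_RE = re.compile(r"^\[[A-Z]{2}\|[A-Z0-9]+\]-\d+$")

def parse_capture(text):
    """Yield (client_ip, direction, irc_line) for each non-empty capture line."""
    for raw in text.splitlines():
        raw = raw.strip()
        if raw:
            ip, direction, line = raw.split(" ", 2)
            yield ip, direction, line

def detect_cnc_channels(text, min_hosts=3):
    """Report channels where one sender's identical message reached at least
    min_hosts distinct clients: the fan-out shape of a controller commanding bots."""
    fanout = defaultdict(set)  # (channel, sender nick, text) -> client ips
    for ip, direction, line in parse_capture(text):
        m = PRIVMSG_RE.match(line) if direction == "<" else None
        if m:
            fanout[(m["chan"], m["nick"], m["text"])].add(ip)
    return {chan: {"commander": nick, "command": msg, "hosts": sorted(ips)}
            for (chan, nick, msg), ips in fanout.items() if len(ips) >= min_hosts}

def templated_nick_hosts(text):
    """Return client ips that registered a template-looking (auto-generated) nick."""
    return sorted({ip for ip, d, line in parse_capture(text)
                   if d == ">" and line.startswith("NICK ")
                   and TEMPLATE_NICK_RE.match(line[5:].strip())})

if __name__ == "__main__":
    print(detect_cnc_channels(SAMPLE_CAPTURE))
    print(templated_nick_hosts(SAMPLE_CAPTURE))
```

On the sample, only `#c0ntrol` is reported, while the ordinary `#linux` conversation with a single recipient is not; the two signals together (fan-out plus templated nicks on the same hosts) are a stronger indicator than either alone.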