A robot network or “botnet” is a collection of compromised computers connected to the Internet that are used for malicious purposes. When a computer is compromised by bot software, it becomes part of a botnet. Typically, the owners of these compromised computers (also called robots or “bots”) are unaware that they have been compromised, and the computers are often used to forward transmissions, including spam or viruses, to other computers on the Internet.
A bot is often delivered to the victim through an Internet port that has been left open, through which a small Trojan horse program is planted for later activation. At a time of its choosing, the botnet “controller” can unleash the army by sending a single command, often over an Internet Relay Chat (IRC) channel.
The computers that form a botnet can be programmed to direct transmissions at a single target, such as a Web site that is taken offline because it is forced to handle more traffic than it can serve (a distributed denial-of-service, or DDoS, attack), or, in the case of spam distribution, at many recipients at once. The motivation for a botnet controller who mounts a DDoS attack may be to cripple a competitor. The motivation for a botnet controller sending spam is the money to be made. Both rely on unprotected computers that can be turned into bots.
Botnets can be difficult to detect and block. One technique commonly used is to set up a honeypot. A honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a production network but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers. Attracted by the apparently valuable resource or by the apparent weaknesses of the system, attackers may launch attacks against the honeypot, where the malicious content, such as executable bot clients, can be captured. The captured bot client can then be reverse engineered or emulated in the isolated environment to determine how it works, and a removal tool can be produced from that analysis. This process, however, takes time and is highly dependent on how effective the honeypot is in luring the malware source.
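The detection problem described above, together with the IRC command fan-out described earlier, can be illustrated with a small heuristic over IRC session records. The following Python script is an added example and is not part of the original text or of any system it describes. It assumes a sensor that records, per client host, the IRC messages it sends (“>”) and receives (“<”); the sample log, the machine-generated nick pattern (e.g. [USA|XP]-482391), and the “.verb” command syntax are all constructed for the example rather than taken from any particular bot family.

```python
"""Flag IRC-controlled bot candidates: hosts that join the same channel and
receive the same command-style message from the channel (constructed example)."""
import re
from collections import defaultdict

# Constructed sample: (client_ip, direction, raw IRC line) as a monitoring sensor
# might record them. ">" = sent by the client, "<" = received by the client.
SAMPLE_LOG = [
    ("10.0.0.5",  ">", "NICK [USA|XP]-482391"),
    ("10.0.0.5",  ">", "JOIN #ch4nn3l k3y"),
    ("10.0.0.5",  "<", ":herder!h@x PRIVMSG #ch4nn3l :.ddos.syn 203.0.113.7 80 600"),
    ("10.0.0.9",  ">", "NICK [DEU|XP]-773201"),
    ("10.0.0.9",  ">", "JOIN #ch4nn3l k3y"),
    ("10.0.0.9",  "<", ":herder!h@x PRIVMSG #ch4nn3l :.ddos.syn 203.0.113.7 80 600"),
    ("10.0.0.12", ">", "NICK alice"),
    ("10.0.0.12", ">", "JOIN #linux"),
    ("10.0.0.12", "<", ":bob!b@c PRIVMSG #linux :anyone tried the new kernel?"),
]

# IRC JOIN and channel PRIVMSG, per RFC 1459 framing (channel names start with # or &).
JOIN_RE = re.compile(r"^JOIN\s+(?P<chan>[#&][^\s,]+)")
PRIVMSG_RE = re.compile(r"^:(?P<src>\S+)\s+PRIVMSG\s+(?P<chan>[#&]\S+)\s+:(?P<text>.*)$")
# Assumed bot command syntax: a leading "." or "!" and a dotted verb, e.g. ".ddos.syn".
BOT_CMD_RE = re.compile(r"^[.!][A-Za-z][\w.]*(\s|$)")
# Assumed machine-generated nick pattern, e.g. [USA|XP]-482391 (hypothetical).
BOT_NICK_RE = re.compile(r"^NICK\s+\[[A-Z]{2,3}\|[A-Za-z0-9]+\]-\d+$")


def parse_sessions(log):
    """Per host: whether its nick looks generated, channels joined, and
    command-style messages received per channel."""
    hosts = defaultdict(lambda: {"bot_nick": False, "channels": set(),
                                 "commands": defaultdict(set)})
    for ip, direction, msg in log:
        h = hosts[ip]
        if direction == ">":
            if BOT_NICK_RE.match(msg):
                h["bot_nick"] = True
            m = JOIN_RE.match(msg)
            if m:
                h["channels"].add(m.group("chan").lower())
        else:
            m = PRIVMSG_RE.match(msg)
            if m and BOT_CMD_RE.match(m.group("text")):
                h["commands"][m.group("chan").lower()].add(m.group("text"))
    return hosts


def find_bot_candidates(log, min_hosts=2):
    """Return {channel: {"hosts", "commands", "bot_nicks"}} for channels in which
    at least min_hosts distinct hosts joined and received an identical command.
    A single command fanning out to many hosts is the signature of C&C traffic."""
    hosts = parse_sessions(log)
    by_channel = defaultdict(lambda: defaultdict(set))  # chan -> cmd -> {ip}
    for ip, h in hosts.items():
        for chan, cmds in h["commands"].items():
            if chan in h["channels"]:  # only count commands on a channel the host joined
                for cmd in cmds:
                    by_channel[chan][cmd].add(ip)
    result = {}
    for chan, cmds in by_channel.items():
        fanned = {cmd: ips for cmd, ips in cmds.items() if len(ips) >= min_hosts}
        if not fanned:
            continue
        ips = set().union(*fanned.values())
        result[chan] = {
            "hosts": sorted(ips),
            "commands": sorted(fanned),
            "bot_nicks": sorted(ip for ip in ips if hosts[ip]["bot_nick"]),
        }
    return result


if __name__ == "__main__":
    for chan, info in find_bot_candidates(SAMPLE_LOG).items():
        print(chan, info)
```

The rule deliberately requires both a channel join and an identical command seen by several hosts: a single host receiving a “.”-prefixed line is weak evidence, but the same line reaching many hosts on one channel is the fan-out a controller needs to launch a DDoS or spam run. Raising min_hosts trades sensitivity for fewer false positives on ordinary chat channels such as #linux in the sample.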
What is needed is a solution that improves upon prior art systems.