Productive Botnets


We all know what botnets are (think so), but anyway let’s see a proper definition of botnets taken from shadowserver… and I quote:

A botnet is a collection of computers, connected to the internet, that interact to accomplish some distributed task. Although such a collection of computers can be used for useful and constructive applications, the term botnet typically refers to such a system designed and used for illegal purposes. Such systems are composed of compromised machines that are assimilated without their owner’s knowlege.

Among the DDoS usage of botnets there are also know usages like:

Keylogging

Keylogging is perhaps the most threatening botnet feature to an individual’s privacy. Many bots listen for keyboard activity and report the keystrokes upstream to the bot herder. Some bots have builtin triggers to look for web visits to particular websites where passwords or bank account information is entered. This gives the herder unprecendented ability to gain access to personal information and accounts belonging to thousands of people.

Warez

Botnets can be used to steal, store, or propogate warez. Warez constitutes any illegally obtained and/or pirated software. Bots can search hard drives for software and licenses installed on a victims machine, and the herder can easily transfer it off for duplication and distribution. Furthermore, drones are used to archive copies of warez found from other sources. As a whole, a botnet has a great deal of storage capacity.

Spam

Botnets often are used as a mechanism of propogating spam. Compromised drones can forward spam emails or phish scams to many 3rd party victims. Furthermore, instant messaging accounts can be utilized to forward malicious links or advertisements to every contact in the victim’s address book. By spreading spam-related materials through a botnet, a herder can mitigate the threat of being caught as it is thousands of individual computers that are taking on the brunt of the dirty work.

and the one I’m gonna focus on (well, something derived from it) -> Click Fraud

Botnets can be used to engage in Click Fraud, where the bot software is used to visit web pages and automatically “click” on advertisement banners. Herders have been using this mechanism to steal large sums of money from online advertising firms that pay a small reward for each page visit. With a botnet of thousands of drones, each clicking only a few times, the returns can be quite large. Since the clicks are each coming from seperate machines scattered accross the globe, it looks like legitimate traffic to the untrained investigator.

My point is that many herders (botnet organizers) use a pretty raw Click Fraud mechanism, mainly just issue the command to the bot to retrieve the page and it’s advertisement and rebuild a query string to the advertisers website with the referer header set… as mentioned in the definition this may seem sometimes legitimate traffic to some, but big advertising companies would notice that something isn’t right, stuff like hundreds of clicks at (almost) the same time and similar scenario’s…

The new approach (better) would be to generate only website traffic at random hours because highly visited websites use pay-per-post campaigns (more info about pay-per-post)… and there are also other advertising systems like simple banner/ad placement on the website/blog and via the traffic stats you get paid…

How could botnets help? Well botnets would act as general users/viewers of the blog/website thus making legitimate traffic… masked by a randomized visit system… a general scenario:

  • the herder issues the command to visit a website
  • each bot receives the command, enters a random delay before executing it (in minutes) (ex: rand(60))
  • the bot finally executes the visit and resets the delay time before revisit adding a day to it also

A very raw implementation could be easily implemented but varying from botnets to botnets, because some botnets are simple IRC based while others not…

So many live hits and no subscribers? Nooooo, I think that netvibes got the solution to this issue…

It’s unethical… to whom?! to advertising companies only…

Posted in: Malware, Spammers & Scammers

, , , , ,


Latest Posts:


LambdaGuard - AWS Lambda Serverless Security Scanner LambdaGuard – AWS Lambda Serverless Security Scanner
LambdaGuard is a tool which allows you to visualise and audit the security of your serverless assets, an open-source AWS Lambda Serverless Security Scanner.
exe2powershell - Convert EXE to BAT Files exe2powershell – Convert EXE to BAT Files
exe2powershell is used to convert EXE to BAT files, the previously well known tool for this was exe2bat, this is a version for modern Windows.
HiddenWall - Create Hidden Kernel Modules HiddenWall – Create Hidden Kernel Modules
HiddenWall is a Linux kernel module generator used to create hidden kernel modules to protect your server from attackers.
Anteater - CI/CD Security Gate Check Framework Anteater – CI/CD Security Gate Check Framework
Anteater is a CI/CD Security Gate Check Framework to prevent the unwanted merging of filenames, binaries, deprecated functions, staging variables and more.
Stardox - Github Stargazers Information Gathering Tool Stardox – Github Stargazers Information Gathering Tool
Stardox is a Python-based GitHub stargazers information gathering tool, it scrapes Github for information and displays them in a list tree view.
ZigDiggity - ZigBee Hacking Toolkit ZigDiggity – ZigBee Hacking Toolkit
ZigDiggity a ZigBee Hacking Toolkit is a Python-based IoT (Internet of Things) penetration testing framework targeting the ZigBee smart home protocol.


5 Responses to Productive Botnets

  1. Morgan Storey September 3, 2008 at 1:18 am #

    Another one to add to the list is de-hashing and de-crypting. I have seen some tools that a hearder can deploy to their botnet from a central web server that allow distributed brute forcing and even building rainbow tables.
    It is incredible when you put this kind of computing power in the hands of essentially a skiddie, if power corrupts, and they are already corrupt then it leads to the un-thinkable. /drama

  2. backbone September 3, 2008 at 7:40 am #

    yes I’ve seen that kinds of botnets also, but they are not productive… I mean what are you going to do? sell rainbow tables ? (grin)…
    where spam, warez, click fraud and DDoS can get very profitable very fast…

  3. Morgan Storey September 4, 2008 at 12:34 am #

    They are productive, it may not be monetary, all though if you have some captured encrypted data that can be sold, decrypt it and it could be worth more than thousands of credit cards, see industrial espionage.

  4. backbone September 4, 2008 at 7:15 am #

    very true, but such scenarios may be rather rare… imho

  5. Navin September 4, 2008 at 2:58 pm #

    Nice article….some Darkhatting after a pretty long time!! :)

    Its a nice picture u’ve painted there Morgan…..think abt it….Ur own computer may be part of a system whose sole aim is to decrypt Ur own data!! Speak about Ironies!