Navigation



Productive Botnets

Last updated: September 9, 2015 | 3,812 views

We all know what botnets are (think so), but anyway let’s see a proper definition of botnets taken from shadowserver… and I quote:

A botnet is a collection of computers, connected to the internet, that interact to accomplish some distributed task. Although such a collection of computers can be used for useful and constructive applications, the term botnet typically refers to such a system designed and used for illegal purposes. Such systems are composed of compromised machines that are assimilated without their owner’s knowlege.

Among the DDoS usage of botnets there are also know usages like:

Keylogging

Keylogging is perhaps the most threatening botnet feature to an individual’s privacy. Many bots listen for keyboard activity and report the keystrokes upstream to the bot herder. Some bots have builtin triggers to look for web visits to particular websites where passwords or bank account information is entered. This gives the herder unprecendented ability to gain access to personal information and accounts belonging to thousands of people.

Warez

Botnets can be used to steal, store, or propogate warez. Warez constitutes any illegally obtained and/or pirated software. Bots can search hard drives for software and licenses installed on a victims machine, and the herder can easily transfer it off for duplication and distribution. Furthermore, drones are used to archive copies of warez found from other sources. As a whole, a botnet has a great deal of storage capacity.

Spam

Botnets often are used as a mechanism of propogating spam. Compromised drones can forward spam emails or phish scams to many 3rd party victims. Furthermore, instant messaging accounts can be utilized to forward malicious links or advertisements to every contact in the victim’s address book. By spreading spam-related materials through a botnet, a herder can mitigate the threat of being caught as it is thousands of individual computers that are taking on the brunt of the dirty work.

and the one I’m gonna focus on (well, something derived from it) -> Click Fraud

Botnets can be used to engage in Click Fraud, where the bot software is used to visit web pages and automatically “click” on advertisement banners. Herders have been using this mechanism to steal large sums of money from online advertising firms that pay a small reward for each page visit. With a botnet of thousands of drones, each clicking only a few times, the returns can be quite large. Since the clicks are each coming from seperate machines scattered accross the globe, it looks like legitimate traffic to the untrained investigator.

My point is that many herders (botnet organizers) use a pretty raw Click Fraud mechanism, mainly just issue the command to the bot to retrieve the page and it’s advertisement and rebuild a query string to the advertisers website with the referer header set… as mentioned in the definition this may seem sometimes legitimate traffic to some, but big advertising companies would notice that something isn’t right, stuff like hundreds of clicks at (almost) the same time and similar scenario’s…

The new approach (better) would be to generate only website traffic at random hours because highly visited websites use pay-per-post campaigns (more info about pay-per-post)… and there are also other advertising systems like simple banner/ad placement on the website/blog and via the traffic stats you get paid…

How could botnets help? Well botnets would act as general users/viewers of the blog/website thus making legitimate traffic… masked by a randomized visit system… a general scenario:

  • the herder issues the command to visit a website
  • each bot receives the command, enters a random delay before executing it (in minutes) (ex: rand(60))
  • the bot finally executes the visit and resets the delay time before revisit adding a day to it also

A very raw implementation could be easily implemented but varying from botnets to botnets, because some botnets are simple IRC based while others not…

So many live hits and no subscribers? Nooooo, I think that netvibes got the solution to this issue…

It’s unethical… to whom?! to advertising companies only…

Share
Tweet
Share
Buffer
WhatsApp
Email
0 Shares
Posted in: Malware, Spammers & Scammers

, , , , ,


Latest Posts:


Aclpwn.Py - Exploit ACL Based Privilege Escalation Paths in Active Directory Aclpwn.Py – Exploit ACL Based Privilege Escalation Paths in Active Directory
Aclpwn.py is a tool that interacts with BloodHound< to identify and exploit ACL based privilege escalation paths.
July 7, 2021 - 72 Shares
Vulhub - Pre-Built Vulnerable Docker Environments For Learning To Hack Vulhub – Pre-Built Vulnerable Docker Environments For Learning To Hack
Vulhub is an open-source collection of pre-built vulnerable docker environments for learning to hack. No pre-existing knowledge of docker is required, just execute two simple commands.
May 27, 2021 - 213 Shares
LibInjection - Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) LibInjection – Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS)
LibInjection is a C library to Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) through lexical analysis of real-world Attacks.
May 7, 2021 - 93 Shares
Grype - Vulnerability Scanner For Container Images & Filesystems Grype – Vulnerability Scanner For Container Images & Filesystems
Grype is a vulnerability scanner for container images and filesystems with an easy to install binary that supports the packages for most major *nix based OS.
April 19, 2021 - 203 Shares
APT-Hunter - Threat Hunting Tool via Windows Event Log APT-Hunter – Threat Hunting Tool via Windows Event Log
APT-Hunter is a threat hunting tool for windows event logs made from the perspective of the purple team mindset to provide detection for APT movements hidden in the sea of windows event logs.
March 5, 2021 - 229 Shares
GitLab Watchman - Audit Gitlab For Sensitive Data & Credentials GitLab Watchman – Audit Gitlab For Sensitive Data & Credentials
GitLab Watchman is an app that uses the GitLab API to audit GitLab for sensitive data and credentials exposed internally, this includes code, commits, wikis etc
February 3, 2021 - 157 Shares


5 Responses to Productive Botnets

  1. Morgan Storey September 3, 2008 at 1:18 am #

    Another one to add to the list is de-hashing and de-crypting. I have seen some tools that a hearder can deploy to their botnet from a central web server that allow distributed brute forcing and even building rainbow tables.
    It is incredible when you put this kind of computing power in the hands of essentially a skiddie, if power corrupts, and they are already corrupt then it leads to the un-thinkable. /drama

  2. backbone September 3, 2008 at 7:40 am #

    yes I’ve seen that kinds of botnets also, but they are not productive… I mean what are you going to do? sell rainbow tables ? (grin)…
    where spam, warez, click fraud and DDoS can get very profitable very fast…

  3. Morgan Storey September 4, 2008 at 12:34 am #

    They are productive, it may not be monetary, all though if you have some captured encrypted data that can be sold, decrypt it and it could be worth more than thousands of credit cards, see industrial espionage.

  4. backbone September 4, 2008 at 7:15 am #

    very true, but such scenarios may be rather rare… imho

  5. Navin September 4, 2008 at 2:58 pm #

    Nice article….some Darkhatting after a pretty long time!! :)

    Its a nice picture u’ve painted there Morgan…..think abt it….Ur own computer may be part of a system whose sole aim is to decrypt Ur own data!! Speak about Ironies!