As we end our look at the botnet ecosystem, let us reflect on what we have learned. We discussed what a botnet is, we asked whether botnets require Windows to propagate, and finally we looked at how botnets use servers of all kinds to host content and spread. There is no better way to round out our knowledge of the botnet ecosystem than to ask what the point of all this is.
In a word: money.
Botnets, as we have written numerous times, are used for a few main purposes: DDoS extortion, e-mail spam, and the spamming of Web applications. Each of these activities can be extremely lucrative on its own, but a botnet lets its operator do all of them at the same time.
A Distributed Denial of Service (DDoS) attack works like a plain DoS attack in that someone floods you with packets as fast as they can send them; the difference is that a DDoS attack comes from thousands of compromised computers at once, so it cannot be stopped by blocking a single source. Many people believe that botnets were engineered with this sole purpose in mind.
Back in 2005 we noted that most people do not realize how effective DDoS attacks can really be. Organizations that have fallen victim to an attack know firsthand how helpless they are. After a few companies learned that lesson, the word started spreading. Even recently bot herders have been demonstrating their DDoS capabilities, and there’s still some money to be made using botnets as a tool for extortion. One can only guess how many dollars companies pay each year to organized crime groups to sustain their Internet presence. The numbers, I think, would surprise us all. As lucrative as extortion may be, though, it’s a risky endeavor, and the majority of botnet usage seems to have shifted to other purposes.
According to a 2006 report by CommTouch, the global spam level increased by 30 percent. In early 2007, security company SoftScan issued a press release suggesting that a broken botnet decreased spam by a third. In August 2007, security company Sophos claimed that a 30 percent increase in spam was due to pump-and-dump stock scams. OK, everybody likes to claim a 30 percent change, but the point is that spam is ever-increasing, and botnets are the main source.
Spam certainly is profitable. Even though most people reading this cannot fathom the idea of someone clicking on links that come in spam, an extremely small percentage of spam recipients do, making unsolicited e-mail marketing an extremely profitable industry.
Web Site Spam
Botnets are being used for an illegitimate form of search engine optimization (SEO). SEO is the practice of attracting more search engine traffic to a site by making it appear to offer the most relevant content for a search engine’s users. By improving a site’s SEO, Webmasters can boost its position in search results.
As the number one search engine, Google is the target of many SEO techniques, legitimate and illegitimate, all of which are designed to increase a site’s apparent relevance to the search engine. Google’s name for the number it assigns to a page’s likely importance is “PageRank.” PageRank is computed by tallying the links from other pages on the Web to a specific page or domain, weighted by the rank of the pages doing the linking: the more (and the more reputable) inbound links a page has, the more likely Google’s search algorithms are to decide it is relevant to searchers. The words in a link, its anchor text, matter as well: the more closely they match specific keywords, the more weight Google assigns to the linked site when presenting results for those keywords. A number of links pointing to an online shoe store that include the word “shoes,” for instance, will cause Google’s search algorithms to consider that online shoe store a relevant result for users who search on the keyword “shoes.”
Botnets exploit this to “spread the word” about certain sites and boost their PageRank. Generally this is done by planting many keyword-laden inbound links on other people’s sites. If you have ever wondered why your favorite blog’s comments section is peppered with links left behind by spam bots, that is one reason: the more sites that link to a page, the higher that page is likely to appear in search engine results.
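To make the mechanism concrete, here is a toy PageRank computation over a small constructed link graph. It is an added example, not Google’s algorithm and not code from the original article: the site names, the graph, the damping factor and the textbook treatment of dangling pages are all assumptions chosen for illustration. It shows what the comment spam above buys the spammer: a target page with no inbound links ties for last place, and after three blogs are spammed into linking to it, it jumps ahead of every page except the two reputable sites that link to each other.

```python
"""Toy PageRank showing how comment-spam links inflate a target's score.

Added example, not Google's algorithm or any code from the original
article. The link graph and site names below are constructed.
"""


def pagerank(graph, damping=0.85, iterations=100):
    """Power-iteration PageRank over {page: [pages it links to]}.

    Dangling pages (no outbound links) spread their rank evenly over
    all pages, the usual textbook treatment. Returns {page: score},
    with scores summing to 1.
    """
    nodes = set(graph)
    for targets in graph.values():
        nodes.update(targets)
    nodes = sorted(nodes)
    n = len(nodes)
    rank = {v: 1.0 / n for v in nodes}
    for _ in range(iterations):
        new = {v: (1.0 - damping) / n for v in nodes}
        for v in nodes:
            out = graph.get(v, [])
            if not out:
                for w in nodes:
                    new[w] += damping * rank[v] / n
            else:
                share = damping * rank[v] / len(out)
                for w in out:
                    new[w] += share
        rank = new
    return rank


# Constructed "clean" web: two reputable sites link to each other and
# three blogs link to them. The pharmacy site has no inbound links.
CLEAN_WEB = {
    "wiki": ["medsite"],
    "medsite": ["wiki"],
    "blog1": ["wiki"],
    "blog2": ["wiki"],
    "blog3": ["medsite"],
    "pharmacy": [],
}


def inject_comment_spam(graph, target, victims):
    """Return a copy of the graph in which every victim page also links
    to the target, modelling spam comments left behind by bots."""
    spammed = {page: list(links) for page, links in graph.items()}
    for v in victims:
        if target not in spammed[v]:
            spammed[v].append(target)
    return spammed


def link_spam_effect(target="pharmacy", victims=("blog1", "blog2", "blog3")):
    """Compare the target's score and position before and after the spam."""
    before = pagerank(CLEAN_WEB)
    after = pagerank(inject_comment_spam(CLEAN_WEB, target, victims))
    # sorted() is stable, so pages with equal scores keep their order
    order_before = sorted(before, key=before.get, reverse=True)
    order_after = sorted(after, key=after.get, reverse=True)
    return {
        "before": before[target],
        "after": after[target],
        "position_before": order_before.index(target) + 1,
        "position_after": order_after.index(target) + 1,
    }


if __name__ == "__main__":
    for key, value in link_spam_effect().items():
        print(f"{key}: {value}")
```

Note that the blogs themselves gain nothing from hosting the links; their own scores stay at the floor, because nobody links to them. The whole benefit flows to the spammer’s target, which is why the spammer does not care whose site hosts the comment.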
Botnets or their operators also create seemingly innocuous blogs and Web pages to boost the inbound links to their malicious sites. Very recently, Sunbelt Security identified a number of blogs on Google’s own Blogger service that included search engine-friendly phrases linking to sites with malicious content. Those sites claimed to offer multimedia files that required users to download a codec to view the content. The “codec” was actually a Trojan horse that installed a variant of Zlob. Yes, botnets use botnets to spread.
We have seen malware hosted on compromised Web sites before. It is generally trying to exploit some browser vulnerability, which means it must attract visitors to itself, so using SEO to attract victims is a logical technique. But SEO is, of course, a big business in its own right. Companies pay top dollar to analysts who spend their time figuring out how and why a visitor arrives at a site. Bot herders have figured out a few tricks, including the creation of bogus blogs, to quickly push their Web site of choice to the top of search engine results. Whether it is a phishing site trying to con people into entering personal information, or a “legitimate” business trying to sell drugs, botnets are very useful in gaining visibility for these operations. People who run questionable businesses will pay top dollar to bot herders who can increase their sales. That is what spam is all about, and manipulating search engine ranking is just as powerful.
Vulnerable PHP applications, especially popular CMS and blogging software, are exploited en masse at regular intervals. As soon as a new vulnerability is discovered, nearly every instance of the application on the Internet seems to sprout a new page chock full of links. Universities, and .edu sites in general, are a prime target: Google ranks content from them higher in search results, so a university Web page full of links to pharmaceutical dealers does wonders for the visibility of the sites it links to.
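A defender’s first question after reading this is how to tell, on a site they run, that one of these injected link pages has appeared. The following script is an added example, not code from the original article or from any product it mentions. It parses a page’s HTML with Python’s standard library and scores it by the number of links to external hosts, how many of those carry pharmacy-style anchor text, and how many sit inside containers styled as invisible, which is how injected link blocks are usually kept out of sight of the page’s legitimate readers. The keyword list, the weights, the threshold, and the two sample pages (a clean departmental page and the same page with a hidden block of pharmacy links appended) are constructed assumptions for illustration.

```python
"""Flag pages that look like injected pharmacy link farms.

Added example, not from the original article. The HTML samples,
keyword list, weights and threshold are constructed assumptions.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Anchor-text terms typical of the pharmaceutical spam described in
# the article; a real deployment would maintain a longer, tuned list.
SPAM_TERMS = ("viagra", "viagara", "cialis", "pharmacy", "no prescription")


class LinkCollector(HTMLParser):
    """Collect href, anchor text and hidden-ness for every <a> on a page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None
        self._stack = []  # (tag, hidden?) for open elements

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        style = (attrs.get("style") or "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        self._stack.append((tag, hidden))
        if tag == "a":
            self._current = {
                "href": attrs.get("href") or "",
                "text": "",
                # hidden if this link or any enclosing element is hidden
                "hidden": any(h for _, h in self._stack),
            }

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(self._current)
            self._current = None
        # pop back to the matching open tag; tolerates unclosed tags
        for i in range(len(self._stack) - 1, -1, -1):
            if self._stack[i][0] == tag:
                del self._stack[i:]
                break


def score_page(html, site_host):
    """Return (score, details) for a page served from site_host.

    Links whose host is site_host are internal and ignored. Many
    external links alone is weak evidence; keyword-laden anchor text
    and hidden links are strong evidence, so they are weighted more.
    """
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    external = []
    for link in parser.links:
        host = urlparse(link["href"]).hostname or ""
        if host and host != site_host:
            external.append(link)
    spam_text = [l for l in external
                 if any(t in l["text"].lower() for t in SPAM_TERMS)]
    hidden = [l for l in external if l["hidden"]]
    details = {
        "external_links": len(external),
        "spam_anchor_text": len(spam_text),
        "hidden_links": len(hidden),
    }
    score = len(external) + 3 * len(spam_text) + 5 * len(hidden)
    return score, details


def is_link_farm(html, site_host, threshold=20):
    """True when the page's score reaches the (assumed) threshold."""
    return score_page(html, site_host)[0] >= threshold


# Constructed sample: a clean departmental page, then the same page with
# a hidden block of ten pharmacy links appended, as an injection would.
CLEAN_PAGE = """<html><body>
<h1>Department of Chemistry</h1>
<p>See the <a href="https://www.example.edu/courses">course list</a> and
our partner lab at <a href="https://lab.example.org/">Example Lab</a>.</p>
</body></html>"""

INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<div style="display: none">'
    + "".join(f'<a href="http://pills{i}.example.net/">'
              "cheap viagra no prescription</a> " for i in range(10))
    + "</div></body>",
)

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        score, details = score_page(page, "www.example.edu")
        print(name, score, details, "FLAGGED" if score >= 20 else "ok")
```

Run against a site, this is the kind of check you would apply to every page whose modification time is newer than your last deployment; a compromised CMS that suddenly has pages scoring in the tens where the rest of the site scores in the low single digits is exactly the symptom described above.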
You don’t have to look hard to see the effect of botnet SEO on Google itself. Just now, a search for the mildly misspelled “Viagara” in Google yields as the first result a shady-looking Web site that offers to sell it to you without a prescription. One might think that the first search result would be a Wikipedia article, or perhaps some medical information site, but nearly the entire first page of search results consists of Web sites offering to sell the drug. Some may be legitimate (as much as a site can be when it is illegally selling drugs), and some may simply be harvesting credit card information.
In a few short years we have seen botnets evolve from spam-generating, DDoS-spewing simpletons into highly evolved ecosystems. We keep coming up with new ways to block their communication channels, so they evolve. The botnet of today was built with high availability in mind, and it can change at the push of a button. Because of the variety of methods they employ to compromise servers and clients alike, they have proven they will not be easily stopped.
And while the sheer numbers of botnet zombies seem unwieldy, bot herders remain in control of their creations, perfecting their attacks.