Bots and Botnets – The Automation of Computer Network Attack

Bot networks aggregate computers that have been compromised with trojans, allowing them to be remotely controlled by hackers. In the past year, the proliferation of e-mail borne viruses and auto-downloading trojans has dramatically increased the number and size of botnets, which now have economic value as Spam engines and tools in DDoS blackmail schemes. Compromised "zombie" machines were recently found on the networks of the U.S. Defense Department and Senate.

IRC (Internet Relay Chat) is a live chat system that allows users to create private discussion rooms. While IRC has a lengthy history of legitimate use, it is also a medium for discreet communication between hackers. In February the FBI shut down a large IRC provider, Ohio-based CIT/Foonet, saying it was operating a DDoS-for-hire scam. CIT operator Jay Echouafni is now a fugitive, charged with paying hackers to use botnets of between 5,000 and 10,000 hosts to launch crippling digital attacks on the websites of business rivals.

The CIT case demonstrates the difficulty of defending against DDoS attacks from huge botnets. One of the victims, WeaKnees.com, shifted its hosting to Rackspace, which has touted its ability to defend against DDoS attacks. The attackers subsequently changed tactics and launched an attack that kept WeaKnees offline for two weeks, according to affidavits filed with the court case.

This presentation explores the history of IRC "bots" and bot networks, their development, and current feature set. Dave will discuss how botnets are set up and used in computer network attack, illustrating the concepts from news articles, contents of compromised hosts, and samples of real network traffic.

David Dittrich is an Information Assurance Researcher for the Information School at the University of Washington and the University of Washington Center for Information Assurance and Cybersecurity (designed by the NSA as a Center of Academic Excellence in Information Assurance Education). He is also a member of the Honeynet Project and Seattle's "agora" security group. Dave is most widely known for his research into Distributed Denial of Service (DDoS) attack tools and host & network forensics. He has presented talks and courses at dozens of computer security conferences, workshops, and government/private organizations world wide.