The Botnet Ecosystem: Why it Exists
As the botnet series draws to a close, let us reflect on what we have learned. We discussed what a botnet is, botnet operational tactics in "Do Botnets Needs Windows?", and finally how botnets use servers of all kinds to host content and fan out. There's no better way to round out our knowledge of the Botnet Ecosystem than to try to figure out what the point of all this is.
In a word: money. Botnets, as we've written about numerous times, are used for a few main purposes: DDoS blackmail, e-mail spam, and the spamming of Web applications. Each of these activities can be extremely lucrative on its own, but a botnet enables all of the above at the same time.
A Distributed Denial of Service (DDoS) attack works like a plain DoS attack, in that someone is simply sending you packets faster than you can absorb them, but a DDoS attack comes from thousands of computers at once, so there is no single source to filter or take down. Many people believe that botnets were engineered with this sole purpose in mind.
Back in 2005 we wrote about how most people do not realize how effective DDoS attacks really are. Companies that have fallen victim to an attack know firsthand how helpless they are, and the word has spread. Bot herders have been demonstrating their DDoS capabilities, even recently, and there's still money to be made. One can only imagine how many dollars companies pay each year to organized crime groups to keep their Internet presence online. The numbers, I think, would surprise us all.
Fortunately for the rest of us, blackmailing companies is risky for the attacker. There's no doubt it still happens, but the majority of botnet usage seems to have shifted.
The global spam level increased by 30% in 2006. Taking down a single botnet in 2007 supposedly decreased spam by a third. In August 2007 we saw another 30% increase in spam due to pump-and-dump stock scams. OK, everybody likes to claim a 30% change, but the point is that spam is ever increasing, and botnets are its main source.
Spam certainly is profitable, even though most people reading this cannot fathom the idea of someone clicking on links that arrive in spam. Only an extremely small percentage do, but with the sender paying almost nothing per message, that is still enough to make unsolicited e-mail marketing an extremely profitable industry.
Web Site Spam
Botnets are being used to manipulate SEO, or Search Engine Optimization. Legitimate SEO is used to attract higher-quality, relevant traffic to a site; in short, to earn a better page ranking and therefore a higher position in Google search results.
Botnets are used to "spread the word" about certain sites and boost their page rankings. In an almost organic fashion, botnets use SEO to push malware to the top of search results. Very recently, tons of blogs were created stuffed with search-engine-friendly phrases that lead people to malicious sites. These sites ask you to download a "codec" to view the content, which is actually a ZLOB trojan variant. Yes, botnets use botnets to spread.
We have seen malware hosted on compromised Web sites before; this is nothing new. It is generally trying to exploit some browser vulnerability, which means it must attract visitors to itself. To make a new evil site appear in search results, a botnet must first make the site look relevant to Google. Generally this is done by creating tons of links to it from pages carrying the appropriate keywords in their anchor text and metadata. Once it has done so successfully, the botnet naturally begins to expand.
Botnet Web site spam is used for more than just self-replication, though. SEO is, of course, big business. Companies pay top dollar to Web analysts who spend their time figuring out how visitors arrived at a site, among other things. Bot herders have figured out a few tricks, like the blog-creation one above, to quickly get their Web site of choice highly ranked in the search engines.
Whether it's a phishing site trying to con people into entering private information, or a "legitimate" business trying to sell drugs, botnets are very useful in gaining these operations visibility. Vulnerable PHP applications, especially the popular CMSes and blogs, get exploited en masse at regular intervals. As soon as a new vulnerability is discovered, nearly every instance of the application on the Internet seems to sprout a new page chock full of links.
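The link farms and the link-stuffed pages on mass-exploited CMSes described above can be spotted on a server you administer with a small scan. The script below is added here as an example; it is not code from this post or from any product it mentions. It parses a page with Python's standard-library HTML parser, counts outbound anchors, notes which of them sit inside an element hidden by inline CSS, and matches target hostnames and anchor text against a short pharmacy/gambling word list. The word list, the thresholds, the `.example` hostnames and the two sample pages are all constructed for illustration; tune them to what actually turns up on your own site.

```python
"""Flag HTML pages that carry injected SEO link spam.

Added example, not code from the original post. Assumption (illustrative):
injected spam is a dense run of outbound anchors, often inside an element
hidden with inline CSS, whose hosts or anchor text use pharmacy/gambling terms.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SPAM_TERMS = ("viagra", "cialis", "pharmacy", "casino", "payday", "replica")
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px", re.I)
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "param", "source", "track", "wbr"}


class LinkCollector(HTMLParser):
    """Collect (href, anchor text, hidden?) for every <a>, tracking CSS-hidden ancestors."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._stack = []      # (tag, hidden) for each open element
        self._anchor = None   # [href, text parts] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return            # void elements have no subtree to track
        a = dict(attrs)
        hidden = bool(HIDDEN_STYLE.search(a.get("style") or ""))
        self._stack.append((tag, hidden))
        if tag == "a" and a.get("href"):
            self._anchor = [a["href"], []]

    def handle_data(self, data):
        if self._anchor is not None:
            self._anchor[1].append(data)

    def handle_endtag(self, tag):
        if tag in VOID:
            return
        if tag == "a" and self._anchor is not None:
            href, parts = self._anchor
            hidden = any(h for _, h in self._stack)   # any hidden ancestor (or the <a> itself)
            self.links.append((href, "".join(parts).strip(), hidden))
            self._anchor = None
        # Pop back to the matching open tag; tolerate sloppy markup.
        for i in range(len(self._stack) - 1, -1, -1):
            if self._stack[i][0] == tag:
                del self._stack[i:]
                break


def analyse(html, own_host):
    """Count outbound links, how many are CSS-hidden, and how many hit spam terms."""
    p = LinkCollector()
    p.feed(html)
    p.close()
    own_host = own_host.lower()
    report = {"outbound": 0, "hidden_outbound": 0, "spam_terms": 0}
    for href, text, hidden in p.links:
        host = (urlparse(href).hostname or "").lower()
        if not host or host == own_host or host.endswith("." + own_host):
            continue                      # relative or same-site link
        report["outbound"] += 1
        report["hidden_outbound"] += hidden
        if any(t in host or t in text.lower() for t in SPAM_TERMS):
            report["spam_terms"] += 1
    return report


def is_link_spam(report, min_hidden=5, min_spam=3):
    """Illustrative thresholds: a handful of hidden or pharma links is enough to look at a page."""
    return report["hidden_outbound"] >= min_hidden or report["spam_terms"] >= min_spam


# Constructed sample pages (not real sites): a clean department page, and the
# same page with a link block pushed off-screen, as a compromised CMS might serve.
CLEAN_PAGE = """<html><head><title>Department of Chemistry</title></head><body>
<a href="/courses">Courses</a> <a href="http://www.example.edu/people">People</a>
<p>See also <a href="https://en.wikipedia.org/wiki/Chemistry">Wikipedia</a>.</p>
<img src="logo.png"><br></body></html>"""
SPAM_BLOCK = '<div style="position:absolute; left:-5000px">' + "".join(
    f'<a href="http://{w}-online-{i}.example/">cheap {w}</a> '
    for i in range(3) for w in ("viagra", "cialis", "casino")) + "</div>"
INJECTED_PAGE = CLEAN_PAGE.replace("</body>", SPAM_BLOCK + "</body>")

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        r = analyse(page, "www.example.edu")
        print(label, r, "SPAM" if is_link_spam(r) else "ok")
```

To run this over a live document root, wrap `analyse` in an `os.walk` over your `.html`/`.php` files and diff the reports against a known-good crawl; the interesting signal is a sudden jump in hidden outbound links on pages that previously had none, which is exactly what a mass CMS exploit leaves behind.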
Universities, and all .edu sites, are a prime target. Google ranks content from them higher in search results, so a Web page full of links to pharmaceutical dealers does wonders for their search engine visibility. Just now, a search for "Viagra" in Google yields as the first result a shady-looking Web site that offers to sell it to you without a prescription. You'd think that the first search result would be a Wikipedia article, or perhaps some medical information site. Nearly the entire first page of search results is some Web site offering to sell you the drug. Some may be legitimate (as much as you can be, illegally selling drugs), and some may just be harvesting credit card numbers.
People who run questionable businesses will pay top dollar to bot herders who can increase their sales. That's what spam is all about, and manipulating search engine rankings is just as powerful.
Botnets are capable of so much. In a few short years we've seen them evolve from spam-generating, DDoS-spewing simpletons into highly evolved ecosystems. They can have a tremendous impact on search engine results via various convoluted methods, exploit new machines and grow organically, and, most importantly, botnets cannot be stopped.
We keep coming up with new ways to block their communication channels, so they evolve. The botnet of today was built with high availability in mind, and it can evolve at the push of a button. While their fan-out seems unwieldy, the bot herders still control today's botnet functionality. I'm not looking forward to the day they start making decisions on their own. Do not laugh; some innocuous-seeming self-survival code change (e.g. making decisions about which exploits to run), quickly spreading to millions of bot clients which upgrade themselves instantly, may be the undoing of the Internet, or worse.