The structure of a typical botnet comprises several stages. From the outset it is important to understand what is meant by an IRC client and an IRC server, as this is integral to the botnet functioning successfully. The IRC client is a program that runs on a computer and sends messages to, and receives messages from, an IRC server. The IRC server, in turn, is responsible for making sure that all messages are broadcast to everyone participating in a discussion (channel).
- Firstly, an attacker spreads a ‘trojan horse’, which infects various hosts. These hosts become ‘zombies’ that go on to connect to the IRC server in order to receive further instructions from the attacker controlling the botnet.
- Secondly, the IRC server can either be a public machine on one of the IRC networks or a dedicated server installed by the attacker on one of the compromised hosts.
- Finally, bots run on compromised computers, thus forming a botnet.
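The three-part structure above (zombies, an IRC server, a channel whose messages are broadcast to every member) is also what a defender can look for on the network. The following script is an added example and is not part of the original article: it reads a constructed sensor log of IRC messages (a hypothetical format, one line per message with source, destination and IRC command) and flags channels that many internal hosts join and in which the server delivers the same message to each of them, which is the broadcast pattern described above. The internal address ranges, the log format and the threshold are assumptions for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample sensor log (not from any real network). Each line is one
# IRC message observed on the wire: timestamp, source, destination, and the
# IRC command. Internal hosts use 10.0.0.0/8; servers use RFC 5737
# documentation addresses. The line format itself is an assumption.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z src=10.0.1.5 dst=198.51.100.7:6667 irc=JOIN #updates
2024-05-01T08:00:02Z src=10.0.1.9 dst=198.51.100.7:6667 irc=JOIN #updates
2024-05-01T08:00:02Z src=10.0.2.14 dst=198.51.100.7:6667 irc=JOIN #updates
2024-05-01T08:00:03Z src=10.0.3.22 dst=198.51.100.7:6667 irc=JOIN #updates
2024-05-01T08:00:10Z src=10.0.1.5 dst=203.0.113.4:6667 irc=JOIN #linux-help
2024-05-01T08:00:15Z src=10.0.1.5 dst=203.0.113.4:6667 irc=PRIVMSG #linux-help :how do I mount nfs?
2024-05-01T08:01:00Z src=198.51.100.7:6667 dst=10.0.1.5 irc=PRIVMSG #updates :.sync 1
2024-05-01T08:01:00Z src=198.51.100.7:6667 dst=10.0.1.9 irc=PRIVMSG #updates :.sync 1
2024-05-01T08:01:00Z src=198.51.100.7:6667 dst=10.0.2.14 irc=PRIVMSG #updates :.sync 1
2024-05-01T08:01:00Z src=198.51.100.7:6667 dst=10.0.3.22 irc=PRIVMSG #updates :.sync 1
"""

# Assumed: the address space we are responsible for. Configured explicitly
# rather than via ipaddress.is_private, which also treats RFC 5737 ranges as private.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) irc=(?P<cmd>[A-Z]+)(?: (?P<args>.*))?$"
)


def host_of(endpoint):
    """Strip an optional :port suffix, so '198.51.100.7:6667' -> '198.51.100.7'."""
    return endpoint.rsplit(":", 1)[0] if ":" in endpoint else endpoint


def is_internal(endpoint):
    """True if the endpoint's address falls inside one of INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(host_of(endpoint))
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def find_suspicious_channels(log_text, min_hosts=3):
    """Group JOINs by (server, channel) and flag channels joined by at least
    min_hosts distinct internal hosts. For each flagged channel, also report
    the largest number of those hosts that received an identical
    server-originated PRIVMSG: one message fanned out to many zombies."""
    joined = defaultdict(set)                           # (server, channel) -> {hosts}
    broadcast = defaultdict(lambda: defaultdict(set))   # (server, channel) -> text -> {hosts}

    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate unrelated or malformed sensor lines
        src, dst, cmd, args = m["src"], m["dst"], m["cmd"], m["args"] or ""
        if cmd == "JOIN" and is_internal(src):
            joined[(dst, args.strip())].add(host_of(src))
        elif cmd == "PRIVMSG" and not is_internal(src) and is_internal(dst):
            channel, _, text = args.partition(" ")
            broadcast[(src, channel)][text].add(host_of(dst))

    findings = []
    for (server, channel), hosts in sorted(joined.items()):
        if len(hosts) < min_hosts:
            continue
        texts = broadcast.get((server, channel), {})
        widest = max((len(h) for h in texts.values()), default=0)
        findings.append({
            "server": server,
            "channel": channel,
            "hosts": sorted(hosts),
            "max_hosts_receiving_same_message": widest,
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_channels(SAMPLE_LOG):
        print(f"{f['server']} {f['channel']}: {len(f['hosts'])} internal hosts joined, "
              f"{f['max_hosts_receiving_same_message']} received an identical server message")
```

Run as-is, the script reports only the `#updates` channel on 198.51.100.7: four internal hosts joined it and all four received the same server message, while the single host chatting in `#linux-help` is left alone. The threshold and the distinction between legitimate and suspect channels are necessarily site-specific; the value of the check is in surfacing the fan-out pattern for an analyst to review.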
Moreover, it is possible to analyse the creation of a botnet in terms of a series of stages:
- Creation – The creation stage is largely dependent upon the skills of the individual attacker and the requirements of the context. An attacker can decide whether to write their own bot code or simply extend or customise an existing one.
- Configuration – The configuration stage involves supplying IRC server and channel information. Once installed on the compromised machine, the bot will connect to the selected host.
- Infection – The infection stage involves using various techniques, both direct and indirect, to spread the bots.
  - Direct techniques – Direct techniques include exploiting vulnerabilities in the operating system or in services.
  - Indirect techniques – Indirect techniques employ other software to do the ‘dirty work’.
- Control – The control stage follows once the aforementioned stages are complete, providing the attacker with effective control of the compromised computer.
It is interesting to note that botnets are used on a global scale. Their existence has been documented across the United States, Europe, Russia and Ukraine, China, Korea, Japan and South America.
As alluded to at the outset, botnets act as a major source of crime on the Internet. Moreover, it has been noted that some botnet operators ‘rent’ their botnets by the hour to individuals that wish to send spam. Although Internet Service Providers have attempted to prohibit spamming, when thousands or even hundreds of thousands of machines each send five or ten pieces of spam, the spammer is able to escape notice. Furthermore, any spam that is successfully sent through a botnet is traced back to the compromised computer and not, importantly, to the individual spammer.
Another notable use of botnets is ‘click fraud’. The basis for click fraud is the simple fact that advertisers commonly pay a small fee for every click on an advertised link featured on a webpage. In light of this, a botnet operator with an advertising contract on a personal domain can send a command to the computers in the compromised network to automatically click an advertising link whenever a browser is opened. Because a botnet can be very large, click fraud poses a considerable problem for advertisers.