When you think botnet, your first response is to associate them with the usual menu of attacks such as spam generation, denial of service attacks (DoS), worms, Trojans, or phishing. There are many articles that detail typical botnet usage including illegally installing adware or spyware (attackers get paid on a per-install basis), hosting fraudulent banking Websites, and extortion (attackers can either threaten to unleash a DoS on a company’s Website unless a ransom is paid or hold a company’s files hostage and threaten to destroy them).
A botnet is typically a network of hijacked computers used to conduct attacks, usually for personal gain. One of the advantages of a botnet is that it can be used in a distributed computing attack. A large problem can be broken up into smaller, more manageable parts and distributed to many computers where they work on the problem in parallel. Distributing the workload to many computers is a very effective and dangerous way of mounting attacks. And since attackers are using someone else’s bandwidth and resources, such as power consumption, it costs only pennies to mount attacks. (Incidentally,while attackers use botnets for these purposes, there are also other,less malicious, ways of employing botnets. Examples of socially beneficial botnets include volunteer-supported, distributed computing projects such as SETI@home, Folding@home, and distributed.net.)
With a conservative botnet size of say, 10,000 computers, what else can an attacker use it for? One popular approach (understandably so) is to use the botnet to make easy money. Advertising networks, such as Google Ad-Sense, pay publishers of banner ads on a per-click basis.Depending on the advertising network, prices start as low as $0.01 per click and go as high as $0.50. An attacker can unleash their botnet on a banner ad page consisting of, say, 200 ads, and at $0.01 per click they can easily make a $20,000 profit. Obviously, the larger the botnet, the larger the potential profit. Moreover, if attackers find they have more than enough bots, they can rent out their botnet on the black market for as much as five cents per bot, per hour.
Attackers can also conduct brute-force attacks to find sensitive information such as encryption keys or account information. Recently, a botnet was credited for using a brute-force attack to steal eBay accounts.Distributed computing is effective in brute-force attacks since thousands or even millions of keys can be tried at the same time. This was the method distributed.net used to crack DES-IIIin 22 hours, where thousands of volunteers downloaded software from distributed.net that ran a client server program on their computers,which connected them to distributed.net’s key server. The key server assigned blocks of DES-III keys for each computer to test if it would decrypt the contest cipher text. Due to the large number of computers working concurrently, the solution was found in less than a day.
If an attacker wants to increase the size of their botnet, they can do it the old-fashioned way by hijacking. It is much easier to quickly expand by stealing than by building up. Since some bots may be part of more than one botnet, an attacker can use that bot to try to hijack other botnets. This may be more difficult these days than in recent years as turf wars have been reported and many herders have been “securing” their botnets.
Finally, an attacker can use their botnet to influence online voting. Since each bot in the network has a unique IP address, each vote is valid. Many universities are already using e-voting to conduct student elections and earlier this year, Estonia became the first country in the world to feature a national election with online voting.The United Kingdom, France, Holland and the United States have been conducting trails for online voting. With more and more countries interested in online voting, the potential threat of manipulation is great. On a lighter note, an attacker can place a bet on who will become the next American Idol and manipulate the voting to have their contestant win. Could you imagine the cultural fallout if Sanjaya won and all the little girls mimicked his hairstyle?
Now, if botnets could only pick winning lottery numbers.