Botnet, the virus that kills the web

March 4, 2012
by Maurizio Agazzi

Botnet is malware with a head that is both intelligent and adaptive. It is remote controlled through a Distributed Command Control Machine (DCCM) by the botmaster. This malware may be compared to a cybernetic missile that has more than one module that are capable of killing the websites it targets.

BOTNET, THE VIRUS THAT KILLS THE WEB. The botnet malware may be compared to a cybernetic missile with more than one module. (1)The “pave tacker” guides the bot and selectively searches out its prey based on the desired payback. (2)The targeting system is adaptive. (3)Once it has penetrated the server, the bot-vector composes itself, based on the context that it finds, by downloading specialised virus modules from the Internet. (4)The intelligent robot, which resides in the head of the bot, explores the system, identifies and uses the vulnerabilities it finds that have not yet been noted (zero-day). (5)The bot then downloads more viruses from the Internet, disabling the defences erected by the antivirus and firewall. (6)Here, the bot opens backdoors by using socket connections. (7)The payload is then downloaded, this last being an arsenal of viruses. (8) The bot then scans the system so that it can then infect other systems.

The “pave tacker” is what guides the bot and selectively searches out its prey based on the desired payback. So, if the criminal organisation wants to clone credit cards, the pave tacker targets users that buy and sell online, while the bot targets remote banking users in the event that the criminal organisation is looking for online accounts to move and launder dirty money. That doesn’t mean, however, there can’t be multiple targets or that the bot won’t be subsequently populated with new objectives. It may even occur that an alliance between criminal cyber organisations leads to a condition where the botnet is shared. In alliances of this type, the payload of the bot is made up of dozens of viruses specialised in various activities, including the theft of credit cards, the extraction of sensitive data, identity theft, password theft, and email theft. Some groups of hackers load the modules necessary to unleash a DDOS storm in the payload of the bot. The DDOS, of Distributed Denial-of-Service, is a strategy to deny access to specific targeted sites and is used by criminal and terrorist organisations. A DDOS attack may act as a diversion to hide other more important actions. It so happens that in cyberspace just like in the real world, in a cyber-war just like in war, the enemy of your enemy becomes your ally through an alliance constituted with P2P (peer-to-peer) networking via socket connections. When the payback is interesting, the alliances formed between groups of hackers help to write off the production costs of the bot, and the botnet evolves more rapidly thus increasing the threat levels in cyberspace.


Once it has penetrated the server, the vector of the bot automatically assembles itself by downloading modules of specialised viruses from the Internet according to the context in which it finds itself. The intelligent robot that is placed in the head of the bot first explores the system, then by exploiting vulnerabilities in the system that have not yet been detected (zero-day) it downloads more viruses from the Internet. Once it has done this, the bot disables the defences of the anti-virus and the firewall, opening the backdoor. The launch of the bot-vector, however, is not an end in an of itself; the payload is then unleashed on the target with an entire arsenal of viruses. Lastly, the bot scans the system to search for new servers to infect.


The Internet, with over a billion users, offers the bot-master an incredibly elevated number of servers that are active 24-7. Once they have been recruited, the servers, unbeknownst to the system administrator, are methodically specialised. The particularly reduced dimensions of the “warhead” and the encryption of the bot practically render it invisible to the protection systems that are in place (anti-viruses and firewalls). But it is the gap that exists between the attackers and the defenders that makes the difference. The criminal cyber organisations have exploited the rapid evolution of their sort, which has also been bolstered by the growing demand in the illegal economy and underground world of the Internet. The business companies that produce IT security have essentially been suffocated by a system of laws created to protect the patent-office and copyrights, the budgets of which suffer from the costly and extenuating court cases that between the corporate sector and the IT sector, are brought against them. As a result, the future of cyber security has been mortgaged to the hilt with the attempt to maintain the usability of copyrights of other players in the IT sector. Moreover, the cyber security industry has itself been the target of cyber attacks. When the theft of codes and source codes occurs, negative effects spread over into the financial assets because years of investments in research and development must be thrown out the window.

Although it was avant-guard hackers that released the first botnets in 2005, it is the signature contained in the software that still guides the anti-virus today. Because of this, hackers with only a few modifications to the malware code (this includes rebuilding) are able to place variations of the botnet virus into circulation that are able to elude the antivirus scans. This is because the activity of the anti-virus is based on the knowledge of historical viruses, but the IT attacks of today involve new aspects that escape the notice of the systems of protection. In systems where Enterprise (EAS) is used, when there are suspicions of an attack it is preferable to absorb the costs of rebooting or reinstalling the entire system to prevent that the passpartout remains in the hands of the attacker, because the anti-virus is not able to seal the cracks that the bot opened in the system.