Botnet fiends turn to Sdbot and Gaobot for source code
By John Pospisil
Instead of writing their own code from scratch, botnet creators are simply modifying the widely available source code for the Sdbot and Gaobot families of bots, according to Luis Corrons, the technical director of PandaLabs.
“Any criminals that want to make a bot can simply base it on the source code of these threats, making any modifications they choose. Essentially, this saves them a lot of work,” said Corrons.
This explains why the Sdbot and Gaobot families accounted for 80% of bot-related detections during the first quarter of 2007, according to PandaLabs.
Botnets are networks made up of computers, called zombies, that are infected with bots. Bots often reach computers in emails that use social engineering or exploit system vulnerabilities. The aim is for them to be installed silently and to operate for long periods of time without users or security companies realizing.
Botnets have become a lucrative business model, and according to PandaLabs there is an underground market for renting bots, for example to send spam or to install spyware or adware.
In 2006, bots accounted for 13 percent of all new threats detected by PandaLabs. Of those, 74 percent belonged to the Sdbot and Gaobot families. As the number of bots grows, the way they are controlled is changing. Until now, most of them have been controlled through IRC servers.
This allows attackers to send orders while hiding behind the anonymity of these chat servers. However, now there are bots that can be controlled through Web consoles using HTTP.
“Control through IRC is useful for controlling isolated computers. However, this system is not so useful when it comes to botnets. By using HTTP, bot herders can control many more computers at the same time, and can even see when one of them is online or if the commands have been executed correctly,” explained Corrons.
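A defender-side illustration of the two control channels described above, added here as an example that is not from the article or from PandaLabs: it scans a constructed connection log for hosts contacting well-known IRC ports and for HTTP requests to one URL repeated at near-constant intervals, the check-in pattern a Web-console-controlled bot produces. The log format, addresses, port list and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample connection log (not from the article): time src dst:port proto [method path]
SAMPLE_LOG = """\
2007-03-01T10:00:00 10.0.0.5 203.0.113.9:6667 tcp
2007-03-01T10:00:05 10.0.0.5 203.0.113.9:6667 tcp
2007-03-01T10:00:00 10.0.0.7 198.51.100.4:80 http GET /cmd.php
2007-03-01T10:05:00 10.0.0.7 198.51.100.4:80 http GET /cmd.php
2007-03-01T10:10:00 10.0.0.7 198.51.100.4:80 http GET /cmd.php
2007-03-01T10:15:00 10.0.0.7 198.51.100.4:80 http GET /cmd.php
2007-03-01T10:00:00 10.0.0.9 198.51.100.8:80 http GET /index.html
2007-03-01T10:03:17 10.0.0.9 198.51.100.8:80 http GET /news.html
"""
LINE = re.compile(r"(\S+) (\S+) (\S+):(\d+) (\S+)(?: \S+ (\S+))?")
IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 6697}  # assumed list

def parse_log(text):
    """Turn each log line into (timestamp, src, dst, port, proto, path-or-None)."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, src, dst, port, proto, path = m.groups()
        events.append((datetime.fromisoformat(ts), src, dst, int(port), proto, path))
    return events

def irc_connections(events):
    """Internal hosts talking to IRC ports: the classic bot command channel."""
    return sorted({(src, dst, port) for _, src, dst, port, _, _ in events if port in IRC_PORTS})

def http_beacons(events, min_hits=4, jitter=0.1):
    """(src, dst, path) polled at near-constant intervals: a Web-console check-in pattern."""
    by_key = defaultdict(list)
    for ts, src, dst, port, proto, path in events:
        if proto == "http":
            by_key[(src, dst, path)].append(ts)
    hits = []
    for key, times in by_key.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        # Flag only when every gap stays within `jitter` of the mean interval
        if mean > 0 and max(abs(g - mean) for g in gaps) <= jitter * mean:
            hits.append((*key, mean))
    return hits

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("IRC connections:", irc_connections(ev))
    print("HTTP beacons:", http_beacons(ev))
```

Ordinary browsing (10.0.0.9 above) is not flagged because its requests go to different paths at irregular gaps; tune `min_hits` and `jitter` to the traffic volume you actually see.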