Security Management
Published on Security Management (http://www.securitymanagement.com)
Spot the Bot
By Peter Piazza



    
A “bot” is a small software program that is often used on Internet Relay Chat (IRC) channels to gather information or interact with human users. Some bots on IRC are used by hackers to control “botnets,” networks of tens of thousands of compromised computers, according to Know Your Enemy: Tracking Botnets, a paper from The Honeynet Project & Research Alliance.

Botnets pose a huge threat because they can be used to launch distributed denial-of-service (DDoS) attacks on any chosen target. The paper explains that even a “relatively small botnet with only 1,000 bots” can carry out an effective DDoS attack because home PCs have enough combined bandwidth to overwhelm “the Internet connection of most corporate systems.”

Botnets can also be used to facilitate spamming and to sniff traffic to look for clear-text data that passes by a compromised machine. In addition, they can be programmed to carry out keylogging, to attack other IRC channels, and to perform other malicious behavior.

The Honeynet researchers used only three machines located in Germany to collect information on how bots work and how they are used to control botnets.

Once they learned the IP address of a botnet server or an IRC channel name and password from the captured packets, they could “connect to the botnet and observe all the commands issued by the hacker.” They even were able to see botnet owners discussing their networks, and learned that “even unskilled people can run and leverage a botnet.”

Some of the paper becomes highly technical, with demonstrations of IRC commands used to launch a DDoS attack. But it also provides an excellent overview of different types of bots and the variety of threats they pose to corporate networks, valuable information for security pros to know.

The Honeynet Project’s paper [1] is available through SM Online.

 



Security Management is the award-winning publication of ASIS International, the preeminent international
organization for security professionals, with more than 38,000 members worldwide.

© 2013 Security Management

Source URL: http://www.securitymanagement.com/article/spot-bot-0

Links:
[1] http://www.honeynet.org/papers/bots/