Evolution: Rise of the bots

Channel wars
Bots were created in the early 1990s by IRC users who wanted to protect and defend against "net split" attacks, among other tasks. While attackers were using bots to knock IRC users out of their favorite channels and deny them access to their user names, the users fought back with their own bots to preserve the integrity of user names and to keep channel access open.

Open floodgates
By 1999, an arsenal of nascent DDoS tools had emerged: Trinoo, Tribe Flood Network, Stacheldraht and Shaft. These tools, which were used to launch attacks against IRC hosts, were only semi-automatic, required significant manual tuning, and didn't use IRC for communications. Canadian hacker MafiaBoy used these types of tools in his 2000 attacks that brought down the Yahoo!, eBay, CNN and Amazon.com Web sites.

Automated animation
In 2000, the need for automation and larger compromised networks led bot developers to merge their DDoS tools with worms and Trojan kits. For example, Stacheldraht was bundled with versions of the t0rnkit rootkit and a variant of the Ramen worm, and the Lion worm included the TFN2K agent. This convergence enabled attackers to compromise vast numbers of machines faster.

Command and control
By 2002, DDoS attackers had transitioned to IRC-controlled bots that carried out the same attacks as Stacheldraht with greater efficiency. Since many attackers were already familiar with IRC and bot programming, it made sense to stick with IRC-based DDoS bots. Today, the majority of DDoS tools use IRC as their communication protocol and means of control (even if they do not directly use IRC networks as control channels).

Dangerous convergence
Since 2003, bot creators have focused on truly blended threats -- malware, spam, spyware, DDoS -- that use IRC channels as control mechanisms. Modern bots, such as Phatbot and Agobot, use viruses and worms to build networks of hundreds of thousands of machines. The 2004 Witty worm was launched simultaneously without warning from 4,200 points, making it nearly impossible to trace.

About the author
David Dittrich is an Information Assurance researcher at the University of Washington Information School, and has over 20 years of programming, system administration and information security-related experience. Dittrich is also a founding member of the Honeynet Project and co-author of "Internet Denial of Service: Attack and Defense Mechanisms."

Note: This article originally appeared in Information Security magazine.

This was first published in March 2005
