Problem solve Get help with specific problems with your technologies, process and projects.

Evolution: Rise of the bots

Learn how bots evolved into botnets and the blended threat model used today.

Channel wars
Bots were created in the early 1990s by IRC users who wanted to protect and defend against "net split" attacks, among other tasks. While attackers were using bots to knock IRC users out of their favorite channels and deny them access to their user names, the users fought back with their own bots to preserve the integrity of user names and to keep channel access open.

Open floodgates
By 1999, an arsenal of nascent DDoS tools had emerged: Trinoo, Tribe Flood Network, Stacheldraht and Shaft. These tools, which were used to launch attacks against IRC hosts, were only semi-automatic, required significant manual tuning, and didn't use IRC for communications. Canadian hacker MafiaBoy used these types of tools in his 2000 attacks that brought down Yahoo!, eBay, CNN and Web sites.

Automated animation
In 2000, the need for automation and larger compromised networks led bot developers to merge their DDoS tools with worms and Trojan kits. For example, Stacheldraht was bundled with versions of the t0rnkit rootkit and a variant of the Ramen worm, and the Lion worm included the TFN2K agent. This convergence enabled attackers to compromise vast numbers of machines faster.

Command and control
By 2002, DDoS attackers transitioned to IRC-controlled bots that implemented with greater efficiency the same attacks as Stacheldraht. Since many attackers were familiar with IRC and bot programming, it made sense to stick with IRC-based DDoS bots. Today, the majority of DDoS tools use IRC as a communication protocol and means of control (even if not directly using IRC networks as control channels).

Dangerous convergence
Since 2003, bot creators have focused on truly blended threats -- malware, spam, spyware, DDoS -- that use IRC channels as control mechanisms. Modern bots, such as Phatbot and Agobot, use viruses and worms to build networks of hundreds of thousands of machines. The 2004 Witty worm was launched simultaneously without warning from 4,200 points, making it nearly impossible to trace.


About the author
David Dittrich is an Information Assurance researcher at the University of Washington Information School, and has over 20 years of programming, system administration and information security-related experience. Dittrich is also a founding member of the Honeynet Project and co-author of "Internet Denial of Service: Attack and Defense Mechanisms."

Note: This article originally appeared on Information Security magazine.

This was last published in March 2005

Dig Deeper on Emerging cyberattacks and threats

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.