November 21, 2008
10 answers to your questions
By Michael Kassner

I recently asked TechRepublic members to submit questions about botnets, promising to forward them to the
experts at Arbor Networks. Dr. Jose Nazario volunteered to provide the following informative answers.

Could you define what a bot or zombie is and how they become part of a botnet?

A botnet is a collection of machines that have been compromised by software installed by the attacker so that
they now respond to commands sent by the attacker. This malcode can be installed by exploits on the base OS
(e.g., as in the Sasser worm), through browser exploits, or through Trojan horse activities such as fake games or

What are botnets used for—are they profitable?

Botnets are used by the attackers for a wide variety of tactics: spamming, hosting phishing sites, harvesting
information from the infected PCs for use or resale (such as credit card or banking information), denial of service
for pay or extortion, adware installations, etc. The botnet is a platform for the criminal underground, providing
unfettered access to the compromised PC and its resources -- disk, bandwidth, IP reputation, personal
information, etc. -- for the attacker. It's a way to load arbitrary software onto the machine, as well as to pull
arbitrary information off of the machine.
We see botnets used all over the world: the United States, Europe, Russia and the Ukraine, China, Korea, Japan,
South America -- all over. The main motivations in the past few years have become monetary, as opposed to
curiosity or joy riding.

If I understand correctly, there are different command and control philosophies used by
botnets. Could you explain how they work and their effectiveness?

The two main types of command and control structures used by botnets are a centralized mechanism and a
decentralized, peer-to-peer mechanism. There is also a third, hybrid approach. Command and control refers to
the server(s) that the infected hosts