Botnets (also known as zombie-nets) are collections of compromised computers that are remotely controlled by a malevolent party. A compromised computer is connected to the Internet, usually with an “always-on” broadband connection, and is running software introduced by the malevolent party. Malevolent software can be introduced through a number of channels; they include clicking on a link that takes the user to a certain Web page, downloading an attachment that executes a program, forcing entry into a computer through an unprotected port (e.g., one typically used for file sharing across the Internet), and so on. Using up-to-date security software such as antivirus programs and firewalls helps to reduce the threat of such “malware,” but today most personal computers—even protected ones—are at least somewhat vulnerable to such threats.
An individual compromised computer (a zombie or a bot) can be used for many purposes, but the threat from botnets arises from the sheer number of computers that a single malevolent party can control—often tens of thousands and as many as a million. (Note also that an individual unprotected computer may be part of multiple botnets as the result of multiple compromises.) When the zombied computers are connected to the Internet through broadband connections, the aggregate bandwidth of the botnet is enormous (e.g., a small botnet of 1,000 zombies, each on a 300 kilobit-per-second Digital Subscriber Line connection, commands 300 megabits per second). A further property of botnets is that they can be controlled remotely by an adversary, which means that the apparent perpetrator of a hostile act is a zombie computer—making it difficult to trace a hostile act to its initiator. Indeed, an adversary may be located in a nation other than the home country of the zombies.
Typically, an adversary builds a botnet by finding a few machines to compromise. The first hostile action that these initial zombies take is to find other machines to compromise—a task that can be undertaken in an automatic manner. But botnets are capable of undertaking a variety of other actions that have significant impact on the botnet operator’s target(s). For example, botnets can be used to conduct the following actions: