Dedicated servers as parts of a botnet
Introduction
Bots and botnets have been discussed in several security articles during the years. The most recent was our article about using Twitter as a command and control center for controlling the bots.
In the security article this week we will discuss using a particular type of computers - dedicated servers - as part of a botnet.
Traditional botnets
It is more or less common knowledge that a botnet is a set of computers that are controlled by one person (or organization). Each computer participating in the botnet is normally compromised in some way, usually without the owner knowing that his computer is part of a network. The person who "owns" the botnet will usually go to great lengths to hide her origin, and may have "control devices" in several levels.
The traditional way to use a botnet was to perform a Distributed Denial of Service (DDoS) attack against another computer or network. In the past we have seen "spectacular" examples of successful attacks against well-known and popular Internet sites.
New trends
Not surprisingly the controllers of botnets soon discovered that these nets could be used for more lucrative purposes. A common way to utilize the botnets is therefore as spamming devices, sending millions of unsolicited emails to email accounts all over the world.
Botnets also quickly became popular as spreading instruments of malicious software using several different techniques (which is not the topic of this security article).
As the botnets have become more and more sophisticated, computers participating in one or several botnets have grown accordingly. It seems safe to assume that these days several million computers around the world are parts of one or more botnets. The botnets have also become more sophisticated, as it has become common to update the bots in the net with new functionality automatically.
A botnet's controller usually focuses on infecting computers regardless of these machines' purposes. She will normally attempt to take control of a computer for example by exploiting known vulnerabilities. When the computer eventually is part of the botnet, she will use it as best she can.
This approach - targeting vulnerable computers indiscriminately - may provide the botnet owner with several different types of computers at her disposal. Most will probably be home computers and computers operated by organizations with less strict security measures in place. This may have disadvantages, as it can be a problem to get the various parts of the botnets to perform the same tasks.
Focusing on dedicated computers
In a blog posting earlier this month, from the security site Unmask Parasites, the topic is that the blogger has discovered focused attacks on web servers to make this type of computers participating in a special botnet.
If the botnet owner has a set of dedicated servers (web servers in this case) under her control, this represents one obvious advantage: She can focus on these servers to perform special tasks - i.e. tasks that these computers are configured to do in the first place.
In the web server example, this would be serving web pages - with for example malicious content as defined by the botnet owner. The web servers will be computers that are initially set up as legitimate web servers, and the casual surfer will not be suspicious when he visits these sites.
Computers configured to server other tasks may of course be exploited in analogous manners. The advantages of having homogenous computers in the same botnet are that these computers are better equipped to perform special tasks, and their actions can be more targeted against a special audience, than any set of randomly compromised computers.
It remains to be seen if focusing in collecting dedicated servers in separate botnets is a new trend in the botnet technology race.
