IE Focus | By Enrique Dans, Professor at IE Business School
You may not know this, but your computer could have a secret life of its own. It may form part of a network that exploits weaknesses in your computer’s security to commit fraud. Such a network is called a botnet. The news of the recent arrest of three Spanish citizens responsible for the “Butterfly Network”, described as one of the largest botnets in the world, was received with great interest by Spain’s technology sector. But what exactly is a botnet, and what is it used for? What is a zombie computer? What are we talking about?
A botnet, or “robot network”, is a group of computers which, after being infected by a specific person or group, remain under that person’s or group’s control and can be used for fraudulent purposes. The owners of the computers are usually unaware of the infection and do not know that their machine is being used, together with many others, for some generally criminal purpose. Whoever controls a botnet has many options on the table: collecting sensitive user data, launching distributed denial-of-service attacks and even ordering the computers to click on websites carrying advertising contracted by a third party. The possibilities are manifold: the botmaster has an army of computers ready to execute a command at will, and because the activity is spread across so many machines, the proceeds of any fraud are very difficult to trace.

The infected computers, or zombies, are usually systems running Windows XP, often pirate copies that cannot, or can only with difficulty, receive the updates and security patches Microsoft publishes on the second Tuesday of every month (Patch Tuesday). The reason for targeting this system is a matter of statistics: it is still the most widely installed operating system in the world, and it is obviously more profitable to launch an attack that targets the majority of the population. If we throw into the mix the obvious disadvantage of the “monoculture”, the fact that Windows security was never a tightly closed issue, and the fact that many of these computers run versions of the system that cannot be updated because they are of “dubious” origin, then we have a recipe for disaster. If you have a pirate copy of Windows XP on your computer, or if you have not updated it for some time, you might be part of a botnet.
What does a computer on a botnet do when its owner is not looking? The most obvious use is an attack against the user himself/herself: the botmaster could open the gateway to install a programme that forwards any data sent so that it can be analysed, or a keylogger that forwards keystrokes to a third party. These programmes run unseen, and their activity goes undetected. When they obtain useful information (a credit card number followed by the corresponding codes, for example) the operators do not use it themselves, but resell it to international networks to put as much distance as possible between themselves and the chain of events: the person who eventually charges your credit card usually has nothing to do with the person who initially controlled the network.
Another typical use is to hire the botnet out for a distributed denial-of-service attack. Imagine the effect of thousands of computers trying to connect to the same website at the same time: when the server cannot cope with any more concurrent connections (something which is also difficult to block, because the connections come from many different places and cannot be told apart from legitimate visits), the site becomes unavailable, with the consequent effects on the business that depends on it. These attacks are sometimes used for blackmail, with payment demanded from the site’s owner to avoid them.
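To make the detection problem described above concrete, here is an added example (not from the article) that analyses constructed web-server log lines: every zombie sends a single request, so per-client rate limits never trigger, and the flood has to be recognised from aggregate volume and how widely the requests are spread over distinct sources. The log format, timestamps and IP addresses are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)

def make_sample_log():
    """Constructed access log (not real traffic): a quiet minute of normal
    browsing, then a minute in which 60 distinct hosts each send one request."""
    lines = []
    for i, ip in enumerate(["198.51.100.10", "198.51.100.11", "203.0.113.5"]):
        for j in range(3):  # each ordinary visitor loads three pages
            lines.append(f"2010-03-10T10:00:{i * 10 + j:02d} {ip} GET /index.html")
    for k in range(60):  # one request per host: a per-IP limit never fires
        lines.append(f"2010-03-10T10:01:{k:02d} 192.0.2.{k + 1} GET /index.html")
    return lines

def parse_line(line):
    """'<ISO timestamp> <client IP> <request>' -> (seconds since epoch, ip)."""
    ts, ip, _request = line.split(" ", 2)
    seconds = int((datetime.fromisoformat(ts) - EPOCH).total_seconds())
    return seconds, ip

def window_stats(lines, window_seconds=60):
    """Per time window: total requests and the set of distinct source IPs."""
    stats = defaultdict(lambda: {"requests": 0, "sources": set()})
    for line in lines:
        seconds, ip = parse_line(line)
        bucket = seconds // window_seconds * window_seconds
        stats[bucket]["requests"] += 1
        stats[bucket]["sources"].add(ip)
    return dict(sorted(stats.items()))

def detect_distributed_flood(lines, window_seconds=60, surge_factor=5, min_spread=0.5):
    """Flag windows whose volume is a surge over the first (baseline) window AND
    whose requests are spread over many sources (distinct sources / requests).
    High spread is what makes the flood look like many ordinary visitors."""
    stats = window_stats(lines, window_seconds)
    baseline = next(iter(stats.values()))["requests"]
    flagged = []
    for bucket, s in stats.items():
        spread = len(s["sources"]) / s["requests"]
        if s["requests"] >= surge_factor * baseline and spread >= min_spread:
            start = (EPOCH + timedelta(seconds=bucket)).isoformat()
            flagged.append({"window_start": start, "requests": s["requests"],
                            "sources": len(s["sources"]), "spread": round(spread, 2)})
    return flagged
```

Running `detect_distributed_flood(make_sample_log())` flags only the second minute: 60 requests from 60 sources, a spread of 1.0, which is exactly the traffic shape that per-IP blocking cannot act on.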
Another common use is fraud: the criminal creates a number of pages, places advertising on them that is paid for according to the number of clicks received, and then orders the computers that make up the botnet to click on that advertising. The result is a volume of worthless clicks and an advertiser whose publicity has reached nobody; and because the clicks are distributed across many machines, the fraud is not easily detected.
Botnets can be avoided by educating users: understanding the risks, and keeping systems as secure as possible, up to date, and able to alert the user to unusual activity. Keep an eye on your computer: it might have a “secret life”.