Bots & Cybercrime

It's difficult to exaggerate how large a role bots play in cybercrime today. From spamming to hosting fraudulent Web sites, modern cybercrime at some point will make use of a botnet. Symantec has protected customers from bots for many years and has tracked the evolution of bots from basic threats to very complex crimeware. In recent years, Symantec has seen an alarming increase in the number of bots assaulting the Internet with automated attacks in search of new victims. Symantec reported nearly 9,000 different variations of the three most popular bots (Spybot, Gaobot, Randex) in the first half of 2005 alone. This amounts to at least 50 new criminally motivated bots a day scouring the Internet for unprotected computers. These new bots are almost always members of an existing "family" of bot software and as such are not entirely new: minor changes are made to try to sneak past security software, trick a user with a new tactic, or exploit a newly discovered vulnerability.

Much like the rest of crimeware and cybercrime in general, bots are a global problem. The map below shows the geographic locations of active bot command and control servers (the heart of a botnet) in late 2005.


Bots and botnets are the multi-purpose "Swiss Army knives" of cybercrime. Bots play a role in nearly every type of popular cybercrime today. Botnet owners rent out their illicit networks for a fee to other criminals or use the bots themselves to commit numerous types of crimes. The table below provides a few of the most common examples of how bots and botnets are used to enable cybercrime.


Crime / Use of Bots and Botnets

Denial of Service: Dating back to the late 1990s, networks of zombie machines have been used to try to knock Web sites offline, making them unusable by their customers and oftentimes preventing e-commerce. Some denial-of-service attacks are mere Internet "joyrides"; others are orchestrated by competitors.

Extortion: While some denial-of-service attacks are launched by zombie machines against an unsuspecting Web site or other online service without warning, others are announced in advance in what is known as a protection racket, or extortion. In such schemes, the criminal threatens to knock the company's Web site or online service off the Internet for a period of time if the company does not pay, usually at a peak hour when the outage would be most noticeable and do the most damage (i.e., as frustrated customers take their business elsewhere).

Identity Theft: While bots are typically only one part of an identity theft, sometimes they play both the main and the supporting roles by not only infecting a computer but also stealing personal information from the victim and sending it to the criminal.

Spam: Botnets operate at the heart of today's spam industry: bots both harvest email addresses for spammers and send the spam messages out. Sending spam through botnets is particularly common because it makes spammers more difficult to detect, as they can send messages from many machines (all the infected machines in the botnet) rather than through a single machine. This tactic has become so common that in the first half of 2005, 64 percent of the top threats Symantec saw were capable of being used to send spam.

Fraud ("Phishing"): In nearly every phisher's toolbox is an army of bots. Much like spammers, phishers use bots to identify potential victims and send fraudulent emails that appear to come from a legitimate organization such as the user's bank. Phishers also use bots to host the phony Web sites that steal people's personal information and to serve as collection points ("dead drop" or "egg drop" servers) for stolen data. An animated overview of online fraud is available that explains the different components of a phishing operation.


Bots perform many jobs for cybercriminals. For example, the bot below works as an assistant for identity thieves on the black market. The bot has been specifically created for an online forum for cybercriminals to help perform basic identity theft tasks, such as determining whether stolen credit cards are valid, their credit limits, and additional data such as the CVV2 code and expiration date. The following are some examples of the bot performing routine tasks for different identity thieves:

<redeyezz> !cclimit 4854xxxxxxxxxxxx
<Forumbot> redeyezz I found limit for your Visa (4854xxxxxxxxxxxx): 7.536 $

An identity thief named "redeyezz" asks the bot for the limit of a presumably stolen credit card using the command "!cclimit" and the credit card number.

<Vietnamhack> !chk 4158xxxxxxxxxxxx xx0x
<Forumbot> Vietnamhack 4158xxxxxxxxxxxx : xx0x (Valid cc)

<jyde> !chk 6011xxxxxxxxxxxx xx0x
<Forumbot> jyde 6011xxxxxxxxxxxx : xx0x (You're Card Is Declined)

Two identity thieves check the validity of two different credit cards: one is still valid, and the other is no longer valid and is therefore declined.

Bot software is created by professional crimeware authors. While much of the source code (the "raw" code for the bot's design) is freely available, specially created versions of bot software are available for purchase from crimeware professionals for several hundred dollars if not more. Crimeware authors will market their bot programs with claims that they can evade security software and avoid detection.