This article is the first in (I think) a three part series which will describe the chronology and evolution of the threat from botnets, please check back for further installments (wow, this feels like Saturday morning cinema!)
Two contenders vie for being the malware that started the botnet ball rolling; Sub7 and Pretty Park – a Trojan and a Worm respectively. They both introduced the concept of the victim machine connecting to an IRC channel to listen for malicious commands. These two pieces of malware (although that description would be challenged by the creator of Sub7, a certain “mobman”, he prefers the epithet Remote Administration Tool) both first surfaced in 1999 and botnet innovation has been constant since then.
Notable points along the botnet timeline are numerous. First up, the emergence of the Global Threat bot, or GTbot, in 2000. GTbot was based on the mIRC client, which meant that it could run custom scripts in response to IRC events and also importantly that it had access to raw TCP and UDP sockets, making it perfect for rudimentary Denial of Service attacks, some attacks went as far as scanning for Sub7 infected hosts and “updating” them to GTbots.
2002 saw a couple of notable evolutions in botnet technology with the release of both SDBot and Agobot. SDBot was a single small binary, written in C++. Its creator commercialised his “product” making the source code widely available and as a result many subsequent bots include code or ideas taken from SDbot. In the same year further new ground was broken by Agobot.
Agobot introduced the concept of a modular, staged attack as payloads were delivered sequentially. The initial attack installed a back door, the second attempted to disable antivirus software and the third blocked access to the websites of security vendors; all techniques that should be painfully familiar to anyone that has suffered from malware in the recent past.
These early bots were aimed at remote control and information theft, but the move toward modularisation and open sourcing began the huge increase in variants and the expansion of functionality. Malware authors gradually introduced encryption for ransomware, HTTP and SOCKS proxies allowing them to use their victims for onward connection or FTP servers for storing illegal content.
Spybot in 2003 was an evolution of the earlier SDbot but introduced some important new functionality such as keylogging, data mining, SPIM (Instant Messaging Spam). In the same year we also saw the rise of Rbot which introduced the SOCKS proxy, and included DDoS functionality and information stealing tools.
Rbot was also the first family of bots to use compression and encryption algorithms to try to evade detection. 2003 also saw the first manifestation of a peer-to-peer botnet by the name of Sinit, later on Agobot modules were developed to incorporate this peer-to-peer functionality. The following year another Agobot derivative, known as Polybot introduced polymorphism to try to evade detection by changing its appearance as often as possible.
Steadily botnets migrated away from the original IRC Command & Control channel, this port is seldom opened through firewalls and the protocol is easily identified in network traffic. Instead bots began to communicate over HTTP, ICMP and SSL ports, often using custom protocols. They have also continued the adoption and refinement of peer-to-peer communications, as would be demonstrated five years later by another famous botnet that went by the name of Conficker…
Look out for Part II (Rise of the criminal botnet) coming to a cinema near you soon…