Botnets, networks of thousands of computers working in tandem, have become one of the most pervasive threats on the Internet – a tool used by criminals for extortion, spamming and identity theft – but also by hacktivist groups that want attention.
And they are the weapons of choice for “Anonymous,” the loosely affiliated global cybermilitia that has been waging retaliatory attacks on major corporations in defense of WikiLeaks and its embattled founder, Julian Assange.
Typically, building botnets requires using malicious software to invade thousands of poorly guarded computers, take them over, and thus make them "zombies." Each zombie can fire thousands of requests per second at a target website. Thousands of zombies collected by a "bot-herder" then become a botnet.
But Anonymous has taken a different approach with Operation Payback, the name it has given its bid to avenge efforts to shut down WikiLeaks. It is building its own home-grown "voluntary" botnet, attracting people to put the botnet software on their own computers. About 2,200 or more people have done so by one count.
The cost of botnet technology is cheap. Anyone who wants to buy a "botnet kit" to build their own can do so for less than $1,000, says Derek Manky, a botnet expert at Fortinet, a Sunnyvale, Calif., Internet security firm.
To be sure, shutting down Visa or Mastercard would require a massive "high horsepower engine" with many botnets controlling hundreds of thousands of computers, he says. Or just maybe, with many far smaller botnets working together, it might still be possible to clog even a big website by making millions of virtual requests for information simultaneously. A sort of grass-roots cyberblockade.
The availability of botnet kits means even the technically unsophisticated can do it for fun and maybe a little illegal profit.
In 2009 Symantec, the big antivirus company, reported it had detected nearly 7 million botnets on the Internet. Others say the number is far higher than that. No matter how many there are, the main function of an involuntary botnet has been to make money through extortion from companies – like online casinos – by requiring them to pay or be shut down by a botnet-directed distributed denial of service (DDoS) attack.
Operation Payback's hybrid approach
By harnessing the power of social media – Twitter, Facebook, and Internet message boards like 4chan – Anonymous has apparently convinced a number of other botnet operators to join in the attacks, botnet experts say.
"When you get a whole bunch of people who happen to have say, only 10,000 machines under their control or less, none may be individually capable of building a really big botnet," says David Dittrich, an expert in denial of service attacks at the University of Washington. "But if someone can get them all on the same page through blogging and twittering, and get them at the same time instead of dispersed, you get effectiveness of a much larger botnet."
Anonymous members have essentially posted virtual handbills across the Internet to rally new participants. Twitter posts have been used to organize, time, and target their attacks.
"We will fire at anyone or anything that tries to censor WikiLeaks, including multi-billion [dollar] corporations such as Paypal. Twitter, you're next for censoring #WikiLeaks discussion," reads a virtual handbill circulated on the Internet Monday prior to a second DDoS attack on Paypal, according to Panda Labs, an Internet security research firm.
The same cyberposter that announced an attack on PayPal also advertises how to locate and use Anonymous's homegrown cyberattack weapon, dubbed the Low Orbit Ion Cannon (LOIC). That fanciful name (accompanied by equally fanciful graphics of a space-laser-like weapon come hovering above the Earth in another file), is essentially about organizing a botnet or group of computers for DDoS attacks.
Social networks spread the word
"We're seeing more and more instances where social networks are allowing a message to spread to large number of people very quickly," says Professor Dittrich. "So it's representative of what we've seen before, but at a far larger scale and moving more rapidly than anything we've seen."
The Anonymous LOIC botnet is voluntary. Likeminded individuals can visit a website or other Internet location and get the electronic files needed to turn their computer into a larger weapon that attacks various sites. By Wednesday morning, Panda Labs reported roughly 2,200 computers at one point joining the LOIC attacks.
But the LOIC could be primarily a public relations smokescreen, a figleaf intended to convey an uprising of morally outraged masses, experts say. By itself it is not nearly powerful enough to bring down a large robust website. Even a botnet with 10,000 computers would not be nearly enough to cause serious trouble to Visa or Mastercard, Dittrich says. It requires getting many botnet operators or bot-herders to participate of their own free will, he says.
Operation Payback may be novel in scale, but not in approach. At a World trade organization meeting in Seattle in 1999, a group calling itself the "Electronic Disruption Theater" offered software code that would run on individual computers, so that DDoS attacks on the websites for the meeting would appear to come from thousands of volunteers that didn't like WTO and wanted to protest. The Anonymous attack appears to be the same, but far larger – and drawing in other bot-herders, too, Dittrich says.
"Anonymous now has a bunch of people using a bunch of different types of attacks," he says. "Whatever they have on hand."
"I am of the firm opinion that bot herders (botnet administrators) are lending a few hours of their botnet time," writes Faisal Khan, CEO of Net Access Communication Systems, an expert in denial of service attacks. Small botnets with just 250 to 500 machines "are sooooo common that 16-year-old kids are herding such a bot."
There are literally tens of thousands of such-sized bots, he writes. So when news hits that Paypal is under a DDoS, many small botnet herders may just decide to spend an hours worth of their botnet time hammering it, too. "Add a couple of hundred bot nets doing this and PayPal will have a very hard time staying up," he says.