Botnets: How to get rooted in one easy lesson

In discussions about botnets, how and why a computer becomes part of a botnet are two questions that get asked quite often. Like most things in life, the answers aren't simple. Michael Kassner sets out to provide some answers about the origins of botnets.


I noticed a trend in the comment section of my article "Botnets: Bigger Isn't Always Better." People wanted to know how a computer becomes a bot and why it's so hard to detect when it happens. Thinking about this must have put me in one of my moods (often mistaken for daydreaming), because my son asked me what was wrong. I explained my quandary, and in his infinite wisdom, he said, "Well, why don't you (looking at me with that dahh expression) write about it, and then everyone will know." Hmmm, I knew that.

Botnet or rootkit, which came first?

Becoming part of a botnet requires installing a remotely controllable command-and-control client (the bot) on the computer under attack. The tool of choice for keeping that client in place is the infamous rootkit, because it can hide files, processes, and network connections from the user and from security software while the bot keeps running. For more detail about the inner workings of rootkits, please refer to my article "10+ Things You Should Know about Rootkits."

In that article, I didn't spend much time on the propagation process, and I'd like to correct that now. The package that delivers the rootkit is often described as a blended threat; for this discussion it has three parts: the dropper, the loader, and the rootkit itself. I'd like to focus on the dropper, since it's where much of the confusion lies.

Dropper program

The dropper is a program whose whole purpose is to sneak past security and antivirus applications. I liken droppers to the Transformer toys my son used to play with: the dropper makes itself and its payload (the loader and rootkit) look like benign code. It usually does this by encrypting, compressing, or otherwise encoding the payload, so the bytes a malware scanner sees bear no resemblance to any known sample. A scanner can then catch it only if it has a signature for that particular packed version, or if it guesses correctly through heuristics such as unusually high entropy or suspicious unpacking behavior.
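To make the point concrete, here is a small added example (mine, not code from the original article or from any real malware): a harmless, constructed byte string stands in for a known-bad file, a byte pattern inside it stands in for the scanner's signature, and a toy stream cipher (SHA-256 in counter mode, an assumption for the demo) plays the dropper's "transformer". The pattern signature no longer matches the encoded body, but a simple entropy heuristic still notices that the body is packed.

```python
import hashlib
import math
from collections import Counter

# Constructed stand-in for a known-bad file body (harmless text, not real malware).
KNOWN_BAD = b"MZ" + b"this is the dropper body, plain ascii text repeated " * 50

# A byte-pattern signature of the kind a scanner would carry for this sample.
SIGNATURES = [b"dropper body"]


def matches_signature(data: bytes, signatures=SIGNATURES) -> bool:
    """Naive scanner: flag the file if any known byte pattern appears in it."""
    return any(sig in data for sig in signatures)


def keystream(key: bytes, length: int) -> bytes:
    """Deterministic pseudo-random stream: SHA-256 in counter mode. This is a toy
    stream cipher chosen for the demo; real packers use RC4, AES, or custom code."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def transform(data: bytes, key: bytes) -> bytes:
    """The 'transformer' step: XOR the payload with the keystream. Applying it
    again with the same key restores the original, which is what the loader does."""
    return bytes(b ^ k for b, k in zip(data, keystream(key, len(data))))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: English text lands around 4-5, encrypted or packed data near 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Crude heuristic a scanner can apply without any signature: high entropy
    across the whole body strongly suggests it is encrypted or compressed."""
    return shannon_entropy(data) >= threshold


def scan(data: bytes) -> dict:
    """Run both checks and report them the way a scanner would."""
    return {
        "signature_hit": matches_signature(data),
        "entropy": round(shannon_entropy(data), 2),
        "heuristic_hit": looks_packed(data),
    }


if __name__ == "__main__":
    encoded = transform(KNOWN_BAD, b"key-one")
    print("plain:  ", scan(KNOWN_BAD))
    print("encoded:", scan(encoded))
    print("decodes back:", transform(encoded, b"key-one") == KNOWN_BAD)
```

Re-encoding with a different key produces a completely different file each time, which is why a signature written for one packed sample does not catch the next one. The catch for the attacker is that the small decoding stub (the loader) must ship unencrypted, so signatures tend to move to the stub, and the entropy heuristic trades false negatives for false positives on legitimately compressed installers.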

Dropper versus trojan

Many experts consider dropper programs to be reverse-connect trojans. Trojans typically consist of two parts: a client and a server. Originally, the server (the listening portion) was placed on the computer being attacked and the client ran on the attacker's computer. The attacker then connected to the server from the client application. All was good in the attacker's world.

Then NAT came into wide use. Because a NAT device only forwards inbound traffic for connections that an inside host has already started, the attacker's client could no longer reach the listening server behind it, and the original style of trojan stopped working. Being clever, attackers reversed the connection: the compromised computer now initiates an outbound connection to the attacker, which NAT (and most firewalls) permit without question; hence reverse-connect trojans. All is good in the attacker's world again.

The reason experts consider droppers to be trojans is their use of trickery. Simply stated, trojans and droppers are malware that appear to be something they're not (à la the original Trojan Horse). For example, one of the earliest methods used to get malware onto computers was to offer free screensavers. The trouble is that the screensaver was a screensaver in name only; in reality it was a trojan, now installed on the computer with the user none the wiser.
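The reverse connection has a cost for the attacker that defenders can use: since nothing from the outside can wake the bot up, it has to call home on its own schedule. The added example below (mine, not from the original article) looks for that regularity in a constructed outbound-connection log, grouping connections by source, destination, and port and flagging groups whose intervals are nearly constant. The log format, addresses, and timings are invented for the demo.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed firewall/flow log: timestamp, source, destination, destination port.
# 10.0.0.12 browses a few web servers and, every five minutes, calls 203.0.113.7.
SAMPLE_LOG = """\
2008-11-03 09:00:00 10.0.0.12 203.0.113.7 443
2008-11-03 09:00:04 10.0.0.12 198.51.100.20 80
2008-11-03 09:05:01 10.0.0.12 203.0.113.7 443
2008-11-03 09:07:30 10.0.0.12 198.51.100.21 80
2008-11-03 09:10:00 10.0.0.12 203.0.113.7 443
2008-11-03 09:14:59 10.0.0.12 203.0.113.7 443
2008-11-03 09:15:12 10.0.0.12 198.51.100.22 80
2008-11-03 09:20:01 10.0.0.12 203.0.113.7 443
2008-11-03 09:25:00 10.0.0.12 203.0.113.7 443
2008-11-03 09:31:45 10.0.0.12 198.51.100.20 80
"""


def parse_log(text: str) -> list:
    """Turn the text log into (timestamp, src, dst, port) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, src, dst, port = line.split()
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        records.append((ts, src, dst, int(port)))
    return records


def find_beacons(records, min_connections: int = 4, max_jitter: float = 0.2) -> list:
    """Group outbound connections by (src, dst, port) and report groups whose
    inter-connection intervals are regular: coefficient of variation
    (stdev / mean) at or below max_jitter. A human browsing produces bursty,
    irregular gaps; a bot sleeping a fixed interval does not."""
    groups = defaultdict(list)
    for ts, src, dst, port in records:
        groups[(src, dst, port)].append(ts)

    hits = []
    for (src, dst, port), times in groups.items():
        if len(times) < min_connections:
            continue
        times.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue
        jitter = pstdev(intervals) / avg
        if jitter <= max_jitter:
            hits.append({
                "src": src, "dst": dst, "port": port,
                "count": len(times), "mean_interval": avg, "jitter": jitter,
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{hit['src']} -> {hit['dst']}:{hit['port']} every "
              f"{hit['mean_interval']:.0f}s over {hit['count']} connections "
              f"(jitter {hit['jitter']:.3f})")
```

Real bots add randomised sleep to blur exactly this pattern, so in practice the jitter threshold is tuned per environment and the check is combined with other signals (unusual destination, no prior DNS lookup, traffic on port 443 that does not look like TLS) rather than used on its own.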

Dropper's cat-and-mouse game

You can see how this has turned into a proverbial cat-and-mouse game between attackers and computer users. By design, this type of game eventually leads to the discovery of the scam. So instead of discussing specific examples that may already be out of date, I'd rather describe the generic approaches being used by attackers today, with a great deal of success, I might add. Once the attack vectors are understood, it should become easier to spot specific examples of how a computer becomes a bot:

  • Drive-by download: This method is the scary one. The attacker builds a malicious Web site that leverages an unpatched vulnerability in the browser, a browser plug-in, or the operating system. All the user has to do is visit the Web site, and the dropper is loaded onto the computer without any prompt or click.
  • User interaction: This method covers a whole host of possible attack vectors, from opening a malicious attachment to clicking a link that sends the Web browser to a malicious Web site. A good example of a cutting-edge exploit that requires user interaction is clickjacking, as explained in my recent article "Clickjacking: Potentially Harmful Web Browser Exploit."

These are the two methods used by most dropper programs presently. Hopefully knowing this will raise a red flag if something you're doing on your computer just doesn't feel right.

Exploit definitions

There are a few more terms that I'd like to look at. By doing so, I hope to dissipate some FUD and allow everyone to make educated judgments when determining how seriously to take malware warnings. On many occasions, security pundits get a bit overzealous, reasoning that it's better to err on the side of caution. The only problem is that most users can't react that fast and ignore the warning. Then, if nothing happens, they feel the expert was crying wolf yet again. So here they are:

  • Proof of concept: A proof of concept (PoC) is a mechanism or application used to prove whether a concept is viable. A good example of this is the clickjacking exploit. Clickjacking was known to be an issue for a long time, but it didn't have any clout until researchers released a PoC. What does this mean to users? Well, there's some breathing room. If it's interesting enough and easy to assemble, though, malware developers will be all over it in short order.
  • Zero-day exploit: This is often confused with zero-day malware, but they are two entirely different concepts. A zero-day exploit leverages a vulnerability that is unknown to, or not yet patched by, the application or operating system vendor. Just remember that you have zero days to patch the computer, because an exploit is already in play.
  • Zero-day malware: This refers to active malware strains that are so new that security and antivirus applications have no signatures for them. This is a real problem, especially since attackers like to keep zero-day malware quiet for as long as possible. You may remember my run-in with Rustock.B and my mentioning that experts are almost positive that Rustock.D is out as well, yet no one knows anything about it. So Rustock.D would be considered zero-day malware, and there's precious little users can do about it.
  • In the wild: This is self-explanatory to some extent and the exact opposite of a PoC. If you hear that some malware is in the wild, that means attackers are actively using it against real targets, not just demonstrating it in a lab. The diagram originally included here showed the growth of just rootkits in the wild.


Final thoughts

I hope that I was able to provide some answers for those who were wondering how a computer gets rooted and why it's so hard to detect the process. Logically my next step is to provide solutions for detecting rootkits and removing them. I'd like everyone to stay tuned as it should get interesting.



Information is my field...Writing is my passion...Coupling the two is my mission.
