Dr. I Doctor's Informational Juggernaut

December 6, 2005

New CERT Guide: Botnets as a Vehicle for Online Crime

If you've spent much time at all analyzing network traffic, you've run into an infamous plague swarming the Internet known as botnets -- the interconnected web of compromised PCs that virus writers use for intelligence gathering and distributed denial of service attacks. But unless you've actually disassembled botnet code, you likely don't have much information about how botnets work. The Computer Emergency Response Team (CERT) whitepaper Botnets as a Vehicle for Online Crime is a first-rate tutorial on the motivations and mechanics of botnets. It should be required reading for all network professionals.

The paper's authors, CERT staffers Nicholas Ianelli and Aaron Hackworth, start out by describing why botnets are such a big draw for hackers. The main reason is one you likely haven't considered: a botnet is essentially a very large, highly distributed supercomputer. With a botnet, a hacker commands a vast computing resource that rivals those of even the largest government agencies (unless, of course, those agencies themselves are using botnets). Hackers use this computational powerhouse to crack passwords, distribute warez (stolen software), and attack other networks.

Next, the paper details how a hacker starts up a botnet. The valuable information here is that you can greatly reduce your vulnerability to botnets by ensuring that a few well-known but readily countered exploits do not exist in your network: the Windows RPC, LSA, and DLL buffer-overflow bugs. You can block the other common infiltration technique -- social engineering -- by educating your users about phishing and the dangers of e-mail attachments. The reason that botnets flourish is that the vast majority of Internet users, including education and home broadband users, fail to put these protections in place.

The authors then dive into a detailed description of various botnet mechanisms, including autorooting and exploit scanning, port redirection, registry mining, key logging, screen capturing, and IRC bouncing. The breadth and depth of botnet tools are sobering and illustrate how serious the botnet problem has become. The technical discussion also shows how botnet command-and-control mechanisms work, giving you a fascinating hacker's-eye view of botnet manipulation.

Put this on your professional development reading schedule immediately.


http://www.cert.org/archive/pdf/Botnets.pdf

Posted by mbeckman at December 6, 2005 7:55 AM
