5 Lessons that Botnets teach Honeypots

Written by Carl E. Reid on February 19, 2009

One reason organizations deploy honeypots is to identify malicious botnets. A honeypot, a fake network set up as a decoy, is designed to attract and record botnet activity so that it can be analyzed. For honeypots to teach us anything from that data, we need a better understanding of how botnets accomplish their missions. Let’s review the activities performed by some of the various types of botnets.

1. Distributing Malware
Botnets are often used to rapidly distribute new bots across open networks. For our botnet friends this is not very hard to accomplish, because a bot can run scripts that download and execute any file over HTTP or FTP. This is exactly how email viruses are spread by a replicating botnet: in a very short period of time a self-replicating botnet can hook into 10,000 computer hosts, and that becomes a staging platform for spreading a mail virus around the world exponentially, again in a very short period of time.

2. Eliminating Competition with Google AdSense
Companies pay Google a pay-per-click fee each time their ad receives a mouse click. These clicks are supposed to drive traffic to the company web site, which should result in more sales. A company on a limited budget can go broke if it pays for far more clicks on its Google ad than the sales those clicks generate. It is well known that unscrupulous companies have eliminated competition by artificially inflating the clicks on a competitor’s Google AdSense ads. This type of attack uses a botnet to click automatically and continuously on those advertisements. Google has since implemented security measures that make this type of botnet attack infrequent.
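The defensive side of this is spotting automated clicking in an ad-click log before it drains a budget. The following is an added example, not code from the original post or from Google: the log format, the thresholds and the sample lines are all constructed for illustration. It flags a client that clicks far faster than a person would, whose clicks are spaced with machine-like regularity, or that clicks many times without ever buying anything.

```python
"""Flag bot-like click patterns in a constructed ad-click log.

Added example (not from the original post). The log format, the
thresholds and the sample lines below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed sample: "<ISO timestamp> <client ip> <ad id> <event>"
SAMPLE_LOG = """\
2009-02-19T10:00:00 203.0.113.7 ad42 click
2009-02-19T10:00:02 203.0.113.7 ad42 click
2009-02-19T10:00:04 203.0.113.7 ad42 click
2009-02-19T10:00:06 203.0.113.7 ad42 click
2009-02-19T10:00:08 203.0.113.7 ad42 click
2009-02-19T10:00:10 203.0.113.7 ad42 click
2009-02-19T10:00:11 198.51.100.5 ad42 click
2009-02-19T10:03:40 198.51.100.5 ad42 purchase
2009-02-19T10:05:12 192.0.2.9 ad42 click
2009-02-19T10:05:30 192.0.2.9 ad42 click
"""

MAX_CLICKS_PER_MINUTE = 3   # constructed threshold
MIN_CLICKS_FOR_TIMING = 4   # need a few intervals before judging regularity
MAX_JITTER_SECONDS = 0.5    # near-constant spacing between clicks is machine-like


def parse_log(text):
    """Return {ip: {"clicks": [datetime, ...], "purchases": int}}."""
    per_ip = defaultdict(lambda: {"clicks": [], "purchases": 0})
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, _ad, event = line.split()
        when = datetime.fromisoformat(ts)
        if event == "click":
            per_ip[ip]["clicks"].append(when)
        elif event == "purchase":
            per_ip[ip]["purchases"] += 1
    return per_ip


def max_clicks_in_window(times, window_seconds=60):
    """Largest number of clicks that fall inside any sliding window."""
    times = sorted(times)
    best, start = 0, 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def timing_jitter(times):
    """Population std-dev (seconds) of the gaps between consecutive clicks."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return pstdev(gaps) if len(gaps) >= 2 else None


def suspicious_clickers(text):
    """Return {ip: [reasons]} for clients whose behaviour looks automated."""
    findings = {}
    for ip, rec in parse_log(text).items():
        reasons = []
        clicks = rec["clicks"]
        if max_clicks_in_window(clicks) > MAX_CLICKS_PER_MINUTE:
            reasons.append("click rate above threshold")
        if len(clicks) >= MIN_CLICKS_FOR_TIMING:
            jitter = timing_jitter(clicks)
            if jitter is not None and jitter <= MAX_JITTER_SECONDS:
                reasons.append("machine-regular click spacing")
        if len(clicks) >= MIN_CLICKS_FOR_TIMING and rec["purchases"] == 0:
            reasons.append("many clicks, no purchase")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, why in suspicious_clickers(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(why))
```

Only the first client is flagged: six clicks in ten seconds, spaced exactly two seconds apart, and no purchase. The real shopper who clicked once and bought, and the visitor who clicked twice, pass. Thresholds like these should be tuned against a site's own traffic; the point is that rate, regularity and the click-to-sale ratio are three independent signals a botnet finds hard to fake at once.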

3. Large Scale Identity Theft
Botnets can quickly generate those famous phishing emails. Large numbers of people are fooled into visiting bogus web sites because the emails appear to come from legitimate companies (e.g. PayPal, eBay). These botnets pump out massive volumes of email to lure people into going online and submitting personal information. The fraudulent emails are created and sent by bots running a programmed spamming algorithm. The same bots can also host multiple fake brand-name websites to harvest identity information, and as quickly as one of these fake sites is shut down, another can pop up.
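A mail gateway can catch much of this by checking whether a link that mentions a brand is actually hosted on that brand's domain. The following is an added example, not code from the original post: the brand allow-list, the sample message and the heuristics are constructed for illustration, and the "registrable domain" logic is a deliberate simplification (a production filter would consult the Public Suffix List).

```python
"""Flag links that impersonate a brand in a constructed phishing email.

Added example (not from the original post). The brand allow-list, the
sample message and the heuristics are constructed for illustration.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Brand keyword -> domains the brand legitimately uses (constructed allow-list).
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "ebay": {"ebay.com"},
}

URL_RE = re.compile(r'https?://[^\s<>"\']+', re.IGNORECASE)

# Constructed sample message body: two impersonating links, one genuine one.
SAMPLE_EMAIL = """\
Dear customer, your account will be suspended.
Verify now: http://paypal.com.account-check.example/login
Or here: http://198.51.100.23/ebay/signin
Official notice: https://www.paypal.com/help
"""


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.

    Simplification: a production check should use the Public Suffix List
    so that suffixes such as co.uk are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_host(host):
    """True when the URL uses a bare IP address instead of a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_url(url):
    """Return the reasons a URL looks like brand impersonation ([] if none)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    if is_ip_host(host):
        reasons.append("raw IP address instead of a domain")
        domain = host
    else:
        domain = registrable_domain(host)
    for brand, legit in BRAND_DOMAINS.items():
        # A brand name anywhere in the host or path, on a domain the brand
        # does not own, is the classic "paypal.com.<something>" lure.
        mentioned = brand in host or brand in parts.path.lower()
        if mentioned and domain not in legit:
            reasons.append(f"mentions {brand} but is hosted on {domain}")
    return reasons


def suspicious_links(body):
    """Map each URL in the message body to its impersonation findings."""
    results = {}
    for url in URL_RE.findall(body):
        reasons = classify_url(url)
        if reasons:
            results[url] = reasons
    return results


if __name__ == "__main__":
    for url, why in suspicious_links(SAMPLE_EMAIL).items():
        print(url, "->", "; ".join(why))
```

The first link puts the brand name in a subdomain of an unrelated domain, the second hides behind a raw IP address with the brand only in the path, and the genuine `https://www.paypal.com/help` passes. Because the check keys on the registrable domain rather than on the visible text, it is not fooled by how the link is dressed up in the message.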

4. Traffic Sniffers
Using a legitimate packet sniffer, bots can search for interesting clear-text (unencrypted) data passing back and forth through a compromised computer. These sniffers focus on retrieving sensitive information such as user names and passwords, but the sniffing process can also stumble across other interesting data. If a computer has been compromised multiple times and hosts more than one botnet, packet sniffing can also gather sensitive information belonging to another botnet. So it is possible for one botnet to steal from another botnet, or even take it over.

5. Keyloggers
If the compromised machine uses encrypted communication channels, such as secure POP3 or HTTPS, simply sniffing network packets on the target computer will not work, because the key needed to decrypt the packets is unavailable. Of course there are other bots that offer features providing a malicious workaround in this situation. With the help of keylogger bots, retrieving sensitive information becomes a piece of cake for attackers. On top of that, bots can be programmed with a filtering mechanism that captures only certain keystrokes; for example, a bot can be programmed to record the keystroke sequences typed near the keyword “ebay.com”. This expedites stealing what people may believe to be secret information. Now imagine this single keylogger botnet running on thousands of infiltrated computers, all working simultaneously to harvest personal account information and send it back to the attacker who launched it.
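Two of the behaviours above leave traces in ordinary flow records, which is exactly the kind of data a honeypot or network sensor collects: the rapid spread of new bots across a network (section 1) shows up as one source touching many distinct hosts on the same port within seconds, and the exposure to sniffing (section 4) shows up as hosts still talking over the cleartext protocols whose encrypted replacements section 5 says defeat the sniffer. The following is an added example, not code from the original post: the record format, the port table, the thresholds and the sample flows are all constructed for illustration.

```python
"""Two checks over constructed flow records: worm-like fan-out and
cleartext protocol use.

Added example (not from the original post). The record format, the port
table, the thresholds and the sample lines are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: "<ISO timestamp> <src ip> <dst ip> <dst port>"
SAMPLE_FLOWS = """\
2009-02-19T09:00:00 10.0.0.5 10.0.0.20 445
2009-02-19T09:00:00 10.0.0.5 10.0.0.21 445
2009-02-19T09:00:01 10.0.0.5 10.0.0.22 445
2009-02-19T09:00:01 10.0.0.5 10.0.0.23 445
2009-02-19T09:00:02 10.0.0.5 10.0.0.24 445
2009-02-19T09:00:02 10.0.0.5 10.0.0.25 445
2009-02-19T09:00:03 10.0.0.5 10.0.0.26 445
2009-02-19T09:00:03 10.0.0.5 10.0.0.27 445
2009-02-19T09:01:10 10.0.0.8 192.0.2.10 110
2009-02-19T09:01:12 10.0.0.8 192.0.2.10 80
2009-02-19T09:02:00 10.0.0.9 192.0.2.11 995
2009-02-19T09:02:05 10.0.0.9 192.0.2.12 443
2009-02-19T09:03:00 10.0.0.9 192.0.2.13 22
"""

# Services that carry credentials in the clear, with the encrypted
# replacement a defender would move users to (constructed table).
CLEARTEXT_PORTS = {
    21: ("ftp", "sftp/ftps"),
    23: ("telnet", "ssh"),
    80: ("http", "https"),
    110: ("pop3", "pop3s"),
    143: ("imap", "imaps"),
}

FANOUT_WINDOW_SECONDS = 10   # constructed threshold
FANOUT_MIN_TARGETS = 6       # distinct destinations on one port inside the window


def parse_flows(text):
    """Return a list of (datetime, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows


def fanout_sources(flows):
    """Return {(src, port): distinct_targets} for sources that contact many
    distinct hosts on the same port within a short window (worm-like spread)."""
    by_key = defaultdict(list)
    for when, src, dst, port in flows:
        by_key[(src, port)].append((when, dst))
    hits = {}
    for key, events in by_key.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits inside the limit.
            while (events[end][0] - events[start][0]).total_seconds() > FANOUT_WINDOW_SECONDS:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= FANOUT_MIN_TARGETS:
                hits[key] = max(hits.get(key, 0), len(targets))
    return hits


def cleartext_exposure(flows):
    """Return {src: {service: replacement}} for hosts still using cleartext protocols."""
    report = defaultdict(dict)
    for _, src, _dst, port in flows:
        if port in CLEARTEXT_PORTS:
            service, replacement = CLEARTEXT_PORTS[port]
            report[src][service] = replacement
    return dict(report)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("fan-out:", fanout_sources(flows))
    print("cleartext:", cleartext_exposure(flows))
```

In the sample, 10.0.0.5 reaches eight distinct hosts on one port in three seconds, which is the propagation pattern a honeypot exists to record, and 10.0.0.8 still collects mail over POP3 and browses over plain HTTP, so a sniffer on that machine would see its credentials. The third host uses only encrypted services and produces no finding, which is the state the keylogger section says forces an attacker to change tactics.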


One Comment to “5 Lessons that Botnets teach Honeypots”

  1. WebBanshee Says:

    Hi, absolutely good post. Hopefully more and more people become aware that botnets are not just a bad legend. Many, many people have never even heard of botnets and their malicious activity. They do not protect themselves, not to mention patching their systems. They just do not know any better. That’s the reason these kinds of posts and articles are important.

    Good post!
