Hi, in this video I want to talk to you about a construct, a hacking construct called the botnet. I bet a lot of you have heard of this. I want to give you some background history and help you understand where this all comes from, what it means, and how it plays. And we'll tell some stories and kind of give you a good feel for this, and you'll see as we continue on that botnets play such a significant role for the cyber offense and have become kind of the offensive weapon of choice lately.

So let's go back to 1999. So in '99, you may remember, and some of you may not remember, the Y2K event was going on, where we were worried that a lot of computers were going to break on the millennium change because of the date and so on and so forth. So there were a lot of projects going on all over the world trying to keep track of how things were going to turn out through the millennium change. One of the things I worked on was a project here in the United States for the White House. The White House was setting up a big center where we were going to collect all this data and keep track of what was coming and going in terms of the Y2K event. So we set that all up, and in the months prior to setting this thing up, I got invited to a meeting at Carnegie Mellon University. That's here in the United States, in Pittsburgh. The university has a great tradition in computer science and security. They invited us to a meeting, and they told us about this thing that they called a zombie. I'll be honest with you, back in 1999, I didn't really know what a zombie was. I might have had a little bit of information I'd seen, but I didn't understand it totally. And here's what we were told. We were told that there were these pieces of code, malicious code, that could be dropped on your machine. Sort of like remote access in reverse. You know how your computer has a remote access client to connect to a remote access server?
Well, this would be the reverse, where a piece of software is dropped so someone out there can connect to your machine. So, basically it's like a little mini server, and they said that in that sense it makes you like a zombie, where someone can connect and then take control of your computer. And I thought, how is that going to work, right? I was kind of skeptical. I hadn't really seen it, and they described it, and they said that there was this protocol, and maybe it would be using Internet Relay Chat or other types of application-level utilities, for communicating between whoever was doing this and everyone's computer. And again, the emphasis was everyone's computer, and in those days in business that would for the most part be a Windows computer. Today, maybe there's a little bit more heterogeneous distribution of Windows and Apple. But years ago it was almost entirely Microsoft Windows in every business, and in a lot of homes as well. So they told us about this zombie thing and gave us some signatures that you could go look for, meaning some file names and certain behaviors that you might see in the operating system.

So I got back to where I was working, which was a number of different labs at that time, and [LAUGH] I got back and looked, and I saw them everywhere. Now let me tell you, this is profound. Like, when you don't see something, that doesn't mean it's not there. I think that's an important sort of lesson for anybody, not just in cyber security but just in science. For example, I'm here in this studio filming, and if you told me, is Radio Free Moscow here in the room with us, I would say, of course not, that makes no sense. And yet, if I had a radio and you could tune it, and you flipped it to the right sort of settings and it was sensitive enough, boom, there it is. You'd hear Radio Free Moscow. Now does that mean it's here? Yes, it does mean that, and that's something as a scientist that you need to get used to.
This idea that when you are staring at something, and in our case, because we are computer scientists, we are staring at networks and systems and computers, computer applications and software and so on, just because we don't see something doesn't mean it's not there. So I went back and I looked and saw that the zombie code was there, because I'd been given the information to tune to that setting, to set the sensitivity in such a manner to actually see that it was there. So it was a little frightening, because you really came to grips with the idea that this stuff might be there.

Now, what does this have to do with the Y2K center? Well, the reason zombies were important is because they can play that reflection-amplification game that I think we alluded to in an earlier video. The idea that my voice can go out one to many, to all of you listening. And it works as long as you are able to hear. My vocal cords make noise and it causes your eardrum to rattle a little bit. That's an amazing concept, one to many. Now, if I could make your eardrum reflect out, and say reflect to one of your friends, then my voice to all of your ears reflects and hits one target. That's a powerful concept, because you can really build up a lot of traffic, a lot of volume that way. And furthermore, as I think we also alluded to in the previous video, amplification makes it even worse. Meaning if I can not only hit all of your ears but have your ears amplify what comes out: I say one thing, and thousands of things come out of all of your ears, from all of you, at one target. So that's what we were worried about with these zombies, we were calling them zombie nets, now we call them botnets. Back in 1999, for the Y2K center. Now think about this, the Y2K center is one day, [LAUGH] right? The millennium change is a day. So, if everybody floods the Y2K center for one day, you've got a bit of a problem, right? Because we didn't know at the time how you would stop something like this.
So, that was sort of the first time I started thinking about how we would actually stop this. Now if you're wondering how we did stop it, we didn't. It didn't happen. And I have to tell you, that's another profound concept that I want you to take from this, so listen, it's important. When an attack doesn't occur, you should not and should never confuse the fact that it didn't occur with your own cleverness, because you may have absolutely nothing to do with it. And in the case of these attacks not happening, it's not because of any steps that we took to mitigate; we got lucky. A few months later, March of 2000, the first big denial of service attacks from zombies or botnets occurred. Took out CNN and eBay and so on, Yahoo. So I remember feeling a little vindicated, because I had been running around getting everybody all spun up, including President Clinton at the time. Got him very spun up that we were worried about this Y2K center.

But anyway, what this has evolved to is a botnet. Now here are the components of a botnet; we've got a diagram here that shows sort of the geographic distribution of a botnet. First and obviously, it includes bots. Your computers, your mum's computer, your friend's computer, your boss's computer at work, computers scattered across the entire planet Earth are in band to bot insertion. Now, that's also profound. To go back again, I keep on sort of linking it back to Internet history. Back in the 1990s, a typical local area network in a business would be running a protocol other than IP. There was a company called Novell, still around, that had a protocol called IPX as part of a product called NetWare, blah, blah, blah. But it was different than IP. So you weren't in band: if a hacker was trying to hack a business, they hit a gateway where there's a different protocol. It'd be like driving your car up to the edge of the road, and now you have to be a boat to get any further. It was like that. Well, now we don't have that.
Now everything's running IP, so the idea that you want to push bot software out to the PCs, piece of cake, because everything is in band on IP, on TCP/IP. That has advantages, it has disadvantages, and again, I hope you learn as you're going through these videos and going through the material that security is one of the consequences of all the interoperability and all the utility and fun that we have with the Internet. Let's face it, the fact that we can do so much that's good allows us, unfortunately, to be able to do a lot of things that are sort of bad.

So, at any rate, the first component is all these bots. The second would be these things called command and control elements. They're the monitoring and management of a botnet. It's incredible how they do this, because think of it almost like a pass-the-token kind of scheme using the domain name system, and here's what I mean. Bots are programmed to go call back to their command and control. And it's done via addresses, and it says, hey, go to this domain and that's where you're going to get your instructions. But let's say that that command and control is knocked out. It's no longer available. Well, the resilience that's programmed into a botnet uses an interesting capability. I'm not going to get too much into it, but it's called fast flux DNS, and if you have some time for additional learning, go off and Google it. Look up fast flux, you'll see how it works, but the bottom line is that it basically repoints and repurposes your callback from a command and control element that might have been knocked out to a different node. Can you imagine? The thing learns and reprograms, and command and control is passed to other nodes. It's one of the most resilient structures we have in computer science. It's amazing! I hate to use terms like elegant and well-designed and well-put-together around a piece of malware. But I don't know that you can use any other term. This is extremely elegant stuff.
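The fast flux idea above is easiest to see from the defender's side: because the C2 name keeps repointing to fresh nodes, the DNS answers for it look different from those of a normal host. The following is an added example, not code from the lecture or from any botnet; it runs a simple fast-flux heuristic over a handful of constructed passive-DNS observations (the names, addresses and TTLs are made up for illustration, and the /16 prefix and the thresholds are assumptions chosen to make the idea concrete, not a vetted detection rule).

```python
"""Added example: a simple fast-flux DNS heuristic over constructed passive-DNS data."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network
from statistics import mean
from typing import Iterable


@dataclass(frozen=True)
class DnsObservation:
    """One A-record answer as a resolver or passive-DNS sensor would see it."""
    ts: int                   # time the answer was observed (epoch seconds)
    qname: str                # the name that was resolved
    ttl: int                  # TTL of the A records in the answer
    answers: tuple[str, ...]  # IPv4 addresses returned


# Constructed sample data for this example; none of these are real observations.
OBSERVATIONS = [
    # A stable corporate host: one address, long TTL.
    DnsObservation(1000, "www.example.org", 3600, ("203.0.113.10",)),
    DnsObservation(4600, "www.example.org", 3600, ("203.0.113.10",)),
    # A CDN-style name: short TTL and rotating addresses, but all inside one /16.
    DnsObservation(1000, "cdn.example.com", 60, ("198.51.100.5", "198.51.100.6")),
    DnsObservation(1060, "cdn.example.com", 60, ("198.51.100.7", "198.51.100.8")),
    DnsObservation(1120, "cdn.example.com", 60, ("198.51.100.9", "198.51.100.5")),
    # A fast-flux-style C2 name: very short TTL, a fresh set of addresses in every
    # answer, spread over many unrelated networks (the infected hosts acting as fronts).
    DnsObservation(1000, "c2.example.net", 30, ("192.0.2.11", "198.18.4.9", "100.64.7.3")),
    DnsObservation(1030, "c2.example.net", 30, ("192.0.2.44", "198.19.77.2", "100.65.1.8")),
    DnsObservation(1060, "c2.example.net", 30, ("203.0.113.200", "198.18.200.1", "100.66.9.9")),
    DnsObservation(1090, "c2.example.net", 30, ("192.0.2.99", "198.19.3.3", "100.67.5.5")),
]


def prefix16(ip: str) -> str:
    """Collapse an IPv4 address to its /16: an assumed, cheap stand-in for 'which network'.
    Real deployments would map to an ASN instead."""
    return str(ip_network(f"{ip}/16", strict=False))


def summarize(observations: Iterable[DnsObservation]) -> dict[str, dict]:
    """Per-name metrics that fast flux pushes in one direction: many distinct
    addresses, spread over many networks, handed out with short TTLs."""
    by_name: dict[str, list[DnsObservation]] = defaultdict(list)
    for obs in observations:
        by_name[obs.qname].append(obs)

    summary = {}
    for qname, obs_list in by_name.items():
        ips = {ip for obs in obs_list for ip in obs.answers}
        summary[qname] = {
            "answers": len(obs_list),
            "unique_ips": len(ips),
            "unique_prefixes": len({prefix16(ip) for ip in ips}),
            "mean_ttl": mean(obs.ttl for obs in obs_list),
        }
    return summary


def is_fast_flux(metrics: dict, min_ips: int = 5, min_prefixes: int = 3,
                 max_ttl: int = 300) -> bool:
    """Assumed thresholds: all three conditions must hold, so a CDN that rotates
    many addresses inside one network does not trip the rule on address count alone."""
    return (metrics["unique_ips"] >= min_ips
            and metrics["unique_prefixes"] >= min_prefixes
            and metrics["mean_ttl"] <= max_ttl)


def flag_fast_flux(observations: Iterable[DnsObservation], **thresholds) -> list[str]:
    """Return the names whose answer history looks like fast flux, sorted."""
    summary = summarize(observations)
    return sorted(name for name, m in summary.items() if is_fast_flux(m, **thresholds))


if __name__ == "__main__":
    for name, m in summarize(OBSERVATIONS).items():
        print(f"{name:18} answers={m['answers']} ips={m['unique_ips']} "
              f"prefixes={m['unique_prefixes']} mean_ttl={m['mean_ttl']:.0f}")
    print("fast-flux candidates:", flag_fast_flux(OBSERVATIONS))
```

On the sample data only `c2.example.net` is flagged: the CDN-style name has as many distinct addresses but they all sit in one network, and the corporate host has a long TTL and a single address. The caveat a practitioner would want is that round-robin DNS and content delivery networks produce exactly the short-TTL, many-address pattern, so in practice this kind of score is combined with network (ASN) diversity, domain age and reputation rather than used on its own.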
It's not written by little babies; these are not the kinds of malware designs [LAUGH] that come from somebody who just woke up yesterday and figured out how to do this. These are well-designed pieces of software, network management. So you have bots, you have botnet controllers, and then you have drop sites. And there are all those ancillary features. But in your own mind, it's the bots and it's command and control. And that has become the attack, as you are now sort of building on a theme I just alluded to. You know how we've been spending a lot of time talking about worms in previous videos? You might think, wow, how did we ever fix worms? Well, you know how we fixed it? The bad guys figured botnets are more powerful, so they stopped using worms. How's that sound? I mean, as much as I would like to say that it was our cleverness, because we did start notifying people when we saw worms propagating and telling everybody, there are packets on UDP, TCP, whatever. The reality is that it wasn't our cleverness that stopped these things; it's the fact that a better weapon came along. So you don't see worms so much because botnets are easier. How does that make you feel? [LAUGH] Welcome to cyber security.

So, again, to summarize, botnets are the attack weapon of choice today for almost every cyber intruder, and also for people who are doing things non-security related. A lot of clicking, fraudulent clicking on links and so on to drive up ad revenue. You see a lot of that as well. But in our context, in the context of cyber security, offense and defense, botnets are certainly the attack weapon of choice. So, in a subsequent video we'll talk about doing maybe some of the arithmetic and math on how these things can potentially cause some big problems. So, I hope this has been helpful; we'll see you in the next video.