Botnets + VMware = Fun

Right, let's start off with a quote from Wikipedia. They explain what a botnet is far better than I ever could.

"Botnet is a jargon term for a collection of software robots, or bots, which run autonomously. This can also refer to the network of computers using distributed computing software.

While the term "botnet" can be used to refer to any group of bots, such as IRC bots, the word is generally used to refer to a collection of compromised machines running programs, usually referred to as worms, Trojan horses, or backdoors, under a common command and control infrastructure. A botnet's originator can control the group remotely, usually through a means such as IRC, and usually for nefarious purposes. Individual programs manifest as IRC "bots". Often the command and control takes place via an IRC server or a specific channel on a public IRC network. A bot typically runs hidden, and complies with the RFC 1459 (IRC) standard. Generally, the perpetrator of the botnet has compromised a series of systems using various tools (exploits, buffer overflows, as well as others; see also RPC). Newer bots can automatically scan their environment and propagate themselves using vulnerabilities and weak passwords. Generally, the more vulnerabilities a bot can scan and propagate through, the more valuable it becomes to a botnet controller community."

Visit http://en.wikipedia.org/wiki/Botnet for more information.

Okay. So now you know what a botnet is (if you didn't already...), and I can continue without confuzzling you.

As stated above, botnets are a group of rooted boxes running a trojan (backdoor) which all report to a central place (usually somewhere on IRC) from where the 12 year old kid issues commands. I say '12 year old kid' because these are usually the owners of botnets - IRC kiddies who want to flood channels, etc. These kiddies use them primarily for this purpose - IRC mayhem. Another group of owners is the slightly more experienced kiddie. This kiddie will be using them for DDoS attacks. Finally, you then have the owners that are the lowest of the low, the spammers. The owners of these botnets will use them mainly for setting up hidden mail servers that act as open relays, allowing them to send viagra pill e-mails and the like to your inbox. The spammers usually buy their botnets from these kiddies via PayPal, etc... but enough of that for now.

Now, with all these different 'types' of owners operating botnets, this is where it gets interesting. Often these different types of people are sharing the same botnets and don't even realise it. However, some people do realise this. This is where the mayhem starts and turf wars begin. Imagine a drug dealer dealing crack on another drug dealer's turf. He isn't going to be a very happy bunny that the new drug dealer is taking away his business. This is almost exactly the same with botnets. The spammer wants to spam; he doesn't want to DDoS and isn't concerned with flooding IRC channels. The IRC kiddie simply wants to flood channels. The more experienced kiddie wants to DDoS people; however, his actions will get noticed and machines on the botnet will drop pretty quickly as they are patched. The spammer does not like this as it decreases the volume of spammage that he can send out, etc. Therefore, each of these different types of people hates the others for various reasons. Hence, the turf war begins.

This is what used to happen 'back in the day' when hackers ended up rooting the same boxes as each other. You'd have a hacker who would maybe have had root on a box for years. Suddenly, some kiddie comes along, roots it and wants to deface it. Almost certainly the hacker who has been there for years will lose his root, as it will come to the company's attention that the box has been hacked. Now, you could say two things here. Firstly, the hacker who rooted it years ago should have secured it so the kiddie could not get on. Yup, that's a good idea. Secondly, who gives a shit, they both have illegal root access. Either way, I'm going a bit off topic. What I want to get across is that there is an almost 24/7 turf war going on over illegal ownership of rooted boxes between all these different groups of people.

Sounds like fun? Of course it does. That's why we should get involved. This is where the VMware comes in.

VMware is basically a piece of software that allows you to run a machine within a machine - a virtual machine. Think of it as a matrix within a matrix from the second Matrix film, if you're a Matrix geek. Anyways, what this allows us to do is to play with these kiddies but not get our box raped in the process. In essence, we're making a sandbox (much like Java, in fact) on our machine so anything that happens to the VMware virtual machine is independent of our own box.

Right... So we load up VMware. Build a virtual machine with Windows XP on it. However, do not patch it whatsoever. We want to make it as easy as possible for them to exploit it. We are creating a honeypot in a way; however, its sole purpose is not just research. Right. Now you will have to mess about a little with internal bridging and networking (and even port forwarding) to get it so that if an attacker connects to, say, port 139 (NetBIOS) on your external IP (which is obviously your box, not the VMware), it forwards this to the VMware virtual machine on port 139. Once this is complete, we are almost ready to go. One more thing to do and that is to grab Ethereal (and the pcap plugin) and install it so we can sniff packets. Done that? Ready to set sail!

Start up Ethereal and start sniffing. Start up mIRC on your virtual machine (or any client of your choice...) and connect to a large IRC network (e.g. Undernet) and join some large IRC channels (e.g. #chat, #chatzone, etc.). When you join the channel you will be prompted with loads of DCC send requests from people like Lotta18f, etc. Lotta18f is a client (or bot) on a botnet which is attempting to infect other users when they join the channel, in the hope they will accept the file. Lotta18f isn't in fact 18, she isn't female and she is certainly not hot. It's all scripted and automated. The nick 'Lotta18f' exists in a text file, probably called randomnicks.txt, on the compromised box. Anyways, back to the task at hand... Normally, we wouldn't accept them as they are trojans. However, accept away.

Now, switch your attention to the Ethereal window. You will see all kinds of packets going past. The trojan will be installing itself, visiting websites to update itself and grab more files, etc. It will also connect to the IRC server and IRC channel that the owner specified in the config file of the trojan, but it will do this in the background and within a hidden window. You will not see the actual window and it will hide itself as some other system task within Windows. Anyways, we are not too bothered about this as we wanted to get infected. Look through the packets (even follow a TCP stream) until you see connections that look IRC related but are not to the IRC server you are currently on. For example, you connected to irc.undernet.org first of all. You will see your packets here. This is normal. What you will also see is packets relating to, say, irc.privateevilserver.org. This is not normal; this is the trojan doing its job and connecting to the IRC server and channel mentioned above, where the owner sits controlling the botnet. Investigate some of the packets and you will see things such as :PRIVMSG, :JOIN, etc. These are raw IRC commands being issued by the trojan in the background to communicate with the botnet.

This is where the fun starts!

From investigating the packets, you can note down (a) the IRC server it's connecting to, (b) the channel (which is often secret and has a password; we will get the password from the packets), (c) activity in the channel, (d) the bot master (or owner) giving out commands to the botnet, etc. You could simply watch it from Ethereal. However, where is the fun in that? Now, go back to your main machine (not the VMware virtual machine). Open up mIRC and change some important details so we look like a bot in the botnet. For example, our nickname should be something like Mike22m, and our "REALNAME" or "IDENT" should also mirror that of the bots in the botnet, for example "~IDENT@host.com". Look at the initial bot that infected you on IRC via the /whois command and see what its details were. Now, once we have our disguise complete, we are ready to go once again.
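As an added example (not from the original post), here is the triage you would otherwise do by eye in Ethereal: given lines reassembled from the VM's TCP streams, it flags any IRC session to a server other than the one you joined on purpose and pulls out the channel, its key and the bot master's commands, which is exactly the detail you want in hand for an abuse@ report. The hostnames, nicks and payload lines are constructed; only irc.undernet.org is a real network.

```python
import re
from collections import defaultdict

# The server the analyst joined on purpose; any other IRC session is the trojan's.
EXPECTED_SERVER = "irc.undernet.org"

# Raw IRC line (RFC 1459): "[:prefix ]COMMAND [params] [:trailing]"
IRC_LINE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<cmd>[A-Z]+|\d{3})(?: (?P<params>.*))?$")

# Constructed sample standing in for "Follow TCP Stream" output: (dst host, dst port, payload line).
SAMPLE_STREAMS = [
    ("irc.undernet.org", 6667, "JOIN #chat"),
    ("irc.privateevilserver.org", 6667, "NICK Mike22m"),
    ("irc.privateevilserver.org", 6667, "JOIN #secretchan s3cr3tkey"),
    ("irc.privateevilserver.org", 6667, ":owner!~o@h PRIVMSG #secretchan :!owner auth p4ss"),
    ("irc.privateevilserver.org", 6667, ":owner!~o@h PRIVMSG #secretchan :!packet 192.0.2.10"),
]

def parse_irc_line(line):
    """Split a raw IRC line into (prefix, command, middle params, trailing)."""
    m = IRC_LINE.match(line.strip())
    if not m:
        return None
    params = m.group("params") or ""
    if params.startswith(":"):          # only a trailing parameter
        middle, trailing = [], params[1:]
    elif " :" in params:                # middle params, then trailing
        head, trailing = params.split(" :", 1)
        middle = head.split()
    else:
        middle, trailing = params.split(), None
    return m.group("prefix"), m.group("cmd"), middle, trailing

def find_c2(streams, expected=EXPECTED_SERVER):
    """Map each unexpected IRC server to the channels joined on it (with the
    cleartext key, if any) and the "!"-prefixed bot-master commands seen there."""
    findings = defaultdict(lambda: {"channels": {}, "commands": []})
    for host, _port, line in streams:
        if host == expected:
            continue
        parsed = parse_irc_line(line)
        if not parsed:
            continue
        _prefix, cmd, middle, trailing = parsed
        if cmd == "JOIN" and middle:  # JOIN <channel> [<key>]
            findings[host]["channels"][middle[0]] = middle[1] if len(middle) > 1 else None
        elif cmd == "PRIVMSG" and trailing and trailing.startswith("!"):
            findings[host]["commands"].append(trailing)
    return dict(findings)
```

Feed it the lines of every IRC-looking stream from the capture and anything that comes back is a C2 indicator worth recording alongside the infecting nick and the time.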

Remember the scene from Independence Day where they took the recovered alien space ship back up to the mothership? It pulled them in automatically and assumed it was one of its own. Why wouldn't it? It looked the same, its technology and computer systems were the same, etc. I know, I know, it's only a film. The reason I am saying this is to get a point across. What we are doing is basically the same. We are going to join where the botnet resides. This is the mothership if we relate it back to the film. All the alien ships (the bots in the botnet) will be sitting there waiting for commands to be issued by the owner. Now, although the owner is not a green alien and doesn't have extremely large ears, he will be sitting in there with the bots which make up the botnet. So when we join the channel with our disguise, the owner will think it's a new box that's been compromised and is part of his botnet. All hail the new bot! Eh... or something like that. I know I keep saying this, but this is *really* where it starts getting fun. We sit and we watch. The owner will be typing commands for his botnet to carry out. Although we won't be responding to these commands, as we are not actually an infected box, the chances are he won't know as there will be thousands of bots in the channel. You will see stuff like "!packet xxx.xxx.xxx.xxx", "!owner auth", etc. He will be typing passwords and commands in cleartext in the channel. He will have no idea that someone would be pretending to be a bot. That's the last thing he would think of. Now, this is where we up the level.

At this point, you have two options.

You can pretend you're an FBI agent and paste loads of legal bullshit and shit him up and say he's about to get raided, or...

You can turn his botnet on him!

I won't explain how to turn his botnet on him; it's pretty easy if you think about it... *cough* issue commands. I'm not sure how things stand legally about doing this, as you will be illegally operating machines that you do not own... so basically, you're just as bad as him. So maybe issuing a command whereby you remove his ownership of the botnet would be the more ethical thing to do. Although you may have more fun with the FBI agent role-playing route.

Either way, I do not encourage pretending to be an FBI agent as this is of course against the law. I am merely giving suggestions as to some fun.

I suggest a good thing to do would be to "/who #channelname", which will show all the bots in the channel with their IP addresses. Then paste this into a .txt file and e-mail it to the appropriate abuse@ addresses to get something done. Of course, we're all human so I'll leave the decision up to you.
