Botnet

A botnet is a collection of compromised computers connected to the Internet (these are also known as 'bots'). When a computer becomes compromised, it becomes a part of a botnet. Botnets are usually controlled via standards based network protocols such as IRC and http.[1]

Contents

Background

Bots originated as a useful tool without any significant malicious overtone; they were originally developed as a virtual individual that could sit in an IRC channel and perform tasks while the user was too occupied to do so.[2] Soon after the release of the first IRC bot, a few worms which exploited vulnerabilities in IRC clients began to appear. Infected computers, or newly formed "bots", were then used to steal passwords, log keystrokes, and act as a proxy server to conceal the attackers identity.

Botnets were used for both recognition and financial gain -- indeed, the larger the botnet, the more ‘kudos’ the person ('bot herder') orchestrating the botnet could claim in underground online communities. The bot herder can also ‘rent out’ the services of the botnet to third parties, usually for sending out spam messages or performing a denial of service attack against a remote target. Due to the large numbers of compromised machines within the botnet, huge volumes of traffic (either email or denial of service) can be generated. However, in recent times, the volume of spam originating from a single compromised host has dropped in order to thwart anti-spam detection algorithms – a larger number of compromised hosts send a smaller number of messages in order to evade detection by anti-spam techniques.

Botnets have become a significant part of the Internet, albeit increasingly hidden. Due to most conventional IRC networks taking measures and blocking access to previously-hosted botnets, controllers must now find their own servers. Often, a botnet will include a variety of connections and network types. Sometimes a controller will hide an IRC server installation on an educational or corporate site where high-speed connections can support a large number of other bots. Exploitation of this method of using a bot to host other bots has proliferated only recently.

Several botnets have been found and removed from the Internet. The Dutch police found a 1.5 million node botnet[3] and the Norwegian ISP Telenor disbanded a 10,000-node botnet.[4] In July 2010, the FBI arrested a 23-year old Slovenian said to have integrated an estimated 12 million computers into a botnet. [5] Large coordinated international efforts to shut down botnets have also been initiated.[6] It has been estimated that botnets control up to 15% of computers worldwide that are connected to the internet.[7] Conficker is one of the largest known botnets, with an estimated 1 million to 10 million infected machines. It attempts to sell fake antivirus software to its victims.[8]

Recruitment

Computers are recruited into a botnet by running malicious software. This may be achieved by a drive-by download exploiting web browser vulnerabilities, or by tricking the user into running a Trojan horse program, possibly in an email attachment. As with any malware, there is no general rule; the software controls the computer and can do anything. It will typically install modules which allow the computer to be commanded and controlled by the botnet's owner. The Trojan may delete itself, or may remain present to update and maintain the modules.

The public warez scene is used to spread malicious software for the recruitment of new bots. Some websites have the malicious software embedded in all their available downloads. There is a false belief among some users, who think that infected keygens are flagged as malicious software by anti-virus programs for only the illegal aspect of the software.

Organization

While botnets are often named after their malicious software name, there are typically multiple botnets in operation using the same malicious software families, but operated by different criminal entities.[9]

While the term "botnet" can be used to refer to any group of bots, such as IRC bots, this word is generally used to refer to a collection of computers (called zombie computers) which have been recruited by running malicious software.

A botnet's originator (aka "bot herder" or "bot master") can control the group remotely, usually through a means such as IRC, and usually for nefarious purposes. Individual programs manifest as IRC "bots". Often the command-and-control takes place via an IRC server or a specific channel on a public IRC network. This server is known as the command-and-control server ("C&C"). Though rare, more experienced botnet operators program their own command protocols from scratch. The constituents of these protocols include a server program, a client program for operation, and the program that embeds itself on the victim's machine (bot). All three of these usually communicate with each other over a network using a unique encryption scheme for stealth and protection against detection or intrusion into the botnet network.

A bot typically runs hidden and uses a covert channel (e.g. the RFC 1459 (IRC) standard, Twitter, or IM) to communicate with its C&C server. Generally, the perpetrator of the botnet has compromised a series of systems using various tools (exploits, buffer overflows, as well as others; see also RPC). Newer bots can automatically scan their environment and propagate themselves using vulnerabilities and weak passwords. Generally, the more vulnerabilities a bot can scan and propagate through, the more valuable it becomes to a botnet controller community. The process of stealing computing resources as a result of a system being joined to a "botnet" is sometimes referred to as "scrumping."

Botnet servers will often liaise with other botnet servers, such that a group may contain 20 or more individual cracked high-speed connected machines as servers, linked together for purposes of greater redundancy. Actual botnet communities usually consist of one or several controllers that rarely have highly-developed command hierarchies between themselves; they rely on individual friend-to-friend relationships.[10]

The architecture of botnets has evolved over time, and not all botnets exhibit the same topology for command and control. Depending upon the topology implemented by the botnet, it may make it more resilient to shutdown, enumeration, or command and control location discovery. However, some of these topologies limit the saleability and rental potential of the botnet to other third-party operators.[11] Typical botnet topologies are:

To thwart detection, some botnets are scaling back in size. As of 2006, the average size of a network was estimated at 20,000 computers, although larger networks continued to operate.[12]

Formation and exploitation

This example illustrates how a botnet is created and used to send email spam.

  1. A botnet operator sends out viruses or worms, infecting ordinary users' computers, whose payload is a malicious application—the bot.
  2. The bot on the infected PC logs into a particular C&C server (often an IRC server, but, in some cases a web server).
  3. A spammer purchases the services of the botnet from the operator.
  4. The spammer provides the spam messages to the operator, who instructs the compromised machines via the IRC server, causing them to send out spam messages.

Botnets are exploited for various purposes, including denial-of-service attacks, creation or misuse of SMTP mail relays for spam (see Spambot), click fraud, spamdexing and the theft of application serial numbers, login IDs, and financial information such as credit card numbers.

The botnet controller community features a constant and continuous struggle over who has the most bots, the highest overall bandwidth, and the most "high-quality" infected machines, like university, corporate, and even government machines.[13]

Types of attacks

Preventive measures

If a machine receives a denial-of-service attack from a botnet, few choices exist. Given the general geographic dispersal of botnets, it becomes difficult to identify a pattern of offending machines, and the sheer volume of IP addresses does not lend itself to the filtering of individual cases. Passive OS fingerprinting can identify attacks originating from a botnet: network administrators can configure newer firewall equipment to take action on a botnet attack by using information obtained from passive OS fingerprinting. The most serious preventive measures utilize rate-based intrusion prevention systems implemented with specialized hardware. A network based intrusion detection system (NIDS) will be an effective approach when detecting any activities approaching botnet attacks. NIDS monitors a network, it sees protected hosts in terms of the external interfaces to the rest of the network, rather than as a single system, and get most of its results by network packet analysis.[17]

Some botnets use free DNS hosting services such as DynDns.org, No-IP.com, and Afraid.org to point a subdomain towards an IRC server that will harbor the bots. While these free DNS services do not themselves host attacks, they provide reference points (often hard-coded into the botnet executable). Removing such services can cripple an entire botnet. Recently, these companies have undertaken efforts to purge their domains of these subdomains. The botnet community refers to such efforts as "nullrouting", because the DNS hosting services usually re-direct the offending subdomains to an inaccessible IP address. Similarly, some botnets implement custom versions of well-known protocols. The implementation differences can be used for fingerprint-based detection of botnets. For example, Mega-D features a slightly modified SMTP protocol implementation for testing the spam capability. Bringing down the Mega-D's SMTP server disables the entire pool of bots that rely upon the same SMTP server.[18]

The botnet server structure mentioned above has inherent vulnerabilities and problems. For example, if one was to find one server with one botnet channel, often all other servers, as well as other bots themselves, will be revealed. If a botnet server structure lacks redundancy, the disconnection of one server will cause the entire botnet to collapse, at least until the controller(s) decide on a new hosting space. However, more recent IRC server software includes features to mask other connected servers and bots, so that a discovery of one channel will not lead to disruption of the botnet.

Several security companies such as Afferent Security Labs, Symantec, Trend Micro, FireEye, Umbra Data and Damballa have announced offerings to stop botnets. While some, like Norton AntiBot (discontinued), are aimed at consumers, most are aimed to protect enterprises and/or ISPs. The host-based techniques use heuristics to try to identify bot behavior that has bypassed conventional anti-virus software. Network-based approaches tend to use the techniques described above; shutting down C&C servers, nullrouting DNS entries, or completely shutting down IRC servers.

Newer botnets are almost entirely P2P, with command-and-control embedded into the botnet itself. By being dynamically updateable and variable they can evade having any single point of failure. Commanders can be identified solely through secure keys and all data except the binary itself can be encrypted. For example a spyware program may encrypt all suspected passwords with a public key hard coded or distributed into the bot software. Only with the private key, which only the commander has, can the data that the bot has captured be read.

Newer botnets have even been capable of detecting and reacting to attempts to figure out how they work. A large botnet that can detect that it is being studied can even DDoS those studying it off the internet.

There is an effort by researchers at Sandia National Laboratories to analyze the behavior of these botnets by simultaneously running one million Linux kernels as virtual machines on a 4,480-node Dell high-performance computer cluster.[19]

Historical list of botnets

Date created Date dismantled Name Estimated no. of bots Spam capacity Aliases
1999 !a 999,999,999 100000 !a
2009 (May) BredoLab 30,000,00030,000,000[20] 3.6 billion/day Oficla
2008 (around) Mariposa 12,000,000[21] 0 ?
0? Conficker 10,500,000+[22] 10 billion/day DownUp, DownAndUp, DownAdUp, Kido
2010 (around) TDL4 4,500,000[23] 0 ? TDSS, Alureon
0? Zeus 3,600,000 (US Only) [24] -1n/a Zbot, PRG, Wsnpoem, Gorhax, Kneber
2007 (Around) Cutwail 1,500,000 [25] 74 billion/day Pandex, Mutant (related to: Wigon, Pushdo)
0? Grum 560,000 [26] 39.9 billion/day Tedroo
0? Mega-D 509,000 [27] 10 billion/day Ozdok
0? Kraken 495,000 [28] 9 billion/day Kracken
2007 (March) Srizbi 450,000[29] 60 billion/day Cbeplay, Exchanger
0? Lethic 260,000 [30] 2 billion/day none
2004 (Early) Bagle 230,000[30] 5.7 billion/day Beagle, Mitglieder, Lodeight
0? Bobax 185,000[30] 9 billion/day Bobic, Oderoor, Cotmonger, Hacktool.Spammer, Kraken
0? Torpig 180,000 [31] -1 n/a Sinowal, Anserin
0? Storm 160,000 [32] 3 billion/day Nuwar, Peacomm, Zhelatin
2006 (Around) Rustock 150,000 [33] 30 billion/day RKRustok, Costrat
0? Donbot 125,000 [34] 0.8 billion/day Buzus, Bachsoy
2008 (November) Waledac 80,000 [35] 1.5 billion/day Waled, Waledpak
0? Maazben 50,000 [30] 0.5 billion/day None
0? Onewordsub 40,000 [36] 1.8 billion/day 0?
0? Gheg 30,000 [30] 0.24 billion/day Tofsee, Mondera
0?  ?? 20,000 [36] 5 billion/day Loosky, Locksky
0? Wopla 20,000 [36] 0.6 billion/day Pokier, Slogger, Cryptic
2008 (Around) Asprox 15,000 [37] 0 ? Danmec, Hydraflux
0 Spamthru 12,000 [36] 0.35 billion/day Spam-DComServ, Covesmer, Xmiler
2010 (January) LowSec 11,000+ [30] 0.5 billion/day LowSecurity, FreeMoney, Ring0.Tools
0? Xarvester 10,000 [30] 0.15 billion/day Rlsloup, Pixoliz
2009 (August) Festi 0 ? 2.25 billion/day none
2008 (Around) Gumblar 0 ? 0 ? None
2007 Akbot 1,300,000 [38] 0 ? None
2100 z! -100,000,000 -99999 z!

See also

References

  1. ^ Ramneek, Puri (2003-08-08). "Bots &; Botnet: An Overview" (PDF). SANS Institute. http://www.sans.org/reading_room/whitepapers/malicious/bots-botnet-overview_1299. Retrieved 2011-06-21. 
  2. ^ al.], Craig A. Schiller ... [et (2007). "1". Botnets the killer web app ([Online-Ausg.] ed.). Rockland, MA: Syngress Publishing. p. 6. ISBN 9781597491358. 
  3. ^ Botnet operation controlled 1.5m PCs by Tom Sanders, vnunet.com.
  4. ^ Telenor takes down 'massive' botnet by John Leyden, The Register.
  5. ^ "FBI — FBI, Slovenian and Spanish Police Arrest Mariposa Botnet Creator, Operators". Fbi.gov. http://www.fbi.gov/news/pressrel/press-releases/fbi-slovenian-and-spanish-police-arrest-mariposa-botnet-creator-operators. Retrieved 2011-11-10. 
  6. ^ ISPs urged to throttle spam zombies by John Leyden, The Register.
  7. ^ http://chronicle.com/article/Top-10-Threats-to-Computer/23469/
  8. ^ Messmer, Ellen. "The botnet world is booming". Network World. http://www.networkworld.com/news/2009/070909-botnets-increasing.html. Retrieved 6 April 2011. 
  9. ^ Many-to-Many Botnet Relationships, Damballa, 8 June 2009.
  10. ^ "what is a Botnet trojan?". DSL Reports. http://www.dslreports.com/faq/14158. Retrieved 7 April 2011. 
  11. ^ Botnet Communication Topologies, Damballa, 10 June 2009.
  12. ^ "Hackers Strengthen Malicious Botnets by Shrinking Them" (PDF). Computer (IEEE Computer Society). April 2006. http://csdl2.computer.org/comp/mags/co/2006/04/r4017.pdf. Retrieved 2010-10-22. "The size of bot networks peaked in mid-2004, with many using more than 100,000 infected machines, according to Mark Sunner, chief technology officer at MessageLabs...The average botnet size is now about 20,000 computers, he said." 
  13. ^ "Trojan horse, and Virus FAQ". DSLReports. http://www.broadbandreports.com/faq/trojans/1.0_Trojan_horses. Retrieved 7 April 2011. 
  14. ^ "Operation Aurora — The Command Structure". Damballa.com. http://www.damballa.com/research/aurora/. Retrieved 2010-07-30. 
  15. ^ Larkin, Erik (2009-02-10). "Fake Infection Warnings Can Be Real Trouble". PCWorld. http://www.pcworld.com/article/159316/fake_infection_warnings_can_be_real_trouble.html. Retrieved 2011-11-10. 
  16. ^ 8 Jul 2010 (2010-07-08). "Korean Poker Hackers Arrested". Poker.gamingsupermarket.com. http://poker.gamingsupermarket.com/news/4660/korean-poker-hackers-arrested. Retrieved 2011-11-10. 
  17. ^ al.], Craig A. Schiller ... [et (2007). "5". Botnets the killer web app ([Online-Ausg.] ed.). Rockland, MA: Syngress Publishing. p. 156. ISBN 9781597491358. 
  18. ^ C.Y. Cho, D. Babic, R. Shin, and D. Song. Inference and Analysis of Formal Models of Botnet Command and Control Protocols, 2010 ACM Conference on Computer and Communications Security.
  19. ^ "Researchers Boot Million Linux Kernels to Help Botnet Research". IT Security & Network Security News. 2009-08-12. http://www.eweek.com/c/a/Security/Researchers-Boot-Million-Linux-Kernels-to-Help-Botnet-Research-550216/?kc=EWKNLLIN08182009STR2. Retrieved 2011-04-23. 
  20. ^ "Infosecurity (UK) - BredoLab downed botnet linked with Spamit.com". .canada.com. http://www2.canada.com/topics/technology/story.html?id=3333655. Retrieved 2011-11-10. 
  21. ^ "Suspected 'Mariposa Botnet' creator arrested". .canada.com. http://infoaleph.wordpress.com/2011/07/03/como-detectar-y-borrar-el-rootkit-tdl4-tdssalureon/. Retrieved 2010-07-30. 
  22. ^ "Calculating the Size of the Downadup Outbreak — F-Secure Weblog : News from the Lab". F-secure.com. 2009-01-16. http://www.f-secure.com/weblog/archives/00001584.html. Retrieved 2010-04-24. 
  23. ^ "Cómo detectar y borrar el rootkit TDL4 (TDSS/Alureon)". kasperskytienda.es. 2011-07-03. http://infoaleph.wordpress.com/2011/07/03/como-detectar-y-borrar-el-rootkit-tdl4-tdssalureon/. Retrieved 2011-07-11. 
  24. ^ "America's 10 most wanted botnets". Networkworld.com. 2009-07-22. http://www.networkworld.com/news/2009/072209-botnets.html. Retrieved 2011-11-10. 
  25. ^ "Pushdo Botnet — New DDOS attacks on major web sites — Harry Waldron — IT Security". Msmvps.com. 2010-02-02. http://msmvps.com/blogs/harrywaldron/archive/2010/02/02/pushdo-botnet-new-ddos-attacks-on-major-web-sites.aspx. Retrieved 2010-07-30. 
  26. ^ "Research: Small DIY botnets prevalent in enterprise networks". ZDNet. http://www.zdnet.com/blog/security/research-small-diy-botnets-prevalent-in-enterprise-networks/4485. Retrieved 2010-07-30. 
  27. ^ Warner, Gary (2010-12-02). "Oleg Nikolaenko, Mega-D Botmaster to Stand Trial". CyberCrime & Doing Time. http://garwarner.blogspot.com/2010/12/oleg-nikolaenko-mega-d-botmaster-to.html. Retrieved 2010-12-06. 
  28. ^ "New Massive Botnet Twice the Size of Storm — Security/Perimeter". DarkReading. http://www.darkreading.com/security/perimeter/showArticle.jhtml?articleID=211201307. Retrieved 2010-07-30. 
  29. ^ "Technology | Spam on rise after brief reprieve". BBC News. 2008-11-26. http://news.bbc.co.uk/2/hi/technology/7749835.stm. Retrieved 2010-04-24. 
  30. ^ a b c d e f g http://www.messagelabs.com/mlireport/MLI_2010_04_Apr_FINAL_EN.pdf
  31. ^ Chuck Miller (2009-05-05). "Researchers hijack control of Torpig botnet". SC Magazine US. http://www.scmagazineus.com/researchers-hijack-control-of-torpig-botnet/article/136207/. Retrieved 2011-11-10. 
  32. ^ "Storm Worm network shrinks to about one-tenth of its former size". Tech.Blorge.Com. 2007-10-21. http://tech.blorge.com/Structure:%20/2007/10/21/2483/. Retrieved 2010-07-30. 
  33. ^ Chuck Miller (2008-07-25). "The Rustock botnet spams again". SC Magazine US. http://www.scmagazineus.com/the-rustock-botnet-spams-again/article/112940/. Retrieved 2010-07-30. 
  34. ^ http://www.secureworks.com/research/threats/botnets2009/
  35. ^ "Waledac botnet 'decimated' by MS takedown". The Register. 2010-03-16. http://www.theregister.co.uk/2010/03/16/waledac_takedown_success/. Retrieved 2011-04-23. 
  36. ^ a b c d Gregg Keizer (2008-04-09). "Top botnets control 1M hijacked computers". Computerworld. http://www.computerworld.com/s/article/9076278/Top_botnets_control_1M_hijacked_computers. Retrieved 2011-04-23. 
  37. ^ "Botnet sics zombie soldiers on gimpy websites". The Register. 2008-05-14. http://www.theregister.co.uk/2008/05/14/asprox_attacks_websites/. Retrieved 2011-04-23. 
  38. ^ "New Zealand teenager accused of controlling botnet of 1.3 million computers". The H security. 2007-11-30. http://www.h-online.com/security/news/item/New-Zealand-teenager-accused-of-controlling-botnet-of-1-3-million-computers-734068.html. Retrieved 2011-11-12. 
  39. ^ Espiner, Tom (2011-03-08). "Botnet size may be exaggerated, says Enisa | Security Threats | ZDNet UK". Zdnet.co.uk. http://www.zdnet.co.uk/news/security-threats/2011/03/08/botnet-size-may-be-exaggerated-says-enisa-40092062/. Retrieved 2011-11-10. 

External links

Botnets
Notable botnets
Akbot · Asprox · Bagle · Bredolab · Cutwail · Conficker · Donbot · Grum · Gumblar  · Kraken · Lethic · Mariposa · Mega-D · Metulji · Rustock · Srizbi · Storm · Torpig · Waledac · Zeus
Main articles
Infectious malware
Concealment
Malware for profit
By operating system
Protection
Countermeasures