The Creation and Detection of a Botnet
Stuart Henderson
Ethical Hacking White Paper
University of Abertay Dundee
B Sc Ethical Hacking &
Countermeasures
May 2013
Note that the information contained in this document is for educational purposes.
ABSTRACT
Cyber crime has grown in recent years and is becoming a larger threat, and botnets are one of its main tools. A botnet is a set of compromised computers spread across the internet that carry out whatever task a single attacker gives them. The bots can steal personal information, send spam, DDoS websites and servers, or do anything else the attacker wishes. Anyone with access to a bot-building toolkit can create their own botnet and raise their own army of bots. This paper gives a step-by-step account of the actions taken to successfully create a botnet in a lab, and then examines techniques to prevent and detect a bot infection.
TABLE OF CONTENTS
Introduction
Defining a Botnet
Creating a Custom Botnet
Botnet Discussion and Prevention
Conclusions
Bibliography
INTRODUCTION
Home computers and company networks are constantly at risk and are highly sought after by attackers. When the traditional virus first appeared it mostly served to cause mischief and pranks. Such viruses could copy themselves into files that were then carried, unknown to the user, to another host computer. This type of virus is easily detected and can be removed safely. Today, however, the most dangerous cyber threats come from botnets and the infected computers that make them up. Botnets are used to conduct cyber attacks and to steal sensitive information from large businesses and organisations, causing substantial financial losses. The threat is so large that millions of computers are infected with bot software at any given moment without their users' knowledge. Could such a threat be replicated by an ordinary attacker with little or no knowledge of how botnets work?
This report outlines the key steps required to create a botnet and describes the basic background and fundamentals of how a botnet functions.
DEFINING A BOTNET
1.1 WHAT IS A BOTNET?
The word "botnet" derives from "robot" and "network". In its most basic form a botnet is a set of internet-connected programs that work together to accomplish a task. Malicious hackers distribute malware that turns a computer into a bot by various methods. These malicious programs sit on a compromised host unknown to the user, waiting for commands from a third-party botnet controller (the bot herder), who issues them remotely over standard network protocols such as IRC and HTTP. A botnet is also known as a "zombie army". Most bot-infected computers are home PCs. The task given to a botnet can be anything from the legitimate job of managing IRC channels to the illegal one of a DDoS attack that slows a website down or takes it offline. Until it receives a command from the bot herder, a bot stays hidden. Many home users now have a fast internet connection and a fast computer that serve well as part of a botnet. Bots can also propagate across a network just like worms, infecting a larger number of computers; together these computers form the botnet.
1.2 COMMAND AND CONTROL
Traditionally, botnets were controlled over IRC (Internet Relay Chat) because it is simple and flexible to use, although it is easy to spy on the botnet traffic this way because IRC is sent in clear text. Bot herders do not control each bot directly; they issue orders through a central command and control server, which acts as a safeguard in case a machine is investigated, and they gain some protection by reaching that server over the Tor network to remain anonymous. Many botnets use HTTP to fetch tasks from the server instead. The bot herder does not have to send commands to the bots at all; each bot polls the server over HTTP at regular intervals and picks up its instructions. This method has the advantage of not being blocked by firewalls, since HTTP is a common protocol that almost every network allows out. The cost, from the attacker's point of view, is that polling on a timer produces a regular "beacon" in the web proxy or firewall logs, which a defender can look for even when each request on its own looks like ordinary browsing.
Figure 1 [1]
[1] InfoSec Institute Resources – Botnets and cybercrime – Introduction. 2013. [ONLINE] Available at: http://resources.infosecinstitute.com/botnets-and-cybercrime-introduction/. [Accessed 16 May 2013].
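The regular polling described above is what a defender can look for in a web proxy log. The following Python script is an added example written for this paper, not code from the original or from the Zeus toolkit: it groups requests by client and URL and flags any pair fetched on a near-constant timer. The log lines are constructed for the example; the controller address 10.0.0.26 and the /xampp/1/ path follow the lab set-up used later in this paper, while the victim address 10.0.0.31, the file name cfg.bin, the log format and the thresholds are assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (not real traffic). Format assumed:
# <ISO timestamp> <client IP> <method> <URL> <status>.
# 10.0.0.26 and /xampp/1/ follow the lab in this paper; 10.0.0.31 as the
# victim and cfg.bin as the file the bot polls are assumptions.
SAMPLE_LOG = """\
2013-05-16T10:00:00 10.0.0.31 GET http://www.play.com/ 200
2013-05-16T10:00:04 10.0.0.31 GET http://www.play.com/images/logo.png 200
2013-05-16T10:01:00 10.0.0.31 GET http://10.0.0.26/xampp/1/cfg.bin 200
2013-05-16T10:01:37 10.0.0.31 GET http://www.paypal.com/ 200
2013-05-16T10:02:00 10.0.0.31 GET http://10.0.0.26/xampp/1/cfg.bin 200
2013-05-16T10:02:52 10.0.0.31 GET http://www.bbc.co.uk/news 200
2013-05-16T10:03:01 10.0.0.31 GET http://10.0.0.26/xampp/1/cfg.bin 200
2013-05-16T10:03:59 10.0.0.31 GET http://10.0.0.26/xampp/1/cfg.bin 200
2013-05-16T10:04:10 10.0.0.31 GET http://www.bbc.co.uk/sport 200
2013-05-16T10:05:00 10.0.0.31 GET http://10.0.0.26/xampp/1/cfg.bin 200
2013-05-16T10:05:03 10.0.0.42 GET http://www.play.com/ 200
2013-05-16T10:06:00 10.0.0.31 GET http://10.0.0.26/xampp/1/cfg.bin 200
2013-05-16T10:06:30 10.0.0.42 GET http://www.play.com/basket 200
2013-05-16T10:09:12 10.0.0.42 GET http://www.bbc.co.uk/news 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def parse_log(text):
    """Return (timestamp, client, url) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, _method, url, _status = m.groups()
        records.append((datetime.fromisoformat(ts), client, url))
    return records


def find_beacons(records, min_hits=5, max_jitter=0.2):
    """Flag (client, url) pairs requested at least min_hits times with
    near-constant spacing. Jitter is measured as the coefficient of variation
    of the gaps between requests: a timer-driven poll has a small one, a
    person clicking through a site has a large one. Both thresholds are
    assumed values for this lab.
    Returns (client, url, mean_gap_seconds, hits)."""
    stamps = defaultdict(list)
    for ts, client, url in records:
        stamps[(client, url)].append(ts)
    findings = []
    for (client, url), times in sorted(stamps.items()):
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # identical timestamps: a burst, not a beacon
        if statistics.pstdev(gaps) / mean <= max_jitter:
            findings.append((client, url, round(mean), len(times)))
    return findings


if __name__ == "__main__":
    for client, url, gap, hits in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{client} polled {url} {hits} times, every ~{gap}s")
```

On the sample the only pair that trips the check is the victim fetching cfg.bin roughly once a minute; the same user's browsing of Play.com and the BBC is too irregular and too sparse to be flagged. Real bots add random jitter to the timer, so in practice the jitter threshold is loosened and the window lengthened to hours rather than minutes.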
1.3 THE MANY USES OF A BOTNET
The larger the botnet, the more impact it can have on the internet, and there are many variations of botnet. One botnet, "Zeus", first identified in July 2007, was used to steal banking credentials through key logging and form grabbing. It reports the infected user's bank credentials back to the bot herder. It reaches a user's computer by methods such as drive-by downloads and phishing. The primary target of this Trojan was computers running a Windows operating system, but in 2012 variants of Zeus were discovered that also targeted the BlackBerry and Android phone operating systems. This mobile version of Zeus, used in the campaign dubbed "Eurograbber", was able to steal $47 million in 2012.[2]
Some botnets have the single purpose of sending spam. Spamming from the attacker's own computer is not efficient, because once discovered the attacker's ISP will stop them sending email. To bypass this, spammers changed tactics and adopted sending spam from other people's computers through a botnet. One noteworthy botnet that focused on pharmaceutical spam, "Grum", was shut down on 19 July 2012; it was reported that this one botnet alone was responsible for 18% of worldwide spam traffic.[3]
Other botnets are designed specifically for launching denial of service attacks on particular websites. If the bot controller accumulates a large number of bots and commands them collectively to flood a site, the DDoS attack cripples the website and renders it unusable. Cyber criminals can sell these Trojan botnets for a fee, or extort a company for money to stop a DDoS attack that could cost it millions per day in revenue. Renting out a DDoS botnet to take down a competitor's website is one way to earn money in the botnet market. One advertisement quotes prices by the length of the attack, from "1 hour of DDoS attack is $5" up to "1 month of persistent DDoS attack is $900",[4] and even offers discounts to prospective customers.
There are two main methods used to bring down a website with a DDoS. The first is the HTTP GET flood, in which each bot requests a page from the website many times per second, over and over again; combined with a large number of bots this can succeed in disrupting and bringing down the site. The second is the classic SYN flood, which initiates the TCP three-way handshake but never responds to the server's SYN-ACK, leaving a half-open connection on the server, and then starts the handshake again from the beginning, usually with a spoofed source address so the SYN-ACKs go nowhere. The server's table of half-open connections fills up and legitimate clients can no longer connect. Whoever controls the bots holds a great deal of power that can disrupt major companies and cause huge losses in revenue. The cybercrime ecosystem thrives on this competition between businesses.
[2] Zeus Botnet Eurograbber Steals $47 Million - Security - InformationWeek. 2013. [ONLINE] Available at: http://www.informationweek.co.uk/security/attacks/zeus-botnet-eurograbber-steals-47-millio/240143837. [Accessed 16 May 2013].
[3] BBC News - Huge spam botnet Grum is taken out by security researchers. 2013. [ONLINE] Available at: http://www.bbc.co.uk/news/technology-18898971. [Accessed 16 May 2013].
[4] DDoS for hire services offering to 'take down your competitor's web sites' going mainstream | Webroot Threat Blog - Internet Security Threat Updates from Around the World. 2013. [ONLINE] Available at: http://blog.webroot.com/2012/06/06/ddos-for-hire-services-offering-to-take-down-your-competitors-web-sites-going-mainstream/. [Accessed 16 May 2013].
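On the server side a SYN flood shows up as a pile of half-open connections. The Python script below is an added example, not part of the original paper: it parses the kind of connection table a Windows "netstat -an" prints, counts connections stuck in SYN_RECEIVED per listening port and reports how many distinct sources they came from. The netstat output is constructed for the example, the 203.0.113.x sources are documentation addresses standing in for spoofed attackers, and the threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed "netstat -an" output (not a real capture). 10.0.0.26 is the web
# server from this paper's lab; the 203.0.113.x sources are documentation
# addresses standing in for spoofed or widely distributed attackers.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    10.0.0.26:80           10.0.0.31:1034         ESTABLISHED
  TCP    10.0.0.26:80           10.0.0.42:1101         ESTABLISHED
  TCP    10.0.0.26:80           203.0.113.5:40001      SYN_RECEIVED
  TCP    10.0.0.26:80           203.0.113.17:40002     SYN_RECEIVED
  TCP    10.0.0.26:80           203.0.113.29:40003     SYN_RECEIVED
  TCP    10.0.0.26:80           203.0.113.41:40004     SYN_RECEIVED
  TCP    10.0.0.26:80           203.0.113.53:40005     SYN_RECEIVED
  TCP    10.0.0.26:80           203.0.113.65:40006     SYN_RECEIVED
  TCP    10.0.0.26:80           203.0.113.77:40007     SYN_RECEIVED
  TCP    10.0.0.26:80           203.0.113.89:40008     SYN_RECEIVED
  TCP    10.0.0.26:443          10.0.0.31:1035         SYN_RECEIVED
"""

NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def parse_netstat(text):
    """Return (local_addr, local_port, remote_addr, remote_port, state) tuples,
    skipping the header and any line that does not look like a TCP entry."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            laddr, lport, raddr, rport, state = m.groups()
            conns.append((laddr, int(lport), raddr, int(rport), state))
    return conns


def half_open_by_port(conns):
    """Map each local port to the remote addresses whose handshake never
    completed (state SYN_RECEIVED): the footprint of a SYN flood."""
    pending = defaultdict(list)
    for _laddr, lport, raddr, _rport, state in conns:
        if state == "SYN_RECEIVED":
            pending[lport].append(raddr)
    return pending


def detect_syn_flood(conns, threshold=5):
    """Flag every local port with more than `threshold` half-open connections
    (the threshold is an assumed value for this lab; tune it per server).
    Returns (port, half_open, distinct_sources). When distinct_sources is
    close to half_open the SYNs come from many, probably spoofed, addresses,
    so blocking individual sources would not help; SYN cookies or a rate
    limit at the edge would."""
    findings = []
    for port, sources in sorted(half_open_by_port(conns).items()):
        if len(sources) > threshold:
            findings.append((port, len(sources), len(set(sources))))
    return findings


if __name__ == "__main__":
    for port, pending, sources in detect_syn_flood(parse_netstat(SAMPLE_NETSTAT)):
        print(f"port {port}: {pending} half-open connections from {sources} sources")
```

Port 80 is flagged with eight half-open connections from eight different sources, while the single stalled handshake on port 443 is ignored. An HTTP GET flood looks different in this table: the bots complete their handshakes, so the connections appear as ESTABLISHED and the signal is the request rate in the web server's access log rather than the number of half-open entries.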
CREATING A BOTNET
To build and administer our botnet we will be using the popular Zeus toolkit (also known as Zbot, Wsnpoem, Gorhax and Kneber).[5] A web-based control panel is used to control and maintain the botnet, and a builder tool allows the attacker to create the executables used to infect the victim's machine. The public ZeuS toolkit is distributed freely, which is why there are so many variations of the Zeus botnet. There is also a commercial version that includes more features than the public one; it sells on the web for anywhere from "$40 to $4000", and has piracy protection built in to prevent it becoming public.[5] For this paper we use the freely distributed public version. Zeus is best known as a large-scale commercial banking Trojan that captures key strokes and form data. In October 2010 a ring of cyber criminals was found to have stolen up to $70 million using the Zeus toolkit.[5]
2.1 CREATION OF A BOTNET - STEP BY STEP GUIDE
Two machines are set up, both running Windows XP Service Pack 3. One machine (Attacker) holds the bot builder and the command and control server; the other (Victim) runs the bot.
1. First a local web server is set up on the Attacker's machine by installing XAMPP, an open source web server package. The bot builder is downloaded; the builder used here ships with files already configured to work with XAMPP.
Within the "conf" folder of the Zeus builder folder there is an "httpd.conf" file that needs to be edited: the IP address in it is changed to the bot controller's IP address. In this case the controller's IP address is 10.0.0.26.
Figure 2
2. The "conf" folder and all its contents are copied to "C:\XAMPP\apache". The "1" folder is copied to "C:\XAMPP\htdocs\xampp".
3. Next XAMPP is run and "Apache" and "MySql" are started. Both are allowed through the firewall.
4. The web browser (in this case Google Chrome) is launched and the controller's IP address is entered in the address bar to reach the XAMPP page.
5. Navigate to "Security" and set the password to "password".
[5] Attack Toolkit Business Gaining Legitimacy | Security News. 2013. [ONLINE] Available at: http://www.pctools.com/security-news/attack-toolkits/. [Accessed 16 May 2013].
6. Navigate to "phpMyAdmin" and log in with the credentials "root" and "password". The SQL configuration page should be displayed.
7. Create a new database called "bssnet".
Figure 3
8. Once the database has been created, click "Import", then "Choose file", navigate to the file "bssnet.sql" and click "Go". The import should report success.
9. Next navigate to "10.0.0.26/xampp/1/install/index.php". This opens the control panel installer (Figure 4). The user name and password in the first section are the attacker's choice; in this case the user is "admin" and the password is "qwerty123". The MySQL server section takes the username and password that were set up on the Security page, here "root" and "password". Finally it needs an encryption key, which can be found in the config.txt file in the ZeuS builder folder. Once all fields are correct click "Install".
Figure 4
10. Once this has completed the attacker can log in to the control panel that manages the bots. Navigate to "10.0.0.26/xampp/1/cp.php?m=login" and enter the credentials "admin" and "qwerty123".
Figure 5
11. This takes the attacker to the botnet control panel (Figure 6). From here the user can view information such as how many bots are in circulation, which operating systems they are running under, and the data the bots have captured. There are also options to update the bots to the most recent version of the bot software and to send scripts to every bot in circulation.
Figure 6
The next step is to make the bot executable itself, which will be placed on the victim's machine.
1. In the config.txt file in the ZeuS builder directory, edit the IP addresses to match the bot controller's IP address.
2. Next launch "zsb.exe", the ZeuS builder (Figure 7), and click the "Builder" tab.
Figure 7
3. Click "Build config" and save the configuration file to the desktop.
4. Next click "Build loader" and save the "bt.exe" executable to the same location as the config file built previously. Once these two files have been created the builder is no longer needed and can be closed.
5. Copy the two files from the Desktop to the "C:\XAMPP\htdocs\xampp\1" folder.
Figure 8
6. Finally, place the "bt.exe" executable on the victim's machine and run it.
Once the program has been executed on the victim's side, testing can begin to ensure that the botnet is fully functional.
Using Play.com as an example shopping site, the victim signs in to purchase goods, using a non-existent account "fake@fake.com" and the password "racecar99". Back on the attacker's computer, the control panel shows a new entry in the database containing the login details captured from the victim's computer.
Figure 9
It was next tested on the PayPal registration form. It successfully captured all the information the user entered into the form, including the password "catanddog1".
Figure 10
It was next tested against the bank Lloyds TSB: the user attempted to log in and the data was successfully captured.
Figure 11
PayPal and the bank both serve their login pages over HTTPS, yet the credentials were captured anyway. This is because the form grabber hooks the browser itself and reads the form data before the browser encrypts it, so the padlock in the address bar offers no protection against a bot already running on the machine.
Script commands were then tested to confirm that the attacker holds some control over the compromised computer. A simple "reboot" command was sent to the bot on the victim's PC and the computer restarted without any prompt or input from the victim. There are further commands that issue various other tasks to the bot.
BOTNET PREVENTION
3.1 HOW CAN A USER PROTECT THEMSELVES?
Botnets are particularly harmful to people who bank or shop online regularly. Attackers use bots equipped with key logging functions to obtain such users' personal financial details. In other cases a bot may use your computer to send spam, to host phishing sites, or to hold payloads that infect other users. Clearly a user needs prevention and detection measures in place to avoid becoming part of a botnet.
Anti-virus is one of the key elements of botnet prevention. Most anti-virus products are updated periodically to protect the user from harmful files and attacks from outside. The anti-virus application detects patterns it knows to be malicious and prevents the file from executing; as long as it is well maintained and up to date it should detect known malware on the system. Note, however, that a bot freshly built from a toolkit, as in the steps above, may not match any signature yet, so anti-virus alone is not sufficient.
Windows Updates patch security holes in the operating system, protecting the user's computer and files from attack and making the system more secure and reliable. These updates are extremely important and it is crucial to keep up to date with the latest patches.
The firewall serves as a barrier between the attacker and the victim. A firewall regulates network traffic by inspecting packets and deciding, according to its rules, whether they are allowed through. It should be kept well maintained. Bear in mind that a bot which polls its controller over HTTP looks like ordinary web browsing, so a firewall that simply allows all outbound web traffic will not stop it.
The browser's security features are just as important as the anti-virus. Many websites are compromised, and malicious JavaScript hidden in the page will attempt to force malware onto the victim's machine. It may use browser plug-in exploits to gain access to the system and perform a "drive-by download", which downloads a file without the user's consent or knowledge and installs it without a single prompt. Most drive-by downloads are malicious programs such as spyware and bots. Browser developers patch their browsers regularly to close these holes, and the user must install those patches. Plug-ins such as Java, Adobe Flash and Adobe Reader must also be kept up to date. It is recommended that JavaScript be disabled by default and enabled only on trusted, commonly used sites such as banking and shopping websites.
The next point may be obvious, but avoid opening email attachments received from unknown sources; such a file is very likely infected with some sort of worm or virus. Ensure your spam filter is working correctly, and if you do read a suspicious email, read it in plain text. Finally, the most effective way of preventing a virus or bot infection is common sense: do not download files from suspicious sites, and scan files before opening them.
Upon discovering that a bot is present on your machine, disconnect the PC from the network right away. This ensures it cannot talk to the bot controller and stops it from carrying out any task it was given. Use the anti-virus to scan and clean the machine, removing the bot from the system completely. Since a bot like Zeus will already have captured any credentials typed on that machine, change those passwords from a separate, clean device, and treat reinstalling the operating system as the only certain way to be sure the machine is clean.
CONCLUSION
In conclusion, a botnet is very easy to create for the average "script kiddie" who does not fully understand what a botnet is or the destructive force it possesses, simply by using a toolkit builder. Now more than ever, botnets remain the most powerful weapon a cyber criminal can possess. If the command and control servers behind a botnet were seized and investigated, there is a good chance the attacker would not be caught, because they reach the server over an anonymous connection such as Tor, which makes it almost impossible to trace back to the real source. Seizing the server does, however, mean the bots no longer receive commands and carry out no further malicious tasks, since the "brain" has been shut down. Careful use of computers and the internet goes a long way towards preventing a bot infection. Keeping everything up to date closes the holes that drive-by downloads rely on, but as the test above shows, the bot only needs the victim to run one executable, so the user's own caution matters as much as patching.
BIBLIOGRAPHY
Fueled by super botnets, DDoS attacks grow meaner and ever-more powerful | Ars Technica. 2013. [ONLINE] Available at: http://arstechnica.com/security/2013/04/fueled-by-super-botnets-ddos-attacks-grow-meaner-and-ever-more-powerful/. [Accessed 16 May 2013].
Alomari, Manickam, Gupta, Karuppayah, Alfaris, 2012. Botnet-based Distributed Denial of Service (DDoS) Attacks on Web Servers: Classification and Art. International Journal of Computer Applications, Volume 49 No. 7, 9. [ONLINE] Available at: http://arxiv.org/ftp/arxiv/papers/1208/1208.0403.pdf. [Accessed 16 May 2013].
What is botnet (zombie army)? - Definition from WhatIs.com. 2013. [ONLINE] Available at: http://searchsecurity.techtarget.com/definition/botnet. [Accessed 16 May 2013].
Attack Toolkit Business Gaining Legitimacy | Security News. 2013. [ONLINE] Available at: http://www.pctools.com/security-news/attack-toolkits/. [Accessed 16 May 2013].
Botnet Protection Measures PC Users Can Adopt. 2013. [ONLINE] Available at: http://www.best-pc-security-software.com/botnet-protection.html. [Accessed 16 May 2013].