BOTNET

Victim machine: the compromised internet host on which the malicious bot is installed after the attacker has exploited an application or operating system vulnerability or has duped the user into executing a malicious program. Once infected, the target host is also referred to as a Zombie.

Attacker: the one who configures the bot, compromises a machine to install the malicious bot, and controls and directs the bots once they join the designated IRC channel.

Control channel: a private (IRC/HTTP) channel on the server side, created by the attacker as a rendezvous point for all the bots to join once they are installed on infected machines and are online; it comprises a channel name and a password 'key' to authenticate.

Server: a system which provides services to its users or clients; this could be a legitimate public service provider like DALNET etc. or another machine compromised by the attacker.

Botnet: all the bots, once connected to the control channel, form a botnet, i.e. a network of bots awaiting the attacker's commands.

B. Botnet working

Most modern bots are controlled via IRC. IRC servers by default use port 6667. IRC servers also usually listen on several other ports by default, including 6660, 6661, 6662, 6663, 6664, 6665, 6666, 6668, 6669 and 7000. These other ports are often used so that the more commonly known port 6667 is not shown in Netstat as a remote port that the computer is connected to. Many IRC servers used by botherders are modified and may run on almost any port.[2]

When a bot signs in for duty, it does so to an IRC server which is running a specific channel [2] for the bots and bot masters to log in to. Typically these 'bot' channels will be hidden as much as possible to stop the IRC server owner/admin from finding the botnet channel and killing it. To do this the bot master will almost always set the following modes on the channel at the very minimum:
+s (mark the channel as secret so that it cannot be seen in the channel list)
+u (hide the user list)
+m (make the channel moderated, so that a user cannot send text to the channel unless they have operator @ access or +v voice)
+k (make the channel password protected)

Botnets usually use dynamic DNS names from any of the providers that offer free dynamic DNS services. When configured, these are set up with a very short TTL (Time-to-live), so if the botnet's current IRC server gets disconnected the botnet is headless [command and control disabled] only for a short while, until a new IRC server is specified or the original comes back on-line on a new IP address. In the case of private IRC servers, other IRC commands may well have been removed, to discourage anyone who finds the server or to warn the botnet owner that their server has been found.

So, once the 'zombie' system signs on for duty to the IRC control channel, it will almost certainly receive some instructions; these may well be to first try and find other 'victims' to press-gang into service as part of the botnet it has joined.

Figure 4 shows a number of ways that a bot can get installed on a new victim system.
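The point of the paragraph above is that looking for the default IRC ports (6660-6669, 7000) in Netstat output is not enough, because a bot's server can listen on any port. As an added example that is not part of the paper, the following Python script (my own, run over constructed flow records rather than real captures) classifies outbound connections by what the client actually sends: IRC registration commands on any port, a channel JOIN that carries a +k key, or traffic to a default IRC port that is not IRC at all. Addresses, nicknames and channel names in the sample are invented.

```python
import re
from dataclasses import dataclass, field

# Default IRC listening ports named in the text: 6660-6669 and 7000.
IRC_DEFAULT_PORTS = frozenset(range(6660, 6670)) | {7000}

# Client-to-server IRC registration/command lines (RFC 1459 syntax), matched at
# the start of a line. Because a bot server can listen on any port, the payload
# rather than the destination port is the dependable signal.
IRC_LINE = re.compile(r"^(?:PASS|NICK|USER|JOIN|MODE|PRIVMSG|PONG)\s", re.I)
# "JOIN #channel key": a channel join carrying a +k password.
JOIN_WITH_KEY = re.compile(r"^JOIN\s+(#\S+)\s+(\S+)", re.I)


@dataclass
class Flow:
    src: str      # internal client
    dst: str      # remote server
    dport: int    # remote port, as netstat would show it
    payload: str  # first client-to-server bytes, decoded as text


@dataclass
class Finding:
    flow: Flow
    reasons: list = field(default_factory=list)


def classify(flow):
    """Return review reasons for one flow (an empty list means nothing to flag)."""
    lines = [l for l in flow.payload.splitlines() if l]
    irc_lines = [l for l in lines if IRC_LINE.match(l)]
    reasons = []
    if irc_lines:
        reasons.append("irc-protocol")
        if flow.dport not in IRC_DEFAULT_PORTS:
            reasons.append(f"irc-on-nonstandard-port:{flow.dport}")
        for line in irc_lines:
            m = JOIN_WITH_KEY.match(line)
            if m:
                reasons.append(f"keyed-channel-join:{m.group(1)}")
    elif flow.dport in IRC_DEFAULT_PORTS:
        # Port alone proves nothing; note it so an analyst can look deeper.
        reasons.append(f"irc-port-without-irc-payload:{flow.dport}")
    return reasons


def analyse(flows):
    """Return a Finding for every flow that has at least one reason."""
    findings = []
    for flow in flows:
        reasons = classify(flow)
        if reasons:
            findings.append(Finding(flow, reasons))
    return findings


# Constructed sample flows (addresses from RFC 5737 ranges; not real captures).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.7", 6667,
         "NICK [XP]-8821\r\nUSER x 0 0 :x\r\nJOIN #ch3ck k3y\r\n"),
    Flow("10.0.0.9", "203.0.113.8", 8080,
         "PASS s3cret\r\nNICK [2K]-0031\r\nJOIN #b0t pw\r\n"),
    Flow("10.0.0.12", "198.51.100.3", 443, "\x16\x03\x01\x00\xa5\x01"),  # TLS hello
    Flow("10.0.0.3", "198.51.100.20", 6669, "GET / HTTP/1.1\r\nHost: x\r\n"),
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_FLOWS):
        f = finding.flow
        print(f"{f.src} -> {f.dst}:{f.dport}  {', '.join(finding.reasons)}")
```

The "irc-on-nonstandard-port" reason is a review trigger, not a verdict: legitimate IRC on an odd port exists, but a host that registers with a server and joins a keyed channel on port 8080 is exactly the pattern the text describes and is worth pulling the full session for.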
Other than scanning for new victims to infect, the zombie may be requested to update the bot executable or install new components. Any bot-infected system can become the master command and control IRC server. This makes it quite difficult to 'behead' a botnet, as in reality it can 're-grow' a new head almost at will.

Prime Targets/Victims

The victim profile most desired by botherders is the internet-connected host that is less monitored and has high bandwidth, typically home computers or university servers; these are therefore the most vulnerable to bot infection[4].

High bandwidth: among the most sought-after internet hosts for attackers are machines connected to the internet by broadband access, giving attackers a large cumulative attack bandwidth to target servers for DDoS or to host pirated files or software.

Location: the attacker targets machines which are geographically far away from their own location and with a relatively low probability of law enforcement officers being able to trace the bots back to the attacker.

Thus the most likely profile of the victims is that of a residential broadband connection or of university servers that are connected to the internet via a broadband connection and are available, i.e. 'on', most of the time. The attackers generally target the subnets of ISPs providing residential broadband connectivity, or university subnets, that have low or no access control devices and minimal monitoring of the internet connection.

III. COMMAND AND CONTROL TECHNOLOGIES

A. IRC servers for command and control

The most commonly used C&C server type is internet relay chat (IRC). These servers are favored because they require very minimal effort and administration for use in C&C. Attackers can use public IRC networks or build their own. Private IRC servers can be collocated at "bullet proof"[a] (BP) hosting providers that guarantee uptime, or the software can be installed on one of the compromised systems.

The IRC channel topic can instruct compromised systems within the botnet to perform a specified action. The channel topic shown in Figure 6 directs the system to perform the following functions:[5]
• .advscan – botnet command to scan for vulnerable systems
• lsass_445 – attempt to exploit vulnerable hosts using VU#753212
• 150 – the number of concurrent threads
• 3 – the number of seconds to delay between scans
• 9999 – specified amount of time to perform the scanning activity
• -r – the IP addresses it attempts to scan should be generated randomly
• -s – the scan should be silent and not report its findings back in the channel

B. Web-based command and control

Another method attackers use to control a botnet is HTTP. Attackers most commonly configure bot malware to instruct the compromised system to access a PHP script on a web site with its system-identifying information embedded in the URL. A web interface can be created to track and control the botnet.

Figures 6 and 7 present web-based C&C interface views. Attackers use the interface to send commands to an individual system or to the entire botnet via the HTTP responses. A more covert way for the malware to receive its commands is for it to query a web site under the attacker's control. The malware knows what information to expect and how to interpret it into valid commands.

The cmd.php page shown in Figure 7 is an example of a web page used by bot herders to send commands to compromised systems within the botnet. These commands are entered into the page and, upon submission, a command file is created (cmd.txt). The compromised systems query for the cmd.txt file every 5 seconds and then perform any of the commands issued to them. Some of these commands direct bots to

[a] The term "bullet proof" hosting means that the services offered cannot be shut down. These facilities tend to be located overseas or offshore where laws may not be present or as strict.
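The 5-second polling of cmd.txt described above is visible from the network as an unusually regular request cadence from one client to one URL, something a human browsing never produces. As an added example that is not part of the paper, here is a Python routine (my own) over constructed proxy-log lines that flags (client, URL) pairs whose inter-request intervals are short and nearly constant. The log format, the thresholds and the sample hosts are assumptions made for illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy-log lines: "<ISO timestamp> <client> <method> <URL>".
# The hosts, paths and times are made up for this example. The first client
# polls a command file every 5 s; the second is irregular human browsing.
SAMPLE_LOG = """\
2006-03-01T10:00:00 10.0.0.5 GET http://203.0.113.9/bot/cmd.txt
2006-03-01T10:00:05 10.0.0.5 GET http://203.0.113.9/bot/cmd.txt
2006-03-01T10:00:10 10.0.0.5 GET http://203.0.113.9/bot/cmd.txt
2006-03-01T10:00:15 10.0.0.5 GET http://203.0.113.9/bot/cmd.txt
2006-03-01T10:00:20 10.0.0.5 GET http://203.0.113.9/bot/cmd.txt
2006-03-01T10:00:25 10.0.0.5 GET http://203.0.113.9/bot/cmd.txt
2006-03-01T10:00:02 10.0.0.7 GET http://www.example.com/
2006-03-01T10:00:41 10.0.0.7 GET http://www.example.com/
2006-03-01T10:03:09 10.0.0.7 GET http://www.example.com/
2006-03-01T10:09:30 10.0.0.7 GET http://www.example.com/
2006-03-01T10:15:02 10.0.0.7 GET http://www.example.com/
2006-03-01T10:21:48 10.0.0.7 GET http://www.example.com/
"""


def parse(log_text):
    """Yield (timestamp, client, url) for each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the run
        ts, client, _method, url = parts
        yield datetime.fromisoformat(ts), client, url


def find_beacons(log_text, min_requests=5, max_cv=0.2, max_mean_gap=600.0):
    """
    Return {(client, url): median_gap_seconds} for request series that look
    like machine polling: at least min_requests hits, a mean gap no longer
    than max_mean_gap seconds, and gap jitter (stdev/mean) of at most max_cv.
    """
    series = defaultdict(list)
    for ts, client, url in parse(log_text):
        series[(client, url)].append(ts)
    beacons = {}
    for key, stamps in series.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0 or mean > max_mean_gap:
            continue
        if statistics.pstdev(gaps) / mean <= max_cv:
            beacons[key] = statistics.median(gaps)
    return beacons


if __name__ == "__main__":
    for (client, url), gap in find_beacons(SAMPLE_LOG).items():
        print(f"{client} polls {url} every ~{gap:.0f}s")
```

Treat the output as a triage list: software updaters, RSS readers and monitoring agents also poll on fixed timers, so an allowlist of known polling destinations keeps the list short, and a hit against an unknown host that returns a small text file is the case to look at first.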
A. Exploitation

The life of a botnet client, or botclient, begins with its exploitation. This exploitation of the botclient can be done in different ways. Some of the methods are as follows.

Malicious Code

Exploitation through malicious code may come in various forms, including:
■ Phishing e-mails, which lure the user to a Web site that installs malicious code in the background.
■ Enticing Web sites with Trojan code ("Click here to see the Dancing Monkeys!").
■ E-mail attachments that, when opened, execute malicious code.
■ Spam in instant messaging (SPIM). An instant message is sent to someone by some known person with a message like "You got to see this!" followed by a link to a Web site that downloads and executes malicious code on the victim's computer.

scanning tools first check for open ports. Then they take the list of systems with open ports and use vulnerability-specific scanning tools to scan those systems with open ports associated with known vulnerabilities. Botnets scan for host systems that have one of a set of vulnerabilities that, when compromised, permit remote control of the vulnerable host. A fairly new development is the use of Google to search for vulnerable systems.

The hacker community is counting on millions of users that do not update their computers promptly. Modular botnets are able to incorporate new exploits in their scanning tools almost overnight. Diligent patching is the best prevention against this type of attack. If it involves a network protocol that one doesn't normally use, a host-based firewall can protect against this attack vector.

However, if it is a protocol that one must keep open, it will need intrusion detection/protection capabilities. Unfortunately there is usually a lag of some time from when the patch comes out until the intrusion detection/protection updates are released. Sometimes antivirus software may be able to detect the exploit after it happens, if it detects the code before the code hides from the A/V tool or, worse, turns it off.
has the ability to control another computer without the knowledge of the owner. They are easy to use because only a few skilled users deploy them in their default configurations, which means that anyone who knows the default password can take over the Trojan'ed PC.

SDBot exploits the following backdoors:
■ Optix backdoor (port 3140)
■ Bagle backdoor (port 2745)
■ Kuang backdoor (port 17300)
■ Mydoom backdoor (port 3127)
■ NetDevil backdoor (port 903)
■ SubSeven backdoor (port 27347)

B. Rallying and Securing the Botnet Client

Rallying is the initial phase of the life of a new botnet client. Rallying is the term given to the first time a botnet client logs in to a C&C server. The login may use some form of encryption or authentication to limit the ability of others to eavesdrop on the communications. Some botnets are beginning to encrypt the communicated data. At this point the new botnet client may request updates. The updates could be updated exploit software, an updated list of C&C server names, IP addresses, and/or channel names. This will assure that the botnet client can be managed. The next task of the botherder is to secure the new client from removal. The client can request the location of the latest anti-antivirus (Anti-A/V) tool from the C&C server. The newly controlled botclient would download this software and execute it to remove the A/V tool, hide from it, or render it ineffective. The botclient also starts its rootkit detector, hides, and launches the password collection programs.[10]

C. Waiting for Orders and Retrieving the Payload

After securing the botnet client, it will listen on the C&C communications channel. From now on it is the botherder who sends commands to the botclients in order to perform some operation.

The botnet client will then request the task or functions to be done. These functions can change at any time through modular design. Updates can be sent prior to the execution of any assigned task. The function of the botnet client can be changed simply by downloading new payload software, designating the target(s), scheduling the execution, and setting the desired duration of the action.

V. BOTNET MITIGATION TECHNOLOGIES

A. Perimeter and Network Firewalls

To help minimise the chances of infected systems 'phoning home' once successfully infected by a bot, one should ensure a 'deny-all' policy on firewalls, both at the perimeter and also on other firewalls used to partition the network. The same goes for all other network-aware applications that need [or want] to connect to the internet or across the network: use a deny-all firewall setup. Only open up ports that need to be open for internet access. This will help not just in tackling bots but malicious software in general. Firewall logs [and DNS, Proxy, SMTP, etc.] should be reviewed regularly to ensure that any bot and botnet traffic can be analysed, infected systems remediated and further defences considered, or existing ones fortified by tightening configurations, etc.

B. Application Firewalls (Proxies)

Where possible, proxy all traffic destined for the Internet that can be set up to use a proxy server. All traffic for these protocols, including IRC, HTTP, FTP and any other protocol or application that does not use the proxies, should be blocked. Any application can be run through a proxy server using tools like Netcat, SocksCap and HTTP-Tunnel, so one should ensure that the proxy is secured and that logging is enabled, so that the logs can be reviewed for any IRC traffic which has passed through the proxy server.

C. DNS

Set up local DNS records for known botnet control sites, so that the command and control for these botnets is disabled. This is commonly called "nullrouting" or a "sink hole", because the DNS entries direct the offending domain or subdomains to an inaccessible IP address. Some examples of IRC botnet names that can be neutralised in this way include:[12]
• bleh.darkacidonline.us
• blackcarder.net
• pod2004.dyndns.dk
• metalhead2005.info
• d66.myleftnut.info
• m3t4lh34d.info

D. SMTP

Only 'official' SMTP servers are allowed to route mail to the internet; all other SMTP traffic that does not use the 'official' SMTP servers should be logged and/or dropped, as it is the result of malware either trying to spread itself or sending SPAM, Phishing or Scam emails. These include file extensions such as those in Table 1. There are almost certainly a number of other extensions/file types that should be blocked, and a number of those on the list have caveats associated with their use.

E. IDS and IPS

IDS is "a system that tries to identify attempts to hack or break into a computer system or to misuse it. IDSs may monitor packets passing over the network, monitor system files, monitor log files, or set up deception systems that attempt to trap hackers". IDS has two variants:[13]

(a) NIDS [Network based Intrusion Detection Systems] and
(b) HIDS [Host based Intrusion Detection Systems]

and both are used in the fight against bots and botnets.
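To make the DNS sinkhole of section C concrete, the following added Python example (mine, not the paper's) turns the paper's list of botnet controller names into a dnsmasq configuration that answers every query for those names and their subdomains with a sinkhole address, and then scans dnsmasq query-log lines for internal clients that still ask for them, which is how a sinkhole doubles as an infected-host detector. The sinkhole address 192.0.2.1 (an RFC 5737 documentation address) and the log lines are constructed; in practice the sinkhole address is an unroutable address of your own, or a listener you control that records the connection attempts.

```python
import ipaddress
import re
from collections import defaultdict

# Domain names the text lists as IRC botnet controllers (its reference [12]).
BOTNET_DOMAINS = [
    "bleh.darkacidonline.us", "blackcarder.net", "pod2004.dyndns.dk",
    "metalhead2005.info", "d66.myleftnut.info", "m3t4lh34d.info",
]
# Assumed sinkhole target: an address nothing on the network can reach.
SINKHOLE_IP = "192.0.2.1"


def dnsmasq_sinkhole_config(domains, sink_ip):
    """Emit dnsmasq 'address=/domain/ip' lines; each also matches subdomains."""
    ipaddress.ip_address(sink_ip)  # raise early on a malformed address
    names = sorted({d.lower().rstrip(".") for d in domains})
    return "".join(f"address=/{d}/{sink_ip}\n" for d in names)


def is_sinkholed(name, domains):
    """True if name is one of the blocked domains or lies under one of them."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


# Constructed dnsmasq query-log lines (dnsmasq's own "query[TYPE] name from
# client" format); clients and timestamps are invented.
SAMPLE_DNS_LOG = """\
Mar  1 10:00:01 dnsmasq[812]: query[A] www.example.com from 10.0.0.7
Mar  1 10:00:03 dnsmasq[812]: query[A] pod2004.dyndns.dk from 10.0.0.5
Mar  1 10:00:08 dnsmasq[812]: query[A] pod2004.dyndns.dk from 10.0.0.5
Mar  1 10:00:09 dnsmasq[812]: query[A] irc.m3t4lh34d.info from 10.0.0.12
Mar  1 10:00:11 dnsmasq[812]: query[AAAA] mail.example.com from 10.0.0.7
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)")


def sinkhole_hits(log_text, domains):
    """Return {client: {queried_name: count}} for queries to sinkholed names."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_sinkholed(m["name"], domains):
            hits[m["client"]][m["name"].lower()] += 1
    return {client: dict(names) for client, names in hits.items()}


if __name__ == "__main__":
    print(dnsmasq_sinkhole_config(BOTNET_DOMAINS, SINKHOLE_IP))
    for client, names in sinkhole_hits(SAMPLE_DNS_LOG, BOTNET_DOMAINS).items():
        print(client, "->", names)
```

The query log, not the blocked answer, is the valuable output: every client that asks for a sinkholed name is a host to pull off the network and remediate, and repeated queries from the same client a few seconds apart are the bot retrying its rally.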
Network based Intrusion Detection Systems:

NIDS monitors all network traffic passing on the segment where the agent is installed, reacting to any anomaly or signature-based activity. Basically this is a packet sniffer with attitude. They analyse every packet for suspected nefarious activity; most will also look for anomalies within the protocol.

There are many NIDS products on the market; probably the best known are:
• Snort
• RealSecure

Host based Intrusion Detection Systems:

Most HIDS do one or more of the following to detect compromised systems:
1. Integrity checking
2. System log monitoring
3. Policy-driven behaviour blocking
4. Kernel wrapping
5. Buffer overflow detection

Intrusion Prevention Systems:

An intrusion prevention system (IPS) is any device which exercises access control to protect computers from exploitation. "Intrusion prevention" technology is considered by some to be an extension of intrusion detection (IDS) technology, but it is actually another form of access control, like an application layer firewall. Intrusion prevention systems were invented by vendors who decided to make access control decisions based on application content, rather than IP address or ports as traditional firewalls had done.

Intrusion prevention systems may also act at the host level to deny potentially malicious activity. According to some researchers, IDS is dead and has been replaced by IPS [Intrusion Prevention Systems]. Examples of IPS products include IntruShield from McAfee, Proventia from Internet Security Systems and Attack Mitigator from Top Layer. Just like with IDS there are both network and host based solutions available. The IPS possesses the capability to stop malicious traffic it recognises in its tracks, thereby stopping an infected system infecting others on the network.[14]

F. Anti-Virus

The use of anti-virus technologies as a detection method for bot-infected systems is most prominent, as many of the bots are detected by anti-virus products. In some cases this functionality may well be the first to be deployed, as a dropper is being spammed out. Once run, the dropper lowers or neutralises any local defences and then opens up the backdoor, or just downloads more components as required to complete the infiltration. The anti-virus tools can only [normally] detect malware they know about. New malware variants may well be detected by heuristics.

G. Anti-Rootkit Tools

Rootkit: a rootkit is a collection of tools an intruder brings along to a victim computer after gaining initial access, usually via hacking into the box manually or by getting a user to execute a Trojan or Worm which will install a backdoor for them to slither onto the system in the first place. A rootkit generally contains network sniffers, log-cleaning scripts, and trojaned replacements of core system utilities.

There are a number of tools available to detect and remove rootkits; some of these include:
• ChkRootkit
• Rootkit
• RootkitRevealer
• UnHackme

H. Personal Firewalls

These can be used to block unwanted applications from being able to connect to the network, effectively. This means that the bot can't join the botnet, it won't get the orders that the bot-herder is issuing, and therefore the risks are reduced.

I. Anti-DDoS Products

A number of vendors offer products/services which can be used to filter or drop DDoS traffic on the network perimeter. This is achieved by dropping traffic based on source IP addresses and protocols. Many of these products/services work by looking for anomalous traffic, which they achieve by monitoring individual or aggregate traffic flows.

Network level defences (used to detect and filter/stop floods):
• Arbor Networks [http://www.arbornetworks.com/]
• CS3 [http://www.cs3-inc.com/]
• Captus Networks [http://www.captusnetworks.com/]
• Cisco Systems [http://www.cisco.com/]
• Lancope [http://www.lancope.com/]
• Mazu Networks [http://www.mazunetworks.com/]
• Riverhead Networks [http://www.riverhead.com/]
• Reactive Network Solutions [http://www.reactivenetwork.com/]
• Top Layer [http://www.toplayer.com/]
• IntruShield [http://www.mcafee.com/]

Host level defences (detect, stop handler/agent installation):
• Entercept [http://www.mcafee.com/]
• Tripwire [http://www.tripwire.com/]
• AIDE [http://sourceforge.net/projects/aide]
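The integrity checking listed first for HIDS, and the approach Tripwire and AIDE take at the host level, is what catches the trojaned replacements of core system utilities that the anti-rootkit section describes. As an added example (my own code, not the paper's and not Tripwire's or AIDE's), this Python snippet builds a SHA-256 baseline of a directory tree and diffs a later snapshot against it; the demo creates a throwaway directory with a constructed "trojaned" binary and a dropped hidden file so that it runs offline.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries do not load whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def baseline(root):
    """Map relative path -> (sha256, size, permission bits) for regular files."""
    root = Path(root)
    snap = {}
    for p in sorted(root.rglob("*")):
        # Symlinks are skipped: a rootkit can redirect one without changing
        # the bytes the link resolves to, so they deserve a separate check.
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            rel = p.relative_to(root).as_posix()
            snap[rel] = (file_digest(p), st.st_size, st.st_mode & 0o7777)
    return snap


def compare(old, new):
    """Diff two snapshots into added, removed and modified relative paths."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo():
    """Build a toy tree, take a baseline, tamper with it, and report the diff."""
    with tempfile.TemporaryDirectory() as d:
        bin_dir = Path(d, "bin")
        bin_dir.mkdir()
        (bin_dir / "ls").write_bytes(b"original ls binary")   # constructed content
        (bin_dir / "ps").write_bytes(b"original ps binary")
        before = baseline(d)
        # Simulate what the text describes: a trojaned ps and a dropped sniffer.
        (bin_dir / "ps").write_bytes(b"replacement ps that hides processes")
        (bin_dir / ".hidden").write_bytes(b"sniffer")
        after = baseline(d)
        return compare(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two caveats matter in practice. The baseline has to be kept where the intruder cannot rewrite it (read-only media, or signed and stored off the host), or the checker will happily confirm the trojaned binaries as "original". And a kernel-level rootkit can lie to a user-mode checker about file contents, so a host that is suspected of compromise should be checked from a boot of trusted media rather than from its own running kernel.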
Dynamic middlebox invocation is critical for deployability
because it ensures that during peace time (i.e., when there is
no ongoing DDoS activity) customer traffic does not have to
pay the penalty of triangular routing through the
middleboxes. Dynamic middlebox invocation is also
important for the defense system itself because it focuses all
defense resources only on the connections whose
destinations are under attack, leaving other customers
unaffected. The defense system can thus benefit from
statistical multiplexing and potentially protect many more
customer networks with the same available resources.
[1] Bots & Botnet: An Overview, Ramneek Puri, August 08, 2003. GSEC Practical Assignment Version 1.4b Option 1 – Research on Topics in Information Security.
[2] Know Your Enemy: Tracking Botnets. http://www.honeynet.org/papers/bots/
[3] Source URL: http://swatit.org/bots/gallery.html
[4] Source URL: http://www.netsys.com/library/papers/DDoS-ircbot.txt
[5] Paper: The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets, by Evan Cooke, Farnam Jahanian, Danny McPherson, Electrical Engineering and Computer Science Department.
[6] a. Technical analysis can be located at: http://www.lurhq.com/phatbot.html
    b. Leyden, John. Phatbot arrest throws open trade in zombie PCs. http://www.theregister.co.uk/2004/05/12/phatbot_zombie_trade/
[8] Additional information regarding WASTE can be located at: http://waste.sourceforge.net/
[9] Book on Botnets: BOTNETs – The Killer Web App, by Craig A. Schiller, Jim Binkley, David Harley, Gadi Evron, Tony Bradly.
[10] Source URL: www.syngress.com
[11] Source URL: www.usdoj.gov/criminal/cybercrime/parsonSent.htm
[12] "Botnets, detection and mitigation – DNS based techniques". Source URL: http://aharp.ittns.northwestern.edu
[13] Symantec security check. Source URL: http://security.symantec.com/sscv6/home.asp?j=1&langid=ie&venid=sym&plfid=23&pkj=BINJESLHFEPGEVVSDUX
[14] Paper: "Killing Botnets - A view from the trenches", by Ken Baylor, Ph.D. CISSP CISM, and Chris Brown, CISSP CISM.