Cyber Security Institute

§ Current Worries

Top 3 Worries

  • Regulations
  • Old Firewall Configurations
  • Security Awareness

§ Listening

For the best information

  • The underground
  • Audible
  • Executive Excellence
  • Music (to keep me sane)

§ Watching

For early warnings

  • 150 Security Websites
  • AP Newsfeeds
  • Vendors

Tuesday, May 13, 2008

The botnet business

Botnets have been in existence for about 10 years; experts have been warning the public about the threat posed by botnets for more or less the same period.  Nevertheless, the scale of the problem caused by botnets is still underrated and many users have little understanding of the real threat posed by zombie networks (that is, until their ISP disconnects them from the Internet, or money is stolen from their credit cards, or their email or IM account is hijacked).  This article discusses zombie networks or botnets: how they are created, who uses them to make money on them and how this is done.

First of all, we need to understand what a botnet or zombie network is.  A botnet is a network of computers made up of machines infected with a malicious backdoor program.  The backdoor enables cybercriminals to remotely control the infected computers (which may mean controlling an individual machine, some of the computers making up the network or the entire network).  Malicious backdoor programs that are specifically designed for use in creating botnets are called bots.

They are used as a powerful cyber weapon and are an effective tool for making money illegally.  The owner of a botnet can control the computers which form the network from anywhere in the world—from another city, country or even another continent.  Importantly, the Internet is structured in such a way that a botnet can be controlled anonymously.

When bots are controlled directly, the cybercriminal establishes a connection with an infected computer and manages it by using commands built into the bot program.  In the case of indirect control, the bot connects to the control center or other machines on the network, sends a request and then performs the command which is returned.

Botnets can be used by cybercriminals to conduct a wide range of criminal activity, from sending spam to attacking government networks.  It should be noted that spam is not always sent by botnet owners: botnets are often rented by spammers.

The second most popular method of making money via botnets is to use tens or even hundreds of thousands of computers to conduct DDoS (Distributed Denial of Service) attacks.  This involves sending a stream of false requests from bot-infected machines to the web server under attack.

Botnets help increase the haul of passwords (passwords to email and ICQ accounts, FTP resources, web services etc.) and other confidential user data by a factor of a thousand.

It can also be used to infect the computer with other malicious programs (such as viruses or worms) and install other bots on the computer.

Flood: start creating a stream of false requests to a specific Internet server in order to make it fail or to overload channels in a specific segment of the Internet.

Types of botnet Today’s botnet classification is relatively simple, and uses botnet architecture the protocols used to control bots as a basis.  In practice, building decentralized botnets is not an easy task, since each newly infected computer needs to be provided with a list of bots to which it will connect on the zombie network.

Classification of botnets according to network protocols For a botnet owner to be able to send commands to a bot, it is essential that a network connection be established between the zombie machine and the computer transmitting commands to it.

NetBus and BackOrifice2000 were the first to include a complete set of functions that made it possible to remotely administer infected computers, enabling cybercriminals to perform file operations on remote machines, launch new programs, make screenshots, open or close CD-ROM drives, etc.

A malicious user then came up with the idea that computers infected with backdoors should establish connections themselves and that they should always be visible online (on the condition that the machine is switched on and working).  This user must almost certainly have been a hacker, because new-generation bots employed a communication channel traditionally used by hackers—IRC (Internet Relay Chat).  It is also likely that the development of new bots was made easier by the fact that bots working in the IRC system were open source (even though these bots were not designed for remote administration purposes but to respond to user requests such as questions about the weather or when another user had last appeared in chat).  When infecting a computer, the new bots connected to IRC servers on a predefined IRC channel as visitors and waited for messages from the botnet owner.  The owner could come online at any time, view the list of bots, send commands to all infected computers at once or send a private message to one infected machine.  This was the original mechanism for implementing a centralized botnet, which was later christened C&C (Command & Control Center).

Developing such bots was not difficult because the IRC protocol has simple syntax.  A specialized client program is not required to use an IRC server—a universal network client, such as Netcat or Telnet, can be used. 

Information about the new IRC botnets spread rapidly.  This was done by seizing control of the network, redirecting bots to other, password-protected, IRC channels and the result was full control over somebody else’s network of infected machines.

First, hackers developed tools for remotely controlling servers based on such popular script engines as Perl and PHP or, more rarely, ASP, JSP and a few others.  Then somebody developed a method by which a computer on a local area network could connect to a server on the Internet; this made it possible to control the computer from anywhere in the world.  Descriptions of the method for remotely controlling computers on local area networks which bypassed such protection as proxy servers and NAT were published online and it soon became popular in certain circles.

The development of semi-legitimate remote administration tools that could be used to evade protection on machines in local area networks and to gain remote access to such computers paved the way for web-oriented botnets.  It is difficult to register a large number of accounts automatically as systems which protect against automated registrations are constantly modified.  It turned out that botnets with classic architecture (i.e. a large number of bots with one command and control center) are very vulnerable, since they depend on a critical node—the command and control center.

All that the zombie network’s owner needs to do is send a command to one of the computers on the network, and the bots will spread the command to other computers in the botnet automatically.

P2P botnets The Storm Botnet In 2007, the attention of security researchers was attracted by a P2P botnet created using a malicious program known as the Storm Worm.  Authors of the Storm Worm were spreading their creation so rapidly that it seems as though they had set up a conveyor belt to create new versions of the malicious program.  From January 2007 onwards, we have detected between three and five new Storm Worm (Kaspersky Lab classifies it as Email-Worm.Win32.Zhelatin) variants a day.

Clearly, the bot is being developed and distributed by professionals, and both the zombie network architecture and its defense are well-designed. 

Mayday Mayday is another interesting botnet and it technically differs slightly from its forerunners.  Network size is not the only criterion in which Mayday is inferior to its ‘big brother’ Storm: the Mayday botnet uses a non-encrypted network communication protocol, the malicious code has not been tweaked to hinder analysis by antivirus software and, most importantly, new bot variants are not released with anything nearing the frequency we saw with new variants of the Storm Worm.  Backdoor.Win32.Mayday was first detected by Kaspersky Lab in late November 2007, and since then just over 20 different variants of the malicious program have made it into our collection.  Most users are familiar with ICMP (Internet Control Message Protocol) because it is used by the PING utility to check whether a network host is accessible.  Command and control centers of web-oriented botnets use a mechanism known as CGI (Common Gateway Interface). 
Kaspersky Lab did not detect any new variants of the Mayday bot in spring 2008.  Perhaps the malicious program’s authors have taken a timeout and the Mayday botnet will resurface in the near future.

The botnet business The answer to the question why botnets keep evolving and why they are coming to pose an increasingly serious threat lies in the underground market that has sprung up around them.  Today, cybercriminals need neither specialized knowledge nor large amounts of money to get access to a botnet.  The underground botnet industry provides everyone who wants to use a botnet with everything they need, including software, ready-to-use zombie networks and anonymous hosting services, at low prices.

Let’s take a look at the ‘dark side’ of the Internet and see how the botnet industry works to benefit zombie network owners.  The first thing needed to create a botnet is a bot, i.e. a program that can remotely perform certain actions on a user’s computer without the user’s knowledge.  Software for creating botnets can be easily purchased on the Internet by simply finding a appropriate advertisement and contacting the advertiser.  Bot prices vary from $5 to $1000, depending on how widespread a bot is, whether it is detected by antivirus products, what commands it supports, etc.

A simple web-oriented botnet requires a hosting site where a command and control center can be located.  Such sites are readily available, and come complete with support and anonymous access to the server (providers of anonymous hosting services usually guarantee that log files will not be accessible to anybody, including law enforcement agencies).  Since stealing botnets is a common practice, most buyers prefer to replace both the malicious programs and the command and control centers with their own, thereby gaining guaranteed control over the botnet.  This ‘reloading’ of botnets is also helpful for protecting them and ensuring anonymity, since IT security experts may already be aware of the ‘old’ C&C and the ‘old’ bot.  They infect the systems of users who visit a malicious web page by exploiting vulnerabilities in browsers or browser plugins.  Sadly, these tools are so accessible that even adolescents can easily find them and they even try to make money by reselling them.

Interestingly, ExploitPacks were originally developed by Russian hackers but later they found an audience in other countries as well.  These malicious programs have been localized (showing that they were commercially successful on the black market) and are now actively used in China, among other places.  Developers of such systems as C&C software or ExploitPacks realize this and develop user-friendly installation and configuration mechanisms for their products in order to make them more popular and increase demand.  For example, installation of a command and control center usually involves copying files onto a web server and using the browser to launch an install.php script.

It is well known in the cybercriminal world that sooner or later antivirus products will start detecting any bot program.  When this happens, the infected machines on which an antivirus product is installed are lost to the cybercriminals, while the rate of new infections significantly deteriorates.  Botnet owners use a number of methods to retain control of their networks, the most effective of which is protecting malicious programs from detection by processing the malicious code.  The ability to gain access to a network of infected computers is determined by the amount of money cybercriminals have at their disposal rather than whether they have specialized knowledge.  Such botnets can be used by governments or individuals to exert political pressure in tense situations.

In addition, anonymous control of infected machines that does not depend on their geographic location could be used to provoke cyber conflicts.  Think of ten friends or acquaintances who have computers—out of the ten, one of them is likely to own a machine that is part of a zombie network.

Posted on 05/13