Bots & Botnets
From Computing and Software Wiki
Revision as of 19:44, 11 April 2009
Each era of our world has had its own form of wealth, as it was with gold, commerce, industry and others in the last centuries. In this XXI century, the main wealth has been information and its spread. This information has been the key structure of our world's society, economy, health, development and more, and this vast sea of information has been spread through the Internet, which has evolved into a magnificent tool of knowledge and power in recent years. Unfortunately, malicious people have been using this same tool to spread threats such as viruses, worms, Trojan horses and others, again, to obtain confidential and powerful information such as bank account user names and passwords, confidential and military information, or even CPU power to increase the spread of these threats. One powerful way of spreading them has been through Bots that integrate Botnets, which are the main focus of this research. This security breach has been one of the newest and most powerful threats to computer security within the last 5 years.
Bot? What is it?? How it works???
A Bot is a type of malicious software that, after successfully invading a machine (which then becomes a Zombie computer), usually installed via worms, Trojan horses or through Back doors, operates under a common command-and-control (C&C) infrastructure. This newly installed malicious software (most likely to exist on machines running Windows OS, the most used OS in the world, which lacks the file-user safe execution model of computers running Linux or Mac OS) behaves like a “worm” process, capable of spreading through the infected machine. The Bot camouflages itself, maintaining a low profile (for example by using the least system resources before being ordered to attack), and only then connects to a communication channel (IRC, Web Server or P2P Server), allowing the attacker (Bot Herder) full control of the machine through a remote communication channel.
At this point, these infected machines work only as a tool used by the Bot Herders as they please. Some of these malicious people use these Bot-commanded machines to obtain valuable information from users, or to integrate these Bot clients into a much greater threat, such as a Botnet. An individual Bot by itself has few powers; however, an exponential number of Bots integrated into a Botnet can be far more catastrophic.
Botnet? What is it?? How it works???
A Botnet consists of a Bot server connected to one or more Bot clients. This set of zombie machines is used in a network to create a more powerful and sophisticated invasion technique than the ones known before.
Each Bot can distribute orders and commands from the Bot Herder to other PCs that come into contact with it in a certain way. This leads to the exponential growth characteristic of Botnets.
Life cycle of a Botnet
- Initial setup of the Bot's configuration settings
- Register a Dynamic DNS name
- Infect a PC with the Bot
  - The Bot propagates according to the configuration settings
  - Scans for vulnerabilities
  - Idles
  - Performs actions as received from other Bots above it in the chain of command
  - The Bot dies:
    - The Bot may be taken over by another Botnet
    - The PC's owner realizes the PC is a zombie and kills the Bot
    - The chain of command may be compromised above its level
This invasion technique has evolved not only into an illegal way of making profit, but also into a way of violating people's information privacy. What have Botnets been used for? Is the whole concept of a Botnet evil? What measures are being taken to control this terrible plague? In the following sections, this article will discuss how this threat has been used and ways to contain it, since it has been vastly used as an effective malicious way of breaking the integrity, availability and confidentiality of a computer network's data.
Hard to exterminate...why?
A Botnet is adaptive; it can be designed to download different modules to exploit specific things that it finds on a victim. New exploits can be added as they are discovered. This makes the job of anti-virus systems far more complex. Finding one component of a Botnet does not reveal the nature of any of the other components, because the first component can choose to download any number of modules to perform the functionality of each phase in the life cycle of a Botnet.
Some Botnets add a layer of complexity by using hidden “proxies” through which the IRC commands are sent, or a series of "hops". These layers help the crackers hide evidence that could lead to the discovery of the Botnet.
A file such as a .bat that executes network commands can be modified to deactivate applications such as anti-virus systems, or to kill processes associated with any security application. Other bots run processes that substitute normal anti-virus program files with others that make the program look normal, or even modify the references used for downloading patches, so that corrupted patches are downloaded and executed on the compromised machine.
This all casts doubt on the capability of anti-virus software to claim that a system is actually clean when it encounters and cleans one component of a multi-component Bot. Because each component is downloaded when it is needed after the initial infection, the potential for a system to receive a zero-day exploit is higher. We also have to consider that one of the bot client modules is usually set to make the anti-virus tool ineffective and to prevent the user from contacting the anti-virus vendor’s Web site for updates or removal tools. Botnets are powerful because they try to enable not only a perfect attack, but also a perfect defense system.
History of Botnets
Like many things on the Internet today, bots began as a useful tool without malicious purposes. They were originally developed to keep a channel open and prevent malicious users from taking over the channel when the operator was busy doing other things. In order to assist these IRC operators, bots needed to be able to operate as the channel operator. This led the bots to evolve from code that helped a single user to code that manages and runs IRC channels as well. Around this time, some IRC servers and bots began offering the capability to make OS shell accounts available to users. The shell account permitted users to run commands on the IRC host. At this point, the bots' intentions were twisted into a malicious way of commanding a machine remotely.
The table below shows the evolution, and how a human-machine assistance application went from being simple and helpful code to a complex distributed network threat:

| Timeline | Bot technology |
|---|---|
| 1988 | Invention of IRC by Jarkko “WiZ” Oikarinen of the University of Oulu, Finland |
| 1989 | Greg Lindahl invents GM, the first Bot; GM plays "Hunt the Wumpus" with IRC users |
| 1999 | Pretty Park discovered. First worm to use an IRC server as a means of remote control |
| 1999 | SubSeven Trojan/bot. A remote control Trojan that added control via IRC |
| 2000 | GT Bot, mIRC based. Runs scripts in response to IRC server events; supports raw TCP and UDP socket connections |
| 2002 | SDBot. Written in C++; its source code is available to the hacker community, as a small single binary |
| 2002 | AgoBot, Gaobot. They introduced modular design: the 1st module breaks in and downloads, the 2nd module turns off anti-virus and hides from detection before downloading the 3rd module, which holds the attack engines/payload |
| 2003 | SpyBot. Spyware capabilities (key logging, data mining for e-mail addresses, lists of URLs, etc.) |
| 2003 | RBot. Most prevalent Bot today. Spreads through weak passwords, is easily modifiable, uses packaging software |
| 2004 | PolyBot. A derivative of AgoBot with polymorphic ability: changes the look of its code on every infection |
| 2005 | MYTOB. MyDoom mass-mailing worm with Bot IRC C&C |
How Big is this problem anyways? Why should I worry?? Who's out there for us???
Symantec
In September 2006 Symantec released an Internet threat report which stated that during the six-month period from January to June 2006, Symantec observed 57,717 active bot network computers per day. Symantec also stated that it observed more than 4.5 million distinct, active bot network computers. They also discovered that many bots were not usually detected until the Bot Herder had abandoned the computer, which leads us to conclude that the actual number is much larger than what Symantec can report.
McAfee
In March 2006, McAfee was called in to literally reclaim an unnamed Central American country’s telecommunications infrastructure from a massive Botnet. In the first week of the engagement McAfee documented 6.9 million attacks, of which 95 percent were Internet Relay Chat (IRC) bot related. The national telecommunications company reported the following resulting problems:
- Numerous network outages of up to six hours
- Customer threats of lawsuits
- Customer business disruptions
- Lengthy outages of bank ATM service
Consider the distributed denial-of-service (DDoS) attack power of one Botnet: a small Botnet of 10,000 bot clients with, conservatively, 128 Kbps broadband upload speed can produce approximately 1.3 gigabits of data per second. With this kind of power, two or three large (one million plus) Botnets could, according to McAfee, “threaten the national infrastructure of most countries.”
Microsoft
Since January 2005, Microsoft has been delivering the Windows Malicious Software Removal Tool to its customers. After 15 months, Microsoft announced that it had removed 16 million instances of malicious software from almost six million unique computers. Use of the tool is voluntary; that is to say, the vast majority of Microsoft users are not running it.
VeriSign
Denial-of-service attacks are growing faster than bandwidth is being added to the Internet, according to VeriSign, the company that administers the .com domain. The company claimed that a successful denial-of-service (DoS) attack against VeriSign could bring down the Internet. "There are attacks attempting to shut down our servers," said Ken Silva, VeriSign's chief security officer. "This would effectively shut down the Internet."
Sun Microsystems' Grid
Sun Microsystems' Grid, a publicly available computing service, was hit by a denial-of-service network attack on its inaugural day. To let people try out the Sun Grid, the company made a text-to-speech translation service publicly accessible, for example for turning blog entries into podcasts. "It became the focus of a denial of service attack," said Aisling MacRunnels, Sun's senior director of utility computing, in an interview in March 2006.
International Botnet Task Force
More than a million PCs under the control of spammers are threatening US national security, its economy and its information infrastructure, according to the FBI.
The discovery was made by Operation Bot Roast, an initiative aimed at revealing the scale of the Botnet problem and prosecuting those responsible. It has been carried out in conjunction with Carnegie Mellon University, Microsoft and the International Botnet Task Force since May 2006.
Vint Cerf
In September 2007, the "father of the Internet", Vint Cerf, warned attendees of the World Economic Forum in Davos, Switzerland, that the Internet is at serious risk from Botnets. Vast networks of compromised PCs, used by criminals for sending spam and spyware and for launching denial of service attacks, are reported to be growing at an alarming rate, and Cerf has warned that they could undermine the future of the Internet, comparing the threat to a pandemic disease.
Researchers have created a proof-of-concept application for Facebook that turned the machines of people who added the app to their Facebook page into elements of a Botnet, which in a demonstration launched denial-of-service attacks on a victim server. "Social Network websites have the ideal properties to become attack platforms," according to a paper entitled "Antisocial Networks: Turning a Social Network into a Botnet," authored by five researchers from the Institute of Computer Science in Greece and one from the Institute for Infocomm Research in Singapore. The demo application, called "Photo of the Day," displays a new photo from National Geographic every day. However, every time someone views the photo, the host computer is forced "to serve a request of 600 Kbytes," according to the paper. Such a Botnet could be used for other types of attacks, such as spreading Malware, scanning computers for open ports, and overriding authentication mechanisms that are based on cookies, the paper warned.
The researchers suggested that Facebook and other social networks be careful in designing their platform and application programming interfaces (APIs) so that there are few interactions between the "social utilities they operate and the rest of the Internet." However, Facebook representatives did not return e-mails seeking comment after the research was released in September 2008.
Types of attacks and profit
Spam
A Herder can sell his Botnet services to a spammer. This hides the identity of the spammer, as he gets anonymous distribution of his messages through the Bots on the Botnet. Another advantage is speed: a spammer will be able to send far greater amounts of messages via the Bots than he normally could.
The table below shows the flow of steps by which a Botnet is used to profit from spam:

| Steps | Action |
|---|---|
| First | A Botnet Herder sends out viruses or worms, infecting ordinary users' computers with the Bot application |
| Second | The Bot on the infected PC logs into a particular C&C server (often an IRC server, but in some cases a web server) |
| Third | A Spammer purchases access to the Botnet from the Bot Herder |
| Fourth | The Spammer sends command instructions via the IRC server to the infected PCs |
| Fifth | When the commands are acknowledged, the infected zombie machines send out spam messages to mail servers |
Phishing
This method works like spamming. However, instead of selling a service to spammers, the phisher sends masses of e-mail trying to obtain valuable credit card information by masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.
Game and software keys
Game and software keys can cost hundreds or thousands of dollars. Botnets have been used to obtain those keys through "brute-force social engineering". Many users today still save files with names like "word-key.txt", "photoshop_key.doc", etc. Through files with simple names such as these, Bot Herders have managed to obtain keys for many software applications.
Id, password and information theft
As the introduction mentioned, information is the most valuable resource of our new century. Bots are also able to work as keyloggers to record keystrokes, or even as screenloggers to view the infected PC's monitor. By stealing an ID and password from someone in the FBI, military or special services, anyone can obtain valuable information that can be used, made public in the news, or even sold for malicious military strategy purposes. Let us also not forget credit card number and password theft, which can be vastly used to steal users' money (this method is not phishing).
Distributed Denial of Service attack (DDoS)
The Botnet floods a web server with ICMP requests, causing the server to crash. This can be used as a method of extortion against various websites. The herder demonstrates the power of his Botnet by taking down the website's server, then contacts the website administrator in question and extorts them for money; we can think of this as a sort of "kidnapping".
Scrumping
A Bot steals CPU cycles from the host computer to perform calculations. This can be used for positive ends if the Botnet is configured not to propagate automatically into systems that do not want it. Sun's Grid system is a distributed calculation system for the search for extra-terrestrial life that is run with the user's consent and understanding. There are other distributed applications, but usually they do not have inoffensive purposes like the Grid system.
How to Fight Botnets
A weak point is that, due to its inherited C&C structure, once the higher-level bots are compromised the effectiveness of the Botnet can be severely reduced. If the main Bot Herder server is taken down, the entire Botnet fails.
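To put a number on this weak point, here is an added example (not from the wiki article) that models a constructed chain of command as a tree, with the Bot Herder server at the root, "higher level" bots in the middle and ordinary zombies as leaves, and computes what fraction of the zombies is cut off from the Herder when given nodes are taken down. The node names and the topology are assumptions made for illustration.

```python
# Added example, not part of the wiki article: measure how much of a Botnet a
# takedown of given nodes in its chain of command disables.
from collections import deque

# Constructed hierarchy: node -> nodes that receive their commands from it.
CHAIN_OF_COMMAND = {
    "herder": ["proxy-A", "proxy-B"],            # Bot Herder server (root)
    "proxy-A": ["bot-1", "bot-2", "bot-3"],      # higher-level bots / hops
    "proxy-B": ["bot-4", "bot-5", "bot-6", "bot-7"],
}


def all_bots(chain):
    """Leaves of the tree: zombies that carry out orders but relay to nobody."""
    children = {c for kids in chain.values() for c in kids}
    return {n for n in children if n not in chain}


def controllable(chain, removed, root="herder"):
    """Bots that still receive commands after `removed` nodes are taken down.

    Breadth-first walk from the root that never enters a removed node, so a
    removed proxy silently disconnects its whole subtree.
    """
    if root in removed:
        return set()
    seen, queue = {root}, deque([root])
    while queue:
        node = queue.popleft()
        for child in chain.get(node, []):
            if child in removed or child in seen:
                continue
            seen.add(child)
            queue.append(child)
    return seen & all_bots(chain)


def takedown_impact(chain, removed, root="herder"):
    """Fraction of the Botnet's zombies cut off by removing `removed` (0.0 .. 1.0)."""
    bots = all_bots(chain)
    return 1 - len(controllable(chain, removed, root)) / len(bots)


if __name__ == "__main__":
    for removed in (set(), {"bot-1"}, {"proxy-B"}, {"herder"}):
        label = ", ".join(sorted(removed)) or "nothing"
        print(f"take down {label:<10} -> "
              f"{takedown_impact(CHAIN_OF_COMMAND, removed):.0%} of zombies cut off")
```

Removing a single zombie costs the Herder one bot, removing a proxy costs its entire subtree, and removing the root disconnects everything, which is the argument for targeting the top of the chain in a takedown.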
Norton Anti-Bot
Norton AntiBot is commercial software that scans your system to see if it has become a zombie. It is behavior-based, as opposed to the usual signature-based approach. What this means is that unless the bot software actually does something, Norton will leave it alone. It has all the benefits of commercial software, meaning it will be updated constantly as new bot definitions are found.
General Tips
Use common malware prevention techniques. On Windows XP this includes monitoring the process manager and the registry for unknown applications.
A more advanced user could also monitor network traffic and see which ports are in use. A good indication is TCP port 6667 being open when an IRC client is not running.
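As an added example (not part of the original wiki article), the following Python script applies the tip above to constructed `netstat -ano`-style output: it flags TCP sockets on port 6667 whose owning process is not in an allowlist of known IRC clients. The sample connection table, the PID-to-image map and the allowlist are all constructed for illustration.

```python
# Added example, not part of the wiki article: apply the "TCP 6667 open while no
# IRC client is running" tip to netstat-style output. All sample data below is
# constructed (connection table, PID-to-image map, IRC client allowlist).
from __future__ import annotations

from dataclasses import dataclass

IRC_PORT = 6667
# Assumption: image names of IRC clients a user might legitimately run.
KNOWN_IRC_CLIENTS = {"mirc.exe", "xchat.exe", "hexchat.exe"}

# Constructed sample in the layout of `netstat -ano` on Windows XP.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1034      203.0.113.7:6667       ESTABLISHED     1337
  TCP    192.168.1.10:1040      198.51.100.22:80       ESTABLISHED     2044
  TCP    192.168.1.10:1051      203.0.113.9:6667       ESTABLISHED     2200
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING       1337
  UDP    192.168.1.10:137       *:*                                    4
"""

# Constructed PID -> image name map, as `tasklist` would show it.
SAMPLE_PROCESSES = {
    4: "System",
    1337: "svch0st.exe",  # constructed: a name imitating svchost.exe
    2044: "firefox.exe",
    2200: "mirc.exe",     # a genuine IRC client owning its 6667 connection
}

@dataclass(frozen=True)
class Conn:
    proto: str
    local_port: int
    remote_host: str
    remote_port: int
    state: str
    pid: int

def _split(endpoint: str) -> tuple[str, int]:
    """'203.0.113.7:6667' -> ('203.0.113.7', 6667); '*:*' -> ('*', -1)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else -1)

def parse_netstat(text: str) -> list[Conn]:
    """Parse netstat -ano rows. UDP rows lack a State column (4 fields) and are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote, state, pid = parts
        (_, lport), (rhost, rport) = _split(local), _split(remote)
        conns.append(Conn(proto, lport, rhost, rport, state, int(pid)))
    return conns

def irc_findings(conns: list[Conn], processes: dict[int, str],
                 allowlist: set[str] = KNOWN_IRC_CLIENTS) -> list[tuple[int, str, str]]:
    """(pid, image, description) for every TCP 6667 socket not owned by an IRC client."""
    findings = []
    for c in conns:
        outbound = c.proto == "TCP" and c.remote_port == IRC_PORT
        listening = c.proto == "TCP" and c.state == "LISTENING" and c.local_port == IRC_PORT
        if not (outbound or listening):
            continue
        image = processes.get(c.pid, "<unknown>")
        if image.lower() in allowlist:
            continue  # a known IRC client owns this socket: expected traffic
        what = (f"connected to {c.remote_host}:{c.remote_port}" if outbound
                else f"listening on local port {c.local_port}")
        findings.append((c.pid, image, what))
    return findings

if __name__ == "__main__":
    for pid, image, what in irc_findings(parse_netstat(SAMPLE_NETSTAT), SAMPLE_PROCESSES):
        print(f"SUSPICIOUS pid={pid} image={image}: {what}")
```

On a live machine the two constants would be replaced by the actual output of `netstat -ano` and `tasklist`; the connection owned by mirc.exe is accepted, while the look-alike process with both an outbound 6667 connection and a 6667 listener is reported twice.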
References
See Also
"Alternative Technologies for Ethernet"
"Phishing"
External Links
"Norton AntiBot"
"Dutch Botnet Suspects Ran 1.5 Million Machines"
--SJakubowski 23:17, 13 April 2008 (EDT)