Bots & Botnets

From Computing and Software Wiki

Revision as of 16:13, 11 April 2009 by Rosard (Talk)

Every era has had its own form of wealth; in recent centuries it was gold, commerce and industry. In the 21st century the main source of wealth has been information and its distribution. Information underpins society, the economy, health care and development, and this vast sea of information travels over the Internet, which in recent years has grown into a powerful tool for sharing knowledge. Unfortunately, malicious actors use the same network to spread viruses, worms, Trojan horses and other threats, either to obtain valuable information (bank account user names and passwords, confidential or military data) or simply to harness CPU power and bandwidth for spreading further threats. One of the most effective vehicles for this is the bot, which, organised into botnets, is the focus of this article. Botnets have been among the newest and most damaging threats to computer security in the last five years.


Bot? What is it? How does it work?

A bot is a piece of malicious software that is installed on a machine (which then becomes a zombie computer) after a successful compromise, typically via a worm, a Trojan horse or an existing backdoor, and that reports to a common command-and-control infrastructure. Bots of this era overwhelmingly target Windows, the most widely used operating system, where the user usually runs with administrative privileges so that any executable the user launches can alter the whole system, unlike the usual default on Linux or Mac OS. Once installed, the bot behaves like a worm process: it can spread from the infected machine to others, and it connects to a communication channel (an IRC server, a web server or a P2P network) through which the attacker, known as the bot herder, has full remote control of the machine.
From that point the infected machines are tools that the bot herder can use as he pleases. Some herders use the bots to harvest valuable information from users; others combine many bot clients into a much larger threat, a botnet.

Botnet? What is it? How does it work?

A botnet consists of a bot server (the command-and-control point) connected to one or more bot clients. Together these bots turn individual zombie machines into a powerful and sophisticated means of taking control of a large number of networked machines at once.
The technique has evolved into an illegal source of profit and a way of violating people's privacy. What have botnets been used for? Is the concept of a botnet inherently evil? What measures are being taken to control this plague? The following sections discuss ways to detect and contain this threat, which has been widely used to break the integrity, availability and confidentiality of the computers on a network.

Hard to exterminate...why?

A botnet is adaptive: it can be designed to download different modules to exploit whatever it finds on a victim, and new exploits can be added as they are discovered. This makes the job of anti-virus software much harder. Finding one component of a bot tells you nothing about the nature of the others, because the first component can download any number of further modules to carry out each phase of the botnet's life cycle. It also casts doubt on an anti-virus product's claim that a system is clean after it has found and removed one component of a multi-component bot. Because each component is downloaded only when it is needed, after the initial infection, the chance that a system receives a zero-day exploit is higher. One of the bot client modules is usually dedicated to disabling the anti-virus tool and blocking access to the anti-virus vendor's web site, so the user cannot fetch updates or removal tools. Botnets are powerful because they aim not only at a perfect attack but also at a perfect defence of themselves.

History of Botnets

Like many things on the Internet today, bots began as a useful tool with no malicious purpose. They were originally written to keep an IRC channel open and to prevent malicious users from taking over the channel while the operator was busy elsewhere. To assist the IRC operators, bots needed to be able to act as channel operator, which led them to evolve from code that helped a single user into code that manages and runs IRC channels. Around the same time, some IRC servers and bots began offering OS shell accounts, which let users run commands on the IRC host. At that point the bots' purpose was twisted into a malicious way of commanding a machine remotely.
The timeline below shows how a helpful human-machine assistant evolved into a complex distributed network threat:

Timeline of bot technology
1988 Invention of IRC by Jarkko "WiZ" Oikarinen of the University of Oulu, Finland
1989 Greg Lindahl writes GM, the first bot; GM plays "Hunt the Wumpus" with IRC users
1999 Pretty Park discovered: the first worm to use an IRC server as a means of remote control
1999 SubSeven Trojan/bot: a remote-control Trojan that added control via IRC
2000 GT Bot, mIRC-based: runs scripts in response to IRC server events; supports raw TCP and UDP socket connections
2002 SDBot: written in C++ and distributed as a small single binary; its source code was made available to the hacker community
2002 AgoBot/Gaobot: introduced modular design. The first module breaks in and downloads the second; the second turns off anti-virus software and hides from detection before downloading the third; the third holds the attack engines/payload
2003 SpyBot: spyware capabilities (key logging, data mining for e-mail address lists, URLs, etc.)
2003 RBot: the most prevalent bot at the time of writing; spreads through weak passwords, is easily modified, and uses executable packing software to evade detection
2004 PolyBot: a derivative of AgoBot with polymorphic ability; changes the look of its code on every infection
2005 MYTOB: the MyDoom mass-mailing worm with an IRC bot C&C

How big is this problem anyway? Why should I worry? Is anyone doing anything to prevent and stop it?

Symantec

In September 2006 Symantec released an Internet Security Threat Report stating that during the six-month period from January to June 2006 it observed 57,717 active bot-network computers per day, and more than 4.5 million distinct active bot-network computers in total. Symantec also found that many bots were not detected until the bot herder had abandoned the computer, so the true number is likely much larger than what Symantec can report.

McAfee

In March 2006, McAfee was called in to reclaim an unnamed Central American country's telecommunications infrastructure from a massive botnet. In the first week of the engagement McAfee documented 6.9 million attacks, 95 percent of them related to Internet Relay Chat (IRC) bots. The national telecommunications company reported the following consequences:

  • Numerous network outages of up to six hours
  • Customer threats of lawsuits
  • Customer business disruptions
  • Lengthy outages of bank ATM service

Consider the distributed denial-of-service (DDoS) capacity of a single botnet: a small botnet of 10,000 bot clients, each with a conservative 128 Kbps broadband upload speed, can produce roughly 1.3 gigabits of traffic per second (10,000 x 128 Kbps = 1.28 Gbps). With this kind of power, two or three large (one-million-plus) botnets could, according to McAfee, "threaten the national infrastructure of most countries."

Microsoft

Since January 2005 Microsoft has delivered the Windows Malicious Software Removal Tool to its customers. After 15 months, Microsoft announced that it had removed 16 million instances of malicious software from almost six million unique computers. Use of the tool is voluntary; that is to say, the vast majority of Windows users are not running it.

VeriSign

Denial-of-service attacks are growing faster than bandwidth is being added to the Internet, according to VeriSign, the company that administers the .com domain. The company claimed that a successful denial-of-service (DoS) attack against VeriSign could bring down the Internet. "There are attacks attempting to shut down our servers," said Ken Silva, VeriSign's chief security officer. "This would effectively shut down the Internet."

Sun Microsystems' Grid

Sun Microsystems' Grid, a publicly available computing service, was hit by a denial-of-service attack on its inaugural day. To let people try out the Sun Grid, the company made a text-to-speech translation service publicly accessible, for example for turning blog entries into podcasts. "It became the focus of a denial of service attack," Aisling MacRunnels, Sun's senior director of utility computing, said in an interview in March 2006.

International Botnet Task Force

More than a million PCs under the control of spammers threaten US national security, the economy and the information infrastructure, according to the FBI. The finding came from Operation Bot Roast, an initiative aimed at revealing the scale of the botnet problem and prosecuting those responsible, carried out in conjunction with Carnegie Mellon University, Microsoft and the International Botnet Task Force since May 2006.

Vint Cerf

In 2007 Vint Cerf, often called the father of the Internet, warned attendees of the World Economic Forum in Davos, Switzerland, that the Internet is at serious risk from botnets. Vast networks of compromised PCs, used by criminals to send spam and spyware and to launch denial-of-service attacks, are reported to be growing at an alarming rate, and Cerf warned that they could undermine the future of the Internet, comparing the threat to a pandemic disease.

Facebook

Researchers have created a proof-of-concept Facebook application that turned the machines of people who added it to their Facebook page into elements of a botnet, which in a demonstration launched denial-of-service attacks on a victim server. "Social Network websites have the ideal properties to become attack platforms," according to a paper entitled "Antisocial Networks: Turning a Social Network into a Botnet," written by five researchers from the Institute of Computer Science in Greece and one from the Institute for Infocomm Research in Singapore. The demo application, called "Photo of the Day," displays a new photo from National Geographic every day. However, every time someone views the photo, the viewer's computer is forced "to serve a request of 600 Kbytes" against the target, according to the paper. Such a botnet could also be used for other kinds of attack, such as spreading malware, scanning computers for open ports, and overriding cookie-based authentication mechanisms, the paper warned. The researchers suggested that Facebook and other social networks design their platforms and application programming interfaces (APIs) so that there are few interactions between the "social utilities they operate and the rest of the Internet." Facebook representatives did not return e-mails seeking comment after the research was released in September 2008.

Profitable? How??

Life cycle of a Botnet

  • Initial setup of the bot's configuration settings
  • Register a dynamic DNS name for the command-and-control server
  • Infect a PC with the bot
    • The bot propagates according to its configuration settings
    • Scans for vulnerabilities
    • Idles
    • Performs actions ordered by the bots above it in the chain of command
    • The bot dies:
      • It may be taken over by another botnet
      • The owner of the infected PC realizes it is a zombie and kills the bot
      • The chain of command above it may be compromised

Types of attacks

DDoS

A distributed denial-of-service attack: the bots flood a web server with traffic (ICMP echo requests, TCP SYNs or plain HTTP requests) until its bandwidth or resources are exhausted and it stops responding. This can be used as a method of extortion: the herder demonstrates the power of the botnet by taking the web site down, then contacts the site and demands money.
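A first-pass detection for the HTTP-flood variant described above, as an added example that is not part of the original wiki page: a sliding-window request counter over web-server access-log lines that flags any single source exceeding a rate threshold. The log lines, the IP addresses and the threshold are constructed for this example; a real deployment would tune the threshold from the site's normal traffic.

```python
"""Added example (not from the original wiki page): per-source request-rate
check over access-log lines, the kind of first-pass detection a site under
an HTTP flood from a botnet would run. Log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log prefix: client IP, then the bracketed timestamp,
# then the quoted request line.
_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')


def parse_line(line):
    """Return (ip, datetime, request) or None if the line does not parse."""
    m = _LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("req")


def flood_sources(lines, window_seconds=10, threshold=50):
    """Return {ip: peak_requests_in_window} for every source whose request
    count inside some `window_seconds` sliding window exceeds `threshold`.
    Both parameters are assumed tuning values, not figures from the page."""
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts, _ = parsed
            per_ip[ip].append(ts)
    offenders = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0
        peak = 0
        for end, ts in enumerate(stamps):
            # advance the window start until it is within window_seconds of ts
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            offenders[ip] = peak
    return offenders


def sample_log():
    """Constructed access log: one legitimate client and one flooding bot."""
    lines = []
    for i in range(5):  # normal browsing: one request every 2 s
        lines.append('203.0.113.10 - - [11/Apr/2009:16:00:%02d +0000] '
                     '"GET /index.html HTTP/1.1" 200 512' % (i * 2))
    for i in range(120):  # bot: 120 identical requests inside 10 s
        lines.append('198.51.100.7 - - [11/Apr/2009:16:00:%02d +0000] '
                     '"GET / HTTP/1.0" 200 512' % (i // 12))
    return lines


if __name__ == "__main__":
    for ip, n in sorted(flood_sources(sample_log()).items()):
        print("flood from %s: %d requests in a 10 s window" % (ip, n))
```

The caveat is the one the McAfee arithmetic above implies: a per-source counter only catches sources that are individually loud. A 10,000-bot botnet can stay under any per-IP threshold while still exhausting the server, so this check has to be combined with aggregate-rate monitoring and upstream filtering.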

Spamming

A herder can sell the botnet as a service to a spammer, who benefits from anonymous distribution of his messages.
Because of the size of some botnets, the spammer can also send far more messages through the bots than he could on his own. This is another example of the multiplying power of a botnet.

Phishing

Works the same way as spamming, but instead of trying to sell a product such as "P3N15 3NLARGEMENT PILLS", the phisher tries to con the recipient out of PayPal or bank account credentials.

Scrumping

A bot stealing CPU cycles from the host computer. This could be put to legitimate use, for example on a school's network, if the botnet were configured not to propagate into systems that do not want it, but that is rarely the case.

How it works

A botnet uses a command-and-control scheme, much like a military chain of command. Each bot is part of a chain: it receives orders from above and passes them down the line. The benefit is that the botnet can grow exponentially. This is the opposite of the cell scheme some malware uses, in which instances split apart and never communicate again once they become numerous enough.

A bot installs itself on a PC autonomously, through whatever entry vectors the herder has configured. It then receives orders from a server telling it what to do. An individual bot by itself is not very powerful, but a huge number of bots performing the same action has a far more profound effect.

Once installed, the bot hides itself from the system. It installs a hidden IRC client and keeps a low profile, using as few system resources as possible until it receives orders.

The inherent weakness of a centralised command-and-control scheme is that once the higher-level nodes are compromised the effectiveness of the botnet is severely reduced, and if the main server is taken down the entire botnet fails. This single point of failure is the reason some botnets use P2P channels instead of a single IRC or web server, as noted above.

Bot Management

Bots commonly have hidden removal commands that completely clean the host computer. On the larger IRC networks such as EFnet, channel activity is logged in order to learn the commands; automated systems are then set up to prevent the botnet's owner from reaching the bots and, at the same time, to issue the removal command whenever a bot comes online in its control channel.
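The "learn the commands from the channel log" step above, as an added example that is not part of the original page: a minimal IRC message parser run over logged channel traffic, separating bot-looking nicks from the herder and collecting the dot-prefixed command vocabulary the herder issues. The channel name, nick pattern, host addresses and command names are constructed for the example; the assumption that herder commands start with "." follows the SDBot/RBot convention and is not something the page states.

```python
"""Added example, not code from the original page: mine a logged IRC channel
for the herder's command vocabulary. All log lines are constructed."""
import re
from collections import Counter


def parse_irc_line(line):
    """Split one raw IRC message into (prefix, command, params).
    prefix is None when the message has no leading ':nick!user@host'."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    params = []
    while line:
        if line.startswith(":"):        # trailing parameter: rest of the line
            params.append(line[1:])
            break
        head, _, line = line.partition(" ")
        params.append(head)
    if not params:
        return prefix, None, []
    return prefix, params[0].upper(), params[1:]


def nick_of(prefix):
    return prefix.split("!", 1)[0] if prefix else ""


# Assumed bot nick style, e.g. "[XP]-48213": OS tag in brackets, then a number.
BOT_NICK = re.compile(r"^\[[A-Z0-9]{1,4}\][-|][0-9]{3,}$")


def learn_commands(log_lines, channel):
    """Return (commands, bots). commands maps each '.word' seen in a channel
    PRIVMSG from a non-bot nick to how often it was issued; bots is the set
    of nicks matching BOT_NICK that joined the channel."""
    bots = set()
    commands = Counter()
    for raw in log_lines:
        prefix, cmd, params = parse_irc_line(raw.rstrip("\r\n"))
        nick = nick_of(prefix)
        if cmd == "JOIN" and params and params[0] == channel and BOT_NICK.match(nick):
            bots.add(nick)
        elif cmd == "PRIVMSG" and len(params) == 2 and params[0] == channel:
            if BOT_NICK.match(nick):
                continue                # bot status replies are not herder orders
            for token in params[1].split():
                if token.startswith(".") and len(token) > 1:
                    commands[token.lower()] += 1
    return dict(commands), bots


def sample_channel_log():
    """Constructed channel log for the hypothetical channel #bots-example."""
    return [
        ":[XP]-48213!bot@198.51.100.7 JOIN :#bots-example",
        ":[2K]|19045!bot@203.0.113.40 JOIN :#bots-example",
        ":herder!h@192.0.2.1 PRIVMSG #bots-example :.login s3cret",
        ":herder!h@192.0.2.1 PRIVMSG #bots-example :.scan 10.0.0.0/8 445",
        ":[XP]-48213!bot@198.51.100.7 PRIVMSG #bots-example :.scan started",
        ":herder!h@192.0.2.1 PRIVMSG #bots-example :.ddos 192.0.2.50 80 600",
        ":herder!h@192.0.2.1 PRIVMSG #bots-example :.remove",
        ":[XP]-48213!bot@198.51.100.7 PART #bots-example",
    ]


if __name__ == "__main__":
    cmds, bots = learn_commands(sample_channel_log(), "#bots-example")
    print("bots seen:", sorted(bots))
    print("herder commands:", cmds)
```

Which of the learned commands is the removal command still has to be decided by a human who reads the log; as the section says, the bot's own replies (here ".scan started") have to be kept apart from orders, and many bots also require a ".login" password before they obey, which is why operators watch for that exchange too.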

How to Fight Botnets

Sources for the Facebook, Sun Grid and VeriSign reports above:
http://www.builderau.com.au/news/soa/Facebook-botnet-risk-revealed/0,339028227,339291847,00.htm?feed=pt_denial_of_service
http://www.builderau.com.au/news/soa/Sun-Grid-hit-by-network-attack/0,339028227,339243901,00.htm?feed=pt_denial_of_service
http://www.builderau.com.au/news/soa/Escalating-DoS-attacks-may-shut-down-the-Internet-/0,339028227,339282392,00.htm?feed=pt_denial_of_service

Norton Anti-Bot

Norton AntiBot is commercial software that scans your system to see whether it has become a zombie. It is behaviour-based rather than signature-based, which means that unless the bot software actually does something, Norton leaves it alone. It has the usual benefits of commercial software: it is updated constantly as new bot behaviours and definitions are identified.

General Tips

Use common malware-prevention techniques. On Windows XP this includes watching Task Manager and the registry (in particular the auto-start Run keys) for unknown applications.

A more advanced user can also monitor network traffic and see which ports are in use. An established connection to TCP port 6667 when no IRC client is running is a good indication of an IRC bot.
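The port-6667 check above, as an added example that is not part of the original page: it cross-references `netstat -ano` output (Windows XP and later show the owning PID) with `tasklist` output and flags established connections to IRC ports owned by a process that is not a known IRC client. Both command outputs, the addresses and the process names are constructed samples, and the allow-list of client image names is an assumption.

```python
"""Added example, not from the original page: find connections to IRC ports
owned by processes that are not a known IRC client, from netstat/tasklist
output. The sample outputs below are constructed."""
import re

KNOWN_IRC_CLIENTS = {"mirc.exe", "xchat.exe"}   # assumed allow-list
# 6667 is the port the page names; the others are common IRC ports.
IRC_PORTS = {6666, 6667, 6668, 6669, 7000}


def parse_netstat(text):
    """Yield (proto, local, remote, state, pid) from `netstat -ano` lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            yield tuple(parts[:4]) + (int(parts[4]),)


def parse_tasklist(text):
    """Map PID -> lower-cased image name from default `tasklist` output."""
    pids = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+\.exe)\s+(\d+)\s", line, re.IGNORECASE)
        if m:
            pids[int(m.group(2))] = m.group(1).lower()
    return pids


def remote_port(endpoint):
    """'192.0.2.77:6667' -> 6667 (works for '[::1]:6667' too)."""
    return int(endpoint.rsplit(":", 1)[1])


def suspicious_irc_connections(netstat_text, tasklist_text):
    """Return [(remote, pid, image)] for ESTABLISHED connections to an IRC
    port whose owning process is not in KNOWN_IRC_CLIENTS."""
    images = parse_tasklist(tasklist_text)
    hits = []
    for proto, local, remote, state, pid in parse_netstat(netstat_text):
        if state != "ESTABLISHED" or remote_port(remote) not in IRC_PORTS:
            continue
        image = images.get(pid, "<unknown>")
        if image not in KNOWN_IRC_CLIENTS:
            hits.append((remote, pid, image))
    return hits


# Constructed `netstat -ano` output: a browser, a real mIRC session, and a
# process with a made-up Windows-looking name holding its own IRC connection.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       896
  TCP    192.168.1.5:1042       203.0.113.9:80         ESTABLISHED     1520
  TCP    192.168.1.5:1057       198.51.100.23:6667     ESTABLISHED     1740
  TCP    192.168.1.5:1061       192.0.2.77:6667        ESTABLISHED     2212
"""

# Constructed `tasklist` output matching the PIDs above.
SAMPLE_TASKLIST = """
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
svchost.exe                  896 Console                 0      4,812 K
iexplore.exe                1520 Console                 0     22,104 K
mirc.exe                    1740 Console                 0      9,340 K
wuauclt32.exe               2212 Console                 0      3,020 K
"""

if __name__ == "__main__":
    for remote, pid, image in suspicious_irc_connections(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print("suspicious IRC connection to %s from PID %d (%s)" % (remote, pid, image))
```

Two limits follow directly from the rest of this page: a bot whose control channel is a web server or a P2P network never touches port 6667, and a bot that hides itself from the system may also hide its connection from netstat, so an unexpected port-6667 connection is evidence of infection while its absence proves nothing.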

References

"Botnet"

See Also

"Alternative Technologies for Ethernet"
"Phishing"

External Links

"Norton AntiBot"
"Dutch Botnet Suspects Ran 1.5 Million Machines"

--SJakubowski 23:17, 13 April 2008 (EDT)
