All About Botnets: Part 1 – Attacking Behavior
Botnets, not spam, viruses, or worms, are perhaps the biggest threat currently facing the Internet. As the intent behind Internet attacks shifts from hackers’ quests for fame and recognition to criminal organizations’ interest in profit-driven attacks, and as botnet attacks become far more powerful and sophisticated, the number of botnet attacks is exploding.
A botnet consists of a number of computers that, without their owners’ knowledge, have been compromised by an exploit (malware) and are manipulated, typically over IRC, to send malicious content, such as spam and spyware, to other computers on the Internet. Such computers, known as "bots", operate under the control of a single hacker (or a small group of hackers) known as a botmaster.
Once the botmaster has created a botnet, attacks can occur in a number of ways, such as DDoS (Distributed Denial of Service) attacks, social engineering and related e-mail spamming, remote exploits, or via keyloggers and network traffic sniffers. Botnets can assemble a tremendous amount of aggregate computing power and can perform a variety of attacks against a wide range of targets. For example, a botmaster can command each bot participant in a botnet to send spam e-mails, perform credit-card theft (gleaned from surreptitiously planted keyloggers), and simultaneously launch DDoS attacks against thousands of computer hosts. Botnets continue to grow in number, sophistication, and power, driven by new or customized bots that build on the knowledge gained from their predecessors.
Botnets use social engineering and the distribution of malicious e-mails to infect new hosts. A botnet may distribute e-mail messages with malware attached, or with an embedded link to malware located elsewhere. Social engineering techniques, such as a subject line like "Check out this picture!" combined with an infected attachment that resembles a .jpg file, are used to trick computer users into executing the malware. Botnets may also compromise new hosts by searching for (and actively exploiting) hosts with known vulnerabilities, such as OS or browser vulnerabilities. In this way, more hosts are recruited to participate in the botnet.
One of the oldest botnet attack mechanisms is the DDoS attack, in which a number of compromised computers attack a single target, thereby causing denial of service for users of the targeted system. The flood of incoming messages to the target system essentially forces it to shut down. In the infancy of botnets, DDoS attacks were launched against large organizations such as Yahoo! and Microsoft. Recent DDoS attacks have involved corporate extortion, although, overall, they are now less frequent and smaller.
Botnets are also widely used to disseminate spam, because the victims cannot trace the spam back to the source for legal action, and because botnets can distribute a much larger volume of spam. Some spam is used to distribute exploits, while other spam tricks users into visiting malicious websites, which install malware on their computers by exploiting Internet browser vulnerabilities.
Botnets are commonly used to steal users’ information through keyloggers and network traffic sniffers. Keyloggers modify host operating systems to spy on user activities and capture user keystrokes. Network traffic sniffers monitor network traffic sent over the subnet of the compromised host. These tools log sensitive data, compile it, and send it to their botmasters, for example via a designated IRC channel created by the botnet or in e-mails to a designated e-mail address.
Botmasters typically control botnets in one of three ways: centralized, peer-to-peer (P2P), and random. Command and control (C&C) of a botnet is unique to it and unlikely to change among its bots and their variants. The botnet C&C is essential to support an operational and effective botnet, and it is also the weakest link in the operational aspect of botnets. If we manage to bring down an active C&C, or to interrupt its communication, botmasters will not be able to contact a large number of bots or to launch large-scale, coordinated attacks. Therefore, understanding the C&C function in botnets has great value for us in our fight against botnets.
The centralized model is the predominant C&C model used by existing botnets. In the centralized model, a botmaster selects a single high-bandwidth host to be the contact point (C&C server) for all the bots. The C&C server, usually a compromised computer as well, runs certain network services such as IRC and HTTP. When a new computer is infected by a bot, it joins the botnet by initiating a connection to the C&C server. The bot then waits on the C&C server for commands from the botmaster. Botnets may have mechanisms to protect their communications. For example, IRC channels may be protected by passwords known only to the bots and their master to prevent eavesdropping.
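The centralized model's weakest link, as described above, is also what a defender can look for on their own network: many internal hosts holding regular connections to the same external IRC server. The following Python sketch is an added example, not code from the original article; the internal address range, IRC ports, thresholds and flow records are all constructed for illustration.

```python
"""Detection sketch: flag candidate centralized IRC C&C servers in flow logs.
Signal: one external host:port on an IRC port with many distinct internal
clients that each reconnect at regular intervals to wait for commands."""
from collections import defaultdict
from statistics import mean, pstdev
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range
IRC_PORTS = {6667, 6697}  # standard IRC and IRC-over-TLS ports
MIN_FAN_IN = 3    # distinct internal clients needed to flag a server
MAX_JITTER = 0.2  # max coefficient of variation of a client's reconnect gaps

# Constructed sample flows: (epoch_seconds, src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = [
    (1000, "10.0.0.5", "198.51.100.7", 6667),
    (1300, "10.0.0.5", "198.51.100.7", 6667),
    (1600, "10.0.0.5", "198.51.100.7", 6667),
    (1010, "10.0.0.17", "198.51.100.7", 6667),
    (1310, "10.0.0.17", "198.51.100.7", 6667),
    (1610, "10.0.0.17", "198.51.100.7", 6667),
    (1020, "10.0.0.23", "198.51.100.7", 6667),
    (1320, "10.0.0.23", "198.51.100.7", 6667),
    (1620, "10.0.0.23", "198.51.100.7", 6667),
    (1050, "10.0.0.9", "203.0.113.10", 443),  # ordinary web traffic, ignored
    (1100, "10.0.0.9", "192.0.2.40", 6667),   # one user on a legitimate IRC network
]

def reconnect_jitter(times):
    """Coefficient of variation of the gaps between a client's connections (None if < 2 gaps)."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)

def find_cc_candidates(flows):
    """Return {(dst_ip, dst_port): sorted client IPs} for servers that look like C&C."""
    per_client = defaultdict(list)  # (dst, port, src) -> [timestamps]
    for ts, src, dst, port in flows:
        if port in IRC_PORTS and ipaddress.ip_address(src) in INTERNAL_NET:
            per_client[(dst, port, src)].append(ts)
    servers = defaultdict(set)  # (dst, port) -> internal clients beaconing to it
    for (dst, port, src), times in per_client.items():
        jitter = reconnect_jitter(sorted(times))
        if jitter is not None and jitter <= MAX_JITTER:
            servers[(dst, port)].add(src)
    return {k: sorted(v) for k, v in servers.items() if len(v) >= MIN_FAN_IN}

if __name__ == "__main__":
    for (dst, port), bots in find_cc_candidates(SAMPLE_FLOWS).items():
        print(f"candidate C&C {dst}:{port}, {len(bots)} clients: {bots}")
```

On the constructed flows the single legitimate IRC user is not flagged, because the fan-in and regularity tests both have to pass before a server is reported.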
Some botnet authors have started to build alternative botnet communication systems that are more resilient to failures in the network. The P2P-based C&C model is much harder to discover and destroy. Since the communication system doesn’t depend heavily on a few selected servers, taking down a single bot, or even a number of bots, won’t necessarily lead to the destruction of the entire botnet. However, P2P systems have a number of constraints. First, they only support conversations among small user groups, usually in the range of 10-50 users (compared with a “small” botnet of 1000 hosts for a centralized C&C botnet). Second, they don’t guarantee message delivery or propagation latency, so a botnet is more difficult to coordinate than one that uses a centralized C&C model. These two constraints have limited the wider adoption of P2P-based communication in botnets. The few existing P2P-based botnets are used by hackers to attack a small number of targeted hosts. As knowledge on implementing P2P-based botnets accumulates, new P2P-based botnets that overcome the above limitations may appear.
The random¹ C&C model has not been used in real-world botnets but may ensure survivability. In the random model, rather than actively contacting other bots or the botmaster, the bot listens for incoming connections from its botmaster. To launch attacks, a botmaster scans the Internet to discover its bots. While easy to implement and highly resilient to discovery and destruction, the model intrinsically has scalability problems and is difficult to use for large-scale, coordinated attacks.
Stay tuned for Part 2, where we’ll examine the mechanisms used to discover and control new bots, the communication protocols used to communicate among botnets, and how botnets evade detection.
¹ Evan Cooke, Farnam Jahanian, and Danny McPherson, "The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets," Proc. of the Steps to Reducing Unwanted Traffic on the Internet Workshop (SRUTI '05), Boston, 2005.
